FedRAMP 20x: What's New and How Does it Impact Your FedRAMP Journey?

April 03, 2025

On March 24th, the FedRAMP Program Office (PMO) announced the changes they are making under the FedRAMP 20x program. There is a lot to digest here, so in this post I’ll only cover my initial reactions. Honestly, I’m both disappointed and excited about the changes. Let me explain.


The Agency Authorization path is still the only valid authorization path. However, the FedRAMP 20x FAQ indicates, under “Will new cloud service providers need an agency “sponsor”?”, that the CSP will submit both documentation and automated validations directly to FedRAMP prior to being listed on the Marketplace. Then the agencies can choose to authorize the service. Clarification will certainly be needed, but this may allow CSPs to go under 3PAO audit without a sponsor, and basically allow companies to pursue FedRAMP without having a sponsor in hand.


FedRAMP is also rolling out a new framework under FedRAMP 20x which will be updated yearly. This is where the devil is in the details…


Depending on a company’s readiness, bringing a SaaS through FedRAMP may take a few years. I’d be a bit concerned about how changes mid-stream would affect those on the slower path, although a yearly update does allow for rapid adaptation to changing requirements and priorities.


There is a lot of talk about automation in FedRAMP 20x, and I am curious about how that will work in practice. FedRAMP states that 80% of the controls will have automated validation. Will that be within a PMO tool, a 3PAO tool, or be the responsibility of the CSP?


If the CSP will be incorporating automation, are there tools out there that can do that, or do they need to be built? I know many GRC tools can automate compliance monitoring, but very few are currently FedRAMP Authorized.


Will the current crop of FedRAMP CNAPP tools be able to do this? I suspect detailed research has been done to prove out this 80% number, but I’ve yet to see it. I will say that the best part of this automation is the statement that these controls will not need to be fully documented in the SSP; that will be a huge time saver.


In other good news, you may no longer need to write 18 different sets of policies and procedures for FedRAMP. This will be interesting because very few existing corporate policies state, with the same clarity as FedRAMP-specific policies and procedures, that the company will meet the FedRAMP requirements. How well this works will come down to what a 3PAO is willing to label as “sufficient”.


While I’d rather focus on what they do versus what the policies say they promise to do, any ability to easily leverage existing corporate documentation is welcomed.


The next two sections in FedRAMP 20x (3. Continuously monitor security decisions using a simple, hands-off approach, and 4. Build trust between industry and federal agencies by leaning into the direct business relationships between providers and customers) are interesting. They both rely on industry to create specific capabilities, yet they do not go into detail on how that will be accomplished. I look forward to industry participation, but I don’t know how this will be pulled off, or how competition between different companies will be addressed.


At the end of the FedRAMP 20x page (FedRAMP 20x | FedRAMP.gov) is a treat. It looks like the annual assessment will be replaced by automated checks, which will save CSPs a lot of time and money. Also, it appears they are doing away with the Significant Change Request process and allowing CSPs to evolve their system under a minimal “business process”.


In total, there is a lot to like here. However, as I mentioned earlier, with any roadmap or vision statement, the devil is in the details. In the near term the PMO will stop doing many of its current activities by the end of March 2025, and the agencies will need to pick up that work until the tools and procedures of FedRAMP 20x are rolled out. Unfortunately, there is no information on their expected timeline to roll out these new automation tools and processes.


This is both exciting and scary. As someone who works with clients on their FedRAMP strategy, I think this is going to open new options for companies, but I can see a lot of uncertainty weighing heavily on corporate leadership until more details are available. I hope they can move quickly in getting this implemented.

Sr. Director of Federal Advisory Services | Optiv + ClearShark
John Allison spent 24 years in the Air Force, doing systems engineering, weapons research, program management, and intelligence analysis. He retired in 2015 and started his civilian career focusing on bringing to market compliant cloud solutions including DoD and FedRAMP offerings for both large companies and small startups. Throughout his career he's been called on as the technical and compliance expert and has a passion for bridging the gap between the Government's need for solutions and innovative non-traditional companies.

About Optiv + ClearShark™

Optiv + ClearShark is a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. From the data center, cloud and to the edge, we have decades of experience securing and modernizing federal agency data and infrastructure. Our world-class advisory and engineering team is comprised of mission-focused, results-driven subject-matter experts with deep technology and agency domain knowledge and security clearances.


Part of Optiv, the cyber advisory and solutions leader, Optiv + ClearShark partners with federal agencies to advise, deploy and operate complete cybersecurity programs.