On March 24, the Alliance for Digital Innovation (ADI) hosted a discussion about the future of the General Services Administration's (GSA) Federal Risk and Authorization Management Program (FedRAMP), featuring Pete Waterman, Director of the program. The event focused on the changes anticipated at FedRAMP, particularly the launch of FedRAMP 20x, and how this new initiative will improve cloud security for government agencies, with a focus on transparency, collaboration, and continuous improvement.

Waterman candidly addressed FedRAMP’s current challenges, pointing out that the government’s security standards were built years ago and do not reflect the current state of technology. With cloud services constantly evolving, the old model no longer works. FedRAMP needs to adapt to a world where technology is continuously developed, implemented, and updated without any downtime—and that requires a new, agile approach.

One of the biggest takeaways from the event was that FedRAMP is not going to figure out these challenges alone. Waterman made it clear that GSA needs input from industry leaders to help design and implement a new, streamlined process. This new approach centers on industry and government working hand in hand to create a cloud-native security framework that can evolve with the times.

Waterman also tackled the issue of FedRAMP being too expensive and burdensome for many companies. He explained that FedRAMP needs to be worth it for every cloud provider so that agencies can access the cutting-edge technology that industry is building. To solve this, FedRAMP is focusing on reducing complexity and making the authorization process more accessible and efficient. 

The FedRAMP 20x vision also includes a big push for automation. Waterman highlighted how tools like Infrastructure as Code (IaC), automated validation, and continuous reporting will allow for faster and more accurate security assessments. This shift will not only improve the speed of FedRAMP authorizations but also create hundreds of new approvals every year, ensuring that federal agencies get access to the most secure, innovative cloud services available.

To meet these goals, FedRAMP is setting up four working groups that will focus on Rev. 5 Continuous Monitoring, Automating Assessments, Applying Existing Frameworks, and Continuous Reporting. These groups will help ensure that the new approach is shaped by the needs of the cloud industry, and will be convened in a public manner to promote transparency and collaboration. 

In a fireside chat with ADI Executive Director Ross Nodurft, Waterman shared that industry is eager to get involved and help shape FedRAMP 20x and this new era of the program. The Department of Defense, for example, is on board, though they’re excited – and a bit nervous – about how quickly things are moving. But with industry’s help, they’re confident that FedRAMP’s new approach will be a win for everyone.

It’s clear that FedRAMP is about to undergo some serious changes. With a focus on industry collaboration, automation, and continuous validation, FedRAMP 20x is setting the stage for a more efficient, transparent, and secure cloud environment for federal agencies. As Waterman said, “industry leads the way.”

Grace O’Neill
