FedRAMP: Rapid, Incremental Cloud Security Innovation


FedRAMP’s Bold Leap: Rapid Innovation Reshapes Cloud Security Certification

After a decade marked by frustration, never-ending backlogs, and limited changes, the Federal Risk and Authorization Management Program (FedRAMP) is charting an entirely new course. Under the leadership of FedRAMP Director Pete Waterman, the program is undergoing a significant transformation, embracing rapid, incremental innovation to make cloud security authorizations more agile and responsive.

A New Era of Flexibility and Collaboration

The core of this new approach lies in the FedRAMP 20x Phase One Pilot. Instead of dictating a rigid, prescriptive process, FedRAMP is moving towards an elective and discretionary style of security verification. This means that cloud service providers (CSPs) can achieve a Low authorization by demonstrating that they meet key security indicators using their own automation tools, rather than adhering to a pre-defined government process. Importantly, under this pilot, a CSP no longer needs an agency sponsor to participate.

This marks a 180-degree turn from traditional government cybersecurity approaches. FedRAMP is now focused on the outcome—proof that 40 important security requirements are met—leaving the “how” up to the industry. The belief is that if the program truly wants to drive innovation and reimagine cloud security authorizations, it cannot assume to have all the answers.

Industry Embraces the Risk

Despite the initial lack of clearly established rules, the response from the private sector has been overwhelmingly positive. More than 30 cloud service providers, including 10 companies specializing in governance, risk, and compliance (GRC) tools, have expressed interest in participating in the Phase One Pilot. This strong engagement demonstrates that when space is created for industry, it is willing to step forward, innovate, and bring creative solutions to the table. The program expects to gather a significant amount of data from these participants, which will help it settle on a new, more effective standard.

Continuous Evolution and Backlog Reduction

The Phase One Pilot is just the beginning. FedRAMP plans to analyze the approaches from this pilot, formalize the findings, and grant 12-month Low authorizations to successful vendors. Following this, a Moderate authorization pilot will be launched, requiring vendors to meet additional security indicators, and then a High authorization pilot, continually widening the scope and repeating the incremental process. This ongoing evolution is so fundamental that the initiative is dubbed “20x,” signifying its adaptability for 2025 and beyond.

Beyond the pilots, FedRAMP has made significant strides in improving its current processes. Since October, the program has authorized 95 new CSPs, including 21 in May alone. One of the most remarkable achievements has been the drastic reduction in the backlog of CSP packages awaiting final approval, which plummeted from 80 to just 11. This improvement stems from a shift towards a more risk-based approach, where the FedRAMP Program Management Office is less “picky” and focuses on facilitating agency reuse while noting any specific component limitations.

The future of FedRAMP promises rapid innovations, making cloud products more accessible without compromising security rigor. Industry and agencies alike are encouraged to participate and adapt to this forward-moving, ever-evolving landscape.

Tags: FedRAMP, Cloud Security, Innovation, Government IT, Cybersecurity, GSA, Pete Waterman, Digital Transformation, Federal Agencies, ATO, Cloud Computing, Risk Management
