In the spring of 2025, the U.S. General Services Administration (GSA) announced the launch of FedRAMP 20x, a new approach to the Federal Risk and Authorization Management Program (FedRAMP) that aims to modernize and streamline the FedRAMP authorization process for cloud service providers (CSPs).
What is FedRAMP 20x, and what does this new initiative mean for CSPs seeking FedRAMP authorization? Let’s break it down.
FedRAMP: Back to Basics
FedRAMP is a U.S. government-wide initiative that standardizes the security assessment, authorization, and continuous monitoring of CSPs that work with federal agencies.
For organizations that provide or want to provide cloud-based services to federal agencies outside of the Department of Defense (DoD), FedRAMP authorization is required. But compliance with FedRAMP not only meets federal requirements—it also strengthens your security posture and opens the door to valuable government contracts.
CSPs can choose to pursue one of four levels of authorization depending on level of risk:
- Low: This level covers basic confidentiality, integrity, and availability protections.
- Moderate: The most popular level of authorization, this level adds more stringent controls for CSPs.
- High Impact: This level best suits CSPs working with highly sensitive data that requires the most rigorous protection.
- Li-SaaS: This more streamlined option is designed for low-impact authorizations and organizations that don’t interact with personally identifiable information (PII).
Gaining FedRAMP authorization has long been a rigorous, complex, and multi-step process that required the backing of a federal agency and an accredited Third-Party Assessment Organization (3PAO). But FedRAMP 20x is changing the game, especially for lower-risk organizations.
What’s Changing?
According to the GSA, the goal of FedRAMP 20x is to reduce unnecessary red tape, introduce more automation, and make the authorization process faster and more cost-effective overall, particularly for low-risk CSPs. Instead of taking months or years, approvals could be completed in weeks, without the need for an agency sponsor in some cases, the GSA said in their announcement.
The new process is designed to be turn-key, with engineer-friendly security requirements that are easier to understand and implement. FedRAMP 20x will also simplify security requirements, provide early technical guidance, and host public working groups to gather industry input and ensure equal access to information.
Ultimately, FedRAMP 20x aims to create a more flexible, innovation-friendly environment where CSPs can demonstrate modern security practices and collaborate more directly with federal agencies.
What Does This Mean for CSPs?
For cloud service providers, FedRAMP 20x represents a major shift toward flexibility, automation, and industry-driven innovation. Here are some of the most notable changes that CSPs can expect:
- Fewer Documentation Requirements: Instead of requiring lengthy, manual documentation for every control, more than 80% of requirements would be able to be validated via automation.
- New Tools: New templates and code-based tools can help simplify how CSPs document and demonstrate their security postures.
- Reduced Redundancies: CSPs would be able to repurpose many policies they’ve already written to meet other security and compliance requirements.
- Smarter Continuous Monitoring: Continuous monitoring will move toward a more hands-off format, with a focus on what truly matters for security.
- Faster Decision-Making: By encouraging direct collaboration between CSPs and federal agencies, FedRAMP 20x opens the door for faster decision-making and stronger partnerships—without compromising intellectual property or forcing one-size-fits-all solutions.
- More Innovation: Under FedRAMP 20x, CSPs won’t face unnecessary checkpoints or reauthorization hurdles for every change. Instead, as long as providers follow approved processes and maintain baseline security, they’ll be free to evolve their services with greater agility and confidence.
For CSPs, these changes would result in less time spent navigating bureaucracy and more time delivering innovation.
“FedRAMP 20x doesn’t change what it takes to protect federal data; it changes how we prove it,” said Aaron Hamlin, practice leader of cybersecurity consulting at BARR Advisory. “By modernizing how we communicate and track the metrics that matter, we can keep security strong and create space to test innovative approaches without compromising the rigor needed for higher-impact systems.”
The Bottom Line
FedRAMP 20x marks a meaningful step forward in the evolution of federal cloud security. By removing unnecessary barriers, embracing automation, and giving CSPs more flexibility, the new initiative is making it easier for secure cloud solutions to enter the federal marketplace.
While many details are still being finalized, one thing is clear: FedRAMP 20x is setting the stage for a more modern, collaborative, and efficient path to federal authorization.
Need help navigating your path to FedRAMP authorization? Contact us today for a free consultation.