[Aaron Hamlin, Practice Leader, Cybersecurity Consulting at BARR Advisory:]
FedRAMP is evolving. Alongside the traditional authorization path, GSA is piloting FedRAMP 20x, which is an effort to make parts of the traditional FedRAMP authorization process more automated and collaborative, especially for low to moderate impact services. And the goal is clearly to not lower security; it’s to modernize how we demonstrate that security.
So what stays the same? The core security expectations for protecting federal data are not changing. Agencies still need competence and cloud service providers to implement security controls, exercise due diligence, and operationalize continuous monitoring. FedRAMP will continue to support traditional authorizations as FedRAMP 20x evolves through its coming pilots and matures into a broader acceptance across the federal government.
So what’s new in the current 20x pilots? So, FedRAMP 20x is testing more automation, machine-readable artifacts, and clear and measurable signals of security posture. The program aims to automate a meaningful share of requirement validation and to focus on continuous monitoring metrics that matter, not just point-in-time static checklists.
So where does FedRAMP 20x fit today? Right now, 20x is in a pilot phase with early activity focused on lower-impact services, and a limited number of approvals have been completed to date. It’s a promising track for certain use cases, while the established traditional FedRAMP authorization path remains the norm for all other use cases.
Why does this matter? What’s important about this? Well, for agencies, modernization can mean evaluating secure cloud-native tools significantly faster. For providers, it can mean updating features without restarting long authorization cycles when baseline controls and approved change procedures are adequately maintained to the FedRAMP 20x specification. And so the intent, in my words, is speed and assurance, not speed instead of assurance.
And so when considering what path to choose, really it comes down to two questions to start with. The first question is, what is your information system capable of storing, processing, and/or transmitting—AKA, what is your impact level? And which authorization path best matches A, your timeline and market ambitions, and B, the potential agency sponsors that you may be currently positioned to serve?
At BARR, we align security engineering and documentation with both models, traditional and FedRAMP 20x. We help teams build a readiness plan. We design scalable security architectures. We produce audit-ready and machine-readable artifacts where applicable. And we are adept at tuning continuous monitoring processes to reflect real risk.
And so in closing, what FedRAMP 20x is doing is critically important for our federal government, and that is working to modernize our cybersecurity posture without compromising the rigor of the security measures that we put into place. And so as 20x matures, many government programs will still rely on the traditional authorization path, while others may benefit from what 20x is implementing. And so the key is choosing the route that matches your system’s risk, your agency partner’s expectations, and your go-to-market plan.
Contact us today to learn more.