The General Services Administration (GSA) today unveiled its plans to revamp the Federal Risk and Authorization Management Program (FedRAMP) with a heavy focus on automation to speed the approval process for secure cloud services used by the Federal government.

GSA also pledged to work more extensively with industry to “develop a new, cloud-native approach to authorizations” with the goals of making FedRAMP authorizations “simpler, easier, and cheaper while continuously improving security.”

GSA pointed industry to its new engagement kit that also debuted today.

The agency listed several core principles and goals for the program revamp, including:

  • Cutting red tape by reducing “unnecessary paperwork and aiming to automate as much of the process as possible to accelerate approvals in a cost efficient manner.”
  • Challenging the private sector to “show their leadership” in developing secure cloud solutions.
  • Reducing the program’s traditional role as the “middleman” between cloud providers and Federal agencies and instead making it “easier for providers and agencies to work together directly.”
  • Pledging to hold public working groups to “gather input from industry, ensure equal access to information, encourage pilot programs, and provide technical guidance before formal public comment and release.”
  • Simplifying and clarifying security requirements “so that new cloud services can be approved in weeks instead of years.”

GSA said the program will continue to support traditional agency authorizations where agencies help cloud providers through the FedRAMP process.

But the agency also said that Federal agency sponsors will no longer be required for “simple, low-impact service offerings.”

It also pledged to promote “turn-key adoption for simple, cloud-native environments,” and “engineer-friendly security requirements that are easy to implement.”

“Our partnership with the commercial cloud industry needs serious improvement,” declared GSA Acting Administrator Stephen Ehikian.

“Strengthening this relationship will help us fulfill our commitment to cutting waste and adopting the best available technologies to modernize the government’s aging IT infrastructure,” he said. “FedRAMP 20x will give agencies access to the latest technology now — not months or years down the road.”

“FedRAMP is a shared service that meets the critical needs of agencies government-wide,” said Thomas Shedd, director of GSA’s Technology Transformation Services group and deputy commissioner of the Federal Acquisition Service. “We’re not just modernizing a process; we’re reimagining how federal cloud security can work and providing agencies the ability to determine their own risk posture.”

“FedRAMP 20x represents our commitment to cutting through complexity, empowering innovation, and ensuring that security keeps pace with technological advancement,” he said. “FedRAMP 20x will keep driving faster, smarter, and more customer-focused service for years to come.”

“As a member of the FedRAMP Board, I am incredibly excited about FedRAMP 20x,” commented Carrie Lee, who is chief product officer and deputy CIO, Product Delivery Service, at the Department of Veterans Affairs.

“This transformative vision will streamline FedRAMP processes, leveraging automation and modern technologies to accelerate secure cloud adoption across federal agencies,” Lee said. “By reducing authorization times from years to weeks and enhancing security postures through our modernization efforts, we are setting a new standard for efficiency and innovation.”

“I championed codification of the FedRAMP program in 2023 to ensure a more efficient, cost-effective security framework for agencies using modern cloud services. This past July, OMB issued statutorily required guidance on the implementation of that program,” said House Oversight and Reform Committee Ranking Member Gerry Connolly, D-Va.

“To date, the Trump Administration has not consulted Congress on changes to the program or new guidance regarding its implementation – a radical departure from the longstanding partnership between Congress and the Executive Branch on this issue,” he added.

“My goal remains, as it has always been, a program that ensures the security of cloud-based services in an efficient manner but let me be clear – Congress plays an integral role in ensuring the implementation of a program that is both streamlined and rigorous. Any effort to improve these objectives must comply with current law,” Rep. Connolly said. “This is already law. Congress must be consulted on proposed changes to the program and the Administration must provide clear assurance that it will result in effective and rigorous security outcomes.”

Brian Conrad, who was acting director of the FedRAMP program from 2021-2024 and is now Director of Global Compliance, Authorizing Authority Liaison at Zscaler, said today that GSA’s revamp plan “marks a promising step forward for FedRAMP and government IT modernization.”

“By embracing automated security validations, FedRAMP is advancing cloud security and efficiency,” he said. “Through more concerted automation and harmonization efforts, FedRAMP is strengthening cloud readiness and resilience across all sectors, reducing administrative burdens, and simplifying processes to drive greater operational efficiency.”

“This evolution underscores FedRAMP’s ongoing commitment to adapting to the dynamic needs of the cloud community and the evolving threat landscape,” Conrad continued. “By taking this step, FedRAMP is empowering agencies to adopt modern cloud solutions that drive meaningful outcomes and better support their missions.”

“Zscaler applauds these changes and remains committed to supporting FedRAMP’s continued efforts to enhance security, efficiency, and innovation in government IT,” he said.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.