By Amanda Mull, Federal Contract Specialist, immixGroup
FedRAMP 20x, the General Services Administration (GSA) initiative to improve authorizations of cloud-native services, has just concluded its soft launch. Those who are a part of the federal government marketplace have an opportunity to collaborate in the transition.
There are two goals for the FedRAMP 20x program:
- Simplify automated authorization for better security and lower costs to both applicants and the government.
- Create an easier application process for low-impact cloud services, with fewer sponsorship and application requirements. Higher impact services will still require agency sponsorship.
In specific cases, cloud service providers can now submit documentation and automated validation directly to FedRAMP before being added to the FedRAMP marketplace.
These changes should help remove competitive disadvantages, so that small businesses or advanced technological services find it easier to obtain FedRAMP approvals.
Updated FedRAMP guidance
The FedRAMP soft-launched standards include already-received public comments and have resulted in the guidance outlined below.
Key Security Indicators (KSI). This is a summary of security capabilities necessary for FedRAMP low authorization of cloud-native software-as-a-service (SaaS) offerings. It applies to all FedRAMP 20x pilot authorizations and formal pilot submissions.
Minimum Assessment Scope (MAS). MAS offers guidance for cloud service providers to narrowly define information resource boundaries, while still including all necessary components.
FedRAMP also released some clarifying information for its continuing evolution.
“FedRAMP agency authorization is now based exclusively on FedRAMP Rev. 5 baselines. Companies and agencies with active investments in achieving FedRAMP authorization via this path “are encouraged to evaluate the progress of FedRAMP’s efficiency improvement initiatives to make their own informed decisions.”*
FedRAMP plans to collaborate with industry to build and continually improve the new FedRAMP 20x cloud-native authorization process.
Opportunities for community input
For more information about public engagement and collaboration, FedRAMP has established a Community Working Groups page. The page invites industry participation in biweekly Zoom meetings, and it includes open Q&A in each session.
The Community Working Groups page currently has two active groups that are open to the public:
- FedRAMP 20x explores how FedRAMP can rely on automated validations and simplify documentation and management requirements, using existing best practices and commercial security frameworks.
- FedRAMP Rev. 5 focuses on grounding authorization and monitoring processes in modern security practices to enable commercial cloud providers to better deliver their services to the government.
Other resources for FedRAMP information
FedRAMP has posted several other resources on their website for stakeholders and third parties to stay abreast of the changes in the program.
- FedRAMP 20x. Get information on the new authorization process, information on pilot eligibility and next steps.
- FedRAMP 20x Engagement. Explore past and future public events, press coverage and podcast interviews.
- FedRAMP 20x Frequently Asked Questions. View the official answers to commonly asked questions about FedRAMP 20x.
- Changelog tracks significant information updates all in one place.
An overhaul as large as this can be confusing. In the long run, however, it should streamline ways for industry to demonstrate the security of their cloud-based solutions for better engagements with federal agencies.
*Quotes taken from FedRAMP 20x blog, March 24, 2025, https://www.fedramp.gov/2025-03-24-FedRAMP-in-2025/
Contact immixGroup for more information on navigating the transition to FedRAMP 20x.
This commentary is adapted from information first published in Washington Technology. For the full original commentary, click here.
