GSA Begins FedRAMP 20x Rollout
The General Services Administration has initiated its FedRAMP 20x initiative with a four-phase rollout. The process begins with Low-impact systems before expanding to Moderate and High categories. The reforms are designed to accelerate the adoption of secure cloud services across federal agencies and provide a clearer authorization timeline for cloud service providers.
- The initiative aims to reduce the authorization timeline from the historical 12-18 months to just a few weeks. This is a response to long-standing criticism from both industry and government about the slow pace of the existing process.
- A primary goal is to automate the validation of over 80% of security controls, a significant shift from the current process, which requires extensive manual documentation and narrative explanations for 100% of controls.
- The reforms are underpinned by the FedRAMP Authorization Act and the Office of Management and Budget's (OMB) Memorandum M-24-15, which rescinded previous FedRAMP policy. This new guidance directs the GSA to increase the number of authorized cloud services by streamlining processes.
- For Low-impact systems, Cloud Service Providers (CSPs) will no longer need an agency sponsor to begin the authorization process, a change intended to open the federal market to smaller providers.
- The first phase of the pilot for Low-impact systems was completed in September 2025 and saw 26 complete submission packages in just under three months, with 12 initial authorizations granted. The second phase, focusing on a limited cohort for Moderate baseline authorizations, is scheduled to run from November 2025 to March 2026.
- The initiative moves towards a continuous monitoring model using machine-readable data and Key Security Indicators (KSIs) rather than relying on annual, point-in-time audits. This is designed to provide a more real-time view of a system's security posture.
- Instead of creating duplicative documentation, CSPs will be able to leverage existing best-in-class commercial security frameworks, such as SOC 2 and ISO 27001, to meet FedRAMP requirements.
- The traditional Joint Authorization Board (JAB) model is being eliminated, shifting to a more distributed approach in which agencies directly validate and monitor CSP compliance, while the FedRAMP Program Management Office (PMO) focuses on standards and automation.