The FedRAMP 2025 Overhaul: Transforming Federal Cloud Security


The Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 by the U.S. Office of Management and Budget (OMB) through Memo M-12-03, in response to the federal government’s increasing adoption of cloud technologies. Its primary goal was to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by federal agencies—ultimately aiming to reduce duplication of effort, enhance transparency, and strengthen the overall security posture of government systems.

Although initial adoption was gradual, FedRAMP gained significant traction in the years that followed. The program experienced rapid growth in 2020, driven by the acceleration of cloud adoption across federal agencies and increased reuse of FedRAMP authorizations. In 2022, the program reached a major milestone when it was formally codified into law through the National Defense Authorization Act (NDAA) for Fiscal Year 2023. This legislation also established the FedRAMP Board and laid the foundation for future modernization.

The Launch of FedRAMP 20x: A Paradigm Shift

On March 24, 2025, a transformative new phase—FedRAMP 20x—was announced. This initiative represents a substantial departure from the program’s legacy processes. Historically, FedRAMP was viewed as complex, costly, and resource-intensive, and in many ways, that reputation was well-earned. With the rollout of FedRAMP 20x came significant staffing reductions within the FedRAMP Program Management Office (PMO), signaling a decisive shift toward innovation and agility.

Driven by collaboration with federal experts and industry stakeholders, FedRAMP 20x aims to modernize the authorization process by emphasizing security-driven decision making rather than compliance for compliance’s sake. This post summarizes the four primary working groups under FedRAMP 20x from the perspective of a third-party assessment organization (3PAO).


FedRAMP 20x Community Working Groups

Central to FedRAMP 20x is the establishment of Community Working Groups where industry and the public collaborate directly with FedRAMP experts. Launched in spring 2025, these groups provide FedRAMP with community insights while giving stakeholders equal access to information and innovation opportunities through transparent, PMO-facilitated forums on GitHub and biweekly meetings.

Applying Existing Frameworks Working Group

The Applying Existing Frameworks Working Group is focused on exploring how established frameworks—such as SOC 2 and ISO 27001—can be leveraged to reduce the documentation burden associated with FedRAMP by reusing existing policies and procedures. From my perspective as a 3PAO—and having conducted hundreds of SOC 2 audits—this approach is viable only for Low-Impact Software-as-a-Service (LI-SaaS) systems.

In practice, the policies developed for a SOC 2 audit do not align with the depth and breadth of controls required for a FedRAMP Moderate assessment, and frankly, they’re not intended to. FedRAMP Moderate and High baselines include 18 control families, many of which are either entirely unaddressed or only partially addressed in SOC 2-aligned documentation. In most cases, the procedures supporting SOC 2 are not robust enough to satisfy FedRAMP’s more rigorous expectations for Moderate systems.

However, for LI-SaaS systems, which have a narrower risk profile, SOC 2-based documentation is generally sufficient to meet FedRAMP requirements—making this a practical and promising area of focus for this working group.

Automating Assessments Working Group

As a 3PAO, I find the Automating Assessments Working Group to be the most intriguing and potentially impactful component of the FedRAMP 20x initiative. Its primary goal is to automate the application and validation of security requirements, targeting automated validation for over 80% of controls—a dramatic shift from the current manual approach. Today, much of the evidence collection process relies on screenshots accompanied by narrative explanations, which is not only time-consuming but also highly inefficient.

This working group proposes a shift toward configuration-based assessments conducted through automated tools, eliminating the need to sift through spreadsheets containing hundreds of assessment objectives spanning interviews, examinations, and tests. I strongly support this move to automation—though the 80% automation goal may be ambitious—because it addresses a major pain point in the current assessment process. That said, as with most transformational efforts, the challenge lies in the details, especially given the variability in cloud service provider (CSP) environments and application architectures.

A critical success factor will be establishing trust in the accuracy of automated outputs. I’ve encountered cases where tools reported results that didn’t align with the actual system configuration. Until that trust is earned, automation will remain limited in its effectiveness. However, once validated, automation has the potential to streamline assessments significantly and eliminate the need for extensive written descriptions to demonstrate control effectiveness.

Leveraging existing APIs and analyzing infrastructure-as-code (IaC) artifacts will further strengthen the feasibility of this approach. While implementation will take time, the momentum is clearly building—and frankly, it must. The end result—a repeatable, scalable, and security-focused assessment process—would be a substantial improvement over the status quo.
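As an added illustration (not code from this post, from FedRAMP, or from any assessment tool), the following Python sketch shows what a configuration-based, machine-readable validation of the kind described above can look like, including a reconciliation step for the trust problem of tool output that disagrees with the actual configuration. The resource names, field names, check ids and tool report are constructed assumptions, not a real provider schema or FedRAMP control identifiers.

```python
import json

# Constructed evidence of deployed state, as an IaC artifact or cloud API would
# report it. Resource and field names are assumptions, not a real provider schema.
ACTUAL_CONFIG = {
    "storage/backups": {"encryption_at_rest": True, "public_access": False, "logging": True},
    "storage/exports": {"encryption_at_rest": True, "public_access": True, "logging": False},
    "iam/console": {"mfa_required": True, "session_timeout_min": 15},
}
# Constructed output of a hypothetical scanner: it claims the exports bucket passes
# the public-access check, which the actual configuration contradicts.
TOOL_REPORT = {"storage/exports": {"public_access": "PASS"}}
# Checks as (id, resource prefix, field, required value); ids are illustrative
# and do not map to FedRAMP control identifiers.
CHECKS = [
    ("CHK-ENC-01", "storage/", "encryption_at_rest", True),
    ("CHK-PUB-01", "storage/", "public_access", False),
    ("CHK-LOG-01", "storage/", "logging", True),
    ("CHK-MFA-01", "iam/", "mfa_required", True),
]

def evaluate(config, checks):
    """Test each check against every matching resource; one machine-readable result per pair."""
    results = []
    for check_id, prefix, field, required in checks:
        for name, attrs in config.items():
            if not name.startswith(prefix):
                continue
            observed = attrs.get(field)
            results.append({"check": check_id, "resource": name, "field": field,
                            "required": required, "observed": observed,
                            "status": "PASS" if observed == required else "FAIL"})
    return results

def reconcile(results, tool_report):
    """Return results where a tool's claimed status disagrees with what was observed."""
    mismatches = []
    for r in results:
        claimed = tool_report.get(r["resource"], {}).get(r["field"])
        if claimed is not None and claimed != r["status"]:
            mismatches.append({**r, "tool_claimed": claimed})
    return mismatches

if __name__ == "__main__":
    findings = evaluate(ACTUAL_CONFIG, CHECKS)
    print(json.dumps({"findings": findings,
                      "tool_mismatches": reconcile(findings, TOOL_REPORT)}, indent=2))
```

The point of `reconcile` is that an assessor should not accept a tool's verdict on its own; the verdict is compared with the configuration evidence the tool was supposed to read, and any disagreement is surfaced as a finding in its own right.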


Rev 5 Continuous Monitoring Working Group

The current continuous monitoring process is time-consuming and burdensome for cloud service providers (CSPs), who must manage and report on a range of activities—including Plan of Action and Milestones (POA&M) remediation efforts, vulnerability scans and their resolution, accurate inventory maintenance, and the submission of significant change requests.

The Continuous Monitoring Working Group under FedRAMP 20x aims to reduce this manual burden by introducing automated, machine-readable validations of security controls. By doing so, federal agencies will gain greater visibility into the real-time risk posture of a cloud service offering (CSO), improving both the efficiency and effectiveness of the monitoring process. This initiative will also streamline continuous monitoring across multiple agencies, easing the reporting obligations for CSPs that support more than one federal entity.

Continuous Reporting Working Group

The Continuous Reporting Working Group is a forward-looking initiative aimed at replacing the traditional FedRAMP Rev 5 continuous monitoring approach with a more dynamic model based on real-time security metrics. Specifically, it focuses on developing and implementing Key Security Indicators (KSIs) that will provide a live, ongoing view of a system’s security posture.

Under the current model, federal agencies rely on point-in-time data delivered in various formats—such as reports, scan outputs, and narrative summaries—which limits their ability to assess evolving risk. The envisioned future state is a continuously updated dashboard that offers agencies immediate insight into a cloud system’s operational and risk status at any moment.

As with other FedRAMP 20x efforts, automation is central to realizing this vision. By streamlining data collection and validation, continuous reporting will significantly enhance both situational awareness and decision-making across the federal cybersecurity landscape.


The Future of FedRAMP: 2025 and Beyond

2025 marks a pivotal year for FedRAMP, as the FedRAMP 20x initiative ushers in a long-overdue overhaul of the program. Despite operating with a leaner staff, the FedRAMP Program Management Office (PMO) is aggressively advancing this transformation—and with good reason. The traditional approach has become costly, inefficient, and burdensome for all stakeholders involved, including CSPs, 3PAOs, and federal agencies.

FedRAMP 20x, driven by industry collaboration and aligned with guidance from the PMO, is poised to be the catalyst for meaningful change. Its initiatives are not only well-founded—they represent the foundation for sustained innovation that will strengthen the FedRAMP ecosystem and better align it with modern security needs and operational realities.

If you would like to learn more about how Linford and Company can assist your organization regarding FedRAMP assessment services, please contact us.
