FedRAMP 20x pilot finds initial success with four approvals
Four months into the pilot effort to improve the cloud security program known as FedRAMP, the initial results are in.
Four vendors have crossed the finish line to receive low authorizations under FedRAMP, proving the faster review process is working.
Pete Waterman, the director of the FedRAMP program, said the goal of 20x is to make the authorization process better, faster and cheaper.
Pete Waterman, the director of FedRAMP, speaks at the Alliance for Digital Innovation event in March. (Jason Miller/FNN)
“The learning is this has worked out really exactly like we dreamed, almost more than we dreamed. What we have found is that the proof of concept works. You can use automated capabilities to validate some fair majority of real security decisions and controls, and you can do that via first party and via third party tools, which is really awesome,” Waterman said after his speech at the 930Gov conference sponsored by the Digital Government Institute last Thursday. “As we go through this, we’re trending in on things that we need to tweak to make this a real authorization. That’s obviously the point of the pilot.”
The first four vendors reached authorization within the first month of the pilot.
The FedRAMP program management office will continue to accept phase one pilot 20x applications through Aug. 19. Waterman said there are about 14 cloud services packages already in the queue under this pilot and he expects several more to come in over the next few weeks. FedRAMP kicked off the programmatic overhaul in March with an appeal for more industry input and a goal of reducing the burden of achieving authorization.
“We’re going to be taking a lot of time at the end of August and September to really circle around with what we’ve learned, talk to these folks and make some determinations from there,” he said. “The core difference that we’re seeing is in the approach to validation. So right now, we’ve seen everything from ‘I ran this one time, and that like proved that I was right,’ all the way to, ‘I am running this constantly, every couple of hours, and it has proven that we’re right.’ That’s where we’ve seen the biggest amount of variance. As far as coverage goes, it’s been really high, definitely, typically, more than 80%. I just saw a demo a couple of weeks ago where we saw a lifecycle management where there was a validation that a change was made in the infrastructure and it tracks it all the way back to a ticket that was created to make that change and verified that the three people with the correct approval permission actually approved that ticket. You see this whole lifecycle happening in a moment in a way that you can’t get any other way.”
The initial successes of the 20x pilot come about a year after the Office of Management and Budget updated the policy governing FedRAMP to address long-standing challenges with the cloud security program.
Waterman said the program really hit its stride in the last six months.
An automation-forward process
He said FedRAMP is an entirely different program than the one that existed a year ago because the expectations, the vision, the strategy, the responsibilities and the authority all changed based on that new memorandum.
Last year FedRAMP had approved fewer than 350 cloud services in 10 years, built a backlog of more than 75 agency-authorized services waiting for FedRAMP review, and averaged under 50 authorizations per year for the last five years.
Over the last year, and really in the last six months, FedRAMP has authorized more than 100 cloud services. The average agency authorization review queue remains under 15 cloud services with a typical review time of under five weeks.
“The new administration came in beginning of January and basically just said, ‘We don’t want you to navigate that anymore. We’d like you to just do all of the new, important stuff that you’re supposed to do and stop trying to carry this weird legacy stuff.’ So that led us to deeply, deeply focus on rethinking the process, to lean into that authority under the law, to develop, create and implement a process. That’s what we’ve been doing with FedRAMP 20x where the law and [OMB memo] required us to build an automation forward process,” Waterman said. “After many, many years of a lot of brilliant folks in private sector trying to figure out how to automate the existing process without much success, we decided to go at it with a different direction. 20x is designed to be a cloud native security assessment process that focuses on legitimate security outcomes that can be reviewed based on the actual configurations that you make while using a technology service, rather than the old process, which was based on narratives.”
The idea is for vendors to show how they are protecting data or their systems instead of describing it in a 300-400 page document. Waterman said, for example, the vendor’s cloud service provider can demonstrate through automated processes that the data is encrypted.
He said the idea driving 20x is not self-attestation, but validating configuration settings and getting to the ground truth.
“In the old way, you’ve got a 300-400 page document with a whole bunch of stuff, you have to pay someone to come in and look at it and do an analysis, and humans talk. It’s human, human, human, human, human, human, human,” he said. “In the 20x model, if you’re deployed on a FedRAMP authorized infrastructure like Amazon Web Services or Google Cloud Platform, you’ll be able to just press a button and get a report that says you’ve met 80% of the requirements. There’s a bunch of other things that you need to reconfigure, but the speed, the cost and the incentive is just totally different in that world.”
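The validation approach Waterman describes, checking actual configuration and change records rather than narrative documents, can be illustrated with a small script. The following is an added example written for this article, not FedRAMP's or any vendor's tooling: it evaluates a constructed configuration snapshot against a handful of machine-checkable requirements, records the evidence behind each verdict, and reports the fraction met. The snapshot layout, the requirement names, the 90-day retention floor and the two-approver rule are all assumptions made for the illustration.

```python
"""Added example: configuration-based validation in the style 20x describes.

Illustrative code for this article, not FedRAMP's or any vendor's tooling.
It evaluates a constructed configuration snapshot against machine-checkable
requirements and keeps the evidence for each verdict, so the result rests on
actual settings rather than on a narrative. Snapshot layout, requirement
names, retention floor and approval rule are assumptions.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed sample snapshot, shaped the way an inventory export might be.
SNAPSHOT = {
    "storage_buckets": [
        {"name": "customer-data", "encryption_at_rest": "kms", "public_access_blocked": True},
        {"name": "build-artifacts", "encryption_at_rest": None, "public_access_blocked": True},
    ],
    "load_balancers": [{"name": "api-edge", "min_tls_version": "1.2"}],
    "audit_logging": {"enabled": True, "retention_days": 365},
    # Constructed change records: the lifecycle link from a change back to its ticket and approvers.
    "infra_changes": [
        {"id": "chg-1001", "ticket": "TKT-77", "approvals": ["alice", "bob", "carol"]},
        {"id": "chg-1002", "ticket": None, "approvals": ["alice"]},
    ],
}

REQUIRED_APPROVALS = 2  # assumed policy value for the illustration


@dataclass
class Finding:
    requirement: str
    passed: bool
    evidence: list[str]  # the concrete items the verdict rests on


def check_encryption_at_rest(snap: dict) -> Finding:
    missing = [b["name"] for b in snap["storage_buckets"] if not b.get("encryption_at_rest")]
    return Finding("storage encrypted at rest", not missing,
                   [f"unencrypted bucket: {n}" for n in missing] or ["all buckets encrypted"])


def check_public_access(snap: dict) -> Finding:
    exposed = [b["name"] for b in snap["storage_buckets"] if not b.get("public_access_blocked")]
    return Finding("no publicly accessible storage", not exposed,
                   [f"public access not blocked: {n}" for n in exposed] or ["public access blocked everywhere"])


def _tls_tuple(version: str) -> tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def check_tls_minimum(snap: dict) -> Finding:
    weak = [lb["name"] for lb in snap["load_balancers"] if _tls_tuple(lb["min_tls_version"]) < (1, 2)]
    return Finding("TLS 1.2 or newer enforced", not weak,
                   [f"weak TLS floor: {n}" for n in weak] or ["all listeners require TLS >= 1.2"])


def check_audit_logging(snap: dict) -> Finding:
    log = snap["audit_logging"]
    ok = bool(log.get("enabled")) and log.get("retention_days", 0) >= 90
    return Finding("audit logging enabled with 90-day retention", ok,
                   [f"enabled={log.get('enabled')} retention_days={log.get('retention_days')}"])


def check_change_approvals(snap: dict, required: int = REQUIRED_APPROVALS) -> Finding:
    """Every change must trace to a ticket with at least `required` distinct approvers."""
    bad = []
    for chg in snap["infra_changes"]:
        approvers = set(chg.get("approvals", []))
        if not chg.get("ticket") or len(approvers) < required:
            bad.append(f"{chg['id']}: ticket={chg.get('ticket')} approvers={len(approvers)}")
    return Finding("infrastructure changes ticketed and approved", not bad,
                   bad or [f"all changes linked to tickets with >= {required} approvers"])


CHECKS: list[Callable[[dict], Finding]] = [
    check_encryption_at_rest,
    check_public_access,
    check_tls_minimum,
    check_audit_logging,
    check_change_approvals,
]


def evaluate(snap: dict) -> dict:
    """Run every check and return the findings plus the fraction of requirements met."""
    findings = [check(snap) for check in CHECKS]
    met = sum(f.passed for f in findings)
    return {"findings": findings, "met": met, "total": len(findings),
            "coverage": met / len(findings)}


if __name__ == "__main__":
    result = evaluate(SNAPSHOT)
    for f in result["findings"]:
        print("PASS" if f.passed else "FAIL", f.requirement, "|", "; ".join(f.evidence))
    print(f"{result['met']}/{result['total']} requirements met ({result['coverage']:.0%})")
```

Run against the constructed snapshot, three of the five requirements pass; the two failures carry the evidence (the unencrypted build-artifacts bucket and the untracked change chg-1002) rather than a prose assertion. Re-running the same checks on a fresh snapshot every few hours is what turns a one-time assessment into the continuous validation the article contrasts it with.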
Comments due on vulnerability management standards
Once the program office is comfortable with the 20x process for low authorizations, Waterman said he expects to begin pilots for moderate level authorization this fall and the move to high authorizations in early 2026.
“Once we get to high, then we start all the way back down at low. Now it’s you’ve got your own data centers and you’ve got your own buildings, here’s how to get low in there, and we just keep adding on. So like true incremental delivery is what we’re looking for in that process,” he said. “When we think about the transformation that is going to happen in FedRAMP, it’s not going to be two years of waiting and then a switch flips and all of a sudden everything’s different. Instead, it’s going to be every couple of weeks, every month, there’s a little bit of a change, and then three years from now, you look back and see — oh, we got everything right.”
Along with the 20x pilots, FedRAMP released a request for comments on vulnerability management standards. The standard explains how cloud services should handle security risks, with the goal of giving future guidance a clear, consistent approach to identifying and addressing vulnerabilities.
Waterman said the new standards are how FedRAMP is shifting to being a security-based program rather than a compliance-based program.
“This is a standard [that] doesn’t say here’s what you have to meet in order to be good enough, but rather, it’s a standard that says here’s what we’re going to expect people to start shifting toward in order to improve their security over time,” he said. “So what we’re really looking for, from a public comment standpoint, is understanding what the impacts of those shifts will be, how realistic it is for different sized companies and different people to do it and where we match against private sector best practices. We had a vulnerability management special event hosted [July 30] and one of the consistent narratives from a lot of technology companies is that we go way above and beyond the requirements right now for FedRAMP, and these new requirements are actually starting to get closer to what we do for our commercial customers. That’s the kind of feedback that helps us know that we’re going in the right direction, that we’re building something that makes sense for businesses and for government.”
Comments are due Aug. 21. Waterman said depending on the comments, the program management office may finalize the standards in a matter of weeks — or it may take a few months.