Cloud security is evolving to meet the demands of a rapidly changing digital landscape. Enter FedRAMP 20X, a pilot program designed to streamline authorization processes while maintaining robust security standards for Cloud Service Providers (CSPs) and federal agencies. But what does this mean for the industry, and how can CSPs leverage these changes? In this post, we’ll explore insights shared by Travis Howerton, Co-Founder and CEO of RegScale, on the Risk Management Show. Together, we unpack the key changes in FedRAMP 20X, the role of automation, and the opportunities ahead. Let’s dive in! 

What is FedRAMP 20X and Why Does It Matter?

FedRAMP 20X is being hailed as a significant leap forward in how cloud services are authorized for federal use. According to Howerton, one of the standout aspects of this program is its focus on adopting a more commercial, service-oriented mindset. This means reducing redundant review steps and accelerating the adoption of innovative technologies from the private sector.

The program aims to address a long-standing challenge: the slow pace at which federal agencies adopt modern technologies. By closing this gap, FedRAMP 20X ensures that government customers can access cutting-edge solutions while maintaining stringent security standards. As Howerton puts it, "Cyberspace has never been more dangerous than it is today. While we want to go fast, we cannot afford to lower the bar on security."

Key Changes and Benefits for CSPs

For CSPs, the FedRAMP 20X program offers both opportunities and challenges. Here’s what’s changing and why it matters:

  • Express Lane for Low-Risk Systems: One of the primary goals is to create a streamlined "fast lane" for low-risk systems. This lets companies get their foot in the door faster while keeping a high security bar for moderate- and high-risk systems.

  • Reciprocity and Reuse: FedRAMP 20X is exploring ways to leverage existing certifications like SOC 2 or ISO 27001 to accelerate the process. This reduces barriers to entry for new CSPs while enhancing efficiency.

  • Continuous Monitoring Improvements: The program is shifting from ambiguous deliverables to machine-readable Key Security Indicators (KSIs). This opens the door for automation, reducing operational burdens for CSPs.

  • Significant Change Notice (SCN): Instead of requiring approval for every new feature or service, CSPs can now notify the government of changes. This dramatically speeds up the process of offering new solutions to federal agencies.

These changes not only make it easier for CSPs to enter the federal market but also ensure that federal agencies can access the latest technologies quickly and securely.

The Role of Automation and AI in Transforming Compliance

One of the most exciting aspects of FedRAMP 20X is its emphasis on automation. Howerton breaks this down into three key components:

  • Compliance as Code: By using machine-readable formats like the Open Security Controls Assessment Language (OSCAL), CSPs can automate assessments and streamline compliance processes.

  • Automation Ecosystem: APIs and open standards enable the creation of self-updating documentation, reducing the need for manual, time-consuming processes.

  • AI Overlays: RegScale, for instance, uses AI agents to generate audit reports in hours rather than weeks, significantly speeding up the authorization process.

Howerton highlights the dramatic impact of these advancements: "Technology has evolved to the point where you can automate a ton of tasks, reducing both the time and cost it takes to achieve compliance."

Challenges and Opportunities Ahead

Despite its many advantages, FedRAMP 20X is not without challenges. Howerton points out two major hurdles:

  • Finding Federal Sponsors: CSPs still need a government agency to sponsor their FedRAMP application. This can be a time-consuming and resource-intensive process.

  • Rework Across Agencies: Even with FedRAMP authorization, CSPs often face redundant processes when working with multiple agencies. Howerton advocates for government-wide approvals to eliminate unnecessary rework.

However, these challenges also create room for innovation. For example, adopting a fee-for-service model could streamline the process while reducing the burden on taxpayers. Additionally, greater use of automation and AI can help CSPs navigate these hurdles more efficiently.

Takeaways for CSPs and Federal Agencies

For CSPs, now is the time to rethink your approach to security and compliance. Howerton advises focusing on being "secure by design" and leveraging automation to reduce costs and accelerate authorization timelines. For federal agencies, adopting more streamlined and standardized processes can lead to significant cost savings and faster access to cutting-edge technologies.

Final Thoughts: The Future of Cloud Security

FedRAMP 20X represents a pivotal moment for cloud security and compliance. By balancing innovation with robust security standards, it opens up new possibilities for CSPs and federal agencies alike. As Howerton aptly concludes, "If you’re still doing things manually, now is the time to explore automation and AI. The tools exist to transform your risk and compliance programs for the better."

Ece Karel - Community Manager - Global Risk Community
