FedRAMP 20x: How Federal Cloud Security Changes Impact MSPs
The General Services Administration (GSA) has launched FedRAMP 20x, a significant transformation of the Federal Risk and Authorization Management Program that will fundamentally change how cloud services are authorized for government use.
What is FedRAMP 20x?
FedRAMP 20x is GSA's initiative to modernize the Federal Risk and Authorization Management Program through automation and reduced bureaucracy. Launched on March 24, 2025, it represents a shift from manual compliance checklists to automated security validations, with the goal of making cloud service authorizations faster, simpler, and more efficient. The “20x” name suggests the program aims to be twenty times more effective than its predecessor, focusing on working with industry to develop a new, cloud-native approach to authorizations.
Why this matters for MSPs
The FedRAMP program is required for all federal agency cloud services, making it a critical compliance framework for managed service providers offering cloud solutions to government clients. FedRAMP 20x aims to address several longstanding challenges with the program that Pete Waterman, FedRAMP director, acknowledged at an industry event: “The reality is that FedRAMP is so expensive and burdensome right now that most companies never consider it. FedRAMP today is not meeting our needs… Why is it so hard? It's because FedRAMP is rooted in the past.”
For MSPs, these changes are significant because they:
- Act as intermediaries between cloud service providers and clients in regulated sectors
- Manage cloud environments (M365, AWS, etc.) that require compliance
- Handle key security functions like encryption, logging, patching, and backups
- Develop and implement compliance policies for clients
As FedRAMP shifts toward automation, real-time controls, and API-level attestation, clients will likely expect the same from their MSPs — moving beyond “compliance as documentation” to more streamlined, value-driven approaches that demonstrate real security. (Reading tip: Compliance Scorecard CEO Tim Golden’s LinkedIn post on the FedRAMP revamp)
Key changes
- Automated Validation: Over 80% of security requirements will use automated validation instead of written explanations
- Faster Authorizations: Reducing authorization timelines from months/years to weeks for most cloud offerings
- Reduced Requirements: Eliminating the need for federal agency sponsors for simple, low-impact service offerings
- Continuous Monitoring: Replacing annual assessments with automated checks
Core principles
The FedRAMP 20x initiative is built on five key goals:
- Simplified Automation: Making it simple to automate the application and validation of security requirements
  - 80%+ of requirements will have automated validation without narrative explanations
  - Technical controls will align with standard configuration choices
  - Industry will provide competing solutions with FedRAMP setting standards
- Leveraging Existing Investments: Inheriting best-in-class commercial security frameworks
  - New documentation will be reduced to a few pages when companies provide existing security policies
  - Optional templates will be available as foundations for remaining requirements
  - Complex technical systems can be documented by code rather than narrative
- Continuous Monitoring: Implementing simple, hands-off approaches
  - Standardized machine-readable validation for critical security elements
  - Automated enforcement and secure-by-design principles to prevent mistakes
  - Consistent approach across industry
- Building Trust: Strengthening direct business relationships between providers and agencies
  - Direct interaction over established business channels
  - Industry groups can establish shared procedures
  - Businesses maintain control of their intellectual property
- Enabling Innovation: Replacing artificial checkpoints with continuous security
  - Implementation of enforcement systems for constant security
  - Significant changes following approved processes won't require additional oversight
  - Clear, consistent guidelines for major changes
Implementation timeline
- Contractors and agencies can continue to work with traditional FedRAMP Rev5 baselines until GSA announces a formal end-of-life timeline
- Technical assistance and guidance will be formalized on a rolling basis as the pilot is validated