FedRAMP in Flux: Pete Waterman Unveils FedRAMP 20x
At the recent FedRAMP 20x event in DC, Pete Waterman, Director of the FedRAMP Program Management Office (PMO), delivered a landmark address outlining a bold, transparent, and collaborative vision for transforming the federal cloud security authorization process. His message was clear: the FedRAMP of yesterday, characterized by paperwork-heavy compliance, is no longer sustainable. Instead, the future aligns closely with the modern, agile security validation approach InfusionPoints has long championed, built publicly with industry at the forefront.
The Problem: A System Rooted in the Past
Waterman began by acknowledging the elephant in the room: FedRAMP is failing to meet the federal government's needs for secure cloud services. The process, he explained, was designed around outdated models of system deployment that are fundamentally incompatible with today's continuous integration and delivery practices.
"Modern services are continuously and simultaneously developed and implemented while being operated without downtime and without stopping. [Y]ou would[n’t] fire your dev teams today and just operate what you’ve already built… so why are we still using an approach that’s designed for that?" Waterman noted.
He emphasized that the current FedRAMP process, still rooted in a 2006-era understanding of IT security, simply can't keep up with today's rapid pace of technological innovation.
What's Staying (For Now)
Despite the big changes on the horizon, Waterman made it clear that the current Rev. 5-based Agency Authorization process isn’t going away, at least not yet. In fact, the backlog of Rev. 5 authorizations is expected to be cleared by the end of April 2025, and the PMO will continue to process new ones as they are submitted.
CSPs already authorized should continue current ConMon requirements, including monthly submissions and assessments. Providers with agency sponsorship should maintain their current authorization path; however, this approach is likely to evolve as industry and government stakeholders collaboratively develop more efficient and effective solutions.
What’s Changing: A Shift Toward Industry-Led Innovation
Waterman’s core message signals a major shift: government alone cannot solve FedRAMP’s challenges. The biggest anticipated change is a faster path to FedRAMP Ready or Authorized status, along with accelerated approvals for Significant Changes.
The FedRAMP PMO will become leaner, focusing on clear, outcome-driven security standards to empower industry innovation and efficiency. Cloud providers, infrastructure and platform providers, third-party compliance vendors, and security experts are invited to openly collaborate on developing an automated, continuously validated security model.
While agencies will continue expecting detailed monthly ConMon deliverables, responsibility now falls directly on CSPs instead of the FedRAMP ConMon team. Recognizing the increased workload and agencies’ need for continuous reporting, InfusionPoints is prepared to immediately assist CSPs, ensuring compliance and automation of ConMon activities.
Key Concepts of FedRAMP 20x
- Key Security Indicators (KSIs): FedRAMP 20x proposes replacing exhaustive spreadsheet reviews with concise, automated validation indicators. For instance, rather than manually reviewing dozens of encryption checklist items, a single KSI could confirm, “Federal data is encrypted at rest and in transit,” automatically verified through trusted tools.
- Automation First: Eliminating manual document and screenshot reviews, Waterman proposed continuous, automated security validations relying on robust, industry-driven IaaS/PaaS offerings or accredited third-party compliance services.
- Remove Barriers to Entry: He emphasized the need to lower the burden for vendors, especially startups, to experiment, test, and achieve FedRAMP readiness without massive upfront investments or waiting years for agency sponsorship.
- Community Working Groups: Four open, public working groups are being launched to tackle specific challenges:
  - Rev 5 Continuous Monitoring, to unpack Continuous Monitoring & Reporting challenges (Monday, March 31)
  - Automating Assessment of technical and management security controls (Wednesday, April 2)
  - Applying Existing Frameworks to FedRAMP controls (Tuesday, April 8)
  - Continuous Reporting to Agencies for incidents, changes, and vulnerabilities (Thursday, April 10)
InfusionPoints will actively participate and strongly encourages other CSPs, 3PAOs, and integrators to engage in and influence these pivotal discussions.
It’s crucial to note that FedRAMP 20x adjustments apply exclusively to FedRAMP itself. Programs such as DoD’s SRG, CMMC, and GovRAMP (StateRAMP) are not adopting these changes. Providers with existing Provisional Authorizations or Authorized status under those programs should coordinate directly with their Authorizing Officials and reviewers.
From Documents to Code
FedRAMP 20x will transition away from static documentation toward a dynamic "Documentation-as-Code" approach, embedding compliance directly into service deployment. This ensures continuous, real-time verification of security compliance, effectively replacing periodic, point-in-time authorizations with ongoing validation. Waterman emphasized flexibility in this transition, specifically noting that he is "not particularly invested in pushing any platform or approach," including OSCAL, leaving room for industry-driven solutions to shape the future.
Navigating Agency Concerns
Acknowledging potential resistance from risk-averse agencies, Waterman affirmed the PMO’s commitment to supporting agencies in adopting risk-based decisions through new continuous validation standards. While agency-specific authorization processes remain unchanged for now, the ultimate goal is to standardize expectations and accelerate adoption timelines. With extensive experience working directly with Agency Authorizing Officials, InfusionPoints can expertly guide you through these evolving expectations and streamline your path to achieving Authority to Operate (ATO).
A Call to Build, Together
"This is the dawn of something new. Let’s build it together," Waterman concluded. He urged industry stakeholders, including engineers, product managers, compliance specialists, and security leaders, to actively engage through public forums, GitHub discussions, and working groups. By taking a collaborative approach, Waterman believes the industry will drive tangible, rapid improvements.
Overall, FedRAMP 20x highlights security that works at scale, is validated automatically, and is built with industry—not against it.
What's Next?
The FedRAMP PMO will maintain a leaner, agile structure focused on standard-setting and community engagement. Rev. 5 Agency Authorization processes remain operational but will gradually incorporate feedback and innovations from industry-led working groups and real-world implementations.
Waterman’s vision marks a clear departure from centralized, paperwork-driven compliance to a transparent, automated, and community-driven FedRAMP, enabling secure, scalable government cloud services built collaboratively by public and private sectors alike.
Join the Shift Today
At InfusionPoints, we’ve been at the forefront of this evolution, embedding automated, real-time compliance validation into our tools and workflows. We're excited to see FedRAMP embrace the future we’ve been championing for years.
We remain committed to supporting our customers through every stage of their FedRAMP and DoD authorization journeys. To see firsthand how our tools align with FedRAMP’s vision and empower your compliance journey, explore our automated compliance solutions: