Pioneering the Future of Compliance: InfusionPoints’ Perspective on FedRAMP 20x
The recent FedRAMP 20x Community Working Group meeting brought together early adopters and innovators to reflect on lessons learned and progress made during the pilot. Among those who shared meaningful insights were Chad Spears, Director of Security Operations at InfusionPoints, and Gary Guercio, Vice President of Service Delivery at Fortreum, our 3PAO partner for the AuditShield submission. Together, they offered a candid look into what it takes to thrive in the evolving FedRAMP 20x ecosystem.
Building on Lessons Learned: Chad Spears on Strategy and Execution
Chad Spears spoke to InfusionPoints’ long-term commitment to automation and continuous compliance:
“We’ve been pushing toward a moderate authorization even before 20x was on the table. Our AuditShield framework (automated evidence collection, structured control mappings, and continuous validation) aligned naturally with the pilot’s vision.”
Chad emphasized the importance of adaptability, calling out the need to pivot quickly in response to shifting requirements:
“We had to recognize early on that what worked on day one might not work on day ten. That’s the nature of a true pilot and one of the most valuable parts of being involved in this community-driven initiative.”
When asked about team structure, Chad described the submission effort as “all hands on deck,” involving five to six engineers, advisory leadership, and executive support:
“We absolutely believe small teams can do this. The 20x model lowers the barrier to entry: if you’re focused and aligned, it’s achievable.”
From Assessment to Innovation: Gary Guercio on the 3PAO Perspective
Gary Guercio shared Fortreum’s unique vantage point as a 3PAO navigating the paradigm shift from static compliance checks to real-time validation:
“We’re not just auditing outcomes anymore. We’re validating the entire process: from how data is pulled from AWS services, to how it’s structured, to how it’s reported as Key Security Indicators (KSIs).”
In the AuditShield assessment, Fortreum evaluated everything from Python scripts and Lambda functions to DynamoDB integrations:
“It required technical depth. We reviewed live code, followed the data trail, and ensured the automation was accurately reporting status: not just pass/fail, but a spectrum of security health.”
Gary praised the speed and efficiency of the pilot process, noting:
“What would have taken six to eight weeks under Rev. 5, we did in three. With strong engineering support and clear architecture, 20x assessments can be turned around in as little as two weeks.”
Real Talk: What We’d Tell Others Starting Now
When asked what advice they’d give others considering a 20x submission, both Chad and Gary were aligned:
Chad:
“Know your team’s capacity, and their vacation schedules. But seriously, get involved in the community. Don’t sit on the sidelines. Share ideas. Learn from others. And make this a company-wide priority, not just a security project.”
Gary:
“If your team understands modern cloud environments and your federal business case is strong, go for it. If not, it might make sense to wait for the dust to settle. But either way, start engaging now.”
The Bottom Line
InfusionPoints and Fortreum’s joint participation in the FedRAMP 20x pilot is more than a compliance milestone; it’s a statement of direction. Together, we’re not just responding to a new framework; we’re helping to shape it.
Stay tuned as we continue refining AuditShield and supporting clients in real-time, machine-verifiable compliance across FedRAMP Moderate, High, and DoD IL5/6 environments.