Over the last year the longstanding Federal Risk and Authorization Management Program (FedRAMP) has undergone significant changes. FedRAMp was established as a way to standardize the approval of cloud technologies for government use with a uniform, government-wide framework for assessing, authorizing, and continuously monitoring cloud services to ensure security.
Before FedRAMP, each agency did its own security review of cloud vendors, leading to inconsistent requirements, duplicative work, and delays in adopting modern cloud solutions. However, with an increased reliance on these same solutions, FedRAMP was unable to keep up with demand, resulting in the very delays it was created to stop.
A New Way to FedRAMP
The FedRAMP 20x initiative was introduced in March of 2025 to speed up approval processes with the use of automation. Almost a year in, this updated FedRAMP has been activated in two phases:
- Phase One was focused on FedRAMP Low authorization, introducing an automated process focused on Key Security Indicators (KSIs) rather than the traditional NIST SP 800-53 narrative control set. Vendors meeting the KPIs were granted a 12-month FedRAMP Low authorization. Using this process, the first FedRAMP authorizations were issued in just four months.
- Phase Two moved on to FedRAMP Moderate authorizations. Participation in this pilot is by invitation only, in order to ensure the small FedRAMP staff concentrates efforts on participants that are well-positioned to achieve Moderate authorization. The focus of this phase, “quality, not quantity,” is aimed at fine-tuning automated processes, with a target of 10 approved solutions.
Phase Three, expected to begin in the first half of 2026, will formalize the first two pilots, making them available to the public as standard authorization processes. FedRAMP High authorizations will be addressed in Phase Four, which is expected to start in the autumn of 2026.
This new approach has shown early success. In the first half of 2025, FedRAMP completed 114 authorizations—as compared to issuing only 49 authorizations in all of 2024. The time for authorizations has accelerated to five weeks, improving significantly on the 12-month-plus average in 2024’s fiscal year.
The Road Ahead
All of this success has happened despite major cuts to FedRAMP staff. During the same period FedRAMP 20x rolled out, the FedRAMP staff was cut by 50 employees and had its budget reduced from $22 million to $11 million. This has left some lawmakers wondering if the changes implemented will be scalable and sustainable long term, and led to them asking for an increase in funding for the FedRAMP program management office (PMO) to ensure the progress continues. If the FedRAMP office cannot keep up its early pace, there is a risk that agencies will go back to developing their own processes and building their own cloud environments to get the technology they need fielded quickly.
It seems, however, that this concern is being addressed. In January, Pete Waterman, the FedRAMP director, previewed a new initiative called “FedRAMP Cybersecurity Service.” According to Waterman, this initiative will recruit security engineers to build FedRAMP into a world-class security program. He also stated that the program aims to increase staff to approximately 43 employees in FY 2026.
FedRAMP and Government Cloud Adoption Resources
To learn more about FedRAMP and cloud adoption in government, check out these resources from GovWhitePapers and GovEvents:
- Cloud Security Summit (April 16, 2026; Reston, VA) – The Public Sector Cloud Security Summit will convene government and industry leaders to discuss strategies for implementing secure, scalable, and compliant cloud environments that align with Federal mandates and evolving cybersecurity guidance.
- 2026 Digital Transformation Summit (April 22, 2026; McLean, VA) – Hear from high-ranking, impact-driven individuals who are setting the government up to not just catch up to commercial industry, but also to harness its tools and form long-lasting partnerships that will ensure the U.S. has the capabilities to best its near-peers on the global stage. They will share exclusive plans for next-generation evolutions in AI, cyber, user experience, enterprise IT, and more.
- Embracing Private Cloud: A Strategic Shift for Government Agencies (May 7, 2026; virtual) – Through expert-led discussions and real-world use cases, participants will learn how to align private cloud strategies with mission-critical objectives, streamline operations, and future-proof IT investments.
- FedRAMP: Evolving Standards, Emerging Challenges, and the Road Ahead (white paper) – FedRAMP, once a groundbreaking framework for authorizing cloud services, is now undergoing a critical transformation through the 20x initiative—aimed at streamlining processes, reducing sponsor burden, and embracing automation over paperwork. Yet, challenges remain, from securing agency sponsorship to helping smaller innovators break into the federal market.
- Navigating Challenges: How GovRAMP Empowers State and Local Governments (white paper) – State and local governments face mounting pressure from tight budgets, rising cyber threats, staffing shortages, and aging technology. This paper explores how GovRAMP provides a standardized, trusted framework that helps agencies modernize securely while navigating complex procurement and compliance demands.
- The Cloud Playbook (white paper) – Cloud adoption in government has evolved far beyond simply migrating workloads to the public cloud. Agencies are now rethinking strategies to balance cost, compliance, and security while building resilient infrastructures that support innovation.
- Navigating Uncertainty in Government Cloud Security (white paper) – As government agencies accelerate their shift to the cloud, they’re also navigating mounting cybersecurity challenges and operational complexities. The Institute for Critical Infrastructure Technology’s 2025 report highlights a growing “effectiveness gap” between agencies’ goals and their capacity to secure multi-cloud environments, manage regulatory requirements, and maintain operational agility.
Search GovWhitePapers and GovEvents to find even more details on cloud security for government.
