Federal CIO ‘fully committed’ to GSA 20x as it moves into phase two
The General Services Administration’s 20x initiative to improve how agencies buy cloud services has the full support of the federal government’s top IT official as it expands into its next phases.
“We promise you, we are taking everything we’re hearing from industry and from the field to heart, and we are completely moving mountains to make this process much, much better,’ Federal Chief Information Officer Greg Barbaccia said in remarks at an Alliance for Digital Innovation event Wednesday.
The event centered on progress with the 20x initiative and information for industry about the next two phases of the plan, which were presented by Pete Waterman, GSA’s FedRAMP director. Barbaccia, in a rare public appearance, provided an intro for that conversation, noting his own experience with the process and interest in fixing it.
“I have done FedRAMP in my past life, and what a pain in the butt,” said Barbaccia, who most recently worked at the underwriting technology company Theorem and previously spent 10 years at Palantir. He added that it “often has felt like a gate, not a gateway,” and called it an expensive, slow process that is not the direct pathway people hoped it would become.
“We know that if we want the government to accept and adopt incredible technology, we got to meet you halfway — ideally more — so we have to make the process more agile and predictable,” he said.
Some of the areas federal leaders are focusing on to fix that process include efforts to achieve less documentation and more automation and signaling what the government wants clearly, such as the administration’s prioritization of technology agencies want and need.
“We’re actively prioritizing tech that agencies need and want most,” he said. “We’ve been working with the CIO Council, which I chair, to identify a top-tier list of services, including conversational AI engines. If your product is in high demand and meets our criteria, we will make sure it gets the attention it deserves.”
Additionally, Barbaccia said the government is establishing a “presumption of adequacy” that translates into agencies accepting work a company has already done to secure their product. Though he also noted that there are “a lot of cultural things we need to do in the government to try to make this easier for people,” which he said he’s working toward.
The FedRAMP 20x revamp program, first unveiled in March, aims to simplify the authorization process for cloud services and cut the approval timeline from months to weeks. Eventually, agency sponsorship will no longer be necessary to obtain authorization, which is typically expensive and time-consuming under the current model.
As of July, FedRAMP had already approved more than twice as many government cloud services in fiscal year 2025 as all of fiscal 2024 as a result of the revamp program, according to the GSA.
Waterman, speaking in a fireside chat after Barbaccia’s remarks, said he considered quitting last December as a result of insufficient support for the revamp program, but the new leaders at GSA, along with Barbaccia, showed “they care about technology.”
“Greg’s not here just saying talking points because his staff convinced him to come. He’s here because he cares about this in a way that hasn’t always been the case in the past, and that means a lot to me,” Waterman said.
Waterman acknowledged hiring for the FedRAMP team at GSA is in a “tough situation,” while stating the team has been able to grow through contractors.
Next phases
As part of his remarks, Waterman announced details about the future phases of the 20x initiative. Phase two will focus on AI and governance, risk, and compliance (GRC) automation tools with early adoption by agencies. While it will not be open to the public, that phase will target roughly 10 pilot authorizations that will run from mid-October to mid-December, he said.
It will also have “much stricter requirements, especially for automation,” Waterman said. As far as eligibility, all companies that submitted complete packages for phase one that weren’t rejected or withdrawn are in the running. “We’re going to be meeting with pretty much all of you on Friday, I think, to talk about next steps on that. You can have a shot,” he said.
Starting early next year, phase three will formalize “low” and “moderate” categories, and a year from now, he said they expect to start the 20x “high” pilot.
“We want to start bringing the big players forward into 20x by the end of next year. A success measurement for us will be that every single agency has access to every single AI GRC automation tool that they need to go about their daily lives,” Waterman said.
By mid-fiscal 2027, Waterman said they expect all providers to have moved to a machine-readable format if they’re still following the current security and privacy controls for FedRAMP, known as Rev5. He acknowledged that it might be “a big lift for a lot of people,” but emphasized the importance of machine readability. Ultimately, two years from now, he said Rev5 will be gone.
Waterman said GSA would be working with OMB to make sure that every Chief Financial Officers Act Agency will have completed an initial reuse under 20x by the end of the quarter. Whether that will be achieved, he said, “we’ll see.”
“But for all of you that are talking about … the doubts and adoption, when you have some of the most in-demand technology services in the government all coming through FedRAMP 20x to be reused by every CFO Act agency in three months, you’ll know that we’re there,” Waterman said.
