A FedRAMP strategy for solving the cyber talent shortage
With a mandate to adopt more commercial tools for mission fulfillment, federal agencies are grappling with how to manage the need for rapid deployment with the regulatory requirements for cloud security, specifically FedRAMP authorization. Proven compliance with this rigorous framework is necessary to gain Authority to Operate (ATO) for any cloud platform or software-as-a-service (SaaS) application that processes federal data.
Facing a lengthy, complex and costly FedRAMP journey, some agencies instead opt for a proprietary approach, hosting apps in an internal cloud environment. While that can work well for agency-developed apps, it is less appealing for commercial SaaS providers who are then limited to selling customized single-agency deployments. It also limits other agencies’ access to off-the-virtual-shelf commercial innovation.
Neither approach meets the government’s goal of faster, more scalable commercial technology adoption. To overcome the hurdles and modernize the federal environment, the compliance model needs to evolve. That is both a technical and a workforce requirement.
Whether pursuing or maintaining an ATO, agency security staff commonly spend much or even all of their time on the supporting documentation. There is a highly detailed and labor-intensive administrative process for proving compliance, supported by security specialists, security engineers and information system security officers (ISSOs). Obtaining just one ATO can take well over a year.
Since each ISSO is assigned to and responsible for maintaining the security of up to dozens of systems, their bandwidth can be consumed by the documentation updates that support continuous monitoring. It is time-consuming and months may go by between reviews, increasing risk for the agency and overwhelming the security team. The intense and painstaking workload is not a path for career growth or talent retention. In the face of an enduring cyber talent shortage and higher-paying industry opportunities, this system is increasingly unsustainable.
Changes to the FedRAMP process that can ease the burden are starting to appear. The General Services Administration’s FedRAMP 20x initiative, launched in 2025, is working to accelerate the government’s FedRAMP authorization process. Commercial innovations are also emerging. One of these is known as a FedRAMP-authorized landing zone, where SaaS providers can deploy their apps into a pre-authorized cloud boundary, inheriting existing, approved security controls instead of recreating them for each app. Integrating automation enables continuous monitoring and validation of the landing-zone environment.
Once an app is FedRAMP-authorized in this way, the ATO burden for any federal agency to adopt it is significantly lower. Running apps in a landing zone also means maintaining just one platform, with all products documented in a single package that leverages inherited controls, rather than requiring individual ATO packages for each SaaS provider. This is game-changing for agency security staff who then need to spend far less time on paperwork for any newly adopted cloud system within the landing zone. In an era of government workforce reductions, enabling more work with fewer people is a win for everyone.
Innovations like landing zones and FedRAMP 20x can also free personnel time for more meaningful and interesting technical duties, such as security engineering, continuous monitoring and incident response, enhancing government job appeal to high-caliber cyber talent.
As agencies incorporate AI and automation into their ATO processes through innovations like landing zones, modern security roles will align better with industry and enable cyber talent to keep up with the latest technological advancements. Closer mission alignment can also inspire greater understanding, commitment and innovation from an entire group of employees, bringing new perspectives on solving problems and optimizing security.
For their part, SaaS vendors targeting the government will be able to use the landing-zone model to achieve FedRAMP authorization far more quickly than through the typical process, while offloading much of the risk to the landing zone itself. By inheriting the security controls already in place, vendors can avoid reinventing the wheel, which could take years or even require expensive architectural changes. This approach lowers the barrier to government market entry for many small or midsized businesses that otherwise could not qualify, expanding the number of SaaS apps that will be available to agencies.
With the abundance of commercial offerings available, federal agencies should not have to build their own commodity products to support routine work. Nor should they have to wait many months or even years to access these modern technologies. The landing-zone model gives agency information technology leaders a fast, scalable and more efficient path to FedRAMP-authorized products, maximizing limited resources while developing the skill and potential of their teams. This new approach stands to transform the way agencies adopt SaaS applications, while better aligning security, innovation and the mission outcomes our government needs to modernize.
Carrie Lee is a federal advisory board member of Knox Systems and a former deputy CIO at the Department of Veterans Affairs.