
GSA unveils FedRAMP revamp with automation, private sector in mind 

Pete Waterman, the program’s director, said GSA intends to “collaborate with industry to drive the solution” as it makes changes to the program.
[Image: FedRAMP website (FedScoop)]

FedRAMP is getting another overhaul, one that will involve far more automation and a greater role for the private sector, the program’s chief announced Monday.

Through FedRAMP 20x, the General Services Administration-based team focused on the program aims to simplify the authorization process and reduce the amount of time needed to approve a service from months to weeks, Director Pete Waterman said during an Alliance for Digital Innovation event. The private sector will also have increased responsibility over monitoring of their systems, he noted. 

In a critical change, agency sponsorship will — eventually — no longer be necessary to win authorization. For the time being, companies must find a federal agency to shepherd them through the FedRAMP process, which can be time-intensive and expensive. 

“This is a thing that we need to build, we need to understand, we need to figure out,” Waterman told FedScoop after the event. “As people hear about changes, they tend to leap forward to conclusions based on past discussions around goals from the past, goals for FedRAMP, goals for agencies, and none of those apply in this environment.”


He continued: “We’re building something new from first principles, and what that looks like is going to be different. So don’t get ahead of the game — participate in the working groups, follow along with us in public and help us shape something that works for everyone.”

During the event, Waterman said GSA wants there to be value for companies pursuing FedRAMP authorization so that civil servants can access what the industry builds out. He emphasized that instead of the government deciding what is best, “we’ll collaborate with industry to drive the solution.” He pointed to manually reviewing spreadsheets for assessing security as a thing of the past. 

One major priority is updating security standards and getting through FedRAMP’s authorization backlog by the end of April. 

Waterman told FedScoop that he believes the team at GSA can solve the problem that FedRAMP’s mission addresses without relying on large language models. He described earlier AI models as “simple scripts that checked the output of systems,” and said that in that sense the team is encouraging the use of AI.

“I expect we will significantly be relying on AI to develop that code and those processes and those systems,” he said. “Especially using the new GSAi tool that is available to many of us at GSA to simplify and automate aspects of our job, which will allow us to do more, focus, produce more code and be more efficient as we go about our work.” 


FedRAMP will move from a “baseline checklist” approach and instead use key security indicators as an “abstract layer” to align government compliance and modern security best practices, Waterman said. He pointed to the example of encryption, which could be measured by a compliance tool, built into code, or ensured through services that override non-encrypted communications to meet that goal, rather than having a person “looking at a spreadsheet.” 

Instead of having humans reviewing paper-based records, “machines” will provide validation capabilities, he said. “If you build validation software, you won’t be excluded anymore,” Waterman explained. 

As a first step, FedRAMP has launched four community working groups, which give the public a chance to share feedback, and focus on creating “innovative solutions” to formalize the program’s standards. 

In the meantime, Waterman said existing baselines will remain in place and there are no immediate changes to the program.

It’s not yet clear how companies, assessors, and agencies that work within the FedRAMP structure will respond to the changes, though some initial reactions from cloud service providers were positive. Brian Conrad, the authorizing authority liaison at Zscaler and the former acting administrator of FedRAMP, called the move “a promising step.” Jessica Salmoiraghi, who represents the Business Software Alliance, a technology industry trade group, similarly said the pivot was an “encouraging sign.”


But there may be opponents to the new approach. Immediately after Waterman spoke, Rep. Gerry Connolly, D-Va., released a statement criticizing the Trump administration for not consulting Congress on changes to the program.

“To date, the Trump Administration has not consulted Congress on changes to the program or new guidance regarding its implementation — a radical departure from the longstanding partnership between Congress and the Executive Branch on this issue,” said Connolly, ranking member of the House Committee on Oversight and Government Reform. “Congress plays an integral role in ensuring the implementation of a program that is both streamlined and rigorous. Any effort to improve these objectives must comply with current law.”
