The General Services Administration will overhaul the cloud security program, known as FedRAMP, with a goal of making it leaner, less burdensome to contractors and agency customers and more reliant on automation.
A source familiar with GSA’s new strategy, who requested anonymity, said that when the agency releases details of its Federal Risk and Authorization Management Program (FedRAMP) 2025 plan on Monday, the aim is to make sure “FedRAMP is not going to stand between cloud providers and their customers any longer.”
FedRAMP director Pete Waterman is speaking at an Alliance for Digital Innovation (ADI) event in Washington, D.C. Monday afternoon where he is expected to detail the new approach.
A GSA spokesperson would not confirm details about FedRAMP 2025, saying only that the agency will release more information later this month about a new concept for how stakeholders can engage and collaborate with FedRAMP.
“GSA is recommitting itself to its founding purpose: ensuring government-wide efficiency and maximizing value for the American taxpayer. With this in mind, GSA is executing changes organizationwide in response to the Executive Orders of this administration. These changes will lead to a more effective and efficient government overall,” the spokesman said. “FedRAMP is a priority for GSA and the Technology Transformation Service (TTS). FedRAMP is redirecting resources and efforts to critical priorities that will increase government adoption of modern technology and improve the customer experience for agencies and the commercial cloud industry.”
Federal News Network has learned from multiple sources that FedRAMP 2025 will shift the program to focus only on creating and maintaining standards and policies and getting out of the business of approving cloud authorization packages, at least at the low and medium levels.
Reducing the size of the PMO
To that end, multiple sources say the program management office is ending its contracts with Noblis and The Clearing for support services. Sources say the PMO will not pick up the option on Noblis’s $64 million contract, awarded in 2024 for program management and technical support services. Noblis has held this or a similar contract since 2012.
“Noblis and its subcontractors will provide cloud cybersecurity assessment analysis, cloud architecture reviews, program and risk management, policy and guidance development, strategy, stakeholder engagement and continuous monitoring of cloud systems,” Noblis wrote in its press release announcing its 2020 award.
The Clearing won an 18-month task order worth $4.5 million in 2024 to provide support services to the PMO.
Sources say the FedRAMP program management staff will be only a handful of federal employees, who will focus on making the program run faster and more smoothly and on getting cloud services onto the marketplace more easily.
“Ending the support contracts is the outcome of the PMO no longer re-checking the work of individual assessors and agency assessment teams. If the agency completed the package, it’s done and it will get listed,” said the source. “The big complaint about FedRAMP is an agency would do the assessment and it would sit in queue until the PMO looks at it. That process took 11 months overall. That is unpalatable to everyone. The new direction for FedRAMP is it will not provide centralized services for the government.”
The source said once an agency provides the cloud service provider with an authority to operate, the PMO will do a basic check to make sure nothing is missing from the authorization package and it will get listed on the marketplace.
“FedRAMP accepted risk for the CSP and the agency, but they had no power or statutory authority to do that. Even the FedRAMP bill says they create a standardized approach for government, but nothing about accepting risks. FedRAMP is returning to its statutory authority,” the source said.
Long-time goal to improve FedRAMP
Rep. Gerry Connolly (D-Va.), the ranking member of the Oversight and Reform Committee and author of the FedRAMP Authorization Act that became law in 2023, said he’s concerned about the changes to FedRAMP the Trump administration is pursuing.
“To date, the Trump administration has not consulted Congress on changes to the program or new guidance regarding its implementation — a radical departure from the longstanding partnership between Congress and the Executive Branch on this issue,” he said in an email to Federal News Network. “Congress plays an integral role in ensuring the implementation of a program that is both efficient and rigorous. Any effort to improve these objectives must comply with current law. The beginning of this administration has been defined by chaos and a lack of transparency. This is already law. Congress must be consulted on proposed changes to the program and the administration must provide clear assurance that it will result in effective and rigorous security outcomes.”
Improving the FedRAMP program has been an ongoing goal for GSA almost since its inception in 2011. Over the nearly 14 years since, it has introduced new concepts like FedRAMP Ready and FedRAMP Tailored in an effort to reduce the time and cost for cloud service providers to achieve authorization. In July, the Office of Management and Budget issued its first update to the FedRAMP policy in more than a dozen years, detailing how it plans to address many long-standing challenges.
As part of FedRAMP 2025, GSA plans to lean more heavily into automation tools.
Sources say automating at least 80% of the current requirements is more than doable for CSPs.
A former GSA official, who requested anonymity because they didn’t get permission to talk to the press, said the big difference is the automation will happen at the agency or provider level instead of by the PMO.
FedRAMP awarded a contract to US AI for a governance, risk and compliance (GRC) tool last summer. But GSA has cancelled or is planning to cancel that contract too, sources said.
“Previously FedRAMP established a GRC tool to inject Open Security Controls Assessment Language (OSCAL) packages, but now with contracts being cancelled and the GRC no longer there, agencies and CSPs will accept the information,” the former official said. “The reason it did not happen earlier was FedRAMP had always been funded to keep the lights on with minimal staffing and trying to keep up with the demand for cloud services. But a lot of agencies are using GRC tools and vendors building in automation organically, especially the more mature cloud providers. Once FedRAMP settled on using OSCAL through its work with NIST, a lot of CSPs read the tea leaves and said this was something they wanted to invest in and they did it organically.”
Automation will bring more rigor
Through automation, FedRAMP will set standards for CSPs to meet and the agency customers and providers will demonstrate they are meeting them.
The first source offered an example of the FedRAMP requirement for a system security plan. Today, vendors must list every device and network configuration to prove they are applying encryption. That resulted in an 800-page document with a lot of screenshots. It was a lot of work, and it ended up being meaningless because such point-in-time audit evidence goes out of date so quickly.
“In the new process, it will be a requirement to say encrypt everything. Now if the CSP says they are doing that, they will need to show the code running that says everything is encrypted and give industry runway to innovate to create solutions,” the source said. “Google or AWS or other CSPs can do that already. You can click a button to become FedRAMPed on their platform. The idea is how we can use technology to solve a problem that used to be a big checklist.”
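To make the shift the source describes, from screenshot evidence to a machine-checkable attestation of an "encrypt everything" requirement, more concrete, here is an added example; it is not part of the article and is not FedRAMP's, GSA's or any CSP's code. It assumes a constructed, simplified OSCAL-style component inventory (a hypothetical JSON shape, not the official NIST OSCAL schema) and maps each component's declared properties to two NIST SP 800-53 controls, SC-28 (protection of information at rest) and SC-8 (transmission confidentiality and integrity). The property names, the component list and the approved-algorithm and minimum-TLS settings are all assumptions. A component that declares nothing for a control it is subject to fails closed, since missing evidence is a finding, not a pass.

```python
"""Added example (not the article's or FedRAMP's own code): a minimal
machine-checkable attestation for an "encrypt everything" requirement.

The input is a constructed, simplified OSCAL-style component inventory
(hypothetical JSON shape, not the official NIST OSCAL schema). Declared
properties are mapped to two NIST SP 800-53 controls:
  SC-28  Protection of Information at Rest            (storage components)
  SC-8   Transmission Confidentiality and Integrity   (network services)
A component that declares no property for a control it is subject to
fails closed: missing evidence is a finding, not a pass.
"""
import json

# Constructed sample inventory; component names and property keys are assumptions.
CONSTRUCTED_INVENTORY = json.dumps({
    "system-id": "example-saas",
    "components": [
        {"uuid": "c1", "type": "storage", "title": "customer-db",
         "props": {"encryption-at-rest": "AES-256"}},
        {"uuid": "c2", "type": "storage", "title": "object-bucket",
         "props": {"encryption-at-rest": "none"}},
        {"uuid": "c3", "type": "service", "title": "public-api",
         "props": {"tls-min-version": "1.2"}},
        {"uuid": "c4", "type": "service", "title": "internal-metrics",
         "props": {"tls-min-version": "1.0"}},
        {"uuid": "c5", "type": "service", "title": "batch-worker",
         "props": {}},
    ],
})

# Policy parameters an assessor would pin down; assumed values for this example.
APPROVED_AT_REST = {"aes-256", "aes-128"}
MIN_TLS = (1, 2)


def _tls_version(s):
    """Parse '1.2' into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in s.split("."))


def assess_component(comp):
    """Return a list of (control_id, status, reason) findings for one component."""
    props = comp.get("props", {})
    findings = []
    if comp["type"] == "storage":
        alg = props.get("encryption-at-rest")
        if alg is None:
            findings.append(("sc-28", "not-satisfied", "no encryption-at-rest property declared"))
        elif alg.lower() in APPROVED_AT_REST:
            findings.append(("sc-28", "satisfied", f"at-rest encryption: {alg}"))
        else:
            findings.append(("sc-28", "not-satisfied", f"unapproved at-rest encryption: {alg}"))
    elif comp["type"] == "service":
        ver = props.get("tls-min-version")
        if ver is None:
            findings.append(("sc-8", "not-satisfied", "no tls-min-version property declared"))
        elif _tls_version(ver) >= MIN_TLS:
            findings.append(("sc-8", "satisfied", f"minimum TLS {ver}"))
        else:
            findings.append(("sc-8", "not-satisfied", f"minimum TLS {ver} below 1.2"))
    return findings


def assess_inventory(inventory_json):
    """Evaluate every component and return flat assessment findings."""
    inventory = json.loads(inventory_json)
    results = []
    for comp in inventory["components"]:
        for control_id, status, reason in assess_component(comp):
            results.append({"component": comp["title"], "control-id": control_id,
                            "status": status, "reason": reason})
    return results


def summarize(results):
    """Count satisfied / not-satisfied findings per control."""
    summary = {}
    for r in results:
        counts = summary.setdefault(r["control-id"], {"satisfied": 0, "not-satisfied": 0})
        counts[r["status"]] += 1
    return summary


def overall_status(results):
    """The system attests successfully only if every finding is satisfied."""
    return "satisfied" if all(r["status"] == "satisfied" for r in results) else "not-satisfied"


if __name__ == "__main__":
    findings = assess_inventory(CONSTRUCTED_INVENTORY)
    print(json.dumps({"findings": findings, "summary": summarize(findings),
                      "overall": overall_status(findings)}, indent=2))
```

Run as-is, the script fails the sample system on three findings: the unencrypted bucket, the service still allowing TLS 1.0, and the worker that declares nothing at all. The last case is the design choice worth noting: an attestation pipeline that treated an absent property as "not applicable" would let undocumented components pass silently, which is exactly the kind of gap a screenshot-based package hides.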
The GSA spokesman offered a little more insight into some of these changes.
“The traditional [NIST 800-53] Rev5-based agency authorization process will remain largely unchanged; however, agencies have reached the limits of what can be reasonably automated using this approach,” the spokesperson said. “FedRAMP 2025 (FR25) will encourage innovative alternative approaches to make automation of FedRAMP authorizations simpler, easier, and cheaper for everyone while improving security continuously.”
The source said the use of third-party assessment organizations (3PAOs) will not go away, but if the vast majority of controls are using automated attestation tools, their engagements will be much smaller.
No more compliance theater?
Doug Barbin, chief growth officer with Shellman, a provider of attestation and compliance services, said the continued role of 3PAOs is unclear.
“Our experience is that you have certain smaller agencies who don’t have resourcing and they get a lot of benefit from existing packages. There are other larger agencies that have more resources to review FedRAMP packages,” he said. “There are a lot of big questions out there, including if agencies will rely more on 3PAO decisions like ISO and other certifications do? We don’t want it watered down from a security perspective.”
The first source, however, pushed back against FedRAMP losing any security rigor.
“The current process is compliance theater. What about it is rigorous?” the person said. “Anyone who has done an audit knows it changes when the auditor walks out the door. The current system is not functional. It’s broken and the new one will be better.”
The former GSA official agreed that letting machines do that compliance oversight work humans used to do will benefit the entire program.
“You also are creating velocity to get packages through the queue more quickly,” the former official said. “I think there will be some questions about that at first, but as time goes on, there is no abdication for agencies to do risk assessments. I think they will get cloud services authorized more quickly. I’m optimistic what will come out of this is a leaner and meaner program. I think it still is going to provide some security rigor for cloud services, but it may not look like what it has over the last 10-12 years, but it will still be there.”
© 2025 Federal News Network. All rights reserved.