Date: 2025-09-25

Federal CIO Greg Barbaccia is backing a push to streamline the long-running FedRAMP program, as he works to accelerate the government's adoption of AI.

The federal government’s top IT official is working with agency chief information officers on a “top-tier list” of technology services that will be prioritized for accreditation.

The Federal CIO Council’s focus on key technologies including artificial intelligence comes as the General Services Administration moves to the next phase of its effort to streamline the FedRAMP cloud security program.

Greg Barbaccia, the federal CIO at the Office of Management and Budget, spoke about some of his priorities during a May 24 event in Washington hosted by the Alliance for Digital Innovation. Barbaccia gave his backing to GSA’s “FedRAMP 20x” initiative, which is focused on using automation and cutting processes to speed up authorizations.

“We’re fully committed to the GSA 20x initiative,” Barbaccia said. “It’s about moving from these paper-based compliance processes to automated ones. We want to accept existing commercial frameworks and documentation, saving you time, saving you money. And we’re building this for automation so you could do it once [and] deploy it many, many different times across different agencies.”

Barbaccia said the CIO Council is “prioritizing tech that agencies need and want most” by identifying “a top-tier list of services, including conversational AI engines.” In August, the CIO Council asked the FedRAMP program to prioritize AI tools for approval.

“If your product is in high demand and meets our criteria, we will make sure it gets the attention it deserves,” Barbaccia said. “This is our way of telling you exactly what the government wants. Too much guesswork is done in the early stages of R&D.”

The CIO’s office is also working to create a “presumption of adequacy” process for FedRAMP authorizations.

“This means agencies will accept the work you’ve already done to secure your product, and we’ll have a clearer, faster path to reuse and scale across the government,” Barbaccia said.

The FedRAMP Authorization Act, passed in late 2022, directed agencies to lean toward accepting products that have already been FedRAMP-authorized, rather than requiring additional assessment. But agencies are still able to seek additional security requirements if they feel an existing FedRAMP authorization package doesn’t meet all their security requirements.

To that end, Barbaccia said he’s working to change “cultural things” within government.

“We need to trust one another,” he said. “I promise you, I’m working very hard to get these cultural changes in place so we could put these procedural changes in place for reuse.”

FedRAMP 20x enters phase two

Meanwhile, GSA’s FedRAMP 20x project is entering “phase two” of its efforts to speed up and modernize the cloud security review process.

The initial phase of the pilot program has focused on streamlining FedRAMP “low” authorizations, which involve the fewest security controls. The pilot has found success with at least four approvals.

The goal of the second phase is to achieve 10 “moderate” level pilot authorizations. Phase two is only open to cloud services that participated in the first phase of the 20x pilot. GSA will open the submission window sometime between Oct. 16 and Oct. 23, and close it on Dec. 16.

Pete Waterman, the director of the FedRAMP program, said phase two will have “much stricter requirements” to achieve the key goals of 20x, especially for automating assessment processes through machine-readable formats.

“The expectation is that you really lean into the vision of 20x,” Waterman said at the ADI event. “Every single recommendation and requirement for 20x must be addressed.”

A big focus for phase two will be on “AI and [Governance, Risk Management and Compliance] automation capabilities with early agency adoption,” he added.

The 20x effort will include several more phases, according to Waterman’s presentation, with the goal of requiring all FedRAMP-authorized cloud service providers to transition to machine-readable authorization data by the second quarter of fiscal 2027.

FedRAMP staffing challenges

Waterman also said the FedRAMP program office is likely to face staffing constraints against the backdrop of steep cuts at GSA and a governmentwide hiring freeze.

Waterman said the FedRAMP program’s $22 million annual budget was cut in half in January and its headcount has gone from 80 to 28.

The program is aiming to grow back to 43 people in the coming fiscal year, but Waterman said “hiring is hard.”

“It is complicated,” he said. “They don’t know if we’re going to get there. It will affect our ability to deliver, full stop. Right now we have 28. We’ll see what we can do.”

On the other hand, Waterman said he feels his efforts to streamline FedRAMP have stronger support from GSA and OMB leaders today than they have in recent years.

“They care about technology,” Waterman said.

