After a year of talks with industry on how to improve the program, FedRAMP is turning inward. Leaders of the government’s cloud security assessment program say they’re increasing their engagements with federal agencies and the Office of Management and Budget as they continue to work toward a faster, less costly version of the program, called “FedRAMP 20x,” but that they’ve already made significant improvements.

The focus on industry over the past year had a lot to do with the fact that agency budgets and personnel have been in a state of flux since the start of the new administration, said Pete Waterman, the director of the FedRAMP program at the General Services Administration.

“We saw that coming really early here at GSA, and we chose to focus on working with industry partially because we just weren’t sure who was going to be here in a year and what agency missions would look like,” he said.

But Waterman, speaking recently at an event hosted by the Digital Government Institute, said a lot has stabilized in recent months.

“People are a little bit more clear about what they’re doing, what they have to work with, what type of tools and capabilities they need. So our program is really going to be focusing over the next three to six months on working with OMB and with the FedRAMP board to directly engage with agencies at the executive level, via the councils, via a bunch of federal sprints that are being run by OMB, as well as engaging more and more at the practitioner level,” he said. “As the direction has taken shape and we started to deliver on results and build this thing out, the attitude has shifted. People are now starting to see the new FedRAMP as something that will give them access to tools that they need.”

And Waterman said a lot has changed in the year and a half since the Office of Management and Budget released a new policy that led to FedRAMP modernization a dozen years after the program’s inception. Above all, the program is managing to authorize more cloud technology offerings more quickly — and with fewer staff and a smaller budget. He said the changes came after officials concluded the program was “stuck,” with more than a hundred services waiting in a backlog for their final FedRAMP assessments.

Refocusing on final assessments

Waterman said dealing with that required some significant changes in the program’s staffing priorities.

“At the end of 2024, FedRAMP had more than 80 combined staff, but less than 20 people working on assessments. So we realigned our budget and staffing to make sure almost everyone would contribute directly to our core mission, which was that final assessment. Six months later, we had eliminated the backlog, and at the end of FY 25 our average review time had dropped from a year to under 30 days, which is where it remains today,” he said. “Even though FedRAMP is at the lowest staffing level and budget in more than 10 years, we have more staff dedicated to final assessment than ever before. That’s an example of how we’re truly mission focused.”

Next, he said, officials thought it was important to reset their relationship with the IT industry. That’s what FedRAMP has spent most of the last year doing.

“Industry was fed up with FedRAMP, expressing continuous frustration, not just to us, but to Congress and senior administration officials. Industry was struggling to parse unclear intentions and generally feeling disconnected from the program,” he said. “So to address that, instead of keeping our cards close, we put them on the table. For trade associations that regularly work with FedRAMP, we established a new norm of accepting any invite to speak — unscripted, directly with their members. We also maintain a living roadmap that is updated every two weeks. We wrote intentional monthly blogs to highlight our activities. We hosted two government-wide FedRAMP day events with over 100 federal employees, and we hosted over 15 public events ourselves. We ran carefully crafted pilots with industry, and the whole time sharing the results publicly and continuously. We expanded our request for comment process to get feedback on nearly 20 new processes. So today, industry feels a bit more like a trusted partner in the program, because they are.”

But central to the successes has been a significant overhaul of how the program conducts its assessments.

Piloting a new assessment approach

FedRAMP conducted its first pilots under the new approach last year and is about to begin a second round. The new version lets vendors take credit for the security features they’ve already built into their products — rather than mostly asking them to describe how they fit into the government’s requirements.

Before, Waterman said, the process was forcing vendors to leave some of their leading security improvements out of the versions of technology they offered to the government. That change, he said, has actually led to more robust security assessments.

“We’re talking about taking what used to be a once-a-year process where we asked people, ‘Tell me about this thing, paint me a picture,’ to, ‘You need to build real, true, validated capabilities that will demonstrate the metrics and performance of your security program over time,’” he said. “Which would you rather have? A description of how someone plans on maintaining their program, or months, years, decades worth of pure security data showing ground truth of the decisions they made, good and bad?”

But over the long run, Waterman said officials hope a more robust assessment process will also be easier for vendors to navigate — with the assessment process itself built on a cloud-native platform.

“Because so many businesses are built on cloud-native platforms where a lot of these activities are already being done via automation, via infrastructure as code, via APIs that they’ve built and run, it will be easier for people to develop those capabilities and then reuse them across cloud services,” he said. “So we see one company create a program that lets you attest to how you manage your infrastructure and how those changes flow through your change management pipeline all the way out to your deployed infrastructure. Then other companies that use that same process can leverage that, and they don’t have to build it.”

Earlier this month, the program office released what officials think will be the final six requests for comment, with the final deadline for feedback set for March 11. Waterman said that once those changes are firmly in place, the “transformation” of FedRAMP will be essentially finished from a policy perspective — and the program office will spend the rest of the year focusing on implementation.

