What’s new with FedRAMP
In the world of cybersecurity, FedRAMP has long been one of the most coveted – and challenging – levels of compliance to achieve. It’s the golden ticket to selling cloud-based software to the U.S. federal government. But it’s also infamous for being expensive, time-consuming, and downright daunting.
But that may finally be changing. Let’s break down what FedRAMP is, why it matters, and how recent updates are opening the door for hundreds, if not thousands, of companies to finally be considered for federal contracts.
What is FedRAMP?
FedRAMP (Federal Risk and Authorization Management Program) is the U.S. government’s framework for evaluating and approving cloud products for federal use.
With the government handling some of the most sensitive data in the world, the stakes for protecting it are incredibly high. And while commercial tech has moved fast, most tools aren’t built with the stringent security, privacy, and reliability requirements that government systems demand.
That’s why FedRAMP exists – both to standardize requirements and to lay out the qualifications cloud vendors need to meet so that federal agencies can safely adopt modern tools without compromising security. These requirements include:
- Strict encryption (with FIPS-validated modules)
- Fully triaged or justified vulnerabilities
- Stringent access and identity controls
- Extremely detailed security documentation (300+ pages)
- Ongoing audits and continuous monitoring
High cost, high reward
Achieving FedRAMP compliance is an undeniably massive undertaking.
The process can take several months to years, cost millions of dollars, and require dedicated teams, specialized partners, and extensive documentation. In fact, an entire ecosystem of consultants and tooling has emerged to support companies through the process.
And the work doesn’t end once you’re approved – maintaining FedRAMP status requires continuous monitoring, regular audits, and annual re-certification. It’s an ongoing investment, not a one-time milestone.
That said, the opportunity is substantial. FedRAMP unlocks access to dozens of federal agencies, long-term contracts, and extremely high-value projects. And because the barrier to entry is so high, competition is limited – making compliance a very powerful strategic advantage.
The complexity problem
Over time, FedRAMP has become a victim of its own complexity.
With increased demand, the backlog of companies waiting for approval has skyrocketed. And amid such strict requirements, even innovative products that could truly help the government have been stalled. So while the tools to improve federal security exist, many never make it into the hands of government agencies.
Enter: FedRAMP 20X
The FedRAMP team recently introduced a series of changes under the umbrella of "FedRAMP 20X", designed to streamline the process, leverage more industry voices, and enable more companies with real value to enter the fold.
What’s changing? One of the biggest pain points with FedRAMP is the manual, highly time-consuming burden of getting and maintaining your status every year. The new approach aims to automate large portions of the submission and review process, especially around continuous compliance.
A new FIPS stream
Traditionally, companies needed FIPS-validated encryption modules to be FedRAMP compliant. FIPS validation, as opposed to FIPS compliance, means the module went through a testing lab and received a CMVP certificate for the specific platform it is meant to run on. But FIPS validation can take years and is fully platform-dependent: if you run containers on several operating systems and hosts, you need to validate each combination, and every change requires re-validation. During that time, the FIPS module would accumulate vulnerabilities that couldn’t be patched – since even minor changes would invalidate the certification, rendering it non-compliant with FedRAMP requirements.
Now, as of January 2025, there are two ways to achieve FedRAMP certification:
- The longstanding validation module stream - This contains only FIPS-validated software and patches, regardless of whether more recent, unvalidated patches or updates exist.
- The new update stream - This contains the latest patches and updates to be applied to software, even if the changed software has not yet received FIPS validation. As long as re-validation is part of the POA&M, you can keep your software up to date.
The latter option doesn’t lower the bar – it simply recognizes that a truly secure system needs continuous updates and changes applied. The perception that a static approval at one point in time is the most secure is changing, and FedRAMP providing (and favoring) this stream clearly reflects this shift.
Why this shift matters
FedRAMP 20X could finally make it feasible for fast-moving, cloud-native companies to work with the federal government – without spending years and millions of dollars in the process. It means the potential for:
- Faster time to market
- More innovation flowing into government agencies
- A chance for new players to compete in a high-stakes, high-value space
- Streamlined reporting for cloud providers
What should companies do now?
If you’ve been avoiding FedRAMP because it felt out of reach, now’s the time to take a second look.
- Audit your vulnerability management: Do you have control over your vulnerabilities? Is your vulnerability management scalable?
- Explore vulnerability patching tools and vendors that can take on the burden of continuous monitoring and patching for you.
- Stay updated on FedRAMP 20X as more details roll out – the framework is still evolving.
- Consider your encryption strategy: Does the FIPS validation path make sense for you, or is being continuously clean a better fit?
FedRAMP used to be a mountain only a select few companies could climb. With these updates, the government is trying to make the process faster, smarter, and more accessible.
If your product can help the public sector, now’s the time to go after it.