FedRAMP 20x – One Month in and Moving Fast
54 comments
·May 13, 2025fn-mote
ocdtrekkie
It's a bland title for a key thing: It sets compliance standards for government use of cloud computing. Even companies like Google have had massive projects to get FedRAMP compliant so that the federal government can use their services.
See for example: https://fedscoop.com/google-earns-fedramp-high-authorization...
And this announcement is basically just that they're going to massively lower the bar.
stackskipton
I used to work on FedRamp and I’m fine with it. It’s just like SOC2 compliance, mostly dog and pony show for auditors who have conflict of interest and no clue what they are auditing.
tw04
That’s just easily and provably not true. FedRamp is absolutely not “mostly dog and pony”.
See: Okta being compromised, and their FedRamp High environment remaining secure:
https://www.meritalk.com/articles/okta-hack-didnt-touch-fedr...
hoseyor
I wish I could vote more for this.
You forgot that it costs at min $1M to get certified up to several dozen millions once everything is said and done; and that does not guarantee any government contracts or agency purchases. You have to basically be a big player that can put up the money and because by any number of the various methods of corruption, you already know that you will have government contracts waiting for you on the far side.
xvector
Anything involving auditors or policy people in tech turns into a clown show. Dunno what it is like for other industries (but my friends in pharmaceutical research feel similarly).
These are deeply nontechnical people attempting to enforce regulations drafted by deeply nontechnical people (typically academics that graduated from an Ivy but have zero industry experience, like the folks at modern-day RAND) and it's just a clown show all the way down.
estebarb
It feels like enforcing that everything must be written in Ada. And then relaxing the requirement... history always repeats itself, it seems.
solardev
Sounds like a good time to invest in Russian VPS hosts.
alephnerd
> And this announcement is basically just that they're going to massively lower the bar
The FedRAMP bar was always dumb.
I've been in the cybersecurity industry for more than a decade now, and while FedRAMP was envisioned as a way to streamline Fed cloud and security procurement, it ossified extremely quickly.
To get FedRAMP you ended up having to work with a handful of dedicated FedRAMP partners, and your development velocity would dramatically decrease as you spent most of your time dealing with compliance BS that didn't actually affect your security posture.
A lot of the innovation on the security vendor side is happening at early-mid stage startups, but sinking $15-20M and 1.5- 2 years just to get FedRAMP compliance became too much of a lift, hence incentivizing consolidation amongst larger vendors.
Spooky23
It’s mostly an easy button for procurement officers. You’re required to meet the control standards that FedRAMP requires anyway, and it saves months of the customer’s time to do it once.
Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway.
drivingmenuts
Well, it explains why all the SV billionaires were so hot to get Trump in office. Basically, a taxpayer funded payday for them.
mindslight
Trump is basically living the dream of every computer illiterate boomer who responds to a text message asking for their bank account details so stolen money can be deposited. "This cyber thing is pretty great. I've been saying this for a long time, thanks J-Kush. By the way, I said, I'm sorry for calling you 'mid' yesterday. Am I am I using that right? I am using that right. I'm not doing that to brag, because, you know what, I don't have to brag."
SomaticPirate
Everyone in startups should be a fan of this. More competition in government space is a net benefit for everyone.
Its quite funny to see the comments complaining about "lowering the bar" when FedRAMP compliance is essentially a compliance regime that is so convoluted that most startups wouldn't be able to afford the entry barrier.
Now, there is a chance that a smaller vendor could feasibility compete with a massive consultancy like Accenture since the artificial barriers have been decreased.
FedRAMP compliance are also required for SaaS vendors. Datadog is famous for having it (and it took them awhile)
transpute
Public discussions, https://github.com/FedRAMP/rfcs
RFC-0005: Minimum Assessment Scope Standard, https://github.com/FedRAMP/rfcs/discussions/17
RFC-0006: 20x Phase One Key Security Indicators, https://github.com/FedRAMP/rfcs/discussions/18
RFC-0007: Significant Change Notification Standard, https://github.com/FedRAMP/rfcs/discussions/19
RFC-0008: Continuous Reporting Standard, https://github.com/FedRAMP/rfcs/discussions/27
bluedino
Every FedRAMP/GRC cloud service seems to be some funky version that's missing features or behind on releases
tguvot
Updates of service that alter controls, change crypto libraries and some other stuff require assessment and approval. For most of companies it's easier just to update it once a year of ever
barney54
So, is there any evidence of actual improvement in anything that taxpayers care about?
Spooky23
The .gov be able to host cloud products in their tenants, and get the ability to do so more quickly. Perhaps cheaper.
It’s probably a good thing.
alephnerd
Better procurement rates.
I've been a Engineer, PM, and VC in the cybersecurity for more than a decade now, and most of us would need to spend $15-20M and 1.5-2 years just to get FedRAMP compliance.
In return, most vendors charge significantly higher than private sector rates despite selling the exact same product. And usually, an oligopoly forms per security feature.
Making it easier to have multiple vendors makes it easier for federal agencies to negotiate a competitive price.
kaydub
If it's costing $15-$20M to get a FedRAMP ATO you are probably doing at least some things VERY wrong. A ton of the security controls you should already be implementing in ANY environment.
Care to explain those numbers? Bigger places I could see racking up the costs, but those numbers seem absurd.
Just for a reference, I've been the technical side of a FedRAMP audit for 2 different companies, 1 getting a moderate ATO and the other we first got a li-saas and then later a moderate ATO to encompass more of our products.
The first company, when I started, didn't even hit $10M ARR. The audit itself, at least the first one, cost us $150k (went up to $250k the next year). I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls. The FedRAMP instance probably cost us $150k per year to run, plus probably $250k/yr in additinoal salaries. We heavily depended on free open source software, but there were definitely some tools I would've preferred to buy. Most of the controls should have already been enabled and there were only a couple which "cost" us anything.
The company I'm at now is much bigger. We're kinda a cybersecurity SaaS and we practice what we preach. Our FedRAMP audits have always gone off without a hitch. Took minimal changes to hit all security controls. It definitely helps that we're 100% cloud and cloud native though.
tguvot
I work for an established saas company with rather large and complicated system. For fedramp we had to build a new dedicated environment (because it was impossible to certify existing one which is hybrid, located in multiple countries ), hire dedicated us personal (agency requirements) and redo a bunch of internal processes to comply with fedramp controls.
I think cost was around $15m
Spivak
> I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls
That's kind of cheating, no? It's practical but "I moved the company to a hosting provider that already did all of the hard bits" understates the difficulty.
downrightmike
[flagged]
0xbadcafebee
So for ya'll who haven't been involved with DoD/secret/etc cloud projects, there's a bunch of jargon to learn, but suffice to say there's a lot legally-required standards that define the right way to run secure government IT. It's normal good practice, but cranked up, standardized, and verified.
There is a problem though. With so many companies moving projects to the cloud, the government would need to take time to verify everyone is as secure as they're supposed to be. But that would require a huge number of new employees (thus $$$) and it would still take a lot of time. So how does the government make sure they're all secure before they send them secret data? Here's a tip:
> The concept emphasizes security over compliance
Huh? How can you have security without compliance?
Afaik, "compliance" means "we make sure they're as secure as they say they are". And how do they do that? For the past few years at least, it's involved a process called self-attestation. The company fills out a bunch of forms, and sends them to the government, saying "we promise we are doing all these things like you told us to". And then the government... takes them at their word. As you can imagine, with millions/billions of dollars to earn, companies might be incentivized to fudge it a bit. And fudge it they do... (not just FedRAMP, but NIST 800-54, 800-171, CMMC v1/2/3, etc etc).
Now, with so many companies and use cases, there are obviously some things that won't apply to some companies, so it would be nice if they could avoid that red tape. With the old processes, if you were actually doing things the right way, it could take a company between 6 months and 1 year to set everything up securely / the way the govt wants it. There's a whole cottage industry dedicated to helping companies understand how the fuck to follow these regulations. But since that's expensive and time consuming.... a lot of companies just fudge it, or call a friend who knows a friend who knows a General.
That was the state of things before this "20x" version of FedRAMP was released. Personally I was not thrilled by the state of things before, but this seems to be both accelerating the process, and providing less oversight. Not great for the military, not great for national security, but really great for "industry" and any military branch getting a contract faster and cheaper than otherwise.
(disclaimer: i'm a noob in this area, but I dipped my toes in last year, and "shitshow" would be one way to put it...)
paulddraper
Most people in the security space realize there are two things you do: (1) things for security (2) things for compliance.
And the Venn diagram has less overlap than you might think.
tguvot
Fedramp 20x as of now is only for low impact services that are hosted on fedramp authorized cloud.
It's not suitable for more complicated services.
On the upside, pmo seems to stop reviewing packages. It should resolve certification delays
tw04
If there’s one thing I don’t really want to see “accelerated” it’s the pace at which our state secrets add new, unvetted technology.
“Move fast and break things” is absolutely insane for the things that let us all sleep soundly at night…
derektank
FedRAMP services, even FedRAMP High services, aren't authorized to host classified material. My understanding is that those agreements are still largely negotiated directly between the intelligence / defense services and the big providers, such as the Joint Warfighting Cloud Capability contract. FedRAMP is a program for vetting SaaS services for use by government agencies broadly. FedRAMP Moderate and High certified services are qualified to host Controlled Unclassified Information, which might be sensitive and held by either the government or private companies like defense contractors, but I wouldn't call them state secrets per se
lordofgibbons
This is a false dichotomy. There's a massive grand canyon sized gulf between "unvetted technology" and whatever the hell SAP/Oracle/Tyler-Technologies are.
paulddraper
FedRAMP can’t have classified data.
This is for a lot of very benign government tools that that are expensive, stodgy, with very little competition.
echelon
What is this, exactly?
Is this Oracle (or whomever) getting government cloud contracts without a bidding / RFP process?
Is there adequate security review being done?
_bin_
The point here is to avoid the oracles of the world getting everything. Please trust me on this one: fedramp isn’t really about security. Compliance with it doesn’t ensure it and noncompliance doesn’t preclude it. It was okay when originally released but that’s not been the case for years now.
tcfunk
Oracle was already on the FedRAMP list I think. AFAIK this is about getting smaller cloud providers approved to host government projects so there’s more options available.
ritwikgupta
This is about changing the way FedRAMP accreditation is done for any cloud service, like Box (or a new SaaS that you may create tomorrow). The FedRAMP process requires you go through a certain set of audits, meet a certain set of standards, etc., in order to be approved to host CUI (IL4/5) or SECRET (IL6) information.
Normally this can take a lot of time and monetary investment. On one hand, these processes encode cybersecurity best practices. On another hand, it keeps new companies out of the market.
It seems this effort is doing away with a lot of those processes. I hope the level of compliance stays the same.
kaydub
I'm pretty sure IL4/5/6 are all outside the scope of FedRAMP
tguvot
IL 4/5/6 actually add a bunch of additional controls and parameters on top of standard fedramp baselines
ksec
But why would any agency chooses smaller cloud providers other than Oracle, AWS, Azure and Google? They are the lowest risk selection in terms of responsibility.
Edit: Another comments actually replied it is much more than hosting but cloud services like BOX. I assume even SaaS could fall into this category.
Spooky23
They tend to converge on each other. Also the Feds may have particular needs for connectivity, location, etc.
cyberge99
To stay off the radar. To do shady stuff at a small company that you can easily control/manipulate.
tguvot
Saas is most common use case
ecb_penguin
Serious question: Why don't you spend a few minutes learning about it, rather than throwing negative comments out?
Do you think vomiting a negative talking point without understanding it is considered "smart"?
tomrod
FedRAMP is a set of technologies vetted by a common standard by GSA. It assists in moving technologies from one-off authority to operate (ATO) with a specific CIO office in an agency or department to a shared standard.
It takes some investment, but it is cheaper than each company jumping through arbitrary hoops and opens most of the federal government as a client.
It was part of the brainchild of GSA's 18F, recently DOGE'd.
You need to know what FedRAMP is. Don't even bother clicking on the link until you do.
Founded in 2011.
> The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.
Seems pretty bland to me. I'm not worried about this one.
[1]: https://en.wikipedia.org/wiki/FedRAMP