Announcing the initial 20x Phase 2 pilot participants and FedRAMP’s next steps
December 10, 2025
The FedRAMP 20x Phase 2 pilot has officially begun! Launching this pilot in the middle of the holiday season means we had to rethink our approach to collaborate with participants. This time around we’ve broken our timeline up into two different cohorts - the first cohort application period closed last week, while the second cohort application period will start in the new year.
The Phase 1 pilot could probably be summed up as a bit chaotic and overwhelming but incredibly exciting! We want to carry that sense of excitement into Phase 2, while spending a lot more time collaborating with participants and optimizing the outcome. In Phase 1, we let anyone submit a package for the pilot to maximize the footprint of participants. With that, we were able to see as many different innovative approaches as possible. For Phase 2, we’ve required cloud services to demonstrate their intended approach in advance via a pilot proposal process.
You can learn a lot more about who is eligible to participate in Phase 2 and how this process works on our 20x Phase 2 page, but with the first cohort selection completed, it’s time to announce the participants!
The following cloud services will be participating in Cohort 1 of the Phase 2 pilot:
Confluent Cloud for Government
Phase 1 Participant: 20x Low Authorized (pilot)
Confluent’s pilot proposal was textbook quality; if you only have time to watch one, we recommend you watch this one. Their proposal addressed their approach to all of the Authorization by FedRAMP Key Security Indicators (KSI-AFR) and doubled down on engineering over compliance. It’s a big shift for a team used to meeting a minimum bar like the one laid out in Rev5 to start developing innovative GRC engineering solutions to security issues from scratch, but they demonstrated what can happen when you do.
🚩Watch the Confluent 20x Phase 2 Pilot Proposal
Meridian LMS
Phase 1 Participant: 20x Low Authorized (pilot)
Meridian was an inspiring participant in Phase 1 who looks poised to continue to deliver in Phase 2. Their team’s proposal demonstrated a holistic approach to delivering on the Authorization by FedRAMP Key Security Indicators while taking automation all the way from just compliance to automatically enforcing secure configuration in some cases. Meridian has a relatively small GRC engineering team with a relatively simple product infrastructure and footprint that lets them move really fast and try all sorts of cool things.
🚩Watch the Meridian LMS 20x Phase 2 Pilot Proposal
Paramify Cloud
Phase 1 Participant: 20x Low Authorized (pilot)
Paramify’s approach to their pilot proposal was a bit more of a product demo than a pitch for how they would approach the pilot itself. This is partially because their product is designed to help other cloud services meet FedRAMP requirements… which makes it really interesting albeit a bit confusing as they dogfood their own product in the pilot. The other first cohort participants are focused on building 20x capabilities that will see them submit their own product through the FedRAMP authorization process, while Paramify is a GRC automation tool that will actually help many others adopt FedRAMP 20x.
🚩Watch the Paramify 20x Phase 2 Pilot Proposal
What to Expect in the New Year
Yesterday, FedRAMP Director Pete Waterman sent an open letter to the FedRAMP Board with important program updates ahead of the end-of-the-year Board meeting on December 18. Most of the updates were covered in last month’s post-shutdown blog post, which we strongly recommend you read (if you haven’t already). Given all the movement and updates, and in the name of transparency, we’re making this open letter publicly available:
Hey FedRAMP Board!
The last couple of months have had a few unexpected plot twists, but I’m happy to report that FedRAMP is continuing to process Rev5 agency authorization packages faster than our 30-day target and is now deep into 20x Phase 2 after releasing an extensive set of modern assessment and authorization requirements for FedRAMP Moderate pilot program authorizations.
The shutdown resulted in a big gap between meetings of the FedRAMP Board so I’m looking forward to catching up on Dec 18 to build momentum for government-wide adoption of the new assessment and authorization processes. Here are some highlights of what’s changed since our last formal meeting:
I’m now in a cardiac rehabilitation program to carefully monitor and shape the remodeling of my heart after an estimated ~20% of my cardiac muscle died during a heart attack the day before our last Board meeting. This sounds pretty traumatic but my cardiologists are expecting an effectively full recovery due to my “young age” (haha) and relatively strong indicators. I’m working to manage my own expectations for myself and the related work stress better but there’s still plenty of room for FedRAMP in what remains of my heart. ;) Thank you for the gift - it gave me a good chuckle when I got back into the office.
We started 20x Phase 2!! This pilot phase includes a massive set of complex changes and requirements that build on what we learned in Phase 1 while adding in new requirements to simplify agency reuse and ongoing authorization. All of these changes follow the direction of the law and M-24-15 to position FedRAMP as the provider of a modern government-wide assessment and authorization process for agency use. Phase 2 is expected to run through March 31, 2026 (FY26 Q2).
The Phase 2 set of 20x processes includes new expectations for Authorization Data Sharing, Persistent Validation and Assessment, providing Recommended Secure Configurations, and a massive overhaul of expectations for Vulnerability Detection and Response. It carries our recently updated processes for identifying a Minimum Assessment Scope and Significant Change Notifications forward and outlines a new path for agencies to be more traditional customers during Collaborative Continuous Monitoring. And we significantly improved our Key Security Indicators based on real-world impact and feedback during the Phase 1 pilot. All of these processes combine to successfully convey the direction FedRAMP is heading - clear, concise requirements and recommendations that cloud service providers will follow to ensure agency customers have all the information they need to make both initial and ongoing decisions about the risk of using these services.
For the last nine months I’ve intentionally been focused on external communication and industry engagement. FedRAMP needed to demonstrate that we could drive this modernization efficiently and get industry buy-in with how we’d do it. We had years of built-up negativity and lost trust to fix and couldn’t move the program forward when the majority of industry didn’t trust us. I believe that we have succeeded at establishing a new baseline of trust with industry through a combination of intense focus and collaboration, continuous transparency, and meeting with industry on their own terms in the spaces they use… but most importantly by rapidly delivering on what we talk about while continuously adjusting based on real-world feedback. That engine is now running well and it will take less effort to maintain than it did to repair.
Now, with the help of the Board, we need to do the same for federal agencies.
Driving Change in Government
The FedRAMP Authorization Act and M-24-15 effectively “patched” FISMA and the A-130 to explicitly grant FedRAMP the authority and responsibility for establishing and regularly updating the processes that federal agencies must follow when assessing, authorizing, and monitoring cloud services. They place a significant responsibility on the FedRAMP Board to ensure that these processes are adopted government-wide with consistency and transparency.
As we move into 2026, we must start building momentum government-wide to move agencies towards an updated approach to cloud services that aligns with modern law and policy. We need to empower agencies through effective use of our authority and responsibility to deploy cloud services faster and more efficiently while focusing their authorization and continuous monitoring efforts on how they use those services.
Helping Agencies Update Information Security Policies
We need to develop more explicit instructions and sample policies to help agencies navigate the new authorities and requirements placed on them in these recent changes to the law and policy. Most agencies did not meet the legislative mandate for updating their information security policies because we have not provided a clear starting point for them.
To meet this need we will create and publish sample FedRAMP policies for agency use along with plain language summaries of the new requirements and recommendations for agencies. We will also maintain a simple playbook for agency reuse that includes sample system security plans based on NIST SP 800-53 controls that cover the key security responsibilities for agencies using cloud services (such as access management, event logging, information management, user training, etc).
Engaging Agency Executives
We can’t just rely on documentation to spread the word; it’s hard enough to keep up with changes in the operating environment already. We need to continue connecting directly with agency executives and information security professionals using our existing networks, the various councils we interact with already, and the FedRAMP agency liaison program.
To meet this need we will expand our quarterly FedRAMP Day efforts to include executives from across government with targeted executive-specific sessions supported by the Board. Our first two quarterly FedRAMP Days brought a hundred agency representatives together to update the agency community and get folks hands-on with GRC automation tools, with broad positive feedback. Our FY26 Q2 and future FedRAMP Days will include separate breakouts for government IT executives to discuss agency policy updates, legal frameworks, AI adoption, and changes to sponsorship and continuous monitoring that will play out over the next year. The FedRAMP Board should lead the way and help run these sessions.
Supporting Government-wide AI Adoption
There are currently three cloud service offerings that have met the requirements for AI Prioritization that you agreed to earlier in the year and we believe all three are likely to complete their FedRAMP 20x Low authorization in January. OMB is expecting government-wide adoption of tools like this to take place rapidly, and we’re directly supporting them with these prioritized authorizations. Agencies need access to secure AI services with the right kind of information to make an assessment for their particular use cases and 20x will ensure they have it.
To meet this need we plan to provide direct guidance and review support to agency authorizing officials as part of this prioritization process. Our assessment team will sit down directly with agencies to walk them through the authorization package while coordinating with the provider in real-time to address concerns. We anticipate starting this with agencies represented by the FedRAMP Board then having your support showing information security executives at other agencies how to make a hands-on evidence-based decision using these materials.
Making Rev5 Balance Improvements Widely Available
M-24-15 mandated government-wide changes to the processes agencies follow for continuous monitoring of cloud services. We delivered a model for those changes under 20x but still need to apply many of these improvements to the current Rev5 process that will be the default for most agencies for a bit longer. Balance Improvement Releases are requirements and recommendations initially developed for 20x that we are carefully and intentionally retrofitting to Rev5.
To meet this need we plan to make the optional Significant Change Notifications and Minimum Assessment Scope available to all cloud services in FY26 Q2. At the same time we will move the Authorization Data Sharing and Vulnerability Detection and Response processes directly into Open Beta while coordinating a carefully managed Closed Beta of the Collaborative Continuous Monitoring process. All five of these optional processes should be available to all Rev5 cloud service providers by the end of FY26 Q3 to deliver nearly all of the changes mandated by M-24-15 for improving continuous monitoring.
Phased Delivery
We are currently in Phase 2 of our FedRAMP modernization project, working with industry to pilot improvements to the entire process. Phase 2 is projected to be completed at the end of FY26 Q2, when we will transition into Phase 3 - wide-scale adoption of these improvements. Phase 3 will be our primary focus during the last half of FY26, in Q3 and Q4, but the year is moving fast and we need to start planning for Phase 3 right now so we can keep building momentum, delivering continuously, and improving relentlessly. The fact that it’s hard won’t prevent us from trying.
If you made it all the way through - thanks for your dedication to this Board and see you soon! :D
-Pete
Here’s a focused look at the key highlights from the letter that Board members and the cloud community should keep on the radar:
Accepting proposals for Phase 2, Cohort 2: From Monday, January 5, 2026 to Friday, January 9, we’ll be reviewing pilot proposals from eligible Phase 2 pilot participants and will choose up to 7 to participate in the Phase 2 pilot. We received more than 3 entries during the Cohort 1 application window last week so we anticipate stiff competition to get those packages in for consideration.
Ending Phase 2 and making room for Phase 3: Each Phase 2 Cohort has a final submission deadline and that’s why we are making time for participants to pitch their proposal for immediate feedback and recommendations. Phase 2 will wrap up at the end of FY26 Q2 and we will keep things moving along as we transition into Phase 3 with wide-scale adoption of these improvements in FY26 Q3-Q4.
Advancing AI authorizations: Get ready for the true impact of AI adoption across government! We’re on track to complete the first three AI Prioritization FedRAMP 20x Low authorizations in January! For the first time in history, FedRAMP will act as a 3PAO to bring these automations to fruition, legitimizing the use of these heavily discounted, available services at federal agencies nationwide.
Partnering for innovation: We plan to build on the success of FY25’s FedRAMP Days by hosting one every quarter. We also have a few external events on our calendars, so watch for us at more industry events, and stay tuned for more podcast features.
As this calendar year comes to an end, we extend our deepest gratitude to all of our dedicated stakeholders. So many of you have been patient for YEARS, desperately wanting a faster, cheaper and more intuitive FedRAMP experience. Thanks for your incredible support and active engagement in the FedRAMP 20x modernization initiative. We look forward to continued collaboration and even greater results in the new year as we revolutionize secure cloud adoption for the entire government.
Cheers!