If you’ve been in the security and compliance universe for the last few decades, you know that historically FedRAMP authorization has been a very long, very difficult marathon: seemingly endless paperwork, manual screenshots, hours of talking with auditors, and expensive delays. It was common to wait 12 to 18 months just to get approved. But there is reason to hope that things are starting to change and that the agonizing compliance marathon is finally coming to an end.

In our recent webinar, Josh Bressers (VP of Security, Anchore) sat down with Tanner Bailey (20X Compliance Lead, InfusionPoints) and Alex Erhart (20X Engineering Lead, InfusionPoints) to break down the highly anticipated FedRAMP 20X changes. Together, they discussed how organizations can trade the traditionally heavy compliance paperwork for automated provenance. Watch the video recap.

The “Chicken and Egg” Problem

Let’s step back and look at why this change is happening. One of the most persistent hurdles in the federal space has been the “chicken and egg” problem of securing agency sponsorship, coupled with an unsustainable time-to-market and high entry costs. You needed to find a sponsor before you could start the FedRAMP journey, but that sponsor might not become a customer until after the journey was complete. The fundamental driver behind FedRAMP 20X is fixing a broken process without lowering the security bar.

By shifting toward Key Security Indicators (KSIs), the FedRAMP Program Management Office (PMO) aims to eliminate unnecessary red tape. KSIs allow organizations to build a cohesive security story by leveraging existing cloud-native security practices they already have in place rather than forcing their architecture to fit rigid, outdated checkboxes. And the best part? The new process is designed to be faster, and CSPs can even achieve their program certification up through the Moderate level without an agency sponsor.

Automated Provenance Over Static Documents

Relying purely on static, document-heavy processes to measure compliance is a systemic problem. The days of spending hours taking manual screenshots of AWS consoles and packaging them into massive folders for a 3PAO audit are coming to an end. The panelists discussed how 20X shifts the focus from these static, document-heavy processes to machine-readable authorization packages and continuous validation.

“How can you automate your compliance for your system, as opposed to taking the compliance framework and adapting your system to fit it? You’re taking your compliance framework and saying, ‘How are we doing these things in this system we already have?'” — Tanner Bailey, 20X Compliance Lead, InfusionPoints 

Instead of an annual review where controls might slip through the cracks, KSIs can be automated to run continuously. This shift to automated provenance means that assessors validate the automation code and its output rather than manually verifying individual settings, drastically reducing audit stress. This provides real-time visibility into the health of the system via a modern “Trust Center,” allowing agencies and customers to view the continuous status of the product’s security indicators.

The Vulnerability Intelligence Gap

Traditionally, FedRAMP has focused heavily on technical security controls: things like vulnerability management or firewall settings. FedRAMP 20X is more than an overhaul of those technical controls. Do you know what happens if the credit card paying your AWS bill expires? 20X challenges traditional thinking by bringing critical “out-of-boundary” business metrics into the fold. The webinar highlights how organizations must now prove the effectiveness of their operations, from incident response tabletops and security training to ensuring that the credit card paying the AWS bill is still valid.

The discussion also covers the significant shift coming to vulnerability management. Prioritization under 20X is no longer dictated solely by a traditional CVSS score matrix. Instead, it takes a context-aware approach that weighs factors such as Known Exploited Vulnerability (KEV) status and internet reachability alongside severity. This lets engineering teams focus remediation on findings with actual business impact rather than spending cycles on low-severity noise isolated deep within unexposed systems.
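To make the difference concrete, here is an added example (not code from the webinar, InfusionPoints or Anchore) that ranks the same set of findings two ways: by CVSS alone, and by a context-aware scheme that looks at KEV status and internet reachability first and only then falls back to CVSS. The tiering rules, component names and CVE-like identifiers are placeholders invented for this illustration, not FedRAMP 20X's own prioritization logic; in practice the KEV flag would come from CISA's Known Exploited Vulnerabilities catalog and reachability from your own asset inventory or network model.

```python
"""Context-aware vulnerability prioritization (constructed example).

Ranks findings by exploitation evidence (KEV listing) and exposure
(internet reachability) before falling back to CVSS, and contrasts
that with a plain CVSS-first ordering. All data below is made up.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str               # placeholder identifier, not a real CVE
    component: str            # placeholder component name
    cvss: float               # CVSS base score, 0.0 to 10.0
    in_kev: bool              # listed in CISA's KEV catalog
    internet_reachable: bool  # component is exposed to the public internet


def tier(f: Finding) -> int:
    """Assign a remediation tier; lower number means fix first.

    These thresholds are an assumption for the example, not a FedRAMP rule.
    """
    if f.in_kev and f.internet_reachable:
        return 1  # exploited in the wild and reachable: fix immediately
    if f.in_kev or (f.internet_reachable and f.cvss >= 7.0):
        return 2  # exploited but isolated, or exposed and high severity
    if f.cvss >= 7.0:
        return 3  # high severity but unexposed: schedule it
    return 4      # everything else: backlog


def rank_by_cvss(findings: list[Finding]) -> list[Finding]:
    """Traditional ordering: highest CVSS first, context ignored."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def rank_by_context(findings: list[Finding]) -> list[Finding]:
    """Context-aware ordering: tier first, then CVSS within a tier."""
    return sorted(findings, key=lambda f: (tier(f), -f.cvss))


# Constructed sample findings; IDs and components are placeholders.
SAMPLE: list[Finding] = [
    Finding("CVE-0000-0001", "internal-batch-worker", 9.8, in_kev=False, internet_reachable=False),
    Finding("CVE-0000-0002", "public-api-gateway",    6.5, in_kev=True,  internet_reachable=True),
    Finding("CVE-0000-0003", "public-api-gateway",    7.5, in_kev=False, internet_reachable=True),
    Finding("CVE-0000-0004", "internal-build-agent",  8.1, in_kev=True,  internet_reachable=False),
    Finding("CVE-0000-0005", "internal-batch-worker", 4.3, in_kev=False, internet_reachable=False),
]


if __name__ == "__main__":
    for title, ranked in (("CVSS only", rank_by_cvss(SAMPLE)),
                          ("Context-aware", rank_by_context(SAMPLE))):
        print(title)
        for f in ranked:
            print(f"  tier {tier(f)}  cvss {f.cvss:>4}  kev={f.in_kev!s:5} "
                  f"reachable={f.internet_reachable!s:5}  {f.cve_id}  {f.component}")
```

Under CVSS-only ranking the isolated 9.8 on the batch worker comes first and the actively exploited, internet-facing 6.5 on the API gateway lands fourth; the context-aware ranking inverts that, which is exactly the reprioritization the panel describes.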

Watch the full webinar

Ready to stop guessing about your compliance?

It’s easy to be a cynic about federal compliance, but the truth is you can’t secure what you can’t continuously validate. If your team is navigating the complexities of federal compliance, looking to move away from Rev 5, or simply wanting to streamline GRC operations with cloud-native automation, this discussion provides a pragmatic framework for the future of FedRAMP.