FedRAMP: Adapting to a Dynamic Landscape While Balancing Security with Efficiency

The FedRAMP program has successfully enabled commercial cloud computing adoption by Federal and DOD agencies for over 14 years, establishing itself as a cornerstone of secure cloud adoption within the government. Despite recent uncertainties and speculation within the community, it’s important to remember that the program’s fundamental principles remain strong. FedRAMP agency authorizations continue at a healthy pace, and the authorization backlog is demonstrably shrinking.

Date        Ready   In-Process   Authorized   Total   Change from Prior Period
3/14/2025      40          111          380     531          6
3/1/2025       36          119          370     525         15
2/1/2025       26          121          363     510         11
1/1/2025       23          120          356     499          3
12/1/2024      23          119          354     496         -1
11/1/2024      26          119          352     497          1
10/1/2024      28          120          348     496

Source: FedRAMP.gov and historical data pulled from the Wayback Machine

Government-wide mandates for efficiency and prioritization are driving changes across all agencies, including FedRAMP. As a program established in law to provide a standardized, reusable approach to security assessment and authorization, FedRAMP is evolving to meet these new demands. This post outlines actionable ideas that preserve the hallmarks of the FedRAMP program, which include: 1) independent testing & assessment, 2) robust continuous monitoring, and 3) strong oversight with penalties for non-compliance.

As we look at FedRAMP in 2025 and beyond, the goals should be:

  • Removing bottlenecks by streamlining processes for both new and existing CSPs to allow Agencies the choice of compelling commercial cloud solutions that are safe.
  • Reducing costs & delays by removing duplication and focusing on critical risks/controls.
  • Preserving the integrity of the independent assessment and continuous monitoring programs that are essential for robust security.

RECOMMENDATIONS

1. Greater Industry Alignment: A Cloud Service Provider (CSP) that has a valid StateRAMP/GovRAMP, SOC2 against the 5 Trust Principles, or ISO 27001/2 certification and a valid Readiness Assessment Report (RAR) conducted by a 3PAO in good standing should be listed on the FedRAMP Marketplace within 5 days of submission with a Ready designation.

Note: The Cloud Service Offering (CSO) must demonstrate compliance with specific federal requirements, including FIPS, DISA STIGs, etc., that are aligned with NIST SP 800-53 and FISMA requirements. The rapid listing in the Marketplace will allow innovative service providers to begin marketing their services to Agencies.

2. Independent Testing of Technical and Critical Controls: The NIST SP 800-53 security controls that drive the FedRAMP Security Assessment Framework are largely categorized into Management, Operational and Technical controls. A common criticism of the FedRAMP program is its focus on “compliance” versus “security” – this can be addressed by exploring ideas presented in the recent CSIS “Faster into the Cloud” report published on 16 January 2025. The CSP for a given CSO must attest to the implementation of Management and Operational controls. However, independent testing and assessment by a 3PAO are a hallmark of the FedRAMP program and must be preserved for critical and technical controls. A 3PAO should test & assess technical controls as well as FedRAMP Board mandated critical controls to generate a Security Assessment Report (SAR). By removing management & operational controls from the scope of independent 3PAO testing while keeping technical and critical controls within it, we can reduce the time and cost for both the CSP and the 3PAO while maintaining the integrity of the FedRAMP program.

3. Go from Sponsor to Informed Consumer: Agency sponsorship or Initial Agency Partnership was a great way to help seed the FedRAMP marketplace during the initial setup of the program. However, as commercial cloud computing use cases move towards SaaS, the need for an explicit partner or sponsor no longer exists. Given their FISMA obligations, agencies are required to perform their own risk assessment and acceptance, which includes both the initial ATO and ongoing continuous monitoring. An agency should be free to review and accredit any CSO listed on the FedRAMP marketplace that has a valid Security Assessment Report (SAR) delivered by a 3PAO following FedRAMP PMO provided standards. A Cloud Service Provider (CSP) willing to invest in meeting FedRAMP security requirements is at liberty to pursue listing in the FedRAMP marketplace. The FedRAMP PMO should continue to enforce adherence to FedRAMP standards by CSPs and 3PAOs to ensure the integrity of the program.

4. Move to a cATO Framework supported by 3PAOs: Shifting to an ongoing assessment model performed by a 3PAO can help provide a decentralized mechanism for agencies to get risk data on the CSOs they are using. Ultimately, the Agency is responsible for the ongoing authorization of a CSO; however, its efforts can be aided by reviewing continuous monitoring (ConMon) artifacts produced by a qualified 3PAO on a periodic basis (e.g. monthly). The FedRAMP PMO should continue to exercise oversight over the 3PAO community to ensure standardization and quality in the ConMon reporting standards. Additionally, the FedRAMP PMO should continue to support and encourage the development of standards like NIST OSCAL to streamline the information exchange among the various parties (e.g. CSP, 3PAO and Agency). Engaging the OSCAL community through the OSCAL Foundation to develop robust Continuous Monitoring standards is a potential path forward.

5. Enable AI Ready CSPs: AI CSPs that hold ISO 27001/2 as well as ISO 42001 certification, along with a valid RAR performed by a 3PAO, should be listed on the FedRAMP Marketplace as AI Ready. The NIST SP 800-53 Rev 5 control framework currently does not offer specific protections for managing data risk, model risk and AI-specific governance; ISO 42001 can offer Agencies tools to more confidently adopt and deploy commercial cloud computing-based AI systems. This should be an interim solution to jumpstart secure AI adoption, while NIST develops AI control overlays that can eventually be folded into a future NIST SP 800-53 revision.

Note: This approach will jumpstart the adoption of AI solutions by Federal Agencies while providing an initial set of guardrails. The proposed approach of developing AI control overlays was successfully used 15 years ago to develop cloud computing control overlays that filled gaps and enabled the deployment of secure cloud computing services for Federal agencies.

6. Listing Fee: To help pay for some basic services provided by the FedRAMP PMO, there should be a FedRAMP Marketplace listing fee of $1,000 per CSO per year for an initial listing and $500 per reuse listing. Similarly, each 3PAO should be charged a $2,500 fee to be listed on the marketplace. It is well known that FedRAMP.gov’s marketplace is visited globally by customers looking for secure cloud products. A listing on the FedRAMP marketplace is a valuable marketing tool for CSPs and 3PAOs. Every ATO reuse listing indicates a sale, thereby demonstrating agencies’ confidence in the product. There is clear commercial value for both CSPs and 3PAOs, which should make this nominal listing fee acceptable. Fees from FedRAMP Marketplace listings will likely generate over $1,000,000 per year to offset some costs for the PMO.