Smarter Gov Tech, Stronger MerITocracy

Reinventing FedRAMP in the Age of AI

By David Appel, Vice President of U.S. Federal at AWS

For more than a decade, Amazon Web Services (AWS) has been at the forefront of enabling government agencies and their partners to deploy secure cloud services through the Federal Risk and Authorization Management Program, known as FedRAMP. This program provides a standardized compliance approach to U.S. federal government agencies as they adopt secure cloud solutions. AWS was the first cloud provider to achieve FedRAMP High authorization, and we supported Congress in codifying the FedRAMP program into law in 2022. Today, AWS has over 130 approved services at the High baseline and over 150 at Moderate.

The General Services Administration (GSA) recently announced FedRAMP 20x, a new compliance model aimed at modernizing the program through updated security practices. Over the past few months, experts from across AWS participated in industry working groups with other cloud providers, security experts, and agency representatives to share best practices and help shape implementation standards.

As GSA and federal IT security leaders continue reforming the program, they should consider the following recommendations:

Automate everything that can be automated. We are pleased to see GSA aim to automate compliance procedures everywhere possible. AWS is architected to be the most secure and flexible cloud environment available today. Our services already meet the rigorous security requirements set by FedRAMP, enabling our U.S. federal customers and our extensive partner network to confidently deploy cloud for mission-critical operations. With an emphasis on real-time compliance verification and automated control validation, AWS can remain a strong partner to our government customers and keep delivering solutions at scale with the highest security standards.

Enable startups and new innovation. AWS supports FedRAMP 20x’s direction toward modernizing cloud security authorization, particularly through the initiative to recognize existing frameworks, which we believe will accelerate adoption for startups and AI providers. By acknowledging certifications like SOC 2 Type II, which already validates controls for security, availability, and confidentiality over an extended period, providers can leverage these existing assessments toward FedRAMP authorization. This approach eliminates redundant documentation, creates a more efficient path to authorization, and lowers the barrier to entry for innovative cloud solutions while maintaining rigorous security standards.

Authorize secure, innovative AI. The use of AI, including Generative AI, is becoming an increasingly important tool that can help the government do more with less, thereby increasing the efficiency of service delivery to citizens while keeping cybersecurity a top priority. Through FedRAMP’s new proposed notification-based approach for significant changes, we believe that cloud providers will be able to rapidly deploy AI updates and improvements without lengthy approval processes. By significantly reducing compliance times for software services, these changes can help the federal government adopt AI solutions faster and tap into cutting-edge AI and machine learning tools for mission use. And by doubling down on proposed reforms, FedRAMP can help close the gap between a commercially deployed solution and one that is available for government use.

We believe the changes proposed by GSA, if implemented, could benefit both government and the citizens it serves. FedRAMP can further enable federal agencies to meet compliance requirements and enhance their security while realizing cost savings and greater speed and efficiencies.

We look forward to working with GSA to continue this momentum. We have been supporters of the program since its inception, and we are excited to be part of its future. By continuing to enhance FedRAMP’s security while expanding its offerings to our partners and government, we can continue to power the next generation of government innovation.