The Federal Risk and Authorization Management Program (FedRAMP) is expanding its push to modernize federal cloud security with a new FedRAMP Cybersecurity Service designed to speed cloud authorizations while bringing rotating technical experts into the program.

In an interview with MeriTalk, FedRAMP Director Pete Waterman said the initiative is part of the broader FedRAMP 20x effort to move the program toward automated, continuous security validation.

At the center of the effort is the newly announced FedRAMP Cybersecurity Service (FRCS), which Waterman said will help FedRAMP scale technical expertise across agencies and industry.

“It’s not about filling a gap,” Waterman said of FRCS. “It is actually because we are about to massively expand FedRAMP’s program certification. Our intent is to take this burden from agencies, to take both initial and ongoing certification into FedRAMP itself.”

The service comes as FedRAMP 20x aims to replace documentation-heavy compliance reviews with continuous, machine-readable security validation. Waterman said the current Rev5 authorization process has become unsustainably expensive for both government and industry.

“FedRAMP did a couple of Rev5 program certifications, and it costs us a million dollars. That’s 10% of our budget right now,” he said. “We couldn’t sustain that up to a rate of 100 a year without an unheard-of injection of cash into the program.”

“With 20x, we found that we have that ability to maintain a solid throughput with a relatively smaller team,” Waterman added. “The team still needs to grow, though, to be able to manage that as we take on more.”

FRCS looks to bolster workforce

Waterman said FedRAMP first proposed the Cybersecurity Service in 2024, envisioning a rotating workforce model that would blend career federal staff with detailees and private-sector experts to keep technical expertise current.

After shifting priorities and uncertainty slowed momentum in late 2024 and early 2025, Waterman said the initiative is now moving forward with strong backing from leadership at the General Services Administration (GSA) and the Office of Management and Budget (OMB).

“Getting to the point now where we can actually start to build this out, it shows the massive support that we have in this administration and from the leadership, especially here at GSA and at OMB, to grow this and really deliver for FedRAMP and for all of the agencies,” he said.

The FedRAMP Cybersecurity Service aims to hire 15 employees for two-year terms of service. FedRAMP officially opened applications for the initial cohort of four lead cloud security engineers on May 4.

The first year, participants will spend time working with the FedRAMP team and gaining a deep understanding of the program.

In the second year, participants will receive a temporary assignment to another federal agency’s security team. There, they will help the agency better adopt cloud services while coordinating with their team back at FedRAMP.

“The concept is FedRAMP will have a core of career federal staff,” he said. “And then we’ll be simultaneously rotating in large groups of people from private sector, from agencies, from other positions, where they can bring in all the fresh knowledge.”

“This is going to be so very exciting. We’ve got so much support to make this happen. It will really bring FedRAMP forward,” Waterman said, adding, “Honestly, if we’re successful on this, this is like a proof of concept … If I can hire 15 positions in the next six months, get people on board, and start showing value, I think there’s a good shot we’re going to have support to make this even bigger.”

FedRAMP 20x aims to reduce friction

More broadly, Waterman noted FedRAMP 20x represents a fundamental shift away from static compliance checklists toward outcome-driven security practices built around automation and continuous monitoring.

One of the most consequential changes so far, according to Waterman, has been overhauling the program’s “Significant Change Request” process. Historically, cloud providers had to seek government approval before implementing changes that could affect security – a requirement Waterman argued discouraged commercial companies from participating in FedRAMP and led to isolated government-only cloud environments.

FedRAMP 20x replaced that process with a “Significant Change Notification” model that allows providers to move at commercial speed while still giving agencies visibility into security-related updates.

“That one change has led to a number of entrants into FedRAMP, including some of the top technology companies that we’re looking for wide-scale adoption right now that were not considering FedRAMP before,” Waterman said.

Waterman also emphasized that federal agencies themselves will need to rethink how they approach cloud authorizations under the new model.

“The model for agencies doesn’t change at all, but the way that agencies do it needs to change,” he said.

“We want the agency to start with understanding its actual problems, the security it actually expects, and then look for cloud service providers that meet those capabilities,” Waterman explained.

Looking ahead, Waterman said FedRAMP’s long-term success should be measured not only by the number of authorized providers, but also by how quickly agencies can adopt and retire technologies as mission needs evolve.

“We want people to use a cloud service for six months for a specific task and then turn it off because they don’t need it anymore,” he said. “We don’t want everyone locked into these things so that the number just keeps going up year after year.”

Still, Waterman suggested the most significant long-term impact of FedRAMP 20x, or what he called the “sleeper metric,” may come from the vast amount of machine-readable security data the program will generate.

That data could eventually provide the Cybersecurity and Infrastructure Security Agency (CISA) with unprecedented government-wide visibility into commercial cloud security practices, he said.

“What happens when CISA … is able to invest in governance, risk, and compliance programs that can ingest this information on behalf of the entire federal government and start really digging into that telemetry to see problems and risks and trends?” he said.

“What has the government benefited from having this unprecedented insight into how all of these commercial companies are doing security?” Waterman said. “That’s a valuable, valuable thing that’s going to be quite fun to watch.”
