Balancing FedRAMP Rev5 against improvements to FedRAMP 20x

[pete-gov]

This post provides a bit more detail on our planned approach to Rev5 improvements to begin the public conversation that will continue throughout upcoming Rev5 balance improvement tests and releases. All of this is subject to change as the environment, priorities, and decisions shift; FedRAMP's standard disclaimers apply.

Note: This thread is open for discussion but is not a formal Request For Comment.

Balancing FedRAMP Rev5 against improvements to FedRAMP 20x

FedRAMP’s primary focus this year is the development of FedRAMP 20x: a modern cloud-native approach to the security assessment and authorization of cloud services used by federal agencies. This approach will open the federal market for new businesses and enable rapid adoption of emerging best-in-class commercial services by the government, but there are close to 500 cloud service providers used by the government today that are heavily invested in the traditional Rev5 approach.

The Rev5 approach will become imbalanced, unfair, and ineffective compared to 20x if Rev5 continues unchanged. A new approach prioritizing innovative solutions for incremental delivery, testing, evaluation, and improvement can take risks during development that are unacceptable for an established approach like Rev5; changes to Rev5 must be made carefully, deliberately, with intent to minimize disruption and unpredictable impacts.

Our approach to Rev5 balance improvement assumes that improvements designed for 20x should be made available for Rev5 when feasible and appropriate so Rev5 will continue to be a viable path for FedRAMP authorization while 20x is developed and expanded. As improvements are drafted for 20x, FedRAMP will consider their application for Rev5 as optional balance improvements:

• Rev5 Balance Improvement Test: Limited release of optional improvements to test and evaluate the impact, effectiveness, and benefit of the improvement for Rev5. These will often be called “beta tests” for simplicity.

• Rev5 Balance Improvement Release: Formal wide release of an improvement made available for all Rev5 authorized parties; such releases will typically be optional but may be required when absolutely necessary.

Minimizing impact to existing investment

In general, FedRAMP intends to minimize any required changes to Rev5 authorization (initial or ongoing) for cloud service providers. We anticipate the following approach for Rev5 Balance Improvement Tests and Releases:

• They will be optional whenever they can reasonably be made optional
• They will be rolled out carefully and intentionally, with backup options when feasible
• We will provide as much guidance as we can about adoption for all necessary parties prior to wide release

In general, we expect balance improvements to be positive changes that cloud service providers choose to adopt but understand there are often business reasons to maintain the status quo.

Managing impact to agencies

Things are a bit different within the government - laws, policies, and administration priorities rule the day. Federal agencies will be impacted by changes to FedRAMP and government policy just as they always have been. FedRAMP is working closely with OMB OFCIO, the FedRAMP Board, the FedRAMP Technical Advisory Group, and the FedRAMP Agency Liaisons group to manage the impact to agencies. OMB OFCIO and the FedRAMP Board are also working with the CIO and CISO councils to support.

FedRAMP has been working to improve collaborative continuous monitoring to make it easier for all agencies to meet their statutory obligations to monitor the security of cloud services that are used in federal information systems, but many agencies and cloud service providers still rely on a single lead agency to do most of the work for continuous monitoring. If a cloud service provider is still relying on a single lead agency for continuous monitoring, FedRAMP will expect the cloud service provider to coordinate with their lead agency on their participation in Rev5 Balance Improvement Tests and Releases until they transition to full collaborative continuous monitoring.

For agencies, we anticipate the following approach for Rev5 Balance Improvement Tests and Releases:

• CSPs will be required to obtain permission and support from their lead agency and/or FedRAMP to participate in Balance Improvement Tests
• FedRAMP will provide additional support to agencies and CSPs during Balance Improvement Tests
• FedRAMP will provide as much guidance as we can about adoption for all necessary parties prior to wide release

Phased rollouts

Rev5 Balance Improvement Tests and Releases will generally be made available in a carefully phased rollout. The duration of these phases will vary by projected risk and impact, and some releases may skip some of these phases or add new phases if necessary. In general, Rev5 Balance Improvement Releases will follow these phases:

1. Development: An initial standard, requirement, or change is developed (including public comment) and prepared for Rev5 testing if relevant.

2. Closed Beta: A Balance Improvement Test will be available to limited invite-only participants based on agency needs and the risk tolerances of the CSP and lead agency to begin testing the release.

3. Open Beta: A Balance Improvement Test will be available to limited volunteer participants in a carefully structured environment while the release is tuned and finalized.

4. Wide Release: The Balance Improvement Release is made available for any cloud service provider to adopt along with a supporting framework to simplify the process based on learning and improvements made during testing.

Managing optional feature sets

The current Rev5 ecosystem for FedRAMP authorizations doesn’t have a lot of variance - everyone has pretty much met the same requirements and implemented the same things in the same way from an assessment standpoint, which makes it simple for agencies. Optional Balance Improvement Releases will make things a bit more complicated as CSPs start to pick and choose which releases they adopt and when.

FedRAMP will need to develop an approach to help stakeholders manage and leverage these different feature sets. Working with stakeholders on innovative solutions to monitor, understand, and apply different Rev5 feature sets based on Balance Improvement Releases will be a key aspect of early testing. This may start with something as simple as specific identifiers for which optional Balance Improvement Releases are adopted by the CSP in the FedRAMP Marketplace and authorization package materials.

What’s next

We’re planning out our roadmap based on current staffing and the projected impact of these improvements. The following released Standards and RFCs will form the likely basis for the next Rev5 Balance Improvement Tests & Releases:

• Minimum Assessment Standard (closed beta starting in July)
• Significant Change Notification Standard (closed beta starting in July)
• Continuous Reporting Standard (pending analysis)
• Storing and Sharing Authorization Data Standard (pending analysis)

This is just the beginning, but it will also give us plenty of opportunity to work with our stakeholders to refine and improve this approach.

---

Interested in participating in a closed beta?

Cloud service providers who are interested in participating in a closed beta may email rev5@fedramp.gov to discuss participation with the FedRAMP team directly.

[nickson56]

It looks directionality on-point. Look forward to the details.

[C-Cruse-MSI]

I agree completely. Really excited to see the details coming out of the closed beta items starting next month. Ideally, these will be very valuable as on-ramps into the 20X authorization process once the Rev. 5 auths are transitioned in the future.

[KimberlyDE]

I'm just getting up to speed with the latest blog posts and appreciate all the great work being done. As I'm catching up, I wanted to clarify a couple of points regarding the Cloud Service Providers (CSPs) that are eligible to participate in the upcoming Beta phase for Rev 5 improvements.

Are CSPs required to be fully FedRAMP Authorized at this stage, or is a “FedRAMP Ready” designation sufficient for them to take part? Additionally, I want to confirm whether only CSPs that have an agency sponsor are eligible to participate in this Beta round, or if there’s any flexibility there.

[pete-gov]

The question around FedRAMP Ready is excellent and one I will admit we have not explicitly considered in advance. I'm inclined to say that it makes a lot of sense for FedRAMP Ready folks to participate in the Beta phases if they are interested, but I need to talk this over a bit more with my team. Same for active authorized CSPs without lead sponsors.

When we post formal requirements/etc. for each Beta phase, I will make sure it's clear either way. Thank you for flagging!

[bhildebrandt-adobe]

As an organization maintaining several Rev5 agency authorizations, we support this path. We expect that leveraging these new streamlined processes would reduce overhead both for us as a CSP as well as all the agencies we engage with as a part of multi-agency continuous monitoring. To this end, we suggest considering giving CSPs the opportunity to self-enroll in these Rev5 Balance Releases ahead of the proposed phased rollout, provided the CSPs have agency approval documented in their continuous monitoring charters. Alternatively, we would welcome quicker adoption of the Balance Releases and would be interested in joining a closed beta phase once more information is available.

[pete-gov]

It is fantastic feedback that we should start taking Open Beta applications well in advance of finishing Closed Beta. Rolling beta applications are certainly a common play in industry. And we should certainly encourage folks to let us know if they are interested in Closed Betas in advance of their being officially open. Thanks for suggesting this! (informally, doesn't hurt to just drop us a note at rev5@fedramp.gov either way, though we're not fully set up to process that inbox yet, someone will see it)

Overall, this idea is new (to FedRAMP at least) so we're going to start carefully and gauge impact/effort/risk/etc. and adjust. Six months from now there will hopefully be a bunch of 20x improvements that need to be balanced over to Rev5, so running these deliberate balance improvement tests will be a continuous effort.

[bhildebrandt-adobe]

Thank you, Pete! We appreciate your work to ensure that Rev5 Balance Improvements are rolled out in a timely manner that reduces disruptions. We will certainly reach out to show interest in closed betas as future ones come up based on product fit and feasibility.

[Leah-GovRAMP]

First, kudos on the proposed updates to the significant change notification process and scope interpretation technical assistance!

Thinking about continuous reporting requirements (including significant change process) and recognizing providers may have multiple monthly meetings with various customers, GovRAMP is available for our member providers and federal agencies to leverage to streamline reporting in a centralized portal. This would enable providers to schedule their meetings to coincide with an established reporting frequency (i.e. no more than X days after reporting) with the added validation of the GovRAMP PMO’s review. FedRAMP team members could also be included as desired. This is entirely free for the public sector to leverage.

For providers in both the FedRAMP Marketplace and GovRAMP program, a pilot could be beneficial to explore. As always, happy to discuss further.

[pete-gov]

For providers in both the FedRAMP Marketplace and GovRAMP program, a pilot could be beneficial to explore.

GSA can't endorse or provide support that would give any non-governmental entity an unfair advantage but in general we strongly support and encourage industry stakeholders to partner up and work on shared pilots and solutions via whatever mechanisms make the most sense to them! It is much more effective than individual providers trying to figure things out on their own. 🚀

[Balsinawi]

Excellent work, team! I really appreciate the KSI approach—it clearly enhances the PMO’s ability to assess compliance and manage risk across CSPs’ SaaS and other cloud offerings.

Quick clarification: As both a CSP and a 3PAO, are we correct in assuming that we must continue to manage risk and compliance in alignment with NIST 800-53 and 800-53A, and still develop the full FedRAMP package—including the SSP, SAR, test case workbooks, plans, policies, and procedures? (This also includes generating OSCAL outputs for the SSP, POA&M, and SAR.)

From my understanding, the KSI framework serves as an overlay after completing the standard FedRAMP requirements, helping to streamline and summarize the package for a more efficient assessment and authorization process. Is that accurate?

Follow-up question: As a GRC platform provider, should we plan to develop a KSI-compatible output that maps findings into the KSI structure to take advantage of automation and reporting efficiencies?

Additionally, one of the challenges in the past has been the strict requirement to adhere to FedRAMP’s standardized templates—such as the SSP, appendices, and POA&M. Would the KSI framework provide more flexibility in how we generate and present these outputs, particularly from a GRC tooling perspective?

Thanks in advance for the clarification—I'm trying to work backwards from the desired end state to determine how our FedRAMP-accredited GRC platform should evolve its workflows and reporting to align with the advancements introduced in FedRAMP 20x. Many thanks again for all the hard work going into this!

[pete-gov]

20x vs Rev5 are separate paths to authorization. The 20x process is still being developed as part of the Phase One Pilot and will ultimately build an overall package that is very different from a Rev5 package. Both paths will be open for some time, meaning a cloud service provider will be able to choose which type of path and package they wish to pursue. KSIs will not be ported back to the Rev5 based process, unlike other 20x improvements.

All of FedRAMP's pilots and beta tests are designed to support innovative solutions that allow a lot more freedom than normal to develop special structures, patterns, etc., but the intent is to drive towards a more standardized solution before wide release based on what we learn. I don't think we'll ever drive back towards "fill out this spreadsheet exactly like this" but there will certainly be standard expectations.

You can get a good feel for where we're going right now by digging into the other standards that we're updating as those will trickle down to Rev5. Significant Change Notifications, Continuous Reporting Standards, Storing and Sharing Authorization Data Standards, etc. are all going to benefit from new capabilities added to GRC tools.

[C-Cruse-MSI]

Do you anticipate the latest RFC https://www.fedramp.gov/rfcs/0012/ (FedRAMP Continuous Vulnerability Management Standard) being added to the Rev5 Balance Improvement Tests & Releases list (above) at some point in the future? If so, can you forecast when that might come?

[pete-gov]

Yes. I need to rebalance our roadmap around that release at the end of this week, but it would probably be a closed beta starting in late September or early October (RFC closes on August 21, then I'm sure we'll need a couple weeks to finalize, then organize the closed beta).

[C-Cruse-MSI]

Thanks Pete! Appreciate the transparency as always.

[yflop]

I unfortunately built this before RFC-0012 so will need to make some updates.
GoComply/fedramp#29

[meagankwhite]

I know I'm tardy to the party, but I have a question about the "Optional" BIRs with the phrase "Providers MUST plan to address all requirements and recommendations in this process by the end of the Open Beta on May 22, 2026."

I worry I am being too pedantic, but does this mean that ADS, VDR, and CCM will be Mandatory for all Rev 5 Authorized Providers after the Open Beta closes, that CSPs will need to have plans in place, or that they remain truly optional after 22 May?

I also asked this question on the help desk, but thought others might benefit from this clarification as well. At least anyone as pedantic as myself.

[meagankwhite]

I found the answer to my own question at 52:41 in https://www.youtube.com/watch?v=903F2Tis-14
Summary: No, the "Provider" in the sentence refers to "Providers participating in the Beta" NOT to "Rev 5 Authorized Providers". Is there any chance you could update the BIR language to show this, please?

[pete-gov]

All of these docs are structured with an Overall Applicability section that explains if it's optional or mandatory - if it's tagged as optional then by definition any use of providers inside that only applies to people who opt-in. It would be terribly duplicative to constantly state "Providers participating in the beta" through the entire BIR.

That all said, I'll do some rewording of the Effective Date(s) & Overall Applicability for Rev5 section to hopefully clarify this a bit since a lot of folks have expressed concern about the phrasing/context.

[meagankwhite]

Thank you. I know from watching the videos and reading the updates that the PMO is moving the FedRAMP process away from one based on legal-ese and towards one of reasonable understanding and risk-based decision making, but a big part of me is still trying to interpret everything in the old legal-ese.

[pete-gov]

I reworked the wording in the Optional Implementation warning on this page to say:

All requirements in optional Balance Improvement Releases only apply to providers that are adopting the Balance Improvement Release.

(I didn't want to do it everywhere but hopefully having it just there will be sufficient to help folks feel like FR isn't trying to sneak anything past anyone ;)

[ElaineFR]

Hi @pete-gov ! Question: I hear that FR20x High will not be available for pilot entries till 2027. If that is the case, I imagine that Rev 5 is the only path to High at the moment. Can you please confirm? And is there any more information on the timing for FR High pilot opening?

[pete-gov]

Current plans for phased delivery of 20x are on the website here: https://www.fedramp.gov/20x/#phased-delivery-of-fedramp-20x

Ye olde disclaimer applies x1000 to future phases. At the moment I would say we're far more focused on consolidation and adoption at Moderate than developing 20x High, so don't expect much talking about it until we're halfway through Phase 3 at least.

[ElaineFR]

Okay got it, thank you! 🫡

[meagankwhite]

Hello @pete-gov I have a couple more questions for you!

1. My CISO wants to know if the VDR timelines are in "calendar" days or "business" days.
2. Can you please clarify if the VDR Timelines are for Low-Mod-High CVSS V3 Scores or for Low-Mod-High FedRAMP Rating? I'm pretty sure it's the latter given how the document is formatted, and the broad definition of vulnerability provided, but I want to be sure!

[pete-gov]

1. My CISO wants to know if the VDR timelines are in "calendar" days or "business" days.

Calendar days. We just say days for days. If a timeline is in business days it says business days. :)

2. Can you please clarify if the VDR Timelines are for Low-Mod-High CVSS V3 Scores or for Low-Mod-High FedRAMP Rating? I'm pretty sure it's the latter given how the document is formatted, and the broad definition of vulnerability provided, but I want to be sure!

Ah, yes, the Low, Moderate, and High tabs are based on the FedRAMP authorization. The severity of the vulnerability is addressed everywhere else.

[meagankwhite]

Thank you!

[vlmccarty]

I am currently completing the Significant Change Notification Participation Form and had a question regarding the "Agencies POC" field. Could you please clarify the level of detail required for this section? Specifically, are you looking for:

• Full names only?
• Names accompanied by official government email addresses?

Additionally, a brief overview of how this contact information will be used would be greatly appreciated to ensure we adhere to our internal privacy and data-sharing policies. Thanks!

[paulagosta]

Name of your government POC for each agency will suffice.

We will not contact the agency POC unless there is some issue that has been identified.

We are using the overall information to track who has transitioned to SCN. We may, in the future, add a field to marketplace to identify who has implemented which optional BIRs, but for now it is solely used for internal metrics.

Hope this helps.

[vlmccarty]

Thanks, Paul!