
Cloud Exchange 2025: FedRAMP’s Pete Waterman on rapid, incremental innovation

Originally published Cloud Exchange 2025: FedRAMP’s Pete Waterman on rapid, incremental innovation on by https://federalnewsnetwork.com/cloud-computing/2025/06/2025-cloud-exchange-fedramps-waterman-on-rapid-incremental-innovation/ at Federal News Network


The update to the cloud security program known as FedRAMP is taking an approach that is mostly foreign to government.

After a decade of frustration — what seemed like never-ending backlogs and new initiatives that resulted in limited changes — the Federal Risk and Authorization Management Program had little choice but to try something new.

With its FedRAMP 20x Phase One Pilot, the program management office is moving to a more elective or discretionary style of security verification rather than a prescriptive one, said Pete Waterman, director of FedRAMP at the General Services Administration.

Under the Phase One Pilot, cloud service providers can achieve a low authorization by demonstrating they meet key security indicators using automation tools instead of following a predesigned process. Additionally, a CSP does not need an agency sponsor.

Creating more flexibility in the FedRAMP authorization process

“One of the things that is unique about this pilot is that we haven’t defined the entirety of the standard ahead of time. So normally you would say, ‘We’re the government, and we want you to do these things in this way and provide us the evidence in this way,’ and this is how we’ll let someone pass,” Waterman said during Federal News Network’s Cloud Exchange 2025.

“We upended all of that. We just said, basically, ‘We want to see proof that you do these 40 important things. How you show us that proof, how you determine that proof, what that proof should look like and what is a way that is sufficiently good to earn the thumbs up on that proof is really up to you.’ We didn’t put any of that out in advance because the intent is this idea of rapid, incremental delivery, where we test this and we see what they come up with.”

That is a 180-degree turn from what the government usually does, especially when it comes to cybersecurity.

But Waterman said if the program wants to drive innovation and reimagine what cloud security authorizations look like, then the FedRAMP PMO can't presume to know best.

“If we get 15 people at different technology companies that all say we want to do it this way, then that says we’re on to something. It’s better than the government telling them what to do in advance,” he said.

“By virtue of having that lack of clear established rules, it created an environment where it’s like, who is going to participate? Who’s going to take a risk? Who’s going to spend their time, their engineers, their product managers and their designers building something that maybe they’re going to have to change — that almost certainly they will have to change at some point when FedRAMP standardizes?”

More than 30 vendors express interest in FedRAMP innovation

It turns out a lot of vendors are willing to take that risk.

More than 30 cloud service providers told GSA they want to take part in the Phase One Pilot, including 10 companies that provide governance, risk and compliance (GRC) tools.

Waterman said he was pleasantly surprised by both the overall interest of vendors who want to participate and more specifically the interest by GRC tool vendors.

“We are going to get a significant amount of data points. We’re going to understand the best way to do this, and we’ve demonstrated that there are companies out there that will step forward, try to provide these innovative solutions and bring them to the table,” he said.

“Honestly, when we first started talking about it, there were a whole lot of people that said, ‘well, they’re just announcing an idea, and nobody’s actually going to try to do that.’ And turns out, if you create a space for industry, they will fill it and they will innovate, and that’s what we’re here to do.”

The next step is to analyze the approaches participants come up with to demonstrate how they will meet the requirements of a low authorization. Waterman said the end goal is for these experiences to help the PMO settle on a standard.

“By July, we’ll have the first few authorizations done under this almost certainly. Then those, especially the GRC folks, that are coming early, they’re going to start being used by other people because they brought that technology, they got FedRAMP-authorized and now others can use them,” he said.

“In July, we’ll start working with agencies, and that becomes an adoption thing. We don’t want a situation where there’s 50 agencies that are all trying to deal with 30 different packages set up in different ways as part of this pilot. We’re going to work with agencies to identify some specific cloud services that they want — that are ready to go — that they’ll take a test with. As we go through that process, I anticipate that by the end of July, by somewhere around August, we’ll have a really good idea of what works for the cloud service providers, what works for FedRAMP, what works for third-party assessment organizations (3PAOs) and what works for agencies.”

FedRAMP to take pilot experience and apply more broadly

The FedRAMP Program Management Office will formalize the phase one findings and then provide a 12-month low authorization to those vendors that meet the requirements.

Waterman said FedRAMP teams will take what they learned and launch a moderate authorization pilot that will require vendors to meet a few more key security indicators.

“It’ll be a little bit bigger, a little bit more complicated, and then we’ll see how that goes. We will just repeat that as we get to high authorizations. Then, we go all the way back, and we start just widening that net and repeating that incrementally,” he said.

“There’s never going to be a point in time when this is done — even once we have given every single person on a path to FedRAMP authorization — because the way the technology changes, the mechanisms change, and the way that we think about this stuff changes and the adoption changes. We’re going to constantly be moving forward with this. That’s the genesis of why this originally is called 20x because the idea was that it’s going to be good for 2025, and then we’ll update it.”

The Phase One Pilot is just one of several ongoing initiatives that the PMO is pursuing as part of FedRAMP modernization efforts.

Waterman said community groups FedRAMP set up are helping drive many of these changes, whether that’s updated key security indicators, a new minimum assessment scope or revised technical assessment standards.

“We went through, started building and interacting with people in these community working groups, and we started to find a lot of opportunities where everyone had just taken some things for granted a little bit: ‘This is the way FedRAMP was going to be. Just deal with it,’ ” he said.

“People started seeing this new approach, this new attitude, and they started bringing those back up again. It caused this upswell. In the last three months, we’ve published drafts on six, seven, eight standards. I’ve got three or four more in draft right now that are coming out. We are just really pushing forward on trying to take these longstanding problems, these pain points that existed for so long that everyone just kind of got used to them and stopped complaining about them.”

FedRAMP backlog of CSP authorizations on the decline

Along with the pilots and new standards, Waterman said FedRAMP has also improved the existing process for cloud service providers already in the pipeline.

Since October, FedRAMP has authorized 95 new CSPs, including 21 in May alone. Meanwhile, 42 CSPs have received FedRAMP Ready designations, meaning a 3PAO has attested to the readiness of their security packages and they are now awaiting final authorization.

Waterman said one of the biggest accomplishments over the last several months is the reduction in the backlog of CSP packages that were waiting for final approval, dropping from 80 to 11.

“When I got here in August of 2024, we were telling people that it was going to be 26 weeks before FedRAMP would even look at their package. Many, many, many people were waiting a year or more. It was an untenable problem. And needless to say, a lot of people bent my ear about it in my first couple months while I was on the job,” he said.

“We worked with the FedRAMP board and with our technical advisory group to dig into this whole process. What we started to find was that we were triple checking everything at the PMO. It was too picky. Bluntly, we were wanting everything to just be too perfect, and it was causing too much of a problem. We spent a lot of time talking with our board about different approaches, and we started talking about moving toward a more risk-based approach, where this idea was based on every agency is still required by the law to issue an authority to operate when they reuse a FedRAMP package.”

The PMO shifted its approach accordingly: rather than trying to make every package perfect, reviewers now look for the potential issues that an agency reusing the package might miss.

He offered an example of a cloud service that was authorized by an agency.

“This cloud service was using an external, non-FedRAMP-authorized cloud service for voice over IP for incoming phone calls. That was OK for their use case because those phone calls were intended to be with the public. It wasn’t government information flowing over those phone calls, so it was fine,” he said.

“Another agency using it might make the mistake of using this cloud service for some internal stuff, and now you have federal information flowing over an unauthorized provider. In the past, that would have caused a lot of drama as we decided how to approach that. This time, we just put a note in the package that said, ‘Hey, this particular component should only be used with the public. Be aware, if you deploy this, don’t use it for internal government information.’ That’s it, and we moved forward. That let us really chip away at our review time and let us give people advice.”

Waterman said he wants industry and agency customers alike to expect rapid innovations over the coming months. He strongly encouraged CSPs to participate in the pilots and other programs. As for agencies, the FedRAMP PMO will incrementally make changes, which it will test, review and change as needed to make cloud products more accessible without losing any security rigor, he said.


Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
