GSA launches second phase of FedRAMP 20x backed by OMB


By Natalie Alms,
Staff Reporter, Nextgov/FCW


This next step in overhauling the federal government’s cloud security authorization program will pilot authorizations at the Moderate security level.

Greg Barbaccia, the federal chief information officer, says that the Office of Management and Budget is backing the General Services Administration’s overhaul of FedRAMP, the government’s cloud security assessment and authorization program. 

GSA launched FedRAMP 20x — meant to use more automation in place of annual assessments, cut red tape and speed up authorizations — in March. It announced its phase two pilot on Wednesday.

Barbaccia acknowledged the past problems with FedRAMP at a Wednesday event held by the Alliance for Digital Innovation. 

“I have done FedRAMP in my past life,” said Barbaccia, who previously worked at Palantir and more recently at a machine-learning enabled asset manager. “What a pain in the butt.”

The FedRAMP program is planning on pursuing 10 pilot authorizations at the Moderate security level as part of the new phase of FedRAMP 20x, said FedRAMP Director Pete Waterman.

Those pilot authorizations are not open to the public, which will have the opportunity to go through the 20x Low and 20x Moderate authorization processes under phase four of the revamp. Only those that meet all of the following can submit to take part in the phase two pilot: they submitted a complete package for phase one that was not rejected; they meet all FedRAMP AI prioritization criteria; they have governance, risk and compliance automation capabilities that can consume FedRAMP 20x information; and they provide compatible trust centers. The submission window will be from mid-October to mid-December.

Phase one focused on a new approach to Low authorization, and phase three of the effort will focus on formalizing Low and Moderate, as well as pushing wide-scale agency adoption.

These new efforts come as FedRAMP has gone from a $22 million budget to $11 million during this fiscal year. It has a $10 million allocated budget for fiscal 2026, said Waterman, though Congress has yet to pass appropriations for the upcoming fiscal year. 

The program is also down to 28 employees after losing about 50 people this fiscal year. The staffing goal for the coming year is 43 people, said Waterman, who noted that hiring is “probably going to be one of our biggest problems over the next few months.” GSA has hired new contractors and staff since July, when it was down to 20 people.

One thing that Waterman does have, he said, is leadership support at the agency and OMB levels. 

“I talked more with the previous acting GSA administrator on a week to week basis than I ever spoke with the previous GSA administrator,” he said Wednesday. “They care about technology.”

As for Barbaccia’s efforts, he said that the CIO Council is working on a “top tier list of services” that agencies need and want the most, including conversational artificial intelligence, to give “clear demand signals” to industry. 

“If your product is in high demand and meets our criteria, we will make sure it gets the attention it deserves,” said Barbaccia. “This is our way of telling you exactly what the government wants.”

Another priority is putting the presumption of adequacy into practice, said Barbaccia, who also serves as the federal chief AI officer and was recently dubbed the Service Delivery Lead under the Government Service Delivery Improvement Act.

“This means agencies will accept the work you’ve already done to secure your product, and we’ll have a clearer, faster path to reuse and scale across the government once it’s in the marketplace,” Barbaccia added, noting that the focus is on both cultural and procedural changes.