The FedRAMP 20x Utopia: Code + Standardization

September 16, 2025

From Choke Point to Transformation

The FedRAMP PMO has set out with ambitions for 20x that are both visionary and practical. I say this because the original principle of FedRAMP, “certify once, use many,” was meant to enable cloud adoption in the public sector while ensuring that security controls are adequately implemented. It was practical, even pragmatic. What it lacked was alignment with real-world security, automation, and standardization, and that gap created a choke point in authorizations. Hence the industry’s grumbling. 20x’s vision is to reshape the way we think about control compliance, automation, and assurance: not as static checkboxes, but as living systems that adapt to modern cloud realities. But for 20x to deliver on its promise, and for the industry to succeed collectively, we need consensus on the foundations that make such a transformation possible. Without shared agreement, even the boldest ambitions risk fragmenting and falling short.

The Reinvention of Code 

The first foundational premise is this: all security controls must be machine-readable and code-based. Controls come in all shapes and sizes, and fortunately few, if any, are immune to code. Whether a control is operational, architectural, cloud-native, or third-party, it cannot remain locked in static documents or human-only processes. Code is an equalizer: it brings clarity, repeatability, and the ability to validate at scale. In an environment that demands speed and resilience, making evidentiary controls code-based is the baseline for transparency and trust. With automation and enforcement tools such as Infrastructure-as-Code (IaC), Policy-as-Code (PaC), and the Open Security Controls Assessment Language (OSCAL), organizations can build a well-rounded, code-everywhere posture: IaC declares the system’s configuration, PaC evaluates that configuration against what the control requires, and OSCAL carries the control definitions, implementation statements, and assessment results in a machine-readable format. Together these support comprehensive automation of security control review and validation regardless of the mode of the specific control.

OSCAL FedRAMP
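To make the premise concrete, here is an added example (not code from this post, from the FedRAMP PMO, or from Earthling’s platform) of controls expressed as policy-as-code: it evaluates a constructed, simplified Terraform-style plan against two NIST SP 800-53 controls (SC-28, protection of information at rest; SC-7, boundary protection) and emits OSCAL-flavoured findings bound to the SHA-256 of the plan artifact, so the evidence can be tied to exactly what was assessed. The plan contents and attribute shapes are illustrative assumptions, and the finding layout is a simplified stand-in, not a schema-validated OSCAL assessment-results document.

```python
"""Controls-as-code demo: evaluate an IaC plan against policies and emit
machine-readable, hash-bound evidence.

Constructed example. SAMPLE_PLAN is hand-written to resemble the
`planned_values.root_module.resources` section of `terraform show -json`
output; the AWS resource type names are real, the attribute shapes are
simplified, and nothing here is real infrastructure.
"""
import hashlib
import json
from typing import Callable

SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "org-logs"}},
        {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
         "values": {"bucket": "org-scratch"}},  # no encryption config -> SC-28 finding
        {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "values": {"bucket": "org-logs"}},
        {"address": "aws_security_group_rule.ssh_admin", "type": "aws_security_group_rule",
         "values": {"type": "ingress", "from_port": 22, "to_port": 22,
                    "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []}},
        {"address": "aws_security_group_rule.ssh_world", "type": "aws_security_group_rule",
         "values": {"type": "ingress", "from_port": 22, "to_port": 22,
                    "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}},  # SC-7 finding
    ]}}
}


def resources(plan: dict, rtype: str) -> list[dict]:
    """All planned resources of one Terraform resource type."""
    return [r for r in plan["planned_values"]["root_module"]["resources"]
            if r["type"] == rtype]


# Each policy returns the addresses of resources that violate the control.
def sc28_buckets_encrypted(plan: dict) -> list[str]:
    """SC-28: every S3 bucket must have a server-side encryption configuration."""
    encrypted = {r["values"]["bucket"] for r in
                 resources(plan, "aws_s3_bucket_server_side_encryption_configuration")}
    return [r["address"] for r in resources(plan, "aws_s3_bucket")
            if r["values"]["bucket"] not in encrypted]


def sc7_no_world_ssh(plan: dict) -> list[str]:
    """SC-7: no ingress rule may expose port 22 to 0.0.0.0/0 or ::/0."""
    violations = []
    for r in resources(plan, "aws_security_group_rule"):
        v = r["values"]
        if v.get("type") != "ingress" or not (v["from_port"] <= 22 <= v["to_port"]):
            continue
        world_v4 = "0.0.0.0/0" in v.get("cidr_blocks", [])
        world_v6 = "::/0" in v.get("ipv6_cidr_blocks", [])
        if world_v4 or world_v6:
            violations.append(r["address"])
    return violations


# Control id -> policy. Adding a control is adding one function here.
POLICIES: dict[str, Callable[[dict], list[str]]] = {
    "sc-28": sc28_buckets_encrypted,
    "sc-7": sc7_no_world_ssh,
}


def assess(plan: dict, artifact_name: str = "terraform-plan.json") -> dict:
    """Run every policy; return OSCAL-flavoured findings bound to the plan hash.

    The hash is taken over a canonical JSON encoding so the same plan always
    yields the same digest, letting an assessor re-check the evidence later.
    """
    canonical = json.dumps(plan, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canonical).hexdigest()
    findings = []
    for control_id, policy in POLICIES.items():
        violating = policy(plan)
        findings.append({
            "control-id": control_id,
            "state": "not-satisfied" if violating else "satisfied",  # OSCAL-style wording
            "violating-resources": violating,
        })
    return {"evidence": {"artifact": artifact_name, "sha256": digest},
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_PLAN), indent=2))
```

Running the block prints two not-satisfied findings, one naming `aws_s3_bucket.scratch` and one naming `aws_security_group_rule.ssh_world`; fixing the plan flips the corresponding finding to satisfied without any change to the policy, which is the repeatability the section is arguing for. A real pipeline would swap SAMPLE_PLAN for the output of `terraform show -json` and serialize the findings into a proper OSCAL assessment-results document.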

Industry-wide Standardization

But codification alone is not enough. The leap from controls-as-code to full lifecycle automation requires something bigger: industry-wide standardization. This has always been a hard problem, because it requires every party in the compliance ecosystem to adopt and participate in the standard in a unified way. For FedRAMP 20x to achieve its goals, providers, assessors, and all stakeholders in the control lifecycle need to align on the proposed common standard. Without that, automation remains siloed, bespoke, and ultimately limited. Standardization is what lets automation scale, travel between parties, and be recognized as trustworthy across the entire ecosystem.

20x has the ingredients to be a launchpad not only for FedRAMP authorizations but for code-based compliance and accreditation across multiple verticals. The reality, however, is that there is no Utopia, only phases of improvement and incremental progress toward a vision. And that is fine, provided we stay the course. The truth is that code is already ubiquitous, but it is not always written with controls or evidence in mind; an adopted standard is what gives it that purpose. As a practical proponent of FedRAMP 20x and its objectives, I’m excited (and optimistic) to see an evolution in codification and standardization. 20x’s ambitions can only be realized if the community embraces both of these principles. Together, they form the bedrock of a system where automation is not just possible but sustainable and universally accepted. That is the path by which 20x may move from a bold idea to an industry-wide breakthrough.

FedRAMP 20x unifies compliance frameworks.

The industry is already moving toward codifying infrastructure, operations, and documentation. Once agencies, regulatory bodies, assessors, and auditors build momentum to standardize the complete compliance and control lifecycle, we will have the foundation of a new and more efficient model.

What Should Standardization Look Like?

Standardizing control validation, evidentiary requirements, and audit processes is critical if FedRAMP 20x is to truly disrupt the current authorization model. We are all aiming for disruption in the service of progress and healthy economic activity, and rapid, validated authorizations are exactly that. Today, every authorization journey is weighed down by inconsistent interpretations of controls, duplicative evidence requests, and varying expectations across agencies, assessors, and cloud service providers. This lack of consistency slows innovation, adds unnecessary cost, and creates barriers to scaling secure cloud adoption across government.

Proper standardization means gaining consensus on every layer of a given system, from infrastructure through application and operations, and defining the precise evidence, artifacts, and formats required to prove that controls are fully implemented. By removing ambiguity (without being too narrow) and aligning the ecosystem on a single framework, FedRAMP 20x could replace the fractured, manual-heavy model with a streamlined, automation-ready one.

CodeOps automation

Real industry-wide adoption requires more than a framework on paper—it demands collective endorsement from all stakeholders in the authorization ecosystem, including federal agencies, third-party assessors, and cloud service providers. 

A standardized model must not only unify evidence specifications but also simplify them, ensuring consistency without overburdening providers with redundant or overly complex requirements. A universal and simple evidentiary standard may sound ambitious, but its benefits would be transformative. If FedRAMP 20x achieves this level of standardization, compliance and authorization processes could be remodeled across all regulated industries and certifications, making assessments faster, more transparent, and far more scalable (in a way, this is already happening). The result would be a new era in which security and compliance operate at the speed of innovation rather than being a bottleneck to it.

Side note: the open and collaborative RFC process, the deliberation, and the rapid-movement pilot that the PMO has initiated for 20x are a breath of fresh air for anyone used to the bureaucracy that some sectors are known for. 🙂

Earthling’s Approach to FedRAMP 20x

Earthling addresses FedRAMP 20x with a carefully crafted transition plan that integrates its own Earthling CodeOps™ platform alongside partner solutions such as Symetri, Snyk, Terraform, and Pulumi. Since 2016, Earthling has used Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) methodologies to automate infrastructure and operational security controls, building an extensive library of pre-engineered compliance solutions. This foundation lets Earthling accelerate adoption of the enhanced FedRAMP 20x requirements by automating control validation, evidence collection, and continuous monitoring. Through the combination of a structured 20x transition roadmap, Earthling CodeOps, and its ecosystem of partner tools, Earthling enables organizations either to fast-track their authorization process or to transition into a more resilient, fully automated FedRAMP Continuous Monitoring program.
