Unchained
Security Blog

What FedRAMP 20x Means for You

Aaditya Jain, Senior Product Marketing Manager

Last week, the FedRAMP program management office (PMO) announced a new initiative, FedRAMP 20x, which is meant to streamline the authority to operate (ATO) process. While the PMO did not announce any concrete changes to the ATO process, there is one clear theme underpinning FedRAMP 20x: automation. The PMO emphasized that the core security and compliance controls for ATO are not changing, but the automated validation of those controls – a stark contrast to the current manual, paper-based approach – is coming.


Here at Chainguard, we’re excited about FedRAMP 20x—an ATO process based on continuous, automated validation enhances our value proposition of building secure-by-design software that meets FedRAMP security controls by default. All Chainguard Containers are built with FIPS-validated cryptography and OS-level STIG hardening out of the box. And importantly, all of our containers are minimal, CVE-free, and guarded under a best-in-class CVE remediation SLA (7 days for critical, 14 days for high, medium, and low) that enables customers to meet FedRAMP’s CVE remediation requirements (30 days for critical/high, 90 days for medium, and 180 days for low).


Ultimately, Chainguard Containers are the best solution for independent software vendors (ISVs) looking to meet FedRAMP’s controls for container security by default. In an automation-first world, Chainguard further simplifies FedRAMP requirements, which helps achieve the goals of FedRAMP 20x, and enables ISVs to get to market faster. Chainguard is looking forward to working with all the FedRAMP stakeholders – the PMO, federal agencies, hyperscalers, and ISVs – to ensure that the U.S. government benefits from private sector innovation, without sacrificing security standards.


Deeper Dive into FedRAMP 20x


The primary focus areas of FedRAMP 20x are to 1) lower the time, cost, and complexity of FedRAMP authorizations, and 2) introduce more software-defined automation for FedRAMP’s continuous compliance monitoring process. The Director of FedRAMP, Pete Wasserman, talked at length about these core thematic areas of change. As of now, the PMO has not made concrete process changes to FedRAMP ATO, but Chainguard is committed to being your partner as the requirements evolve. Here’s where things stand:


  1. The existing agency-based authorization path as outlined in FedRAMP Rev. 5 remains the sole active path to ATO. There are no changes planned to this process at this time. 

  2. The core security controls and compliance requirements as outlined in FedRAMP Rev. 5 are not changing. That means companies building containerized applications for the federal government are still required to manage, remediate, and report CVEs, implement and enforce FIPS-validated cryptographic algorithms, and harden their software based on security technical implementation guides (STIGs). 

  3. The sponsoring agency and authorizing official (AO) still carry significant responsibility when it comes to accepting your compliance package and its associated risk. With the FedRAMP PMO and Board taking less of an active role in reviewing Rev. 5 packages, agencies and the AO will take on an even greater burden. So regardless of whether FedRAMP 20x changes the accreditation and continuous monitoring process, your AO may still point to the original FedRAMP requirements as defined over the last few years.


Above all, the laws that act as the foundation for federal information security standards – the Federal Information Security Management Act (2002) and the FedRAMP Authorization Act (2021) – have not been modified. So even as the PMO’s role in the authorization process changes, the security and compliance requirements that ISVs must meet to get approval from an AO and sell to the federal government are preserved until the law itself changes.


What FedRAMP 20x Means for You


We believe that FedRAMP 20x will help transform the status quo, in which FedRAMP accreditation has become exceedingly expensive, bureaucratic, and complex. We support FedRAMP’s mission towards an end state that eliminates mountains of paperwork, costly consultants, and lengthy timelines. And we believe the best way to future-proof yourself against the coming ambiguity for FedRAMP ATOs is to adopt software and infrastructure that is secure-by-default and purpose-built to solve FedRAMP controls out of the box.


That’s the reason why Chainguard’s philosophy is rooted in building software entirely from source in hardened infrastructure. This approach enables us to eliminate CVEs by default and offer a best-in-class CVE remediation SLA, build FIPS-validated containers that implement approved cryptographic algorithms that execute independently of the host kernel, and harden our containers according to an operating-system-level STIG – all out of the box. We address a handful of FedRAMP’s hundreds of controls — controls that aren’t changing anytime soon — and our customers rely on us to address them exceedingly well.


Start Building with Chainguard Containers Today


Ultimately, Chainguard Containers offer the best solution to meet FedRAMP’s controls for container security. We will continue to work closely with the key FedRAMP stakeholders – the PMO, federal agencies, hyperscalers, and ISVs – to ensure that the U.S. government benefits from private sector innovation without sacrificing security.


If you’d like to learn more about Chainguard’s minimal, zero-CVE containers with FIPS-validated cryptography to simplify your FedRAMP requirements, reach out today.
