Christian Baer
Technical Fellow, Schellman
SunStone OSCAL PlugFest
May 15, 2025
At the inaugural SunStone OSCAL PlugFest, Christian Baer, Technical Fellow at Schellman, shared his perspective on the evolving FedRAMP 20X initiative. He offered candid insights from the vantage point of a 3PAO (Third Party Assessment Organization). With over a decade of hands-on experience in federal audits, FISMA, and FedRAMP assessments, Baer brought a practical and informed voice to the conversation.
The Need for Change in FedRAMP
Baer began by outlining why reform is necessary. The traditional FedRAMP process has long been criticized for being slow, expensive, and overly manual — with long delays between submission and authorization decisions, sometimes stretching over two years. Challenges like shadow requirements, unclear expectations, and inconsistent documentation have made it difficult for Cloud Service Providers (CSPs) to efficiently navigate the process.
What’s Changing with 20X
According to Baer, FedRAMP 20X represents a major shift in how the program operates:
- The PMO Steps Back: The FedRAMP Program Management Office is stepping away from its centralized role in reviewing and approving packages. This includes moving away from maintaining a centralized repository and instead empowering agencies to make their own risk decisions.
- Faster Turnarounds: Baer noted that some packages now receive authorization with minimal feedback — a stark contrast to the years-long reviews of the past.
- Decentralized Risk Assessment: Agencies are being encouraged to make independent, risk-based decisions rather than relying solely on FedRAMP authorization status.
Clarifying Myths
Baer also debunked a few common misconceptions:
- Agency Sponsorship Isn’t Going Away: Traditional paths to FedRAMP authorization via an agency sponsor are still in place.
- No Major Changes to Related Frameworks Yet: Requirements tied to CMMC, StateRAMP, and DoD Impact Levels remain as-is, at least for now.
- FedRAMP Equivalency Still Exists: The DoD’s model of “FedRAMP equivalency” for CSPs without a sponsor is unchanged.
Opportunities for Automation and OSCAL
One of the most promising aspects of FedRAMP 20X is its alignment with automation and OSCAL (Open Security Controls Assessment Language). Baer emphasized that machine-readable artifacts could reduce duplicative work and improve accuracy by automating consistency checks across assessment packages. Instead of copying data manually between documents, tools could help streamline updates across the SAR, Risk Exposure Tables, and other deliverables.
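The kind of consistency check Baer describes, as an added illustration that is not part of the talk or of any Schellman or FedRAMP tooling: a small script that cross-references findings from a SAR against entries in a Risk Exposure Table and reports where the two deliverables disagree. The two JSON documents are constructed sample data, and their field names (`finding-uuid`, `control-id`, `status`) are a simplified stand-in loosely modelled on the findings and risks in an OSCAL assessment-results file, not the official OSCAL schema.

```python
import json

# Constructed sample deliverables (not real assessment data). Field names are a
# simplified stand-in for OSCAL assessment-results findings and risks; the real
# OSCAL schema is richer and nests these differently.
SAR_FINDINGS_JSON = """
[
  {"uuid": "f-001", "control-id": "ac-2", "status": "not-satisfied"},
  {"uuid": "f-002", "control-id": "sc-7", "status": "not-satisfied"},
  {"uuid": "f-003", "control-id": "ia-5", "status": "satisfied"},
  {"uuid": "f-004", "control-id": "au-6", "status": "not-satisfied"}
]
"""

RISK_EXPOSURE_TABLE_JSON = """
[
  {"uuid": "r-101", "finding-uuid": "f-001", "control-id": "ac-2", "status": "open"},
  {"uuid": "r-102", "finding-uuid": "f-002", "control-id": "sc-8", "status": "open"},
  {"uuid": "r-103", "finding-uuid": "f-003", "control-id": "ia-5", "status": "open"},
  {"uuid": "r-104", "finding-uuid": "f-999", "control-id": "cm-6", "status": "open"}
]
"""


def check_consistency(findings, risks):
    """Cross-check SAR findings against Risk Exposure Table entries.

    Returns a sorted list of discrepancy strings; an empty list means the two
    deliverables agree. Rules enforced:
      * each finding is referenced by at most one risk entry
      * every not-satisfied finding has a risk entry with the same control id
        and an open status
      * a satisfied finding must not leave an open risk behind
      * every risk entry points at a finding that actually exists
    """
    issues = []
    finding_ids = {f["uuid"] for f in findings}
    risk_by_finding = {}

    # Index risks by the finding they reference, flagging duplicates and
    # dangling references as we go.
    for r in risks:
        fid = r["finding-uuid"]
        if fid in risk_by_finding:
            issues.append(f"duplicate risk entries reference finding {fid}")
        risk_by_finding[fid] = r
        if fid not in finding_ids:
            issues.append(f"risk {r['uuid']} references unknown finding {fid}")

    # Walk the findings and compare each one with its risk entry, if any.
    for f in findings:
        r = risk_by_finding.get(f["uuid"])
        if f["status"] == "not-satisfied":
            if r is None:
                issues.append(
                    f"finding {f['uuid']} ({f['control-id']}) is not-satisfied "
                    f"but has no risk entry"
                )
                continue
            if r["control-id"] != f["control-id"]:
                issues.append(
                    f"risk {r['uuid']} lists control {r['control-id']} "
                    f"but finding {f['uuid']} is for {f['control-id']}"
                )
            if r["status"] != "open":
                issues.append(
                    f"finding {f['uuid']} is not-satisfied but risk "
                    f"{r['uuid']} is {r['status']}"
                )
        elif r is not None and r["status"] == "open":
            issues.append(
                f"finding {f['uuid']} is satisfied but risk {r['uuid']} is still open"
            )
    return sorted(issues)


def run_sample_check():
    """Parse the constructed sample documents and return their discrepancies."""
    findings = json.loads(SAR_FINDINGS_JSON)
    risks = json.loads(RISK_EXPOSURE_TABLE_JSON)
    return check_consistency(findings, risks)


if __name__ == "__main__":
    for issue in run_sample_check():
        print("DISCREPANCY:", issue)
```

Run against the sample data the script reports four discrepancies: a control-id mismatch, a finding that was closed while its risk stayed open, a not-satisfied finding with no risk entry, and a risk pointing at a finding that does not exist. Each of those is exactly the kind of copy-and-paste drift between deliverables that an assessor otherwise has to hunt for by hand; with the artifacts in a machine-readable form the check runs in seconds on every package revision.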
“Let the machines handle the repetition,” Baer said. “I want to spend more time identifying true risks, not tracking down inconsistencies.”
Prescriptive Guidance and Reciprocity
Another area Baer hopes will evolve is clearer, more prescriptive guidance, especially for newer CSPs without access to experienced advisors. Drawing inspiration from efforts like CISA’s SCuBA baselines, he sees potential for more consistent expectations across agencies.
He also called for greater reciprocity between frameworks, suggesting that overlapping controls across FedRAMP, SOC 2, PCI, ISO, and others should be streamlined. This would reduce audit fatigue for CSPs and allow assessors to focus on deltas rather than redoing redundant work.
Unanswered Questions
Despite the optimism, Baer acknowledged that many aspects of FedRAMP 20X remain unclear:
- Implementation Timelines are still unknown.
- How Commercial and Federal Frameworks Will Align remains a challenge, particularly with scoped environments and boundary definitions.
- Adoption Across Agencies will vary widely, as each agency has its own culture, risk tolerance, and preferred templates — a longstanding challenge for reciprocity.
Conclusion
Baer closed his talk by encouraging continued dialogue and collaboration across the FedRAMP ecosystem. Whether it’s simplifying package development, encouraging reuse of assessments, or pushing for more automation through OSCAL, the changes unfolding in FedRAMP 20X could mark a turning point for cloud security in the federal space — provided the community works together to shape the outcome.