© ControlCase. All Rights Reserved.
YOUR IT COMPLIANCE PARTNER
GO BEYOND THE CHECKLIST
WEBINAR
FedRAMP 20x: Automation in Action
Cut Costs and Speed Up Compliance!
Agenda
1. About ControlCase
2. About FedRAMP & FedRAMP 20x
   • What is FedRAMP?
   • What is FedRAMP 20x?
3. What is next for FedRAMP 20x?
4. About the Services
5. Q&A / Open Forum
HOST: Ashley Hibbs, Account Executive, Federal
PRESENTER: Erik Winkler, President, Federal
ControlCase Snapshot
ControlCase Overview
Provider of Compliance as a Service (CaaS): a subscription-based offering bundling proprietary GRC software and managed services.

Best-in-Class Compliance Platform
• ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements
• Proprietary software, including appliance and SaaS solutions, that enable CaaS (GRC and Data Discovery)
• Compelling proprietary offering combining proprietary software, certification/audits, and managed services on a single platform
• One Audit™ enables our clientele to Assess Once, Comply to Many
• Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains
• Serving over 1,000 customers
• Global footprint with offices in the U.S., LATAM, Europe, India, Canada, and UAE
• Leverages an offshore delivery infrastructure for competitive advantage
• IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality, and telecom

Global Vision & Solutions Enhancement
• Founded in 2004
• Headquartered in Fairfax, VA
• Offices in U.S., Canada, India
• 250+ Employees
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified:
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Offload much of the compliance burden to a trusted compliance partner
• Improve efficiencies by doing more with fewer resources and gain compliance peace of mind

1,000+ CLIENTS | 10,000+ IT SECURITY CERTIFICATIONS | 275+ SECURITY EXPERTS
ControlCase Snapshot – Solution
Partnership Approach: Compliance HUB™ + Continuous Compliance Services & IT Certification Services = Certification and Continuous Compliance Services
Certification Services
One Audit: Assess Once. Comply to Many.
FedRAMP Overview
What is FedRAMP?
• FedRAMP (Federal Risk and Authorization Management Program) is a U.S. government-wide program that standardizes security assessment, authorization, and monitoring for cloud products and services.
• Ensures cloud solutions meet strict federal security requirements before agencies can use them.
• Provides a “stamp of approval” so federal agencies can safely adopt cloud technologies.
• Builds trust, reduces security risk, and opens the door to federal contracts.

Why FedRAMP?
• Access to the Federal Market: required for doing business with U.S. government agencies.
• Competitive Advantage: demonstrates strong cybersecurity to federal and commercial customers.
• “Do Once, Use Many”: one authorization allows you to work with multiple agencies.
• Reduced Risk: ongoing monitoring ensures continuous compliance and security assurance.
How long does the FedRAMP authorization process take?
The timeline depends on the path a CSP takes and how prepared they are going in. At a high level:

Preparation (3-6 Months)
• Gap analysis, remediation, documentation, selecting a Third-Party Authorization Organization (3PAO)
• Making sure your system is audit-ready: recommended 3 months of scans, complete System Security Plan (SSP)

Security Assessment (8-10 Weeks)
• Formal audit by a 3PAO, testing of controls, penetration testing, remediation of findings, and report submission

Authorization (TBD)
• Can be weeks or months, depending on the queue of the sponsoring agency and FedRAMP PMO

Total Timeline (9-12 Months)
• Some move faster if they are highly mature and well-prepared
• Others can take longer if extensive remediation is needed
• Can also depend on agency and Authorizing Official (AO)
What are the main differences between FedRAMP baselines?
Low, Moderate, High, and LI-SaaS

Security Impact Level: Baselines (Low, Moderate, High, LI-SaaS) align with FIPS 199 impact levels for confidentiality, integrity, and availability.
Number of Required Controls: Low has the fewest security controls, Moderate has more, and High has the most to address increased risk.
Data Sensitivity: Low handles less sensitive federal data, Moderate covers Controlled Unclassified Information (CUI), and High involves data where loss could cause severe or catastrophic impact.
Assessment Rigor: Higher baselines require more detailed testing, documentation, and evidence to verify control implementation.
Authorization Effort: Timelines, costs, and complexity increase with higher baselines due to more controls and stricter validation requirements.
Agency Usage: Low is often for public-facing or low-risk systems, Moderate is the most common for federal use, and High is typically for law enforcement, emergency services, or national security systems.
What role does a 3PAO play in the FedRAMP Process?
An accredited 3PAO such as ControlCase must complete your FedRAMP audit. CSPs cannot self-assess.

What should a CSP look for in a 3PAO?
Expertise: Look for a 3PAO with expertise in federal compliance frameworks like NIST, FedRAMP, and StateRAMP to ensure they can guide you effectively through the certification process. You should also consider the experience and credentials of the employees, making sure they have the relevant cybersecurity certifications (FedRAMP R311, CISSP, etc.); knowledge of other frameworks (SOC/ISO/PCI/GDPR) is a plus.
Quality: High-quality 3PAOs go beyond just checking the boxes. They bring extensive expertise and a deep understanding of the FedRAMP processes, know how to navigate the organizational hierarchy of the government agencies, and have quality assurance processes in place.
Relationships: A 3PAO should serve as a trusted partner throughout the challenging process of a FedRAMP audit. Choose a 3PAO that can align your business goals with the assessment methodology and remain transparent throughout the process.
FedRAMP 20x Overview
What is the FedRAMP 20x Pilot Program?
FedRAMP 20x is a forward-looking initiative by the General Services Administration (GSA) to modernize and accelerate the U.S. federal cloud authorization process, making it significantly faster, automated, and more flexible than the traditional FedRAMP path.

Cloud-native, automation-first approach: FedRAMP 20x replaces manual, narrative-heavy reviews with machine-readable validation and continuous security monitoring. This shifts focus to real-time assurance of security posture.
Reduced authorization timelines: What used to take months, or even years, can now be achieved in weeks.
Starting with pilot programs open to public participation: Cloud-native providers (e.g., SaaS offerings) can participate in the pilot programs without requiring an agency sponsor, making it easier for small and emerging providers to enter the federal marketplace.
Use of Key Security Indicators (KSIs): Instead of a full baseline, Phase One focuses on KSIs, streamlined security indicators that can be evaluated quickly and via automation.
Collaborative & transparent process: Participation is encouraged through public working groups, forums, and community-driven feedback, ensuring open innovation and fairness.
20x Overview
Approach: Cloud-native, automated, outcome-based assessment
Pilot Participation: Open to public, no agency sponsor required
Key Tool: Key Security Indicators (KSIs), machine-readable validation
Timeline: Submission window specified by FedRAMP PMO
Authorization Duration: 12 months for FedRAMP 20x Pilots
Benefits: Significantly faster, cost-efficient, and transparent path to FedRAMP authorization

What is FedRAMP 20x?
FedRAMP 20x marks a strategic shift in federal cloud security authorization, moving from a cumbersome, documentation-heavy process to an agile, outcomes-based, automated model. For both agencies and cloud providers, this translates to:
• Faster adoption of modern cloud technologies
• Reduced barriers to entry for innovative solution providers
• Stronger, real-time security validation
• Collaborative development in a transparent and inclusive environment
What are the core goals of FedRAMP 20x?
Benefits of FedRAMP 20x:
• Achieve FedRAMP Low and get listed on the Marketplace without the need for an agency sponsor: a streamlined process to a one-year FedRAMP Low authorization
• Simplified documentation
• Eliminates redundancy by leveraging a recent SOC 2 Type 2 or similar audit (ideal for current ControlCase customers who have recently completed an audit)
• 20x is an excellent way for cloud-native companies looking to break into the government market (if your business is eager to sell your offerings to the government, this is an incredible opportunity to get your foot in the door)

Core goals:
• Making automation simple
• Leveraging existing industry frameworks
• Continuously monitoring security
• Building trust
• Enabling rapid improvements
How does FedRAMP 20x aim to simplify the authorization process through automation?
Notably, over 80% of requirements are intended to support automated validation, eliminating lengthy narrative documentation.
What is next for FedRAMP 20x
What does “Continuous Monitoring” look like under FedRAMP 20x?
It involves simple, hands-off machine-readable validation and automated enforcement of security controls by industry partners.
How does FedRAMP 20x aim to build trust between cloud service providers and federal agencies?
By enabling direct, business-level interactions and preserving providers’ control over intellectual property, while maintaining security standards.
Three Key Areas of Focus
CONTROLCASE SOLUTION

CONTINUOUS: An effective compliance program for cyber security must provide a stream of continuous, accurate information about posture.
AUTOMATED: Continuous compliance requires an automated platform that collects and processes data in as close to real-time as can be achieved.
INTEGRATED: The best compliance programs are integrated into the systems being measured, versus built as after-the-fact overlays.
Q&A – Open Forum
Thank You for the opportunity to participate in your compliance program.
www.controlcase.com
(US) +1 703.483.6383
(INDIA) +91.22.62210800
contact@controlcase.com