Tag Archives: RegScale

FedRAMP 20x: Modernizing Cloud Security Authorization Through Automation and Continuous Assurance

Posted on by
Reply

FedRAMP authorization has long required extensive documentation, static point-in-time assessments and timelines of 18鈥24 months. This approach has slowed innovation for Federal agencies seeking secure cloud solutions and for vendors pursuing Government contracts.

FedRAMP 20x reimagines authorization through automation, machine-readable evidence and continuous monitoring, shifting compliance from document-driven processes to data-driven assurance. It also reshapes how Federal agencies, Cloud Service Providers (CSPs) and Third-Party Assessment Organizations (3PAOs) collaborate to secure Government environments.

The Shift from REV 5 to 20x

Traditional FedRAMP authorization follows a linear, document-heavy process where CSPs write extensive System Security Plans (SSPs), undergo annual assessments and exchange static artifacts with 3PAOs. FedRAMP 20x maintains the same security requirements from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5 (REV 5) but transforms how evidence is validated. Instead of screenshots or single-moment spreadsheets, 20x uses logs, configuration files and automated integrations that reflect real-time security posture. This enables continuous assurance, with systems remaining audit-ready and controls validated through actual telemetry and configuration baselines.

The result is a more dynamic, risk-focused model that moves beyond top-down waterfall processes that often obscure security conditions.

Modernized Compliance

FedRAMP 20x requires robust compliance automation built on five pillars:

  1. Control normalization
  2. Engineering
  3. Infrastructure
  4. Evidence generation
  5. Reporting

Controls must be technically engineered into Continuous Integration/Continuous Deployment (CI/CD) pipelines, an approach often described as 鈥.鈥 Supporting infrastructure must generate evidence in a reliable, machine-readable format such as NIST (OSCAL) or JavaScript Object Notation (JSON) so CSPs, agencies and 3PAOs can share data rather than documents. This approach transforms compliance work from writing narratives and taking screenshots to building monitoring systems that continuously validate control effectiveness.

While artificial intelligence (AI) tools are emerging as assistants, the foundation remains consistent instrumentation and automated evidence collection. Organizations must invest in platforms capable of real-time logging, automated vulnerability scanning, Application Programming Interface (API)-driven evidence collection and continuous control monitoring, moving beyond spreadsheets or basic ticketing systems to true automated Governance, Risk and Compliance (GRC).

Maintaining Security Standards

FedRAMP 20x reduces the barriers to entry for small CSPs. Under the traditional REV 5 model, many providers faced prohibitive costs and timelines, often waiting indefinitely for Joint Authorization Board (JAB) review without agency sponsorship. The 20x pilot eliminates this sponsor requirement and accelerates review: organizations using automation have achieved authorization in six months.

RegScale, FedRAMP 20x blog, embedded image, 2025

, leveraging its own platform with features like automated evidence collection and AI-assisted control validation, completed its SSP and evidence in approximately three weeks and achieved full authorization within six months of audit start. This acceleration does not weaken security; rather, continuous monitoring and real-time evidence provide greater assurance than annual snapshots.

Another benefit of the 20x approach is that the machine-readable evidence can be reused for other frameworks, enabling a 鈥渃ertify once and comply many鈥 approach across:

  • System and Organization Controls 2 (SOC 2)
  • International Organization for Standardization (ISO) 27001
  • Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR)

For cloud-native organizations already operating with infrastructure as code (IaC) and automated pipelines, 20x aligns Federal compliance with modern DevSecOps practices.

Cultural and Organizational Change Management

The greatest challenge with FedRAMP 20x is cultural, not technological. Many organizations already possess the necessary tools but continue to rely on manual processes built over 15鈥20 years. Shifting to automation requires replacing 鈥渘o hope鈥 environments, where compliance is viewed as endless documentation, with the recognition that more efficient, sustainable operations are both possible and necessary.

Teams must actively retrain themselves to think operationally rather than as checklist validators. The transition also requires breaking down silos between security and compliance teams, agencies and 3PAOs, ensuring all stakeholders rely on the same real-time telemetry instead of debating the meaning of outdated screenshots. Federal agencies must also educate risk owners and embrace new evidence formats and methodologies. Ultimately, this is as much an organizational transformation as a technical one.

Continuous Monitoring and Real-Time Risk Management

FedRAMP 20x redefines relationships between CSPs, agencies and 3PAOs by replacing periodic reviews with continuous monitoring and near real-time risk visibility. Instead of exchanging PDFs, stakeholders share dashboards, datasets and evidence repositories that all parties can access. Auditors can review assessments based on evidence collected minutes or hours ago rather than relying on outdated artifacts.

Continuous monitoring supports 20x by allowing agencies to track configuration drift, Plan of Action and Milestone (POA&M) status and control effectiveness in regular cadences. The definition of 鈥渃ontinuous鈥 varies by control type; some require minute-by-minute validation, while policy controls may be quarterly or semi-annual.

For agencies, continuous assurance delivers better risk management capabilities, but only if they invest time in understanding how to interpret machine-readable formats such as OSCAL. Adoption varies, with some agencies already capable while others continue developing this capacity.

Moving Forward with Confidence

FedRAMP 20x is a strategic shift that aligns Federal authorization with modern DevSecOps, delivering faster innovation without reducing security standards. Since launching in March 2025, the pilot has processed 27 submissions and granted 13 authorizations, demonstrating scalability and viability.

With 20x, agencies gain improved risk visibility, reduced vendor timelines and access to innovative cloud solutions previously delayed by lengthy authorizations. However, success is not guaranteed. It requires adopting continuous assurance, investing in platforms that support machine-readable evidence and educating risk owners to interpret dynamic data. CSPs must centralize systems of record, instrument environments for continuous evidence collection and adopt standardized mappings that facilitate automation.  

The organizations that thrive will be those that use FedRAMP 20x as a motivator to replace outdated habits, engineer controls properly and embrace automation as an enhancement, not a replacement, of human expertise.

Discover how FedRAMP 20x is transforming Federal cloud authorization by watching the webinar, 鈥FedRAMP 20x in Motion: What Early Results Mean for Federal Agencies,鈥 featuring insights from RegScale and the CSA.

探花视频. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator鈥痜or our vendor partners, including RegScale, we deliver鈥solutions鈥痜or Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the 探花视频 Blog to learn more about the latest trends in Government technology markets and solutions, as well as 探花视频鈥檚 ecosystem of partner thought-leaders.

How to Accelerate the Journey to Government Compliance with CCM

Posted on by
Reply

Government agencies are inundated with a vast amount of daily Governance, Risk, and Compliance (GRC) tasks and processes. Achieving regulatory compliance, an arduous process, can take up precious time that could be reallocated to other business-critical missions.

Continuous controls monitoring (CCM) is one solution. CCM leverages AI and extreme automation to help cut down on manual processes, allowing agencies to overcome regulatory hurdles, supercharge their staff, and make better risk-based decisions with fast, cost-effective automations.

Improving the Compliance Process

Creating a quality compliance report comes with heavy, manual processing time. CCM can help significantly by taking away some of the cumbersome brunt work, cutting 60-80% of the manual tasks required by GRC programs.

RegScale Government Compliance CCM Blog Embedded Image 2024

It can also help overcome hurdles to reaching valuable security authorizations.  Completing an Authorization to Operate (ATO) package can take roughly six months to finish 鈥 but that process can be reduced to two weeks with the right CCM platform.  CCM also gives agencies a leg up with gaining Continuous Authorization to Operate (cATO) by leveraging OSCAL, a machine-readable format that standardizes security control documentation and enables automated validation.

The Time-Saving Capabilities of Machine Learning and AI

In the past year, advances in machine learning (including large language models and generative AI) have created exciting new possibilities for GRC teams. AI and machine learning (ML) can offer everything from better data analysis to proactive risk management to a major reduction in manual processes. Here are a few of the most compelling use cases for :

  • Help employees proactively monitor traffic
  • Review code for errors unlikely to be caught by the human eye
  • Explain complex controls and procedures in everyday language, bridging knowledge gaps
  • Generate accurate, up-to-date documentation in one click

Overall, AI allows agencies to move faster, with more accuracy, and with better visibility. To free up staff to complete mission-critical objectives, agencies should create their own AI/ML usage strategies and implement them within a Compliance as Code framework.

How RegScale鈥檚 CCM Leverages Compliance-Trained AI

RegScale鈥檚 AI-enabled platform, RegML, combines CCM and leading large language (LLM) tools to streamline compliance management with intelligent automation and precision. This approach improves compliance by significantly reducing manual labor and costs. It also provides user-friendly summaries and guidance and improves accuracy and precision in documentation, freeing up staff to focus on core business objectives. 

RegML has four main AI features:

  • AI Extractor, which automatically derives compliance documentation from existing policies and procedures.
  • AI Explainer, which is designed to demystify control statements by providing users with simple explanations of intricate controls.
  • AI Author, which helps draft control implementation statements in the context of relevant regulations and requirements. This process allows writers to focus on editing a draft, leading to fewer errors and better accuracy.
  • AI Auditor, which identifies gaps in controls and provides suggestions for improvement. This frees up teams to work on more critical tasks like fixing gaps and implementing controls.

CCM and the Future

Today, more and more work is being done in the cloud. As data becomes ephemeral and serverless, cybersecurity has become more important than ever 鈥 as have the mandatory frameworks governing it. Meanwhile, regulations such as NIST鈥檚 Secure Software Development Framework (SSDF), the Digital Operational Resilience Act (DORA), the Security and Exchange Commission (SEC) rules, Cybersecurity and Infrastructure Agency (CISA) mandates, and the European Union鈥檚 AI Act have or are predicted to undergo changes.

These shifting frameworks only make CCM more integral, as its AI features allow users to ensure that they are thoroughly compliant at every step of the process. By freeing time for additional tasks, and by maintaining adherence to changing regulations, CCM enables organizations to improve their GRC programs and streamline their operations.

To learn more about how RegScale鈥檚 CCM platform provides a layer of security around AI usage, watch its webinar .

探花视频. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator鈥痜or our vendor partners, including RegScale, we deliver鈥solutions鈥痜or Geospatial, Cybersecurity,聽MultiCloud,聽DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the 探花视频 Blog to learn more about the latest trends in Government technology markets and solutions, as well as 探花视频鈥檚 ecosystem of partner thought leaders.

Rethinking and Modernizing the ATO Approval Process

Posted on by
Reply

The path to securing Authorization to Operate (ATO) approval presents a myriad of challenges, such as complex regulations, the potential for human error and the constant threat of cyberattacks. The role of an Authorized Official (AO) necessitates both speed and thoroughness to ensure an organization’s risk is minimized while also safeguarding sensitive information. Traditional manual, point-in-time assessments are proving insufficient, resulting in significant security risks. As digital transformation accelerates in both the Government and Private Sector, regulatory compliance requirements have also increased, yet the tools and processes used to meet these standards fall behind. This disconnect poses a challenge for AOs, underscoring the urgent need for innovation in the ATO approval journey.

Preventing Compliance Drift

RegScale Modernizing ATO Approvals Webinar Recap Embedded Image Blog 2024

To stay ahead of the threats against the nation while simultaneously reducing the friction and corrosion in the compliance process, a proactive approach of implementing necessary measures and safeguards before they are mandated by regulatory requirements is essential. As Brandt Keller, Software Engineer at Defense Unicorns, stated during a recent webinar discussing the ATO approval process, 鈥淣ew technologies are coming, and we need to implement them and understand what they do, how they do it and what controls they do or do not satisfy.鈥 The role of compliance within the DevSecOps process is pivotal, especially when switching from one technology to another. This decision must consider how the change impacts compliance, as the environment shift can alter the ATO posture. Such changes may result in drift or even expose the system to malicious actors seeking to escalate privileges or perform unauthorized actions. While compliance and security are often viewed as separate processes, they can and should be integrated to provide an additional layer of defense.

Preventing drift in IT systems is a crucial aspect of maintaining continuous compliance. AOs must actively collect and report data to accurately reflect the current state of their systems. Leveraging open standards on a platform is essential for effectively utilizing data. To achieve this, AOs need reliable methods for producing and regularly assessing data. Building a system from the ground up with compliance in mind involves meticulously implementing and automating controls that can be rerun consistently. The process must be both repeatable鈥攁ble to redo tasks鈥攁nd reproducible鈥攁ble to collect evidence and achieve the same results. Any deviation indicates a potential issue, a change or an environmental modification that has made it less compliant. This approach allows AOs to confidently attest that their ATO meets all required controls and prevents any drift.

Implementing Automation

Automating processes within DevSecOps pipelines has emerged as a pivotal strategy, particularly streamlining compliance checks before system deployment. This approach allows decision-makers to assess risk before a system is even deployed. Moreover, the ability to continuously evaluate and update data in real time enhances accuracy and ensures timely access to critical information. However, accessibility of data remains a challenge due to the number of disconnected environments in existence. Open standards such as OSCAL solve this problem by providing a unified framework for continuous data integration. By adopting platforms that adhere to open standards, organizations can foster innovation and empower AOs with data in a familiar and actionable format, thereby optimizing efficiency and bolstering security measures.

ATO Risk Management Framework (RMF) artifacts represented in OSCAL machine-readable formats break down information silos, achieving effective communication across teams and facilitating seamless data handoffs. Automation is pivotal in expediting the decision-making process, alleviating the burden on the human workforce, enabling AOs to access better-quality data and making risk-based decisions more efficiently. While the potential for error is still present, automation significantly mitigates human error in data handoffs across all controls and systems. It also helps security professionals focus on managing risk rather than completing rudimentary compliance tasks.

Automating technical and administrative controls is not the same. While traditional approaches rely on application programming interface (API) data, nontraditional methods such as infrastructure as code (IaC)鈥攎anaging computing infrastructure through provisioning scripts鈥攐r compliance as code鈥攎anaging regulatory requirements by encoding them into automated scripts or code鈥攐ffer alternative paths. These approaches allow organizations to establish rules and apply validations programmatically, mirroring the precision and speed of technical controls. However, not all controls are created equal; some function as checkboxes without mitigating risks. The critical controls that significantly impact an environment’s security posture should be the priority for automation. As emphasized by Travis Howerton, Co-founder and CEO at RegScale, 鈥渋t is less important what percent of total controls are covered than what percentage of your total risk you are mitigating with automation.鈥

The cadence mismatch between cyber threats that move at lightspeed, and heavily manual compliance processes must be fixed. 鈥淭he big part of what has to modernize,鈥 according to Howerton, 鈥渋s taking more automated approaches, leveraging advances in technology and thought leaders in this space to figure out how we can do things in a more automated manner to bring the principles of DevSecOps to compliance.鈥 This strategic focus will ensure thorough and repeatable processes and prepare AOs for a future where compliance and security are dynamically intertwined, ultimately supporting better risk-based decisions and unlocking the full potential of digital transformation. By accepting early that ATOs should be more real-time and continuous, AOs can better position themselves for the future.

Watch RegScale and 探花视频鈥檚 webinar, , to learn more about modernizing the ATO approval process.

FedRAMP Rev. 5 Baselines are Here, Now What?

Posted on by
Reply

The FedRAMP Joint Authorization Board (JAB) has given the green light to update to  With this revision, FedRAMP baselines are now updated in line with the National Institute of Standards and Technology鈥檚 (NIST)  Catalog of Security and Privacy Controls for Information Systems and Organizations and  Control Baselines for Information Systems and Organizations. This transformation brings opportunities and challenges for all stakeholders involved, including Cloud Service Providers (CSP), Third Party Assessment Organizations (3PAOs), and Federal Agencies. But worry not 鈥 with we have your back! Let鈥檚 dive in and understand the impact and how to prepare for the coming changes.

Decoding the Transition

The transition has been in the works for a very long time, and FedRAMP has updated many of their controls to accurately reflect updates in technology since Rev. 4 was published in 2015.  brings with it significant updates to the security controls to meet emerging threats, including new families such as supply chain risk management, and places a greater emphasis on privacy controls. FedRAMP continues to strongly encourage package submission in NIST Open Security Controls Assessment Language () format to accelerate review and approval processes. To aid with a clear comprehension of the updates, FedRAMP has also released a  There are more than 250 controls with significant changes, including several whole new families of controls.

In the coming weeks, FedRAMP plans to release a series of updated OSCAL baseline profiles, resolved profile catalogs, System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plans of Action and Milestones (POA&;ampM) templates as well as supporting guides for each of these.

What is OSCAL, You Ask?

RegScale FedRAMP Rev. 5 Baselines Blog Embedded Image 2023

OSCAL is a set of standards for digitizing the authorization package through common machine-readable formats developed by NIST in conjunction with the FedRAMP PMO and industry.  defines it as a 鈥渟et of hierarchical, formatted, XML- JSON- and YAML-based formats that provide a standardized representation for different categories of security information pertaining to the publication, implementation, and assessment of security controls.鈥 OSCAL makes it easier to validate the quality of your FedRAMP packages and expedites the review of those packages.

The Impact on CSPs

FedRAMP has published the  providing a comprehensive roadmap and tool for CSPs to identify the scope of the Rev. 5 controls that require testing and offering support for everyone based on their stage in the FedRAMP authorization process. Timelines for the full transition range from immediate to 12-18 months. You should find a technology partner to assist you regardless of your FedRAMP stage so that you can quickly and completely adapt from Rev. 4 to Rev. 5 baselines as well as update, review, and submit your packages in both human-readable (Word, Excel) and machine-readable (OSCAL) formats.

If you are a CSP just getting started with your FedRAMP journey鈥

As of May 30, 2023, CSPs in the 鈥減lanning鈥 stage of FedRAMP authorization must adopt the new Rev. 5 baseline in their controls documentation and testing and submit their packages in the updated FedRAMP templates as they become available. You are in the planning phase if you are:

  • Applying for FedRAMP or are in the readiness review process
  • Have not partnered with a federal agency prior to May 30, 2023
  • Have not contracted with a 3PAO for a Rev. 4 assessment prior to May 30, 2023
  • Have a JAB prioritization but have not begun an assessment after the release of the Rev. 5 baselines and templates

If you are a CSP in the 鈥淚nitiation鈥 phase

CSPs in the initiation phase will complete an Authority to Operate (ATO) using the Rev. 4 baseline and templates. By the latest of the issuance of your ATO or September 1, 2023, you will identify the delta between your Rev. 4 implementation and the Rev. 5 requirements, develop plans to address the differences, and document those plans in the SSP and POA&;ampM. You are in the initiation phase if any of the following apply prior to May 30, 2023:

  • Prioritized for the JAB and are under contract with a 3PAO or in 3PAO assessment
  • Have been assessed and are working toward P-ATO package submission
  • Kicked off the JAB P-ATO review process
  • Partnered with a federal agency and are:
    • Currently under contract with a 3PAO
    • Undergoing a 3PAO assessment
    • Have been assessed and have submitted the package for Agency ATO review

If you are a Fully Authorized CSP

You are in the 鈥渃ontinuous monitoring鈥 phase if you are a CSP with a current FedRAMP authorization. By September 1, 2023, you need to identify the delta between your current Rev. 4 implementation and the Rev. 5 requirement, develop plans to address the differences and document those plans in the SSP and POA&;ampM. By October 2, 2023; you should update plans based on any shared controls.

If your latest assessment was completed between January 2 and July 3, 2023, you have a maximum of one year from the date of the last assessment to complete all implementation and testing activities for Rev. 5. If your annual assessment is scheduled between July 3 and December 15, 2023, you will need to complete all implementation and testing activities no later than your next, scheduled annual assessment in 2023/2024.

A Complete Technology and Transition Partner

The transition to FedRAMP Rev. 5 is not just about meeting the new requirements but doing so in the most efficient and seamless manner. You should focus on your core business while technology like RegScale handles the intricacies of the compliance transition.

Beyond compliance documentation, RegScale serves as a comprehensive FedRAMP compliance technology and transition partner. Our platform assists with mapping your security controls against FedRAMP and NIST SP 800-53 baselines for Rev. 4 and Rev. 5, supports gap analysis, provides remediation support, and enables continuous monitoring and improvement. The platform currently includes FedRAMP support and tools to develop human-readable and OSCAL-formatted content for Catalogs, Profiles, SSPs, Components, SAPs, SARs, POAMs and Asset Inventory. To help eliminate the friction and confusion of where to begin with OSCAL, RegScale provides an intuitive Graphical User Interface (GUI) to build artifacts using our wizards and then easily export them as valid OSCAL. By automating the creation of audit-ready documentation and allowing direct submission to the FedRAMP Project Management Office (PMO) through OSCAL and/or Word/Excel templates, RegScale provides a seamless transition experience to Rev. 5, reducing complexities and saving you valuable time and resources.

In closing, it is crucial for all CSPs and stakeholders to review the new mandates and the CSP Transition Plan and begin planning to address the updated templates. Let RegScale help make the shift to FedRAMP Rev. 5 a streamlined, efficient, and effective process with minimum costs and business disruptions.

This post originally appeared on  and is re-published with permission.

to learn more about the low-cost approaches for handling the transition to Rev 5.