The FedRAMP PMO: What It Does, How It Is Changing, and What Vendors Need to Know

Written by: 
Team Knox
Published on: 
June 16, 2026

The Federal Risk and Authorization Management Program (FedRAMP) Program Management Office (PMO), housed within the General Services Administration (GSA), runs the federal government's cloud security authorization program. It is the central interface between agencies, cloud service providers (CSPs), and Third-Party Assessment Organizations (3PAOs).

For Software as a Service (SaaS) vendors planning to enter the federal market, the timing matters: the PMO is rewriting parts of the authorization model, operating with a smaller workforce, and managing overlapping deadlines, even as it continues to set the rules for authorization.

Vendors need a clear view of what the PMO controls, what agencies still control, and where current guidance is still taking shape before they commit to a FedRAMP investment.

Key Takeaways

  • Legal foundation. The 2022 FedRAMP Authorization Act and Office of Management and Budget (OMB) Memorandum M-24-15 expanded the PMO's role in review, oversight, and government-wide reuse. Agency Authorizing Officials still issue their own Authority to Operate (ATO).
  • 20x direction. FedRAMP 20x shifts part of the process toward automated validation. Key Security Indicators (KSIs) and machine-readable packages are emerging as part of FedRAMP 20x's move away from the traditional System Security Plan (SSP) narrative model.
  • Execution pressure. Staffing cuts and delayed guidance affect execution. FedRAMP 20x introduced KSIs for Low and Moderate baselines while the program continues to work through operational constraints.
  • Parallel planning. Vendors need to plan for Rev5 and 20x simultaneously. FedRAMP authorization timelines continue to change, and machine-readable package requirements are becoming a larger part of submission expectations.

What the FedRAMP PMO Is and What It Does

The FedRAMP PMO is the federal office, housed within GSA's Office of the Chief Information Officer (OCIO), that manages the day-to-day operations of the FedRAMP program. It reviews cloud authorization packages, maintains the FedRAMP Marketplace, publishes security baselines and templates, oversees Continuous Monitoring (ConMon), and coordinates relationships among federal agencies, CSPs, and 3PAOs.

Its statutory basis is the FedRAMP Authorization Act, codified at 44 U.S.C. §§ 3607–3616. The PMO is led by Director Pete Waterman.

The PMO and the FedRAMP Board split governance responsibilities. The PMO handles day-to-day operations: processing authorization packages, managing the Marketplace, publishing baselines and templates, and overseeing ConMon.

The FedRAMP Board, established by the Authorization Act, consists of up to seven senior officials from federal agencies appointed by the OMB Director. The Board sets guidelines and requirements for security authorizations consistent with National Institute of Standards and Technology (NIST) standards, but it does not approve individual authorization packages.

Responsibilities at the end of the lifecycle are split three ways. 3PAOs perform the independent assessment. Agencies issue the ATO. The PMO reviews the final package and confirms whether the cloud service is designated for the FedRAMP Marketplace; that confirmation is required before a product appears there as authorized.

The PMO's role appears most clearly in the functions it has run across the authorization lifecycle. Those day-to-day functions show what the PMO controlled before recent legal and operational changes began reshaping the program.

Under the Traditional Model, the PMO Runs the Program's Day-to-Day Operations

Under the Rev5 model still used today, the PMO manages work across the authorization lifecycle.

  • Marketplace management: The Marketplace lists hundreds of cloud products and services across multiple FedRAMP authorization stages, including FedRAMP Ready, In Process, and FedRAMP Authorized offerings. The PMO follows a structured review process from initial ATO letter through package verification, review, and Marketplace designation.
  • Baseline and template publication: The operative baseline document is the FedRAMP Security Controls Baseline, derived from NIST SP 800-53. Updates move through a public Request for Comment (RFC) process.
  • ConMon governance: The Continuous Monitoring Playbook consolidated nine previously standalone guidance documents. The PMO distributes ConMon materials to all agency users and oversees daily operations.
  • Significant change adjudication: CSPs making material changes traditionally submitted a Significant Change Request (SCR) and waited for approval before deploying. As part of its review-prioritization work, the PMO has introduced a Significant Change Notification (SCN) process, which is notification-based rather than permission-based.
  • Authorization pathway coordination: The PMO now coordinates FedRAMP authorization pathways, with agency-led authorization remaining a central approach.

Those responsibilities began as policy-based program functions. Over the last two years, they have also gained a clearer statutory basis.

Four Shifts Are Reshaping What the FedRAMP PMO Does

The FedRAMP PMO is not the same office it was two years ago. A new statute, a new authorization model, a restructured governance arrangement, and a shrinking workforce are all moving at once. Each of these shifts changes what the PMO controls, what it delegates, and what vendors should expect when they engage with the program. The four subsections below break down the most consequential changes in the order they began affecting vendors.

1. Statutory Backing Gave the PMO More Authority Than Its Original Policy Base

Before December 2022, FedRAMP operated under a 2011 OMB memorandum. The governance structure, including the Joint Authorization Board (JAB), could have been altered or dissolved by administrative action alone. The FedRAMP Authorization Act and OMB Memorandum M-24-15 replaced that policy-only footing with statutory authority and binding implementation guidance.

  • Codification in statute: The FedRAMP Authorization Act, enacted on December 23, 2022, as Section 5921 of the FY2023 National Defense Authorization Act (NDAA), codified FedRAMP. OMB cannot dissolve the program by withdrawing a memorandum; statutory amendment would be required.
  • Director-level risk authority: M-24-15, issued July 25, 2024, gave the Director authority to determine "acceptable risk for what can be called a FedRAMP authorization."
  • Special Review power: The PMO can now initiate a Special Review of any existing authorization regardless of path.
  • New Program Authorizations: M-24-15 created Program Authorizations to replace the old JAB Provisional Authority to Operate (P-ATO).
  • Binding agency obligations: Agencies must obtain FedRAMP authorization for cloud services within the program's scope, and agency policies "should not assume that particular paths or sponsors of FedRAMP authorizations are unacceptable."

For vendors, this means the program itself now rests on statute, and PMO decisions are backed by binding OMB guidance rather than discretionary policy. Authorization decisions, Special Reviews, and Marketplace status are harder to contest, and an agency's refusal to accept a particular authorization path or sponsor has less standing than it did before.

2. FedRAMP 20x Replaces Part of the Narrative Package With Automated Validation

FedRAMP 20x, publicly announced in March 2025, changes the authorization model by using more automation. It is described as a simplified, more automated approach to federal authorization that leverages continuous monitoring to improve the speed and effectiveness of cloud security authorizations.

  • KSIs replace narrative controls: FedRAMP 20x uses KSIs organized into 11 themes covering identity management, incident response, and supply chain risk.
  • Machine-readable evidence: 20x emphasizes Open Security Controls Assessment Language (OSCAL)-based, machine-readable artifacts and evidence in place of static documentation. FedRAMP has set a September 30, 2026, deadline for new authorization packages to include machine-readable OSCAL outputs, which affects vendors on the Rev5 path today regardless of whether they pursue 20x.
  • Automated documentation generation: All Phase 2 documentation is generated automatically from machine-readable materials in the FedRAMP repository.
  • Move away from SSP narratives: The model shifts from the extensive written SSP narratives that defined Rev5 to automated demonstrations of secure configurations.
  • Outcome-focused framing: Acting GSA Administrator Michael Rigas characterized the shift as moving from "process-driven compliance to outcome-focused security," while Director Pete Waterman described the goal as having "machines" provide validation capabilities instead of humans reviewing paper-based records.

Compliance teams that built their workflow around long SSP narratives will need to invest in OSCAL tooling and continuous evidence pipelines, and engineering practices must produce automated, validatable outputs rather than written explanations.
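As an added example (not FedRAMP's, Knox's, or any official tooling), the following Python script performs the kind of completeness check a continuous-evidence pipeline should run before a package leaves the vendor: it walks an OSCAL-shaped SSP and reports which baseline controls have a by-component marked implemented, which are only partial or planned, which are listed with no evidence at all, and which are absent. The field names follow the OSCAL JSON SSP model (system-security-plan, control-implementation, implemented-requirements, by-components, implementation-status); the baseline subset, the component, and the SSP contents are constructed sample data, not a real FedRAMP baseline or package, and the script does not validate against the official OSCAL schema (use NIST's oscal-cli for that).

```python
"""Added example: pre-submission coverage check over an OSCAL-shaped SSP.

Not FedRAMP's or Knox's code. Field names follow the OSCAL JSON SSP model;
the baseline list and SSP content are constructed sample data.
"""
import json
import uuid

# Constructed subset of control IDs standing in for a baseline profile.
SAMPLE_BASELINE = ["ac-2", "ac-17", "au-2", "ia-2", "sc-7", "si-4"]

# Constructed component (e.g. the identity provider) that by-component entries point at.
IDP_COMPONENT_UUID = str(uuid.uuid4())


def implemented_requirement(control_id, state, description, component_uuid=IDP_COMPONENT_UUID):
    """Build one implemented-requirement with a single by-component entry.

    `state` uses the OSCAL implementation-status vocabulary
    (implemented, partial, planned, alternative, not-applicable).
    """
    return {
        "uuid": str(uuid.uuid4()),
        "control-id": control_id,
        "by-components": [
            {
                "uuid": str(uuid.uuid4()),
                "component-uuid": component_uuid,
                "description": description,
                "implementation-status": {"state": state},
            }
        ],
    }


def build_sample_ssp():
    """Constructed SSP: two controls implemented, one partial, one planned,
    one listed without evidence, and one baseline control omitted entirely."""
    reqs = [
        implemented_requirement("ac-2", "implemented", "Accounts provisioned via SCIM from the IdP."),
        implemented_requirement("ia-2", "implemented", "Phishing-resistant MFA enforced for all users."),
        implemented_requirement("sc-7", "partial", "Boundary firewall in place; egress filtering pending."),
        implemented_requirement("au-2", "planned", "Central audit pipeline scheduled for next quarter."),
        # A requirement that names a control but carries no by-component evidence.
        {"uuid": str(uuid.uuid4()), "control-id": "ac-17", "by-components": []},
    ]
    return {
        "system-security-plan": {
            "uuid": str(uuid.uuid4()),
            "metadata": {"title": "Sample SaaS SSP", "oscal-version": "1.1.2"},
            "control-implementation": {
                "description": "Constructed sample for a coverage check.",
                "implemented-requirements": reqs,
            },
        }
    }


def coverage_report(ssp, baseline):
    """Compare implemented-requirements against a baseline control list.

    Returns a dict of lists:
      covered     - at least one by-component has state "implemented"
      partial     - present, but every by-component is partial/planned/other
      no_evidence - listed in the SSP with no by-component at all
      missing     - baseline controls absent from the SSP
      extra       - SSP controls that are not in the baseline
    Multiple implemented-requirements for the same control (several components)
    are merged before the check.
    """
    reqs = ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]
    by_control = {}
    for req in reqs:
        by_control.setdefault(req["control-id"], []).extend(req.get("by-components", []))

    report = {"covered": [], "partial": [], "no_evidence": [], "missing": [], "extra": []}
    for control in baseline:
        comps = by_control.get(control)
        if comps is None:
            report["missing"].append(control)
        elif not comps:
            report["no_evidence"].append(control)
        elif any(c.get("implementation-status", {}).get("state") == "implemented" for c in comps):
            report["covered"].append(control)
        else:
            report["partial"].append(control)
    report["extra"] = sorted(set(by_control) - set(baseline))
    return report


def ready_to_submit(report):
    """Submission-ready only when every baseline control is covered."""
    return not (report["missing"] or report["partial"] or report["no_evidence"])


if __name__ == "__main__":
    # Round-trip through JSON to show the check runs on a plain serialized package.
    ssp = json.loads(json.dumps(build_sample_ssp()))
    rpt = coverage_report(ssp, SAMPLE_BASELINE)
    print(json.dumps(rpt, indent=2))
    print("ready:", ready_to_submit(rpt))
```

Run against the constructed sample, the report shows ac-2 and ia-2 covered, au-2 and sc-7 partial, ac-17 listed with no evidence, and si-4 missing, so the package is not ready. In a real pipeline the same function would run in CI on the OSCAL artifacts generated from the deployed system, with the baseline list taken from the imported profile rather than hard-coded.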

3. The PMO Now Confirms Marketplace Status but Does Not Own Every Authorization Function

The May 2024 FedRAMP changes redrew the governance map. The PMO consolidated control over Marketplace listing and standard-setting, while operational authorization work moved closer to the agencies that actually use the services.

  • JAB replaced by the Board: The May 2024 changes replaced the JAB with the Board and began phasing out the P-ATO path and its associated FedRAMP Connect prioritization process in favor of a single authorization model.
  • ConMon moved to lead agencies: Centralized ConMon oversight for JAB-authorized CSPs was transitioned to designated lead agencies, initially former JAB agencies or FedRAMP, and in some cases later to another agency customer.
  • PMO authority concentrated: The PMO retained or gained sole confirming authority for Marketplace listing, standard-setting in coordination with the Board, Special Reviews of any existing authorization, and Program Authorizations for wide reuse without an agency sponsor.
  • Agencies as primary authorizers: Agencies must sponsor the CSP, issue the ATO, and take on ongoing ConMon responsibility.
  • Unresolved transition paths: FedRAMP proposed a time-limited path for CSPs that have made substantial progress toward Rev5 authorization without an agency sponsor; the specific deadline had not been confirmed in official published sources at the time of writing.

For vendors, this means the agency relationship matters more than ever. Without an agency sponsor willing to issue and maintain the ATO, the PMO's confirmation alone will not get a product onto the Marketplace, which is why some vendors operate within an already-authorized boundary to reduce that dependency.

4. Operational Constraints Are Slowing the PMO's Transition Plan

The PMO's stated direction and operational capacity are misaligned. The FedRAMP workforce declined significantly in September 2025, with most of the reductions occurring on the contractor side, and the program is rolling out 20x while clearing a Rev5 backlog with fewer people.

  • Budget reduction: The GSA FY2026 Congressional Justification shows core operating appropriations that are $21.4 million less than the FY2024 and FY2025 enacted budgets, a 10.5% reduction.
  • Delayed 20x openings: Formal 20x Low and Moderate authorizations were not expected to open until February 2026; until then, Rev5 remained the only authorization path.
  • Extended Rev5 runway: The Rev5 sunset target is Q3 to Q4 2027.
  • Late 20x rules and High pilot: Consolidated 20x rules are not expected until mid-2026, and the 20x High baseline pilot is not expected until Q1-Q2 2027.

With the PMO redefining parts of the program while agencies still issue authorizations, vendors have to decide how much infrastructure and compliance work to carry themselves. What if that burden did not have to sit entirely on the vendor while the operating model is still changing?

A Pre-Authorized Boundary Is the Cleanest Way Through the FedRAMP PMO Transition

The picture above is a moving target: statute is tightening, 20x is reshaping evidence, agencies are carrying more of the authorization burden, and the PMO is doing all of this with a smaller team. Vendors that try to absorb every one of those shifts in-house, while also building their own infrastructure stack, end up rebuilding compliance plumbing every time the PMO publishes new guidance. The faster path is to remove infrastructure from the equation entirely, so the only moving parts a vendor has to manage are those tied to its own application.

Knox Systems offers a FedRAMP-as-a-Service environment built around a pre-authorized boundary covering FedRAMP Moderate, FedRAMP High, and DISA IL-4 (IL-5 authorization in process, estimated December 2026). SaaS vendors inherit a substantial portion of the required Moderate baseline controls, OSCAL-aligned evidence, and ConMon tooling, rather than building the full infrastructure stack themselves. That keeps the September 30, 2026, machine-readable submission deadline and the agency-sponsor dependency from becoming blocking problems, and it absorbs future updates as the PMO folds 20x requirements into Rev5.

Book a meeting to map your authorization path.

FAQs About the FedRAMP PMO

How can vendors contact the FedRAMP PMO directly?

The PMO accepts inbound questions through info@fedramp.gov and publishes program updates, RFCs, and pilot announcements on fedramp.gov. Most substantive engagement, however, happens through an agency sponsor or 3PAO rather than direct vendor-to-PMO communication.

Does the FedRAMP PMO charge vendors a fee for review?

No. The PMO does not charge CSPs for package review or Marketplace designation. Vendor costs come from 3PAO assessments, internal engineering and compliance work, and any agency-side reimbursement arrangements negotiated with a sponsor.

How long does PMO review typically take after a 3PAO assessment is submitted?

There is no published service-level guarantee, and timelines vary with package quality and PMO workload. Historically, reviews have ranged from a few months to over a year, which is part of why the PMO has shifted toward machine-readable submissions to compress the review cycle.

Can a vendor appeal a PMO decision on Marketplace designation?

There is no formal appeals process codified in M-24-15. Vendors can resubmit a corrected package, address PMO findings through their sponsoring agency, or request clarification, but the Director's risk determination is the controlling decision.

Does the PMO interact with the Department of Defense (DoD) authorization process?

The PMO runs the civilian FedRAMP program, while the DoD maintains its own Impact Levels (IL2 through IL6) under the DoD Cloud Computing Security Requirements Guide. FedRAMP Moderate is typically a prerequisite for IL2 reciprocity, but DoD authorizations are issued separately by DoD authorizing officials.