Faster FedRAMP Approvals: Automation & New Pilots

by Priyanka Patel

Irina Denisenko

It’s so hard to get through FedRAMP because, at its core, the program is designed to secure cloud software and the sensitive government data it holds—a mission that began nearly 15 years ago when interacting with the internet still felt risky.

The process of achieving FedRAMP authorization can be surprisingly complex for software and service companies, even those with substantial resources. Irina Denisenko, CEO of Knox Systems, experienced this firsthand. “Even if you have $3 million to spend and a dedicated U.S.-based team, that’s still not enough,” she explained. A crucial hurdle is securing an agency sponsor willing to assume the cyber risk and invest roughly $500,000 in an initial security review and ongoing continuous monitoring—an estimated $250,000 annually.

Denisenko’s company, Knox Systems, now streamlines this process by offering an “inheritance model.” Knox operates the largest FedRAMP managed cloud, hosting customer environments across AWS, Azure, and GCP. Customers then inherit the authorization from sponsoring agencies like the Treasury, the VA, and the Marines, avoiding the significant upfront and ongoing costs associated with individual authorization.

The government’s approach is evolving with the launch of FedRAMP 20X, an initiative from the Office of Management and Budget and the General Services Administration. This program focuses on machine-readable and continuous authorization, aiming to replace manual processes—like reviewing spreadsheets of vulnerabilities—with automated data flows using standards like OSCAL.

Automating Security: The Promise of FedRAMP 20X

The goal is to accelerate the adoption of secure cloud technologies within the government.

  • FedRAMP 20X aims to automate security reporting and reduce manual labor.
  • The initiative emphasizes continuous monitoring and rapid vulnerability notification.
  • Phase I focused on FedRAMP Low; Phase II, starting in 2026, will address FedRAMP Moderate.
  • AI integration is being explored to enhance both productivity and security.
  • The inheritance model, exemplified by Knox Systems, offers a faster path to FedRAMP authorization.

Currently, continuous monitoring often involves manually reviewing spreadsheets of vulnerabilities with agencies. Denisenko highlighted the inefficiency: “We, as a cloud service provider, come with a spreadsheet…and we review that spreadsheet in a meeting with our agencies, and then upload that spreadsheet into a system.” FedRAMP 20X seeks to replace this with real-time, machine-readable reporting, enabling faster identification and remediation of critical vulnerabilities—potentially reducing notification times from 30 days to just minutes.

Phase II of FedRAMP 20X, scheduled to begin in 2026, will focus on FedRAMP Moderate, the authorization level most cloud service offerings require. The success of the initiative hinges on establishing a standardized format for machine-readable security reporting and determining the appropriate role of artificial intelligence.

For companies awaiting the results of FedRAMP 20X, Denisenko recommends exploring the inheritance model offered by companies like Knox Systems and Palantir. “There is a massive, massive premium put on getting innovative technology in the hands of our government faster,” she stated. She emphasized a current window of opportunity, with the administration prioritizing commercial off-the-shelf solutions and accelerating technology adoption.

Denisenko cited Celonis as an example, noting that the company secured three agency implementations within months of achieving FedRAMP authorization through Knox, after a five-year pursuit. “If you want outcomes, you need to get these technologies into the hands of our agencies today,” she concluded.

Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
