Blog

If you develop or sell commercial-off-the-shelf (COTS) technology that ends up in Department of Defense (DoD) environments, there’s a new bar you have to clear. Katie Arrington, the acting DoD CIO has issued a new memo that directly impacts how you manage your software supply chain, and it’s going to change how COTS vendors prepare for procurement.

The FedRAMP 20x pilot marks the most significant shift in federal cloud security in over a decade. Launched in May 2025, the program aims to modernize the authorization process by emphasizing speed, automation, and real-time security validation. For organizations pursuing Low Baseline authorization, the 20x path offers a faster, more efficient entry point into the federal market.

Organizations seeking to work with the US government today must navigate a growing array of compliance requirements. Among the most prominent security frameworks are the Cybersecurity Maturity Model Certification (CMMC) and Federal Risk and Authorization Management Program (FedRAMP), each playing a critical role in securing federal information and systems.

Vulnerability scanning is one of the most critical — and commonly misunderstood — requirements in achieving the Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO). Cloud Service Providers (CSPs) must demonstrate a mature vulnerability management program to meet FedRAMP’s rigorous standards, requiring the right people, processes, and technologies in place.

It's been an exciting past few years for the Schellman penetration testing team. Throughout 2024, our team worked with over 150 clients to support their efforts in securing their businesses. As a lead assessor in the FedRAMP marketplace, Schellman prides ourselves in being able to assess our clients’ systems and helping to identify the vulnerabilities they may have.

Any Cloud Service Provider (CSP) who is familiar with FedRAMP likely knows that presenting an authorization package that includes a non-FedRAMP-authorized external service storing or processing of federal metadata wouldn’t get you very far—it’s likely a showstopper. However, some may not realize that that’s not necessarily the case regarding StateRAMP.

TAMPA, Fla. – March 31, 2025 – Schellman, a leading provider of attestation and compliance services and a top 50 CPA firm, is pleased to announce that Schellman has expanded its offerings to perform cleared assessments for its clients. As an accredited FedRAMP® Third Party Assessment Organization (3PAO), this enables Schellman to perform Department of Defense (DoD) Impact Level 6 (IL6) assessments as well as other NIST-based assessments, SOC 2 examinations, and penetration testing for DoD systems. This milestone strengthens Schellman’s position as a trusted assessment partner for government and defense-related environments.

As more government agencies move sensitive data to the cloud, ensuring security and compliance is of paramount importance. As such, the FedRAMP (Federal Risk and Authorization Management Program) assessment and authorization process is a critical framework to ensure that cloud environments meet federal security standards.