Secureframe Achieves FedRAMP 20x Moderate Authorization

June 25, 2026

Author: Emily Bonnie, Senior Content Marketing Manager

Today we're excited to share that Secureframe meets the FedRAMP® security requirements for 20x Moderate authorization as one of 13 organizations selected to participate in FedRAMP's Phase Two Moderate pilot.

Like our FedRAMP 20x Low authorization, this is more than a compliance milestone. It's proof that the automation-driven approach we've built our platform around can hold up at a much higher bar — one that covers the moderate-impact, moderate-risk federal data that makes up the majority of federal cloud workloads, including systems handling Controlled Unclassified Information (CUI).

"Moderate authorization isn't just the next step after Low, it's proof that automation-first authorization holds up as the stakes get higher," said Shrav Mehta, Founder and CEO at Secureframe. "We built our platform to meet the same high bar, and this is the clearest evidence yet that the model works at scale."

What we learned by participating in the FedRAMP 20x Moderate pilot

FedRAMP 20x Low proved that automation-based validation was possible. Phase Two asked whether that same approach would hold up for moderate-impact systems, where the requirements are deeper, the interdependencies are more complex, and the data is more sensitive.

The Moderate baseline introduces a new KSI theme, Authorization by FedRAMP, that roughly quadruples the validation scope compared to Low. As one of only 13 CSPs selected for the Phase Two pilot, we had to meet these standards by providing persistent validation that pulls evidence directly from production environments and is evaluated continuously rather than at a single point in time. It also meant working closely with FedRAMP throughout the process, through structured workshops and ongoing collaboration with our assessor, Coalfire.

What this means for our customers

This authorization makes us a better partner to every organization working toward federal compliance, in two concrete ways.

First, it strengthens our compliance automation platform. Moderate-level readiness means continuous, production-derived validation infrastructure, the same infrastructure that underpins how we help customers collect evidence, monitor controls, and stay assessment-ready rather than scrambling at the last minute. These capabilities are built and enhanced by going through assessments ourselves, finding the real gaps, and closing them.

Second, it means the guidance we offer customers is rooted in firsthand experience. We know exactly what it takes to move from Low to Moderate, what FedRAMP's collaborative workshop model looks like in practice, and where organizations are most likely to lose time or hit surprises along the way. 

Leading the way in an evolving federal compliance landscape

FedRAMP has indicated that 20x is on track to fully replace the traditional Rev5 Low and Moderate agency authorization process by the middle of FY27, with High following by the end of FY27.

With support for more than 40 frameworks, including FedRAMP, CMMC, NIST 800-53, NIST 800-171, and GovRAMP, we're committed to helping organizations simplify compliance, strengthen security, and succeed in working with the federal government. Achieving FedRAMP 20x Moderate authorization ourselves is the latest proof that we hold our own platform to the same standard we help our customers meet.

If you're working toward FedRAMP 20x or CMMC compliance and want to learn from a team that's been through real-life assessments, reach out to our team to see how we can help.

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.