
FedRAMP 20x: Here’s What We Know About the Goals, Timeline & Results to Date
Anna Fitzgerald
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
Introduced in 2011 and enacted into law in December 2022, the Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to assessing, authorizing, and monitoring cloud services used by US federal agencies to ensure they meet strict security requirements.
Now, FedRAMP is modernizing its authorization process to make it faster and more secure. The latest major iteration of the program, FedRAMP 20x, is designed to meet the needs of the federal market and to use automation to reduce the time and cost currently required for authorization and continuous monitoring.
In this article, we explain why FedRAMP is transforming, what major milestones the program has already hit and what’s still to come, and the impact 20x has already had since it was announced on March 24, 2025.
What is FedRAMP 20x?
FedRAMP 20x is the newest iteration of the FedRAMP program designed to streamline compliance, reduce bureaucracy, and accelerate cloud service adoption using a new authorization process—one that’s cloud-native, simple to automate, and created by and for the industry.
By shifting away from the existing highly bureaucratic and paperwork-based process to an automation-driven compliance framework, FedRAMP 20x aims to accomplish two main objectives:
- Reduce the compliance burden and extremely high costs for cloud service providers (CSPs) to achieve FedRAMP authorization while actually improving security.
- Reduce wait times for FedRAMP reports, audits, and authorization packages for federal agencies seeking cloud services.
Achieving these objectives will not only enable more cutting-edge technologies to support the US government and its missions, it will also help make the American government more efficient and modernized.
Let’s take a closer look at the purpose of this new initiative.
Why is FedRAMP being updated?
Since FedRAMP was enacted into law in 2022, cloud service providers have found the process of achieving and maintaining FedRAMP authorization to be highly manual, time-intensive, costly, and complex.
While FedRAMP authorization is meant to be achievable for all types of organizations, its current model is really only accessible and feasible for enterprise companies with budgets in the hundreds of millions of dollars and GRC teams dedicated solely to it. Most companies don’t even consider FedRAMP authorization because of the cost and level of effort required.
As a result, the FedRAMP Marketplace has not grown quickly enough to keep up with agency demand for new and innovative services, and authorization has been inherently restricted to corporate enterprises.
To address these challenges, FedRAMP 20x is centered on the following five core goals:

1. Make it simple to validate FedRAMP requirements using automation
The primary goal of FedRAMP 20x is to establish a new cloud-native, automated process to validate that CSPs are meeting FedRAMP requirements and authorize them more efficiently than the current process.
Currently, it can take anywhere from 12 to 18 months or more for CSPs to receive an Authority to Operate (ATO) status from an agency due to the extensive documentation and manual review processes. 20x is designed to cut that timeline down to weeks.
The benefit of automating validation is not just speeding up the authorization process—it’s smarter, stronger security.
2. Reduce FedRAMP-specific documentation
The current FedRAMP program has extensive documentation requirements. For example, the FedRAMP System Security Plan (SSP) has 17 appendices, many of which require organizations to use a FedRAMP-provided template. That means that even if an organization already has an information system contingency plan in place to meet the requirement of a best-in-class commercial framework, it may have to create a redundant plan using the FedRAMP-provided Information System Contingency Plan (ISCP) template to achieve compliance with FedRAMP.
A goal of FedRAMP 20x is to reduce the requirements for new documentation—ideally down to a few pages—if a company can provide existing security policies, change management policies, and other documentation. By essentially allowing organizations seeking FedRAMP authorization to “inherit” policies from best-in-class commercial security frameworks they’ve already implemented, 20x aims to reduce the complexity, redundancy, and most tedious aspects of the existing FedRAMP authorization process.
3. Find a simpler, hands-off approach to continuous monitoring
Getting FedRAMP authorized is not a one-and-done achievement. Currently, organizations must meet rigorous continuous monitoring requirements that involve annual reassessments and monthly or otherwise periodic deliverables submitted to the FedRAMP repository to maintain authorization.
FedRAMP 20x wants to make this part of the process more efficient as well, so that it’s easier to achieve and maintain FedRAMP authorization. The aim is to move away from point-in-time security assessments and extensive documentation in favor of automated monitoring, standardized machine-readable documentation, and dashboards. This will make it easier for CSPs to show their security posture, updates, and risks in real time and for agencies to enforce ongoing compliance.
4. Shift to industry-led compliance with community working groups
Rather than have the government continue to dictate how security requirements should be met, FedRAMP 20x wants to place decision-making power into the hands of cloud service providers and agencies through community working groups.
These working groups will be facilitated, but not led, by FedRAMP. They will not follow Federal Advisory Committee Act (FACA) rules or the Federal Register process. Instead, CSPs will propose security standards, automation methods, and monitoring strategies that work for them, and government agencies will validate that these recommendations meet minimum federal requirements.
The goal of this community-driven approach is to build trust between industry and federal agencies and let them decide how best to meet the minimum requirements set by FedRAMP. This should result in procedures and practices that are more agile and aligned with industry best practices than the traditional top-down government oversight approach.
5. Reduce bureaucracy to enable rapid and continuous innovation
The final goal of FedRAMP 20x is to enable rapid and continuous innovation by removing unnecessary oversight and other obstacles (i.e., “artificial checkpoints”) that aren’t actually improving security.
Under this new marketplace model, CSPs will be expected to take on more responsibilities to ensure security is constantly in place and to interact more directly with agencies through dashboards and compliance automation platforms rather than annual security assessments and authorization packages that are “triple checked” by the FedRAMP Program Management Office (PMO).
As a result, FedRAMP staffing and budget have been drastically reduced, and its focus is being limited to setting standards and policies rather than leading the authorization processes.
What are the expected major changes in FedRAMP 20x?
Community working groups will be tasked with implementing changes to FedRAMP 20x to achieve these key goals of automating security assessments and reporting, aligning with industry best practices, shifting responsibilities from FedRAMP to CSPs and agencies, and encouraging ongoing innovation to keep pace with emerging technologies.
FedRAMP is still in the process of collaborating publicly with industry and other stakeholders to decide what those changes will be exactly. But at a high level, here are four key changes to the authorization process that you can expect under the FedRAMP 20x framework:
- Shifting away from manual security assessments and periodic check-ins to real-time, automated monitoring. Rather than requiring CSPs to submit logs and security reports manually to FedRAMP, FedRAMP 20x will require CSPs to offer real-time continuous monitoring, security dashboards, and trust centers directly to their federal customers so they can access this data in real time.
- Replacing redundant government-specific documentation with existing policies from best-in-class commercial security frameworks. Under the new model, CSPs will be able to submit existing security policies, change management policies, and other documentation from widely accepted commercial frameworks, instead of extensive FedRAMP-specific compliance documentation.
- Replacing paper-based security attestations with real-time, automated validation tools. Rather than requiring CSPs to manually describe their security configurations and posture in documents and having humans review them, 20x will allow CSPs to use automation tools to continuously validate compliance so humans are removed from the loop.
- Replacing annual security assessments with real-time security updates. Instead of relying on point-in-time security reviews, agencies under the new 20x model will be able to track security changes in CSPs’ environments in real time via automation.
Timeline for FedRAMP 20x
FedRAMP 20x was only announced at the end of March 2025, and already a lot has happened. While the timeline for this major overhaul of the FedRAMP program is subject to change, you can expect it to continue to move quickly.
The goal of the U.S. General Services Administration (GSA) and the current presidential administration is to overhaul the program quickly and decisively without engaging with Congress or providing an incremental transition from the previous FedRAMP model. Congress is welcome to work with GSA and the public working groups; however, congressional approval is not needed for these updates.
Below are key milestones that have already been achieved in the first six months since FedRAMP 20x was announced—and a look at what’s expected next in the timeline.

March 24, 2025
On March 24, 2025, the new FedRAMP model was announced by director Pete Waterman at an Alliance for Digital Innovation (ADI) event in Washington, D.C.
The FedRAMP website also added a blog and new website pages with more program details, including:
- The FedRAMP 20x page
- The Community Working Groups page
- The FedRAMP 20x Frequently Asked Questions page
Early to Mid-April 2025
Initial Community Working Groups were launched in April to begin working on their key objectives, including defining standards, automation approaches, and security monitoring strategies.
FedRAMP launched the initial four groups incrementally, each focused on a key goal related to FedRAMP 20x:
- Group 1 launched March 31, 2025 to work on Rev5 Continuous Monitoring
- Group 2 launched April 2, 2025 to work on Automating Assessments
- Group 3 launched April 8, 2025 to work on Applying Existing Frameworks
- Group 4 launched April 10, 2025 to work on Continuous Reporting
April 24, 2025
Since the existing Agency Authorization path based on FedRAMP Rev5 baselines was the only active path to FedRAMP authorization at this time—and will continue to remain that way until other paths are finalized—FedRAMP is still responsible for reviewing agency authorized FedRAMP packages.
On April 24, 2025, one month after GSA announced FedRAMP 20x, FedRAMP began reporting the monthly progress of their review team in working through the backlog of pending Rev5 authorizations.
Notable takeaways from this announcement included:
- They authorized 29 new cloud services, bringing the total that year to 73 and pushing the FedRAMP Marketplace past 400 authorized products.
- They authorized another 12 cloud services as FedRAMP Ready or In Process
- As a result of these and other activities, they cleared their review queue down to 25 authorization packages—the smallest it had been since July 2022.
May 29, 2025
The following month, on May 29, 2025, FedRAMP announced that their review queue was down to 11 packages—the lowest of the year.
They also announced they were consolidating the four community working groups into two larger groups focused on specific sub-communities:
- FedRAMP 20x focuses on making the 20x authorization process faster and more efficient using automated validation and existing best practices from commercial security frameworks
- FedRAMP Rev5 focuses on improving and modernizing the existing Rev5 authorization and monitoring processes
May 30, 2025
The next day, on May 30, FedRAMP officially opened the FedRAMP 20x Phase One pilot (20xP1) to the public and began accepting formal submissions.
The goal of this pilot program was to test new strategies for improving the FedRAMP Low authorization process by introducing a reduced set of Key Security Indicators (KSIs) to replace traditional FedRAMP Rev5 baselines as indicators of a CSP’s security posture and readiness. Successful participants in Phase One would receive a 12-month FedRAMP 20x Low authorization and be prioritized for Moderate authorization in future phases of the pilot program.
To support the authorization of cloud services during 20xP1, FedRAMP published two formal FedRAMP Standards which integrated hundreds of public comments. One was the Key Security Indicators (KSIs) and the other was Minimum Assessment Scope, which provides guidance for CSPs to narrowly define information resource boundaries while still including all necessary components.

June 2025
While industry outreach efforts began earlier in the timeline, with senior FedRAMP officials explaining the new approach through public forums on GitHub, Zoom, and industry conferences, June was a high-water mark for community outreach. FedRAMP officials participated in eight events in total, starting with the FINN Cloud Exchange on June 2 and closing out the month with the Paramify Podcast 20x Roundtable on June 30.
The main goal of outreach activities like these is to answer industry questions and gather feedback to continuously refine the 20x framework. This type of community outreach and engagement has continued in the months since, and will continue in the future, with the same goal.
June 17, 2025
The existing FedRAMP standard for Significant Change Requests creates a devastating bottleneck in the current Rev5 authorization process.
On June 17, 2025, FedRAMP published a draft of an updated standard for Significant Change Notification Requirements (Release 25.06A) in the FedRAMP 20x standards repository to be continuously tested and evaluated during the 20x Pilot and ongoing Rev5 Balance Improvement Test. This testing is part of FedRAMP’s mission of working with the community to understand the impact of its new policies and adjust them based on real-world experiences.
June 26, 2025
FedRAMP made several important announcements at the end of June:
- They released a FedRAMP Roadmap to transparently share what activities they have planned, in progress, or recently completed.
- They shared the first four submissions in the 20x Phase One Pilot publicly.
- They provided another record-breaking update on Rev5 authorizations: They had successfully reduced the authorization life cycle to 30 days or less from submission to authorization.
July 30, 2025
By the end of July, FedRAMP authorized the first four cloud services under the 20x Phase One Low pilot (20xP1). This marked a major milestone and provided proof that the new model can deliver authorizations in weeks instead of months.
In fact, that same month, FedRAMP achieved another major milestone: they authorized 114 cloud services in the past six months—more than double the number completed in the entire fiscal year 2024—and brought down the average agency authorization review time to approximately five weeks.
As a result of this faster authorization timeline, FedRAMP saw a surge of interest from CSPs in getting FedRAMP authorized. By the end of July, they had received 69 Rev5 package submissions this fiscal year. Previously, the highest number received in an entire fiscal year was 67 submissions back in FY23.
August 19, 2025
The Phase One pilot officially closed on August 19, 2025 at 11:59 PM ET. At this point, FedRAMP stopped accepting submissions so they could focus on completing the review of all submitted 20xP1 packages.
August 24, 2025
On August 24, 2025, an initial release of the Authorization Data Sharing Standard was published in the FedRAMP 20x standards repository. This standard outlines requirements that will underpin initial pilots for CSPs that want to use trust centers to store and share FedRAMP authorization data with federal agencies.
The goal of these pilots is to replace the current document-based sharing model, which requires FedRAMP to manage and secure a centralized file repository that hosts most information about hundreds of CSPs’ security plans for Low and Moderate FedRAMP authorizations and requires CSPs to repeatedly upload continuous monitoring materials to this FedRAMP repository.
Like other draft standards, this will be continuously tested and evaluated during the 20x pilot and ongoing Rev5 Balance Improvement Test.
A minor revision of Significant Change Notification Requirements (version 25.06B) was also published on this day.
August 25, 2025
On August 25, the GSA and FedRAMP made a joint announcement that FedRAMP will begin prioritizing the authorization of certain “AI-based cloud services that provide access to conversational AI engines designed for routine and repeated use by federal workers,” starting with ChatGPT Enterprise.
Qualifying CSPs must meet all Initial Submission Requirements for the 20x Phase One pilot, but there is no deadline for submission and these CSPs will receive support from the FedRAMP team and FedRAMP Board throughout the process.
By prioritizing the authorization of AI-based cloud services, FedRAMP aims to streamline the adoption of advanced AI capabilities across the federal government so that the government can enhance operational efficiency and innovation while keeping their data secure.
August 28, 2025
At the end of August, FedRAMP reported that 26 CSPs in total had received 20x Low authorization under the Phase One pilot, including Secureframe.
They also announced a major change in their timeline for the pilot program. While the original goal had been to make FedRAMP 20x Low authorizations widely available before starting the Phase Two Moderate pilot (20xP2), they said their plan now is to finalize Phase One by October and Phase Two by December, and then make both the 20x Low and Moderate authorization standards widely available by the end of January.
This decision was made after the interest and participation in 20xP1 made the FedRAMP team realize they do not have the resources to simultaneously open 20x Low authorizations to the public while running Phase Two of the pilot. So instead they will release 20x Low and Moderate authorizations at the same time, just at a later date than originally planned.
September 2025
FedRAMP's KSI team is aiming to finalize updates for KSIs for Moderate authorization under 20xP2 as well as minor changes to Low KSIs and publish both on September 16. Note that changes to the Low KSIs are expected to be minor and primarily revolve around the addition of a few new ones.
There should be more information about Phase Two published on the official FedRAMP website throughout the month, culminating in the official 20xP2 Launch announcement expected on September 24 during the 20x Community Working Group meeting.
Around this time, FedRAMP also aims to publish additional 20x standards for public comment under RFCs. The goal is to set expectations and requirements around using new, automated processes to streamline different parts of the existing Rev5 authorization process, including:
- Vulnerability Detection and Response Standard, which requires CSPs to use automated systems to continuously identify, prioritize, and remediate vulnerabilities, while reporting metrics related to these activities to agencies for ongoing authorization. This combines elements of the previously standalone Continuous Reporting and POA&M standards.
- Collaborative Continuous Monitoring Standard, which aims to formalize a structure where CSPs and agencies share responsibility for joint monitoring.
- Continuous Validation Standard, which aims to establish a framework to assess CSPs’ automation capabilities to validate security controls in real time.
- Recommended Secure Configuration Standard, which aims to formalize secure baselines and recommendations for 20x that will be more conducive to automated assessments than the current process (which relies heavily on a static Customer Responsibility Matrix).
October 2025
The 20xP2 Moderate submission window is now expected to open in mid-October and close in early December.
By the end of October and as part of 20x Phase Two, FedRAMP aims to release the three FedRAMP Standards mentioned above, with each update incorporating all public comments received during the RFC period.
November 2025
In November, if not sooner, FedRAMP expects to kick off an Agency AI Pilot for 20x to align with the AI Prioritization Process announced on August 25.
While more public updates are expected to be made in the coming weeks, this pilot will likely involve working with a few limited early-adopting agencies as well as the FedRAMP Board to assess, review, and authorize AI-based cloud services that are approved for FedRAMP 20x Authorization in Phase One.
January 2026
By the end of January 2026, a new type of automated authorization should be available for 20x Low and Moderate. Once finalized, these standards will be a significant step forward in FedRAMP 20x’s mission of scaling FedRAMP to thousands of services.
While nothing has been formally announced, a pilot for 20x High authorization will likely kick off around this time once the Low and Moderate standards are final.
FedRAMP 20x results and progress in first six months
Less than six months into its rollout, FedRAMP 20x is already showing measurable impact.
In a recent Govcast interview, FedRAMP director Pete Waterman explained that the ultimate goal of FedRAMP 20x is to ensure that the government has access to the same technology that every other commercial business has.
This will require a massive shift in how FedRAMP has previously acted: rather than act as a gatekeeper slowing adoption of commercial technology, it must become a concierge helping agencies tap into the same best-in-class cloud services used across the private sector. This will require more than incremental changes to the existing FedRAMP program—it will require a complete overhaul.
“FedRAMP 20x is a paradigm shift. Instead of taking what is currently being done and improving it incrementally, it’s how do we start from scratch and achieve the same outcome but achieve an exponentially better outcome. You can’t just improve something to make it 50 times better—you have to start over,” said FedRAMP Director Pete Waterman during a Govcast interview on August 26, 2025.
Here are the outcomes FedRAMP 20x has already been able to achieve in less than six months:
- Record-breaking number of authorizations: FedRAMP completed 114 authorizations already in FY25, which is more than double the number completed in FY24.
- Faster authorization timelines: With this record-breaking number in FY25, FedRAMP reduced the average time to authorization from over a year to about five weeks.
- Low authorized cloud services able to enter the federal market through pilot: 26 new cloud services, including Secureframe, were authorized through the 20x Low Pilot. While 26 may not seem that impressive, that’s more cloud services than the rescinded FedRAMP Joint Authorization Board processed in the last four years of its existence combined.
These results show that FedRAMP 20x is already delivering on its promise of faster, smarter, more secure cloud adoption for the federal government.
FedRAMP 20x is expected to continue to expand the size and diversity of the marketplace—likely faster and sooner than we think. With new authorization standards for 20x Low and Moderate expected by early 2026, it’ll soon be feasible for startups, smaller providers, and other previously vulnerable swaths of the cloud services market to sell to the government—without years of upfront investment.
How Secureframe can help you get and stay compliant with FedRAMP over time
Keeping up with the latest changes to compliance requirements like FedRAMP can be challenging. That’s why Secureframe makes it a priority to keep our customers informed about updates that could impact their environment and ensure our platform remains up to date.
With all FedRAMP requirements, controls, and tests already mapped out, we support FedRAMP compliance out-of-the-box. As FedRAMP evolves in 2025 and beyond, Secureframe will continue to align with the latest requirements, ensuring you stay ahead of regulatory changes.
Secureframe offers several key features and capabilities to support FedRAMP compliance, including:
- Government and federal compliance expertise: Our team includes former FedRAMP, FISMA, and CMMC auditors who provide expert guidance at every step, from readiness work before an audit to maintaining compliance and continuous monitoring after the audit.
- Integrations with federal cloud products: Secureframe automates continuous monitoring and evidence collection with integrations for AWS GovCloud and other federal cloud services.
- Continuous monitoring: Our platform continuously monitors your tech stack 24/7 to alert you of non-conformities, making it easier to maintain continuous compliance and a strong security posture. You can specify test intervals and notifications for required regular tasks to maintain FedRAMP compliance.
- Risk Management: Our Risk Register and Risk Management capabilities enable you to track, assess, and mitigate security risks while ensuring proper documentation and ongoing Plan of Action and Milestones (POA&M) maintenance to maintain a FedRAMP-compliant risk management program.
- Vendor Management: Manage third-party risk with automated vendor assessments and due diligence tracking. Secureframe ensures you continuously evaluate vendors' security postures to meet FedRAMP’s supply chain risk management requirements.
- User Access Reviews (UAR): Enforce least privilege and access control best practices with automated user access reviews. Secureframe helps ensure you meet FedRAMP requirements to conduct access reviews regularly and revoke unnecessary access in a timely manner.
- Vulnerability Management: Secureframe integrates with leading vulnerability scanning tools so you can continuously monitor your systems for vulnerabilities and ensure compliance with FedRAMP’s security assessment and remediation requirements.
- Cross-mapping across frameworks: Secureframe simplifies compliance by mapping FedRAMP controls to 40+ other frameworks like NIST 800-53, NIST 800-171, and CJIS—reducing duplicate efforts.
- Trusted partner network: Our relationships with 3PAOs, vCISOs, MSSPs, and other trusted service partners can help further streamline FedRAMP readiness and audits.
- Easier document and policy management: Templated policies, procedures, and SSPs written by former federal auditors can be fully customized to meet your needs. Our enterprise policy management capabilities include POA&M documents, impact assessments, and readiness reports. We're also adding a review and approval workflow for policies, which is a FedRAMP requirement.
- Customizable Trust Center: Showcase your security and compliance posture in real-time to establish transparency and trust and differentiate yourself from competitors through a fully customized Trust Center. Check out ours as an example.
Request a demo today to see how we can help you achieve and maintain FedRAMP 20x compliance over time with confidence.
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.