Introduced in 2011 and enacted into law in December 2022, the Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to assess, authorize, and monitor that cloud services used by US federal agencies are meeting strict security requirements.

Now, FedRAMP is evolving to modernize and improve the current FedRAMP authorization process in order to meet the needs of the market and reduce the time and cost required for authorization and continuous monitoring with automation. The latest major iteration of the program — FedRAMP 20x — was announced today on March 24, 2025. 

In this article, we explain why FedRAMP is transforming, what major changes the program is undergoing, and when you can expect major milestones and implementation phases.

What is FedRAMP 20x?

FedRAMP 20x is the newest iteration of the FedRAMP program designed to streamline compliance, reduce bureaucracy, and accelerate cloud service adoption using a new authorization process that is designed to be cloud-native and simple to automate.

By shifting away from a highly bureaucratic and paperwork-based process to an automation-driven compliance framework, FedRAMP 20x aims to reduce the compliance burden and extremely high costs for cloud service providers (CSPs) and reduce wait times for FedRAMP reports, audits, and authorization packages for federal agencies seeking cloud services. This will in turn help make the American government more efficient and modernized while also enabling cutting-edge technologies to support the US government and its missions. 

What are the expected major changes in FedRAMP 20x?

Working groups will be tasked with implementing changes to FedRAMP 20x to achieve key objectives, including aligning with industry best practices, automating security assessments and reporting, shifting responsibilities from FedRAMP to CSPs and agencies, and encouraging ongoing innovation to keep pace with emerging technologies.

To achieve these objectives, expected key changes include:

• Shifting away from manual, monthly security assessments to real-time, automated monitoring. Rather than requiring CSPs to submit logs and security reports manually to FedRAMP, FedRAMP 20x will require CSPs to offer real-time continuous monitoring, security dashboards, and trust centers directly to their federal customers so they can access this data in real-time.
• Replacing redundant government-specific documentation with best-in-class commercial security frameworks. Under the new model, CSPs will be able to submit existing security policies, change management policies, and other documentation from widely-accepted commercial frameworks , instead of extensive FedRAMP-specific compliance documentation.
• Replacing paper-based security attestations with real-time, automated validation tools. Rather than requiring CSPs to manually describe their security configurations and posture in documents and humans to review them, the new approach allows CSPs to use automation tools to continuously validate compliance.
• Replacing annual security assessments with real-time security updates. Instead of relying on point-in-time security reviews, agencies under the new model will be able to track security changes in CSPs’ environments in real time via automation. 

Timeline for FedRAMP 20x

While the timeline is subject to change, you can expect it to be fast. The U.S. General Services Administration (GSA) and current presidential administration’s goal is to overhaul the program quickly and decisively without engaging with Congress or providing an incremental transition from the previous FedRAMP model. Congress is welcome to work with GSA and the public working groups, however congressional approval is not needed for these updates.

Below are the key milestones and expected implementation phases that have been confirmed.

March 24, 2025

Today, the new FedRAMP model was announced by director Pete Waterman at an Alliance for Digital Innovation (ADI) event in Washington, D.C. The FedRAMP website also added a blog and new website pages with more program details, including:

• The FedRAMP 20x page 
• The Community Working Groups page
• The FedRAMP 20x Engagement page
• The FedRAMP 20x Frequently Asked Questions page 

Late March - Early April 2025

At this time, initial Community Working Groups will be launched to begin working on their key objectives, including defining standards, automation approaches, and security monitoring strategies.

FedRAMP is launching four groups focused on key goals related to FedRAMP 20x incrementally:

• Group 1 launching March 31, 2025 to work on Rev 5 Continuous Monitoring
• Group 2 launching April 2, 2025 to work on Automating Assessments
• Group 3 launching April 8, 2025 to work on Applying Existing Frameworks
• Group 4 launching April 10, 2025 to work on Continuous Reporting

At this stage, industry outreach efforts will also begin and senior FedRAMP officials will explain the new approach through public forums on GitHub, Zoom, and industry conferences. The goal of this phase is to answer industry questions and gather initial feedback to refine the framework.

End of April 2025

By the end of April, the backlog of pending authorizations is expected to be cleared and the FedRAMP Program Management Office (PMO) will continue to process new FedRAMP Rev 5 authorizations based on demand.  

The existing Agency Authorization path based on FedRAMP Rev. 5 baselines will remain the only active path to FedRAMP authorization until other paths are finalized. No changes to this path are planned at this time.

Early 2026

Previously, FedRAMP was updated every few years in alignment with NIST 800-53. So the FedRAMP baselines, controls, documentation, and templates were last updated in 2023 to align with NIST 800-53 Revision 5, which was published in September 2020.

By early 2026, this compliance model of aligning FedRAMP revisions to NIST 800-53 revisions will be replaced by an annual update cycle that resembles software release cycles. The goal of this annual update cycle is to ensure that security requirements evolve in tandem with industry best practices and current cybersecurity standards. So you can expect FedRAMP 2026 to be released sometime in 2026. 

How Secureframe can help you get and stay compliant with FedRAMP over time

Keeping up with the latest changes to compliance requirements like FedRAMP can be challenging. That’s why Secureframe makes it a priority to keep our customers informed about updates that could impact their environment and ensure our platform remains up to date.

With all FedRAMP requirements, controls, and tests already mapped out, we support FedRAMP compliance out-of-the-box. As FedRAMP evolves in 2025 and beyond, Secureframe will continue to align with the latest requirements, ensuring you stay ahead of regulatory changes.

Secureframe offers several key features and capabilities to support FedRAMP compliance, including:

• Government and federal compliance expertise: Our team includes former FedRAMP, FISMA, and CMMC auditors who provide expert guidance at every step, from readiness work before an audit to maintaining compliance and continuous monitoring after the audit.
• Integrations with federal cloud products: Secureframe automates continuous monitoring and evidence collection with integrations for AWS GovCloud and other federal cloud services.
• Continuous monitoring: Our platform continuously monitors your tech stack 24/7 to alert you of non-conformities, making it easier to maintain continuous compliance and a strong security posture. You can specify test intervals and notifications for required regular tasks to maintain FedRAMP compliance. 
• Risk Management: Our Risk Register and Risk Management capabilities enable you to track, assess, and mitigate security risks while ensuring proper documentation and ongoing Plan of Action and Milestones (POA&M) maintenance to maintain a FedRAMP compliant-risk management program.
• Vendor Management: Manage third-party risk with automated vendor assessments and due diligence tracking. Secureframe ensures you continuously evaluate vendors' security postures to meet FedRAMP’s supply chain risk management requirements.
• User Access Reviews (UAR): Enforce least privilege and access control best practices with automated user access reviews. Secureframe helps ensure you meet FedRAMP requirements to conduct access reviews regularly and revoke unnecessary access in a timely manner.
• Vulnerability Management: Secureframe integrates with leading vulnerability scanning tools so you can continuously monitor your systems for vulnerabilities and ensure compliance with FedRAMP’s security assessment and remediation requirements. 
• Cross-mapping across frameworks: Secureframe simplifies compliance by mapping FedRAMP controls to over 40+ other frameworks like NIST 800-53, NIST 800-171, and CJIS—reducing duplicate efforts.
• Trusted partner network: Our relationships with C3PAOs, vCISOs, MSPs, MSSPS, and other trusted service partners can help further streamline FedRAMP readiness and audits. 
• Easier document and policy management: Templated policies, procedures, and SSPs written by former federal auditors can be fully customized to meet your needs. Our enterprise policy management capabilities include POA&M documents, impact assessments, and readiness reports. We're also adding a review and approval workflow for policies, which is a FedRAMP requirement.
• Customizable Trust Center: Showcase your security and compliance posture in real-time to establish transparency and trust and differentiate yourself from competitors through a fully customized Trust Center. Check out ours as an example.

Request a demo today to see how we can help you achieve and maintain FedRAMP 20x compliance over time with confidence.