Introduced in 2011 and enacted into law in December 2022, the Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to assess, authorize, and monitor that cloud services used by US federal agencies are meeting strict security requirements.

Now, FedRAMP is evolving to modernize the current FedRAMP authorization process to make it faster and more secure. The latest major iteration of the program—FedRAMP 20x—is designed to meet the needs of the federal market and reduce the time and cost currently required for authorization and continuous monitoring with automation. 

In this article, we explain why FedRAMP is transforming, what major milestones the program has already hit and what’s still to come, and the impact 20x has already had since it was announced on March 24, 2025.

What is FedRAMP 20x?

FedRAMP 20x is the newest iteration of the FedRAMP program designed to streamline compliance, reduce bureaucracy, and accelerate cloud service adoption using a new authorization process—one that’s cloud-native, simple to automate, and created by and for the industry.

By shifting away from the existing highly bureaucratic and paperwork-based process to an automation-driven compliance framework, FedRAMP 20x aims to accomplish two main objectives:

1. Reduce the compliance burden and extremely high costs for cloud service providers (CSPs) to achieve FedRAMP authorization while actually improving security
2. Reduce wait times for FedRAMP reports, audits, and authorization packages for federal agencies seeking cloud services. 

Achieving these objectives will not only enable more cutting-edge technologies to support the US government and its missions, it will also help make the American government more efficient and modernized.

Let’s take a closer look at the purpose of this new initiative. 

What are the expected major changes in FedRAMP 20x?

Community working groups will be tasked with implementing changes to FedRAMP 20x to achieve these key goals of automating security assessments and reporting, aligning with industry best practices, shifting responsibilities from FedRAMP to CSPs and agencies, and encouraging ongoing innovation to keep pace with emerging technologies.

FedRAMP is still in the process of collaborating publicly with industry and other stakeholders to decide what those changes will be exactly. But at a high level, here are four key changes to the authorization process that you can expect under the FedRAMP 20x framework:

• Shifting away from manual security assessments and periodic check-ins to real-time, automated monitoring. Rather than requiring CSPs to submit logs and security reports manually to FedRAMP, FedRAMP 20x will require CSPs to offer real-time continuous monitoring, security dashboards, and trust centers directly to their federal customers so they can access this data in real-time.
• Replacing redundant government-specific documentation with existing policies from best-in-class commercial security frameworks. Under the new model, CSPs will be able to submit existing security policies, change management policies, and other documentation from widely-accepted commercial frameworks, instead of extensive FedRAMP-specific compliance documentation.
• Replacing paper-based security attestations with real-time, automated validation tools. Rather than requiring CSPs to manually describe their security configurations and posture in documents and having humans review them, 20x will allow CSPs to use automation tools to continuously validate compliance so humans are removed from the loop.
• Replacing annual security assessments with real-time security updates. Instead of relying on point-in-time security reviews, agencies under the new 20x model will be able to track security changes in CSPs’ environments in real time via automation. 

Timeline for FedRAMP 20x

FedRAMP 20x was only announced at the end of March 2025, and already a lot has happened. While the timeline for this major overhaul of the FedRAMP program is subject to change, you can expect it to continue to move quickly.

The U.S. General Services Administration (GSA) and current presidential administration’s goal is to overhaul the program quickly and decisively without engaging with Congress or providing an incremental transition from the previous FedRAMP model. Congress is welcome to work with GSA and the public working groups, however congressional approval is not needed for these updates.

Below are key milestones that have already been achieved in the first six months since FedRAMP 20x was announced—and a look at what’s expected next in the timeline. 

March 24, 2025

On March 24, 2025, the new FedRAMP model was announced by director Pete Waterman at an Alliance for Digital Innovation (ADI) event in Washington, D.C.

The FedRAMP website also added a blog and new website pages with more program details, including:

• The FedRAMP 20x page 
• The Community Working Groups page
• The FedRAMP 20x Frequently Asked Questions page 

Early to Mid-April 2025

Initial Community Working Groups were launched in April to begin working on their key objectives, including defining standards, automation approaches, and security monitoring strategies.

FedRAMP initially launched four groups focused on key goals related to FedRAMP 20x incrementally:

• Group 1 launched March 31, 2025 to work on Rev5 Continuous Monitoring
• Group 2 launched April 2, 2025 to work on Automating Assessments
• Group 3 launched April 8, 2025 to work on Applying Existing Frameworks
• Group 4 launched April 10, 2025 to work on Continuous Reporting

April 24, 2025

Since the existing Agency Authorization path based on FedRAMP Rev5 baselines was the only active path to FedRAMP authorization at this time—and will continue to remain that way until other paths are finalized—FedRAMP is still responsible for reviewing agency authorized FedRAMP packages.

On April 24, 2025, one month after GSA announced FedRAMP 20x, FedRAMP began reporting the monthly progress of their review team in working through the backlog of pending Rev5 authorizations. 

Notable takeaways from this announcement included:

• They authorized 29 new cloud services, bringing the total that year to 73 and having the FedRAMP Marketplace surpass 400 authorized products 
• They authorized another 12 cloud services as FedRAMP Ready or In Process
• As a result of these and other activities, they cleared their review queue down to 25 authorization packages—the smallest it had been since July 2022.

May 29, 2025

Next month, on May 29, 2025, FedRAMP announced that their review queue was down to 11 packages—the lowest of the year. 

They also announced they were consolidating the four community working groups into two larger groups focused on specific sub-communities:

• FedRAMP 20x focuses on making the 20x authorization process faster and more efficient using automated validation and existing best practices from commercial security frameworks
• FedRAMP Rev5 focuses on improving and modernizing the existing Rev5 authorization and monitoring processes

May 30, 2025

The next day, on May 30, FedRAMP officially opened the FedRAMP 20x Phase One pilot (20xP1) to the public and began accepting formal submissions. 

The goal of this pilot program was to test new strategies for improving the FedRAMP Low authorization process by introducing a reduced set of Key Security Indicators (KSIs) to replace traditional FedRAMP Rev5 baselines as indicators of a CSP’s security posture and readiness. Successful participants in Phase One would receive a 12-month FedRAMP 20x Low authorization and be prioritized for Moderate authorization in future phases of the pilot program.

To support the authorization of cloud services during 20xP1, FedRAMP published two formal FedRAMP Standards which integrated hundreds of public comments. One was the Key Security Indicators (KSIs) and the other was Minimum Assessment Scope, which provides guidance for CSPs to narrowly define information resource boundaries while still including all necessary components.

June 2025

While industry outreach efforts began earlier in the timeline, with senior FedRAMP officials explaining the new approach through public forums on GitHub, Zoom, and industry conferences, 

June was a high watermark for community outreach. FedRAMP officials participated in eight events in total, starting with the FINN Cloud Exchange on June 2 and closing out the month with the Paramify Podcast 20x Roundtable on June 30. 

The main goal of outreach activities like these is to answer industry questions and gather feedback to continuously refine the 20x framework. This type of community outreach and engagement has continued in the preceding months—and will continue to do so in the future—with the same goal. 

June 17, 2025

The existing FedRAMP standard for Significant Change Requests creates a devastating bottleneck in the current Rev5 authorization process. 

On June 17, 2025, FedRAMP published a draft of an updated standard for Significant Change Notification Requirements (Release 25.06A) in the FedRAMP 20x standards repository to be continuously tested and evaluated during the 20x Pilot and ongoing Rev5 Balance Improvement Test. This testing is part of FedRAMP’s mission of working with the community to understand the impact of its new policies and adjust them based on real-world experiences.

June 26, 2025

FedRAMP made several important announcements at the end of June:

• They released a FedRAMP Roadmap to transparently share what activities they have planned, in progress, or recently completed. 
• They shared the first four submissions in the 20x Phase One Pilot publicly.
• They provided another record-breaking update on Rev5 authorizations: They had successfully reduced the authorization life cycle to 30 days or less from submission to authorization.

July 30, 2025

By the end of July, FedRAMP authorized the first four cloud services under the 20x Phase One Low pilot (20xP1). This marked a major milestone and provided proof that the new model can deliver authorizations in weeks instead of months.

In fact, that same month, FedRAMP achieved another major milestone: they authorized 114 cloud services in the past six months—more than double the number completed in the entire fiscal year 2024—and brought down the average agency authorization review time to approximately five weeks.

As a result of this faster authorization timeline, FedRAMP saw a surge of interest from CSPs in getting FedRAMP authorized. By the end of July, they had received 69 Rev5 package submissions this fiscal year. Previously, the highest number received in an entire fiscal year was 67 submissions back in FY23.

August 19, 2025

Phase One Pilot officially closed on August 19, 2025 at 11:59PM ET. At this point, FedRAMP no longer accepted submissions so they could focus on completing the review of all submitted 20xP1 packages.

August 24, 2025

On August 24, 2025, an initial release of the Authorization Data Sharing Standard was published in the FedRAMP 20x standards repository. This standard outlines requirements that will underpin initial pilots for CSPs that want to use trust centers to store and share FedRAMP authorization data with federal agencies. 

The goal of these pilots is to replace the current document-based sharing model, which requires FedRAMP to manage and secure a centralized file repository that hosts most information about hundreds of CSPs’ security plans for Low and Moderate FedRAMP authorizations and requires CSPs to repeatedly upload continuous monitoring materials to this FedRAMP repository. 

Like other draft standards, this will be continuously tested and evaluated during the 20x pilot and ongoing Rev5 Balance Improvement Test.  

A minor revision of Significant Change Notification Requirements (version 25.06B ) was also published on this day.

August 25, 2025

On August 25, the GSA and FedRAMP made a joint announcement that FedRAMP will begin prioritizing the authorization of certain “AI-based cloud services that provide access to conversational AI engines designed for routine and repeated use by federal workers,” starting with ChatGPT Enterprise. 

Qualifying CSPs must meet all Initial Submission Requirements for the 20x Phase One pilot, but there is no deadline for submission and these CSPs will receive support from the FedRAMP team and FedRAMP Board throughout the process. 

By prioritizing the authorization of AI-based cloud services, FedRAMP aims to streamline the adoption of advanced AI capabilities across the federal government so that the government can enhance operational efficiency and innovation while keeping their data secure.

August 28, 2025

At the end of August, FedRAMP reported that 26 CSPs in total got 20x Low authorized under the Phase One pilot, including Secureframe. 

They also announced a major change in their timeline for the pilot program. While the original goal had been to make FedRAMP 20x Low authorizations widely available before starting the Phase Two Moderate pilot (20xP2), they said now their plan is to finalize Phase One by October and Phase Two by December, and then make both the 20x Low and Moderate authorization standards widely available by end of January. 

This decision was made after the interest and participation in 20xP1 made the FedRAMP team realize they do not have the resources to simultaneously open 20x Low authorizations to the public while running Phase Two of the pilot. So instead they will release 20x Low and Moderate authorizations at the same time, just at a later date than originally planned. 

September 2025

FedRAMP's KSI team is aiming to finalize updates for KSIs for Moderate authorization under 20xP2 as well as minor changes to Low KSIs and publish both on September 16. Note that changes to the Low KSIs are expected to be minor and primarily revolve around the addition of a few new ones.

There should be more information about Phase Two published on this page of the official FedRAMP website throughout the month, culminating in the official 20xP2 Launch announcement expected on September 24 during the 20x Community Working Group meeting.

Around this time, FedRAMP also aims to publish additional 20x standards for public comment under RFCs. The goal is to set expectations and requirements around using new, automated processes to streamline different parts of the existing Rev5 authorization process, including:

• Vulnerability Detection and Response Standard which requires CSPs to use automated systems to continuously identify, prioritize, and remediate vulnerabilities, while reporting metrics related to these activities to agencies for ongoing authorization. This combines elements of the previously standalone Continuous Reporting and POA&M standards.
• Collaborative Continuous Monitoring Standard which aims to formalize a structure where CSPs and agencies share responsibility for joint monitoring
• Continuous Validation Standard which aims to establish a framework to assess CSPs’ automation capabilities to validate security controls in real-time 
• Recommended Secure Configuration Standard which aims to formalize secure baselines and recommendations for 20x that will be more conducive to automated assessments than the current process (which relies heavily on a static Customer Responsibility Matrix)

October 2025

The 20xP2 Moderate submission window is now expected to open in mid-October and close in early December. 

By the end of October and as part of 20x Phase Two, FedRAMP aims to release the three FedRAMP Standards mentioned above, with each update incorporating all public comments received during the RFC period.

November 2025

In November, if not sooner, FedRAMP expects to kick off an Agency AI Pilot for 20x to align with the AI Prioritization Process announced on August 25. 

While more public updates are expected to be made in the coming weeks, this pilot will likely involve working with a few limited early-adopting agencies as well as the FedRAMP Board to assess, review, and authorize AI-based cloud services that are approved for FedRAMP 20x Authorization in Phase One.

January 2026

By the end of January 2026, a new type of automated authorization should be available for 20x Low and Moderate. Once finalized, these standards will be a significant step forward in FedRAMP 20x’s mission of scaling FedRAMP to thousands of services. 

While nothing has been formally announced, a pilot for 20x High authorization will likely kick off around this time once the Low and Moderate standards are final. 

FedRAMP 20x results and progress in first six months

Less than six months into its rollout, FedRAMP 20x is already showing measurable impact.

In a recent Govcast interview, FedRAMP director Pete Waterman explained that the ultimate goal of FedRAMP 20x is to ensure that the government has access to the same technology that every other commercial business has. 

This will require a massive shift in how FedRAMP has previously acted: rather than act as a gatekeeper slowing adoption of commercial technology, it must become a concierge helping agencies tap into the same best-in-class cloud services used across the private sector. This will require more than incremental changes to the existing FedRAMP program—it will require a complete overhaul.

Here are the outcomes FedRAMP 20x has already been able to achieve in less than six months:

• Record-breaking number of authorizations: FedRAMP completed 114 authorizations already in FY25, which is more than double the number completed in FY24. 
• Faster authorization timelines: With this record breaking number in FY25, FedRAMP reduced the average time to authorization from over a year to about five weeks.
• Low authorized cloud services able to enter the federal market through pilot: 26 new cloud services, including Secureframe, were authorized through the 20x Low Pilot. While 26 may not seem that impressive, that’s more cloud services than the rescinded FedRAMP Joint Authorization Board processed in the last four years of its existence combined.

These results show that FedRAMP 20x is already delivering on its promise of faster, smarter, more secure cloud adoption for the federal government. 

FedRAMP 20x is expected to continue to expand the size and diversity of the marketplace—likely faster and sooner than we think. With new authorization standards for 20x Low and Moderate expected by early 2026, it’ll soon be feasible for startups, smaller providers, and other previously vulnerable swaths of the cloud services market to sell to the government—without years of upfront investment.

How Secureframe can help you get and stay compliant with FedRAMP over time

Keeping up with the latest changes to compliance requirements like FedRAMP can be challenging. That’s why Secureframe makes it a priority to keep our customers informed about updates that could impact their environment and ensure our platform remains up to date.

With all FedRAMP requirements, controls, and tests already mapped out, we support FedRAMP compliance out-of-the-box. As FedRAMP evolves in 2025 and beyond, Secureframe will continue to align with the latest requirements, ensuring you stay ahead of regulatory changes.

Secureframe offers several key features and capabilities to support FedRAMP compliance, including:

• Government and federal compliance expertise: Our team includes former FedRAMP, FISMA, and CMMC auditors who provide expert guidance at every step, from readiness work before an audit to maintaining compliance and continuous monitoring after the audit.
• Integrations with federal cloud products: Secureframe automates continuous monitoring and evidence collection with integrations for AWS GovCloud and other federal cloud services.
• Continuous monitoring: Our platform continuously monitors your tech stack 24/7 to alert you of non-conformities, making it easier to maintain continuous compliance and a strong security posture. You can specify test intervals and notifications for required regular tasks to maintain FedRAMP compliance. 
• Risk Management: Our Risk Register and Risk Management capabilities enable you to track, assess, and mitigate security risks while ensuring proper documentation and ongoing Plan of Action and Milestones (POA&M) maintenance to maintain a FedRAMP compliant-risk management program.
• Vendor Management: Manage third-party risk with automated vendor assessments and due diligence tracking. Secureframe ensures you continuously evaluate vendors' security postures to meet FedRAMP’s supply chain risk management requirements.
• User Access Reviews (UAR): Enforce least privilege and access control best practices with automated user access reviews. Secureframe helps ensure you meet FedRAMP requirements to conduct access reviews regularly and revoke unnecessary access in a timely manner.
• Vulnerability Management: Secureframe integrates with leading vulnerability scanning tools so you can continuously monitor your systems for vulnerabilities and ensure compliance with FedRAMP’s security assessment and remediation requirements. 
• Cross-mapping across frameworks: Secureframe simplifies compliance by mapping FedRAMP controls to over 40+ other frameworks like NIST 800-53, NIST 800-171, and CJIS—reducing duplicate efforts.
• Trusted partner network: Our relationships with C3PAOs, vCISOs, MSPs, MSSPS, and other trusted service partners can help further streamline FedRAMP readiness and audits. 
• Easier document and policy management: Templated policies, procedures, and SSPs written by former federal auditors can be fully customized to meet your needs. Our enterprise policy management capabilities include POA&M documents, impact assessments, and readiness reports. We're also adding a review and approval workflow for policies, which is a FedRAMP requirement.
• Customizable Trust Center: Showcase your security and compliance posture in real-time to establish transparency and trust and differentiate yourself from competitors through a fully customized Trust Center. Check out ours as an example.

Request a demo today to see how we can help you achieve and maintain FedRAMP 20x compliance over time with confidence.