When Pete Waterman, director of the FedRAMP program, said the goal of FedRAMP 20x was "to make authorization better, faster, and cheaper," it resonated with us immediately. Not because it was catchy, but because it reflected what we've been working on at Secureframe for dozens of security frameworks.

Our mission is to provide an automation-first approach that empowers our customers to achieve real security outcomes and prove it over time, without the traditional burden of manual and paperwork-based processes that made compliance so costly, complex, and inefficient.

So we decided to put our own platform through FedRAMP 20x, first as one of the earliest participants in the Phase One pilot to achieve 20x Low Authorization and now as part of the Phase Two Moderate pilot. This wasn't a vanity exercise or marketing ploy. It was a way of validating our automation capabilities and demonstrating our commitment to the federal market.

Here’s what we’ve learned so far.

How FedRAMP 20x is different from other frameworks

Traditional compliance frameworks allow for flexibility in how organizations demonstrate compliance. FedRAMP 20x is different because it prioritizes automation and continuous monitoring as much as possible.

"While you can comply with frameworks like SOC 2 or ISO 27001 in many different ways, 20x has specific requirements around automation and continuous validation, which required us to change some of our internal processes,” Cavan Leung, Senior Compliance Manager at Secureframe notes. 

Security goals had to be defined first, then proven continuously—not documented after the fact.

This required deep collaboration across our product, engineering, platform and infrastructure, security, and compliance teams. 

For many organizations, 20x will require a fundamental shift in how their teams operate and approach security and compliance. It's not just about tools. It's about letting go of "documentation completeness" and completed assessments as the primary measure of success and embracing persistent and automated validation instead.

What "automation-first" actually means in practice for 20x 

FedRAMP 20x isn't just the traditional FedRAMP Agency Authorization path with fewer controls. It's a fundamentally different assessment model that emphasizes continuous validation over narrative-based assessments.

In practice, this means:

1. A large percentage of configuration validation is automated.

Instead of writing hundreds of pages of documentation explaining how systems are configured to meet prescribed requirements, we demonstrated that security controls are implemented and working as intended through real-time evidence of configuration settings that is pulled automatically and continuously from our environment.

2. Policy is treated as code.

A pillar of 20x is automating the creation of KSI validation by code, not human-written narratives. So instead of providing screenshots, point-in-time tests, or static documentation that would still require manual reviews by humans to validate KSI requirements, we focused on providing automated checks and machine-readable data that validate that our technical systems enforce and meet these requirements over time.

3. Continuous monitoring and real-time data replace periodic manual reviews.

Rather than submitting point-in-time assessments or static documentation that's outdated the moment it's submitted, we used automated monitoring and dashboards to share ongoing, machine-readable validation data that reflected our actual, current security posture throughout the authorization lifecycle.

"Because of the alignment between what 20x asks for—more automation, more real-time data, more modern approaches—and what our platform delivers, our journey was smoother than it might be for companies not in the GRC platform space," says Shrav Mehta, Founder and CEO of Secureframe.

What Phase Two Moderate actually demands

FedRAMP designed Phase One so participants needed limited engineering lift and could meet many requirements with existing tooling. Phase Two is fundamentally different.

"It requires significant engineering lift, including custom automation and persistent validation capabilities," says Leung. "The requirements are more robust, which has required us to make our internal processes more robust as well. However we've been able to leverage many of our platform's capabilities to make this transition more manageable than it would be otherwise."

This isn't about adding more controls. It's about demonstrating a higher level of assurance through continuous validation. For organizations considering FedRAMP 20x at the Moderate level, the question isn't just "Do we have the right tools?" It's "Can our engineering and security teams build and maintain persistent validation at scale?"

The distinction matters. Tools can automate evidence collection. But continuous validation requires architectural decisions, engineering commitment, and cultural alignment around security as an ongoing practice rather than a point-in-time achievement.

“We've proven our platform was strong in Phase One, and we're making it even stronger in Phase Two,” explains Leung.

Why 3PAO partnership matters more, not less

One common misconception about FedRAMP 20x is that automation reduces the need for a skilled 3PAO. The opposite is true.

"Given the ambiguity inherent in a pilot program, having a partner like Coalfire who could navigate this uncharted territory with us while maintaining the rigor of an independent assessment was crucial," says Leung. 

Phase One was more straightforward so Coalfire operated strictly as an independent auditor. But with Phase Two, the relationship has evolved significantly.

"The higher assurance requirements of 20x Moderate demand tighter collaboration between organizations and their assessors. FedRAMP explicitly allows assessors to share advice with providers about techniques and procedures that will improve security posture or the effectiveness of security validation and reporting, as long as it doesn't compromise assessment objectivity," Leung explains.

“Now, if we have questions about how to implement certain requirements or want Coalfire's perspective on how to interpret them, they can actually weigh in and help guide us."

20x isn't a reduction in rigor and automation doesn’t eliminate the need for expertise. It raises the bar for what’s expected of cloud service providers and assessors and what that partnership looks like.

What FedRAMP 20x changes long-term for government authorizations

The shift FedRAMP 20x represents goes beyond process improvement. It's a fundamental change in what government authorization looks like.

"The traditional FedRAMP model required an agency sponsor just to start the process," Leung explains. "Under 20x, cloud service providers can pursue authorization directly through FedRAMP without needing an agency sponsor. The FedRAMP Marketplace allows agencies to search for the vendor tools they need and gives agencies the power to assess risk themselves based on the standardized security information vendors provide."

But the operational shift is even more significant.

"From an operational perspective, the emphasis on continuous validation rather than periodic, point-in-time assessments changes everything," says Leung. "Organizations will need to build security programs that can demonstrate compliance continuously, not just during audit season. This is a higher bar, but it's also a more honest representation of an organization's actual security posture. I think other compliance frameworks will start moving in this direction as they see the benefits of this approach."

Mehta sees this as part of a broader convergence: "I believe FedRAMP 20x will fundamentally shift more cloud security and government authorization models toward an automation-first approach in order to achieve the same meaningful reductions in manual reviews, static documentation, and point-in-time assessments that made traditional FedRAMP authorization burdensome, cost-intensive, and slow. The distinction between cloud security for federal agencies and contractors versus the private sector will continue to diminish."

What this means for CSPs in the federal market

Whether you’re already in the federal market or considering entering it, FedRAMP 20x will soon replace the traditional FedRAMP Rev5 Agency Authorization path.

Here’s what you need to know to prepare for the future of cloud security:

• Automation isn't optional. This isn't a traditional FedRAMP authorization with a lighter control set. It's a different assessment model that requires continuous validation capabilities.
• Assessor partnership matters more, not less. Choose a 3PAO with deep federal experience and a willingness to navigate ambiguity collaboratively.
• Expect significant engineering lift. Budget for custom automation, persistent validation, and cross-functional collaboration between security, compliance, and engineering teams.
• The cultural shift is real. Moving from documentation completeness to continuous assurance requires organizational change, not just tooling.

The good news? The result is a more honest, more efficient, and ultimately more secure approach to federal authorization. FedRAMP 20x isn't just making authorization faster. It's making it better.

Ready to explore FedRAMP 20x for your organization? Learn more about simplifying 20x with Secureframe and how we're helping cloud service providers navigate the future of federal compliance.