The FedRAMP 20x Phase Two Moderate Pilot Explained and What’s Ahead
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
FedRAMP 20x Phase Two marks a major milestone in modernizing federal cloud security. Building on the success of the 20x Low pilot, this next phase will test automation-driven assessments for Moderate systems and set the foundation for public authorizations going into 2026.
Here’s what cloud service providers need to know about the goals, requirements, and timeline of FedRAMP 20x Phase Two, and how to prepare for what’s next.
From pilot to progress: Where FedRAMP 20x stands today
When FedRAMP 20x was announced earlier this year, it signaled the start of a major shift in how the federal government assesses and authorizes cloud services. The 20x Phase One Pilot tested whether automated, machine-readable data could streamline much of the manual review and documentation that has long slowed down traditional FedRAMP authorizations.
Through this first phase, FedRAMP introduced several key innovations. Cloud service providers participating in the pilot used automated reporting, continuous validation, and measurable Key Security Indicators (KSIs) to prove that core controls were implemented and working in real time. FedRAMP’s goal wasn’t just faster reviews; it was to build a model that reflects how modern cloud environments actually operate.
While participation in Phase One was limited, it demonstrated that automation-based reviews could significantly accelerate the authorization timeline without compromising security. Lessons learned from those pilots directly shaped the standards and expectations for the next phase of the program.
Now, with Phase One complete, FedRAMP is moving into Phase Two, a limited pilot focused on Moderate-impact systems. This phase will test whether the automation-based approach can scale to more complex environments and lay the groundwork for full public adoption in 2026.
The goals of FedRAMP 20x Phase Two
FedRAMP 20x Phase Two builds on Phase One by expanding the model to include Moderate-impact systems and introducing more structured requirements. Each of its goals reflects a deliberate step toward making automation-driven authorization viable across the entire program.
Validate automation at the Moderate level
Phase Two will determine whether the efficiencies achieved at the Low baseline can be replicated for Moderate systems, where the number of controls, interdependencies, and data sensitivities increase substantially. The goal is to confirm that continuous, automated validation can provide the same or greater assurance than traditional manual assessment methods.
Refine and standardize the 20x framework
FedRAMP is using feedback from Phase One to finalize standards for automation, data exchange, and evidence collection. The agency wants a consistent, measurable framework that any CSP or assessor can apply, ensuring transparency and predictability across all authorizations.
Prove scalability and collaboration
A central aim of Phase Two is to test how multiple CSPs, 3PAOs, and agencies can operate within a shared, automated environment. By demonstrating interoperability between differing compliance and security tools as well as trust centers, FedRAMP can confirm that continuous authorization isn’t limited to a few early adopters; it can work across the entire ecosystem.
Prepare for the 2026 wide release
Finally, Phase Two is the bridge to public availability. FedRAMP will use the results to finalize the 2026 standards, address implementation challenges, and ensure federal agencies are ready to evaluate automated authorization data at scale.
Participation, standards, and requirements for the Phase Two Pilot
Phase Two introduces a new level of rigor and structure compared to the experimental Phase One pilot. While participation will remain limited, the lessons learned here will define the future of FedRAMP authorizations and shape how all CSPs pursue compliance in 2026 and beyond.
Participation criteria
Phase Two is not open to the public. FedRAMP will accept roughly 10 Moderate pilot submissions to optimize delivery and gather detailed feedback before the program expands. Submissions received after the first 10 qualifying entries will be prioritized for review in Phase Three.
To participate, a cloud service must meet one of the following criteria:
1. Submitted a complete package for Phase One that was not rejected or withdrawn.
2. Meets all FedRAMP AI Prioritization criteria.
3. Offers GRC automation capabilities that can consume FedRAMP 20x machine-readable data and enable ongoing authorization review.
4. Provides a FedRAMP-compatible trust center that aligns with 20x sharing requirements.
Providers who believe they qualify under criteria 3 or 4 must demonstrate those capabilities and confirm readiness to meet Phase Two authorization requirements by December 2025.
Required standards and documentation
To submit for Phase Two, CSPs and assessors must address every requirement and recommendation in the finalized 20x Phase Two standards. They must either show how each is implemented, share a plan to complete it within six months, or explain why a recommendation does not apply.
The required standards include:
- A Minimum Assessment Standard (MAS) document providing a concise summary of control implementation and supporting evidence for initial review.
- Validation of Key Security Indicators (KSIs), with at least 70% verified automatically from the production environment. Policy documents alone are not acceptable.
- Demonstrations of Significant Change Notifications (SCNs), showing how the provider will alert FedRAMP and agencies to major updates or incidents.
- Evidence of alignment with the Authorization Data and Sharing Standard, ensuring 20x package data is stored and shared according to FedRAMP’s security and transparency requirements.
- A Vulnerability Detection and Response (VDR) report from the production environment, plus a sample report demonstrating how vulnerabilities are discovered, categorized, and remediated.
One of the most substantial changes is the elimination of the traditional Plan of Action and Milestones (POA&M). In its place, providers will label any unresolved issues as accepted weaknesses, which agencies can integrate into their own risk management plans. This update is part of the new Vulnerability Detection and Response (VDR) Standard, which also supersedes all existing FedRAMP requirements, control statements, and guidelines related to vulnerability scanning or formal POA&Ms. Providers that have adopted this new standard with FedRAMP approval may disregard these legacy requirements. Collectively, these changes represent a broader shift from static, document-based compliance toward a new model built on collaborative, ongoing risk transparency.
What’s next: Updated timeline and public comment
The recent government shutdown has temporarily delayed the start of the FedRAMP 20x Phase Two pilot. According to the FedRAMP PMO, all Phase Two requirements will now be finalized and the submission window will open approximately 3-4 weeks after the government reopens. The submission window will remain open for roughly two months before closing. Successful participants will be eligible for a 12-month FedRAMP 20x Moderate authorization.
While specific dates are still being confirmed, the overall structure of the FedRAMP 20x program is unchanged. Phase Two will continue as a limited Moderate pilot, targeting around ten authorizations. Once the pilot concludes, FedRAMP will use the results to finalize the 2026 standards that define the official 20x authorization path.
Phase Three will focus on preparing for broad adoption, refining documentation, and ensuring federal agencies are equipped to review automated authorization data. Phase Four will open FedRAMP 20x Low and Moderate authorizations to all CSPs, marking the program’s full transition to the new model.
For CSPs that earn a FedRAMP 20x authorization, compliance does not stop at authorization. Providers will be required to adhere to continuous monitoring standards and report on their security posture regularly (typically on a monthly or quarterly cadence) using automated, machine-readable evidence. These updates will allow FedRAMP and federal agencies to maintain real-time visibility into each system’s ongoing security and risk posture.
As FedRAMP notes in its recent update, all dates and milestones are subject to change based on real-world impacts. The official FedRAMP Public Roadmap is updated every two weeks and remains the best source for the latest timelines and progress updates.
Several standards remain open for public comment and are expected to be finalized shortly before Phase Two opens:
- RFC-0014: Phase Two Key Security Indicators (adds five new Moderate KSIs).
- RFC-0015: Recommended Secure Configuration Standard (defines secure configuration practices consistent with FedRAMP baselines).
- RFC-0016: Collaborative Continuous Monitoring Standard (outlines joint monitoring between CSPs and agencies).
- RFC-0017: Persistent Validation and Assessment Standard (expands on continuous validation using automation).
Despite the delay, the trajectory of the FedRAMP program is unchanged: by 2026, continuous, data-driven authorization will be the new standard for federal cloud security.

Our take: What to expect for FedRAMP 20x Moderate and how to prepare
While Phase Two standards are still being finalized, several trends are clear from public drafts and roadmap discussions. Providers pursuing 20x Moderate should prepare for:
Greater control depth and automation coverage
Where 20x Low focused on proof-of-concept automation, Moderate systems will require more automation and broader evidence collection across technical controls, especially those tied to configuration management, vulnerability remediation, and identity assurance.
Integration of AI and data governance expectations
Cloud services that use AI will need to demonstrate compliance with FedRAMP’s AI Prioritization criteria, including model security, data integrity, and human oversight. Expect alignment with OMB M-24-15 and emerging AI risk management guidance.
Continuous monitoring as default
Rather than annual reporting cycles, providers will be expected to produce ongoing validation data that can be automatically reviewed by agencies. The Persistent Validation and Assessment standard will formalize how this data flows between CSPs and the FedRAMP repository and introduce more frequent touchpoints for review.
Authorized providers will also be required to submit quarterly Ongoing Authorization Reports, summarizing key changes, risk findings, and system performance against KSIs. Along with periodic review meetings, these reports will help maintain real-time insight into each system’s security posture and ensure agencies can make informed risk-based decisions throughout the authorization lifecycle.
Collaboration through trust centers
FedRAMP 20x encourages the use of secure trust centers for authorization data sharing. These portals will enable agencies to view current security posture and remediation activity directly, reducing reliance on email-based document exchanges.
Preparing for full FedRAMP 20x implementation in 2026
Phase Two marks a turning point for FedRAMP. Automation, transparency, and collaboration are no longer optional—they’re becoming the foundation of how federal cloud security will operate. For cloud service providers, that means security can’t be a point-in-time exercise anymore. It has to be measurable, continuous, and provable every day.
CSPs that invest early in automation and visibility will be best positioned to meet these expectations. The ability to produce live data showing control health, configuration state, and vulnerability remediation will distinguish leading providers from those still relying on static documentation.
At Secureframe, we’ve experienced this transformation firsthand. As one of the first organizations to achieve FedRAMP 20x Low authorization and preparing for the Phase Two Moderate pilot, we’ve built our GRC platform to help CSPs modernize compliance in step with this new FedRAMP model.
Our automation platform streamlines every stage of the authorization lifecycle, from readiness through continuous monitoring. With more than 300 integrations across AWS GovCloud, Azure Government, Microsoft GCC High, and Intune GCC, Secureframe automates evidence collection, vulnerability detection, and control testing to simplify compliance and speed up authorization. Our continuous monitoring ensures you always have a real-time view of your security posture, while built-in tools for risk, vendor, and policy management keep your compliance operations connected and efficient.
Secureframe also includes a customizable Trust Center designed for the 20x era, enabling CSPs to securely share live authorization data with agencies in a standardized, machine-readable format that meets FedRAMP’s data-sharing access requirements.
Whether you’re just beginning your FedRAMP journey or preparing for 20x Moderate, Secureframe gives you the automation, visibility, and expertise to move faster toward authorization. Request a demo to see how Secureframe can help you achieve and maintain FedRAMP 20x compliance.
FAQs
When will FedRAMP 20x Moderate become available to everyone?
The public rollout of 20x Moderate authorizations is expected in early 2026, following the completion and analysis of Phase Two.
Can new CSPs apply for the FedRAMP Phase Two pilot?
Not at this time. Participation is limited to qualifying providers, primarily those who participated in Phase One or meet strict automation and AI criteria.
What happens to existing FedRAMP authorizations?
Traditional FedRAMP authorizations remain valid. However, future renewals and reauthorizations are likely to incorporate 20x standards as the program transitions.
Will assessors and 3PAOs need to change their processes?
Yes. Assessors participating in Phase Two will be required to perform validation in accordance with the Persistent Validation and Assessment Standard, using automated data feeds and continuous monitoring tools rather than relying solely on static documentation.
Where can I track updates about FedRAMP Phase Two?
FedRAMP maintains a public GitHub roadmap and hosts Community Working Groups where providers can review new standards, RFCs, and pilot updates.

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.