
The FedRAMP 20x Phase Two Moderate Pilot Explained and What’s Ahead
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
FedRAMP 20x Phase Two marks a major milestone in modernizing federal cloud security. Building on the success of the 20x Low pilot, FedRAMP is now preparing to test these same concepts against the far more complex Moderate baseline. Phase Two will set the foundation for public 20x Low and Moderate authorizations in 2026 and reshape how cloud service providers approach assessment, validation, and continuous monitoring.
Here’s what cloud service providers need to know about the goals, requirements, and timeline of FedRAMP 20x Phase Two, and how to prepare for what’s next.
From pilot to progress: Where FedRAMP 20x stands today
When FedRAMP 20x was first announced, it signaled the start of a major shift in how the federal government assesses and authorizes cloud services. The 20x Phase One Pilot tested whether automated, machine-readable data could streamline much of the manual review and documentation that has long slowed down traditional FedRAMP authorizations.
Through this first phase, FedRAMP introduced several key innovations. Cloud service providers participating in the pilot used automated reporting, continuous validation, and measurable Key Security Indicators (KSIs) to prove that core controls were implemented and working in real time. FedRAMP’s goal wasn’t just faster reviews; it was to build a model that reflects how modern cloud environments actually operate.
While participation in Phase One was limited, it demonstrated that automation-based reviews could significantly accelerate the authorization timeline without compromising security. Lessons learned from those pilots directly shaped the standards and expectations for the next phase of the program.
With the Phase One pilot largely complete and Low authorizations underway, FedRAMP is moving into Phase Two, a limited pilot focused on Moderate-impact systems. This phase will test whether the automation-based approach can scale to more complex environments and lay the groundwork for full public adoption in 2026.
The goals of FedRAMP 20x Phase Two
FedRAMP 20x Phase Two builds on Phase One by expanding the model to include Moderate-impact systems and introducing more structured requirements. Each of its goals reflects a deliberate step toward making automation-driven authorization viable across the entire program.
Validate automation at the Moderate level
Phase Two will determine whether the efficiencies achieved at the Low baseline can be replicated for Moderate systems, where the number of controls, interdependencies, and data sensitivities increase substantially. The goal is to confirm that continuous, automated validation can provide the same or greater assurance than traditional manual assessment methods.
Refine and standardize the 20x framework
FedRAMP is using feedback from Phase One to finalize standards for automation, data exchange, and evidence collection. The agency wants a consistent, measurable framework that any CSP or assessor can apply, ensuring transparency and predictability across all authorizations.
Prove scalability and collaboration
A central aim of Phase Two is to test how multiple CSPs, 3PAOs, and agencies can operate within a shared, automated environment. By demonstrating interoperability among different compliance and security tools, as well as trust centers, FedRAMP can confirm that continuous authorization isn’t limited to a few early adopters; it can work across the entire ecosystem.
Prepare for the 2026 wide release
Finally, Phase Two is the bridge to public availability. FedRAMP will use the results to finalize the 2026 standards, address implementation challenges, and ensure federal agencies are ready to evaluate automated authorization data at scale.
Participation, standards, and requirements for the Phase Two Pilot
Phase Two will introduce a far more structured, demanding, and collaborative model than Phase One. The FedRAMP PMO has been candid that Phase Two will be the most difficult phase of the entire 20x program. While participation will remain limited, the lessons learned here will define the future of FedRAMP authorizations and shape how all CSPs pursue compliance in 2026 and beyond.
Strict participant cap and formal application
FedRAMP will now admit exactly 10 participants into the Moderate pilot. Providers must submit a detailed proposal describing how they will meet every Phase Two requirement and demonstrating readiness across engineering, compliance, and automation capabilities.
Multi-cohort structure
To support a more hands-on process, Phase Two will be organized into cohorts.
- Cohort 1 applications open December 1
- Providers are encouraged to consider Cohort 2 for more preparation time and to avoid the holiday period
Mandatory collaborative workshops
Participants must join multiple workshops with the FedRAMP team to review their approach to every requirement before finalizing a package. These sessions replace a traditional document-first review cycle and emphasize real-time collaboration.
Engineering and assessor requirements
Providers should expect:
- A significant engineering lift across their environment
- Continuous involvement of a FedRAMP-recognized assessor
- 6–8 weeks of recurring assessment work, billed on a time-and-materials basis
FedRAMP has been clear that CSPs should fully evaluate their readiness before applying.
Core standards required for submission
To submit for Phase Two, CSPs and assessors must address every requirement and recommendation in the finalized 20x Phase Two standards. They must either show how each is implemented, share a plan to complete it within six months, or explain why a recommendation does not apply.
The required standards include:
- A Minimum Assessment Standard (MAS) document providing a concise summary of control implementation and supporting evidence for initial review.
- Validation of Key Security Indicators (KSIs), with at least 70% verified automatically from the production environment. Policy documents alone are not acceptable.
- Demonstrations of Significant Change Notifications (SCNs), showing how the provider will alert FedRAMP and agencies to major updates or incidents.
- Evidence of alignment with the Authorization Data and Sharing Standard, ensuring 20x package data is stored and shared according to FedRAMP’s security and transparency requirements.
- A Vulnerability Detection and Response (VDR) report from the production environment, plus a sample report demonstrating how vulnerabilities are discovered, categorized, and remediated.
One of the most substantial changes is the elimination of the traditional Plan of Action and Milestones (POA&M). In its place, providers will label any unresolved issues as accepted weaknesses, which agencies can integrate into their own risk management plans. This update is part of the new Vulnerability Detection and Response (VDR) Standard, which also supersedes all existing FedRAMP requirements, control statements, and guidelines related to vulnerability scanning or formal POA&Ms. Providers that have adopted this new standard with FedRAMP approval may treat these legacy requirements as superseded for the purposes of their vulnerability management and reporting obligations.
New KSI theme: “Authorization by FedRAMP”
FedRAMP has added a new KSI theme that significantly expands the scope of validation. This category increases the number of requirements and recommendations by more than five times compared to the 20x Low pilot.
Collectively, these changes represent a broader shift from static, document-based compliance toward a new model built on collaborative, ongoing risk transparency.

What’s next: Updated timeline, cohorts, and public comment
Following the historic government shutdown, FedRAMP has released updated guidance for the 20x Phase Two pilot. FedRAMP now expects to finalize Phase Two requirements and open the submission window approximately three to four weeks after the shutdown ends.
Instead of a general submission period, cloud service providers will apply to join a specific Phase Two cohort. Cohort 1 applications are expected to open on December 1, with additional cohorts following on a schedule determined by FedRAMP.
Once Phase Two concludes, FedRAMP will finalize the 2026 20x standards and begin Phase Three, which focuses on scaling the model, refining documentation, and preparing federal agencies for automated authorization reviews. Phase Four, expected in 2026, will open FedRAMP 20x Low and Moderate authorizations to all cloud service providers.
FedRAMP emphasizes that all dates are estimates and subject to change. Providers can track real-time updates on the FedRAMP Public Roadmap and the Phase Two Q&A and discussion threads on GitHub.
Ongoing compliance requirements after authorization
CSPs that earn a 20x authorization will need to maintain compliance through monthly or quarterly automated evidence submissions, including Ongoing Authorization Reports (OARs) that summarize risk, key system changes, and performance against KSIs. Continuous validation data will flow directly from providers to FedRAMP and participating agencies, supporting year-round visibility into system posture.
Public comment and upcoming standards
Several standards remain open for public comment and are expected to be finalized shortly before Phase Two opens:
- RFC-0014: Phase Two Key Security Indicators (adds five new Moderate KSIs).
- RFC-0015: Recommended Secure Configuration Standard (defines secure configuration practices consistent with FedRAMP baselines).
- RFC-0016: Collaborative Continuous Monitoring Standard (outlines joint monitoring between CSPs and agencies).
- RFC-0017: Persistent Validation and Assessment Standard (expands on continuous validation using automation).
Despite recent delays, the trajectory of the FedRAMP program is unchanged: by 2026, continuous, data-driven authorization will be the new standard for federal cloud security.

Our take: What to expect for FedRAMP 20x Moderate and how to prepare
While Phase Two standards are still being finalized, several trends are clear from public drafts and roadmap discussions. Providers pursuing 20x Moderate should prepare for:
Greater control depth and automation coverage
Where 20x Low focused on proof-of-concept automation, Moderate systems will require more automation and broader evidence collection across technical controls, especially those tied to configuration management, vulnerability remediation, and identity assurance.
Integration of AI and data governance expectations
Cloud services that use AI will need to demonstrate compliance with FedRAMP’s AI Prioritization criteria, including model security, data integrity, and human oversight. Expect alignment with OMB M-24-15 and emerging AI risk management guidance.
Continuous monitoring as default
Rather than annual reporting cycles, providers will be expected to produce ongoing validation data that can be automatically reviewed by agencies. The Persistent Validation and Assessment standard will formalize how this data flows between CSPs and the FedRAMP repository and introduce more frequent touchpoints for review.
Authorized providers will also be required to submit quarterly Ongoing Authorization Reports, summarizing key changes, risk findings, and system performance against KSIs. Along with periodic review meetings, these reports will help maintain real-time insight into each system’s security posture and ensure agencies can make informed risk-based decisions throughout the authorization lifecycle.
Collaboration through trust centers
FedRAMP 20x encourages the use of secure trust centers for authorization data sharing, aligned with 20x’s machine-readable authorization data model. These portals will enable agencies to view current security posture and remediation activity directly, reducing reliance on email-based document exchanges.
Preparing for full FedRAMP 20x implementation in 2026
Phase Two marks a turning point for FedRAMP. Automation, transparency, and collaboration are no longer optional—they’re becoming the foundation of how federal cloud security will operate. For cloud service providers, that means security can’t be a point-in-time exercise anymore. It has to be measurable, continuous, and provable every day.
CSPs that invest early in automation and visibility will be best positioned to meet these expectations. The ability to produce live data showing control health, configuration state, and vulnerability remediation will distinguish leading providers from those still relying on static documentation.
At Secureframe, we’ve experienced this transformation firsthand. As one of the first organizations to achieve FedRAMP 20x Low authorization and preparing for the Phase Two Moderate pilot, we’ve built our GRC platform to help CSPs modernize compliance in step with this new FedRAMP model.
Our automation platform streamlines every stage of the authorization lifecycle, from readiness through continuous monitoring. With more than 300 integrations across AWS GovCloud, Azure Government, Microsoft GCC High, and Intune GCC, Secureframe automates evidence collection, vulnerability detection, and control testing to simplify compliance and speed up authorization. Our continuous monitoring ensures you always have a real-time view of your security posture, while built-in tools for risk, vendor, and policy management keep your compliance operations connected and efficient.
Secureframe also includes a customizable Trust Center designed for the 20x era, enabling CSPs to securely share live authorization data with agencies in a standardized, machine-readable format that meets FedRAMP’s data-sharing access requirements.
Whether you’re just beginning your FedRAMP journey or preparing for 20x Moderate, Secureframe gives you the automation, visibility, and expertise to move faster toward authorization. Request a demo to see how Secureframe can help you achieve and maintain FedRAMP 20x compliance.
FAQs
When will FedRAMP 20x Moderate become available to everyone?
The public rollout of 20x Moderate authorizations is expected in early 2026, following the completion and analysis of Phase Two.
Can new CSPs apply for the FedRAMP Phase Two pilot?
Not at this time. Participation is limited to qualifying providers, primarily those who participated in Phase One or meet strict automation and AI criteria.
What happens to existing FedRAMP authorizations?
Traditional FedRAMP authorizations remain valid. However, future renewals and reauthorizations are likely to incorporate 20x standards as the program transitions.
Will assessors and 3PAOs need to change their processes?
Yes. Assessors participating in Phase Two will be required to perform validation in accordance with the Persistent Validation and Assessment Standard, using automated data feeds and continuous monitoring tools instead of relying solely on static documentation.
Where can I track updates about FedRAMP Phase Two?
FedRAMP maintains a public GitHub roadmap and hosts Community Working Groups where providers can review new standards, RFCs, and pilot updates.

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.