
The FedRAMP 20x Phase Two Moderate Pilot Explained & Why Secureframe Is Participating

January 15, 2026

Author: Anna Fitzgerald, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

On January 13, 2026, FedRAMP announced the official participants for the 20x Phase Two Moderate pilot, including Secureframe. 

Alongside 12 other selected cloud service providers, Secureframe is building on the lessons learned from achieving FedRAMP 20x Low authorization during Phase One of the pilot. In Phase Two, we’re working more closely with FedRAMP and our 3PAO to test and validate whether our automation-driven approach can meet the significantly higher assurance requirements of the Moderate 20x baseline, and be assessed effectively by independent third parties.

The results of this phase will shape the future of FedRAMP. Phase Two is meant to set the foundation for formal 20x authorization paths for both Low and Moderate systems, which are expected to open to the public and see widespread adoption in late 2026. In other words, this phase will fundamentally reshape how cloud service providers approach assessment, validation, and continuous monitoring for products and services they’re looking to sell or have already sold to the U.S. federal market.

That’s why understanding the goals, requirements, and implications of Phase Two matters even if you’re not an official participant.

Whether you’re a CSP, 3PAO, or federal agency, here’s what you need to know about where FedRAMP 20x stands today and what Phase Two signals for the future of federal cloud security.


From Phase One to Phase Two: What FedRAMP 20x has achieved so far

When FedRAMP 20x was first announced, it signaled a major departure from the highly bureaucratic, paperwork-based process the federal government used to assess and authorize cloud services under the existing FedRAMP program.

The goal of FedRAMP 20x was to explore whether cloud-native, automation-first approaches could modernize how the federal government evaluates and authorizes cloud services so they could do so at speed and scale without sacrificing security.

The 20x Phase One Pilot served as a proof of concept, starting with the lowest risk cloud services (which are categorized as low-impact systems under FedRAMP). This phase tested whether an automation-based approach to assessment and validation could:

  • meaningfully reduce the manual reviews, static documentation, and point-in-time assessments that had long made FedRAMP authorization burdensome, cost-intensive, and slow
  • still maintain confidence in the security of authorized services

One of the most important changes introduced during Phase One was the 20x Low baseline. Instead of the traditional Low baseline which consisted of 156 NIST 800-53 controls, the 20x Low baseline consisted of 51 Key Security Indicators (KSIs). These KSIs were designed not as prescriptive security requirements, but as automated validation requirements meant to ensure that security measures are in place and operating effectively over time.

This represented a fundamental shift in how organizations are expected to demonstrate compliance, and not just from the existing Rev5 requirements but from most traditional compliance frameworks. 

Rather than documenting every control prescribed by their baseline in a hundred-plus page SSP, CSPs participating in the pilot defined their own security goals based on their unique environment, implemented the controls they believed best met those goals, and used automated processes to demonstrate that those controls were implemented and working in near real time.

Participation in Phase One exceeded expectations. While the FedRAMP team initially anticipated only a handful of providers to participate, 26 CSPs ultimately submitted pilot packages, and 13 received a FedRAMP 20x Low pilot authorization by September 2025 (with more expected as FedRAMP continues reviews after the government shutdown). 

These Phase One submissions demonstrated that automation-based validation was not only possible, but capable of significantly accelerating authorization timelines without compromising security.

The lessons learned from those submissions directly informed the design of Phase Two.


How FedRAMP 20x Phase Two differs from Phase One

FedRAMP 20x Phase Two builds on the success of Phase One by extending the testing of an automation-driven model to moderate-impact systems. This phase introduces substantially more complexity and far higher expectations for validation, transparency, and collaboration. Here are the major differences:

| Category | Phase One pilot | Phase Two pilot |
| --- | --- | --- |
| Purpose | Prove that automation-based validation is possible for low-impact systems | Validate that automation-based authorization can scale to moderate-impact systems with higher risk and complexity |
| Impact level | Low-impact cloud services | Moderate-impact cloud services |
| KSI requirements | 51 KSIs | 200+ requirements and recommendations, including the new “Authorization by FedRAMP” KSI theme |
| Required 20x standards | 2 foundational standards | 10 finalized 20x standards |
| Validation model | Proof-of-concept automated validation | Continuous, production-derived validation expected to meet or exceed traditional assurance |
| Engineering complexity | Limited engineering lift; many requirements could be met with existing tooling | Significant engineering lift required, including custom automation and persistent validation capabilities |
| Assessor involvement | Primarily end-stage review of submitted materials | Continuous, hands-on collaboration throughout validation and assessment |
| FedRAMP collaboration | Limited direct interaction during submission | Mandatory workshops and ongoing collaboration with the FedRAMP team prior to package submission |
| Participation | Open pilot; 26 CSPs submitted packages | Closed pilot; 13 CSPs selected through application |
| Outcome | Inform Phase Two design and standards | Formalize 20x Low and Moderate authorization paths for public adoption |

Validation at the Moderate level

While Phase One focused on proving feasibility for low-impact systems, Phase Two tests whether continuous, automated validation can deliver equal or greater assurance than traditional assessment methods for moderate-impact systems. 

These systems involve more requirements, deeper interdependencies, and higher data sensitivity, making them a critical proving ground for the 20x model.

More KSI requirements and recommendations

FedRAMP has added a new KSI theme, “Authorization by FedRAMP,” that significantly expands the scope of validation. This theme increases the number of requirements and recommendations to approximately 200, roughly four times the number of KSIs in the 20x Low pilot.

While this theme significantly expands validation scope, it still represents a meaningful reduction compared to the 323 controls that must be documented and assessed under the traditional FedRAMP Moderate baseline.

Here’s a breakdown of the Phase Two Key Security Indicators (KSIs) and related requirements; note that Phase Two also changed the counts for the 20x Low baseline:

| Phase Two requirements | Applicable to | Low-impact | Moderate-impact |
| --- | --- | --- | --- |
| Key Security Indicators | Cloud service providers only | 56 | 61 |
| Authorization by FedRAMP Requirements and Recommendations | Cloud service providers | 148 | 150 |
| Authorization by FedRAMP Requirements and Recommendations | Assessors | 17 | 17 |
| Total | | 221 | 228 |

More structured and demanding validation standards

Phase Two formalizes many of the concepts introduced experimentally or as Requests for Comments (RFCs) in Phase One. While Phase One only required alignment with the Phase One KSIs and the Minimum Assessment Scope standard, Phase Two participants must demonstrate “significant progress” against 10 finalized standards.

The required 20x standards for Phase Two are:

A more controlled pilot environment

Based on the volume and diversity of Phase One submissions, FedRAMP intentionally limited Phase Two participation to half the number of official participants in the previous phase. This allows the agency to work more closely with each provider, reduce variability in approaches, and ensure that the most complex aspects of Moderate authorization are thoroughly tested before public rollout.

Higher engineering lift and automation requirements

Moderate-impact systems significantly raise the technical bar compared to the 20x Low pilot, requiring deeper automation, production-derived evidence, and persistent validation capabilities that often go beyond commercial off-the-shelf tooling that exists today. 

Participating CSPs should expect a substantial engineering lift, continuous involvement from a FedRAMP-recognized assessor, and recurring assessment activity over multiple weeks. FedRAMP expects that some participants won’t be able to meet Phase Two pilot requirements in the timeframe due to their increased complexity. 

Mandatory collaboration with FedRAMP prior to package submission

Phase Two requires more direct and ongoing collaboration between participating CSPs and the FedRAMP team. Most notably, it replaces the traditional document-first review cycle with structured workshops where a CSP and FedRAMP review each requirement before finalizing and submitting a formal authorization package.

This hands-on process is designed to clarify expectations early, reduce late-stage rework, and ensure that automation-based evidence is structured in a way that FedRAMP and agencies can consistently evaluate at scale.

Deeper assessor involvement 

Phase Two introduces a fundamentally different approach to independent assessment under FedRAMP 20x, requiring assessors to work closely with cloud service providers throughout validation rather than reviewing a completed package at the end. 

Assessors analyze and attest to the accuracy, quality, and reliability of automation-generated, production-derived evidence so that FedRAMP can evaluate overall system security posture based on continuous data instead of static documentation, while also contributing lessons learned that will inform the final 20x assessment model.

Preparing for government-wide adoption

Phase Two serves as the bridge between private pilot experimentation and public availability. The results will be used to finalize additional 20x standards, address implementation challenges, and prepare federal agencies to evaluate automated authorization data at scale. Current projections place broader availability of 20x Low and Moderate authorization paths in late 2026.

Currently, the finalization and wide-scale adoption of both the 20x Low and Moderate authorization paths are expected to start in Q3 2026.

Collectively, these changes represent a broader shift from static, document-based compliance toward a new model built on collaborative, ongoing risk transparency. 


What’s next: Final Phase Two milestones and the road to full 20x adoption

The Phase Two pilot is not just a test of FedRAMP 20x Moderate. It’s the inflection point for retiring the legacy Rev. 5 authorization model.

According to FedRAMP, the 20x program is on track to fully replace the traditional Low and Moderate agency authorization process by the middle of FY27, with High following by the end of FY27. In other words, starting in FY25, FedRAMP intends to replace the entire program as it previously existed with a new, government-wide program in less than three years.

Understanding the timeline of this phased rollout helps cloud service providers and agencies plan for when 20x becomes the only path to FedRAMP authorization rather than an alternative.

The timeline below includes the most relevant and up-to-date milestones from FedRAMP’s public roadmap and changelog on GitHub. Please note that these dates are estimates and subject to change.

FedRAMP 20x timeline from phase two to full adoption

Phase Two: 20x Moderate 

Phase Two formally began in November 2025 and is expected to conclude on March 31, 2026. Key milestones include:

  • November 18, 2025: Phase Two authorization requirements and evaluation criteria finalized
  • December 2025–January 2026: Two application cohorts selected, resulting in 13 total pilot participants
  • January 30, 2026: Final submission deadline for Cohort 1
  • March 13, 2026: Final submission deadline for Cohort 2
  • March 31, 2026: Conclusion of the Phase Two pilot

Phase Two marks the transition from experimentation to government-wide program definition, with FedRAMP using the outcomes of this phase to finalize 20x Low and Moderate requirements for public adoption.

Phase Three: Wide-scale adoption of 20x Low and Moderate

Phase Three is planned for FY26 Q3 through FY26 Q4 and represents the transition from pilot execution to program rollout. 

During this phase, FedRAMP will formalize all 20x Low and Moderate requirements for cloud service providers (expected by end of June) and establish a corresponding 20x accreditation path for 3PAOs based on outcomes from the Phase One and Phase Two pilots.

Another key focus during this phase will be preparing federal agencies to evaluate and consume machine-readable authorization data at scale. This includes publishing an Agency Reuse Playbook for 20x (expected by end of May) and ensuring all agencies have a path to adopt GRC automation tools to support the widespread adoption of the new 20x authorization model.

Phase Four: High-impact pilot and full modernization

Phase Four, planned for FY27 Q1 through FY27 Q2, will extend the testing of the 20x model to high-impact systems. During this phase, FedRAMP is expected to pilot a 20x High authorization path targeted primarily at hyperscale IaaS and PaaS providers, while continuing wide-scale adoption of 20x Low and Moderate across the federal ecosystem.

As part of this phase, all cloud service providers with existing Rev. 5 FedRAMP authorizations will be required to transition to machine-readable authorization data for both initial and ongoing authorization. This will complete FedRAMP’s shift away from static documentation toward continuous and transparent data sharing to enable agencies to make informed risk-based decisions when adopting cloud services. 

Phase Five: End of life for new Rev5 authorizations

Planned for FY27 Q3 through FY27 Q4, Phase Five marks the formal end of new Rev5–based agency authorizations. During this phase, FedRAMP will stop accepting new Rev5 agency authorizations and publish a clear transition path for legacy Rev5 authorized cloud services to move to 20x-based authorizations.

FedRAMP has indicated that this transition is likely to include multi-year deadlines, giving existing providers time to migrate while making 20x the only path forward for new federal cloud authorizations. Together with Phases Three and Four, this phase completes FedRAMP’s shift to an automation-first, continuously validated, government-wide authorization model.

What to expect from FedRAMP 20x Moderate & how to prepare now

Phase Two makes one thing clear: FedRAMP 20x Moderate is not simply a scaled-up version of the Low pilot. It represents a structural shift toward continuous, automation-first authorization that will require changes across engineering, compliance, and assessment operations.

With data-driven authorization becoming the default model for securing federal cloud services by the end of 2026, here’s how to prepare.

Deeper automation needed across more controls

Where the 20x Low pilot focused on proving that automation-based validation was possible, moderate-impact systems require broader and more consistent automation across technical controls. 

CSPs should expect expanded evidence requirements tied to configuration management, vulnerability detection and remediation, and identity assurance controls in particular. This evidence should be sourced directly from production environments rather than point-in-time documentation or assessments.

AI governance becomes part of authorization readiness

In August 2025, FedRAMP started prioritizing the authorization of AI-based cloud services that provide access to conversational AI engines like Google’s Gemini. This focus will expand to other cloud services that use AI or automated decision-making capabilities to help accelerate AI adoption across government. These cloud services will be expected to demonstrate strong data governance, model security, and human oversight. 

FedRAMP’s AI Prioritization criteria signal growing alignment with federal and commercial AI risk management guidance, including OMB M-24-15, which makes AI governance a readiness requirement rather than a future consideration.

Continuous monitoring becomes the default, not periodic assessments

Under the FedRAMP 20x model, continuous validation replaces periodic assessments as the default operating mode for authorization. Cloud service providers must be prepared to produce ongoing, machine-readable validation data that agencies can review throughout the authorization lifecycle, rather than relying on annual or ad hoc assessments or evidence submissions. 

This includes Ongoing Authorization Reports that summarize key system changes, risk findings, and performance against Key Security Indicators every three months, enabling agencies to make risk-based decisions using current operational data instead of point-in-time snapshots.

Continuous monitoring becomes collaborative, and trust centers become the default for data sharing

FedRAMP 20x also redefines how continuous monitoring responsibilities are shared between agencies and cloud service providers.

Under the traditional FedRAMP model, agencies were responsible for monitoring the cloud services they used, often requiring CSPs to repeatedly generate and distribute similar documentation across agency customers. 

Under 20x, CSPs and agencies are expected to embrace collaborative continuous monitoring, using automation, ongoing reporting, and hosting or attending quarterly reviews to discuss reports. They are also expected to automatically monitor, share, and/or review authorization data through secure trust centers aligned with FedRAMP’s machine-readable authorization data model. These portals reduce the documentation burden on CSPs while maximizing transparency by allowing multiple agencies to rapidly view a CSP’s current security posture, validation results, and remediation activity.

Providers that invest early in building FedRAMP-compatible trust centers will reduce the reporting burden for all customers, not just federal ones, and be better prepared for the public rollout of 20x Low and Moderate requirements around transparent, continuously accessible authorization data.


Preparing for full FedRAMP 20x implementation in 2026

Phase Two marks a turning point for FedRAMP. Automation, transparency, and collaboration are no longer optional—they’re becoming the foundation of how federal cloud security will operate. For cloud service providers, that means security can’t be a point-in-time exercise anymore. It has to be measurable, continuous, and provable every day.

CSPs that invest early in automation and visibility will be best positioned to meet these expectations. The ability to produce live data showing control health, configuration state, and vulnerability remediation will distinguish leading providers from those still relying on static documentation.

At Secureframe, we’ve experienced this transformation firsthand. As one of the first organizations to achieve FedRAMP 20x Low authorization and one of the few participating in the Phase Two Moderate pilot, we’ve built our GRC platform to help CSPs modernize compliance in step with this new FedRAMP model.

Our automation platform streamlines every stage of the authorization lifecycle, from readiness through continuous monitoring. With more than 300 integrations across AWS GovCloud, Azure Government, Microsoft GCC High, and Intune GCC, Secureframe automates evidence collection, vulnerability detection, and control testing to simplify compliance and speed up authorization. Our continuous monitoring ensures you always have a real-time view of your security posture, while built-in tools for risk, vendor, and policy management keep your compliance operations connected and efficient.

Secureframe also includes a customizable Trust Center designed for the 20x era, enabling CSPs to securely share live authorization data with agencies in a standardized, machine-readable format that meets FedRAMP’s data-sharing access requirements.

Whether you’re just beginning your FedRAMP journey or preparing for 20x Moderate, Secureframe gives you the automation, visibility, and expertise to move faster toward authorization. Request a demo to see how Secureframe can help you achieve and maintain FedRAMP 20x compliance.


FAQs

When will FedRAMP 20x Moderate become available to everyone?

Both FedRAMP 20x Moderate and Low authorizations are expected to become available to everyone starting in Q3 FY26. More specifically, FedRAMP is expected to finalize these standards by June 30, 2026, according to the latest updates to the public roadmap. During this phase, FedRAMP is also expected to formalize 3PAO 20x accreditation and provide support, training, and tooling recommendations for widespread adoption of the new 20x authorization path.

What happens to existing FedRAMP Rev5 authorizations?

Existing FedRAMP Rev5 authorizations remain valid during the transition to 20x. However, FedRAMP has indicated that the traditional Rev5 agency authorization paths for Low, Moderate, and High are expected to be retired by the middle or end of FY27. As a result, future reauthorizations and ongoing authorization activities will increasingly require alignment with 20x standards, including machine-readable authorization data and continuous validation, as FedRAMP moves toward a fully modernized, government-wide authorization model.

How were participants selected for FedRAMP Phase Two pilot?

While the FedRAMP Phase One pilot was open to anyone to participate, participation in the Phase Two pilot was limited to qualifying providers. The 13 official participants either participated in Phase One or met strict automation and AI criteria, and were able to address every requirement and recommendation in the finalized 20x Phase Two standards.

Will assessors and 3PAOs need to change their processes?

Yes. Assessors participating in Phase Two will be required to perform validation in accordance with the Persistent Validation and Assessment Standard, using automated data feeds and continuous monitoring tools instead of relying solely on static documentation.

What are the ongoing compliance requirements after initial 20x authorization?

CSPs that earn a 20x authorization and are listed in the FedRAMP Marketplace will need to maintain compliance through monthly or quarterly automated evidence submissions. This includes Ongoing Authorization Reports (OARs) that summarize risk, key system changes, and performance against KSIs. Continuous validation data will flow directly from providers to FedRAMP and participating agencies, supporting year-round visibility into system posture.

What happens to Plans of Action and Milestones (POA&Ms) under FedRAMP 20x?

FedRAMP 20x eliminates traditional Plans of Action and Milestones (POA&Ms) in favor of a new Vulnerability Detection and Response (VDR) model. Instead of tracking remediation through static POA&M documents, unresolved issues are labeled as accepted weaknesses and continuously monitored using production-derived data. Agencies incorporate these accepted weaknesses into their own risk management decisions, reinforcing FedRAMP’s shift from periodic remediation reporting to continuous risk transparency and real-time risk awareness.

Where can I track updates about FedRAMP Phase Two?

FedRAMP maintains a public GitHub roadmap and hosts Community Working Groups where providers can review new standards, RFCs, and pilot updates during Phase Two or subsequent phases of the 20x rollout.

Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.