A lot is changing with FedRAMP right now, and it’s happening quickly. The 20x initiative is reshaping how federal cloud authorizations are earned, maintained, and monitored. If you’re a cloud service provider (CSP), you might be wondering what exactly is coming, when those changes will take effect, and what you should be doing to get ready.

The rollout is structured in multiple phases, each tied to specific standards, pilots, and process updates. Alongside these are upgrades to FedRAMP.gov, the FedRAMP Marketplace, and targeted adjustments to Rev5 requirements to bring them in line with the new model.

Note: Because FedRAMP 20x is still in active rollout, the timeline and release dates are subject to change as priorities shift and staffing changes occur. For the most up-to-date information, visit the FedRAMP 20x Public Roadmap on GitHub.

How the FedRAMP 20x rollout is structured

FedRAMP 20x is the most significant modernization of the program since it was created, aiming to speed up the authorization process, reduce friction for CSPs, and improve security outcomes for agencies. It does this through updated standards, greater use of automation, and a stronger emphasis on continuous monitoring and collaboration.

This new FedRAMP 20x program is moving forward in two major phases, supported by parallel efforts to modernize public-facing tools and reconcile older requirements with new expectations.

Phase One focuses on updating FedRAMP Low authorizations and piloting new approaches. Phase Two applies those lessons to FedRAMP Moderate while also introducing new validation and reciprocity processes. Both phases are supported by improvements to FedRAMP.gov, the Marketplace, and Rev5 balance improvements.

Phase one: Modernizing FedRAMP Low

Phase One is the proving ground for the entire FedRAMP 20x initiative. This stage is where the program pilots updated processes and standards with real cloud service providers. The goal is to see how these changes work in practice, gather feedback, and refine them before rolling them out at scale. 

It is also the first opportunity for CSPs to experience a faster, more automated path to authorization, while still meeting the government’s security requirements. By the end of Phase One, the standards tested here will become the foundation for how FedRAMP Low authorizations are handled going forward. 

Key milestones include:

• August 15, 2025: Authorization Data Sharing Standard
  This standard allows CSPs to self-host FedRAMP authorization data, including continuous monitoring materials, without having to upload them to the FedRAMP Secure Repository. It offers more flexibility while keeping agencies informed.
• August 29, 2025: Finalize FedRAMP 20x Low Authorization Standard
  Consolidates everything learned during the Phase One pilot into official Low authorization guidance for ongoing use.
• September 4, 2025: Continuous Vulnerability Management Standard
  This standard merges reporting and monitoring into one unified set of requirements. It sets the expectation that CSPs will continuously detect, prioritize, and remediate vulnerabilities using automated systems.
• September 12, 2025: Federal Information Technical Assistance
  Provides guidance on what qualifies as federal information for the purposes of the Minimum Assessment Scope, helping CSPs determine which data falls under FedRAMP requirements.
• September 26, 2025: Finalize Key Security Indicators for FedRAMP Moderate
  Updates the metrics used for assessing FedRAMP Moderate authorizations, ensuring that Phase Two launches with clear and measurable expectations.
• September 26, 2025: Agency Adoption Pilot for 20x Low
  Pairs early-adopting agencies with Phase One authorized CSPs to evaluate how 20x works in practice and identify opportunities for improvement.
• October 3, 2025: Collaborative Continuous Monitoring Standard
  Introduces a formal structure for joint monitoring between CSPs and agencies, making the process more efficient and collaborative.
• October 3, 2025: Agency Reuse Playbook for 20x
  Creates a resource for agencies explaining how to review and reuse 20x authorized services without unnecessary duplication of effort.

Phase two: Scaling to FedRAMP Moderate

Once Phase One has proven the viability of the 20x approach at the Low impact level, Phase Two expands the scope to include FedRAMP Moderate authorizations. This phase incorporates lessons learned during the pilot, but it also raises expectations, especially around continuous validation, cryptographic requirements, and modernization of legacy processes like POA&Ms. 

For CSPs, this is where the program moves closer to its vision of a largely automated, continuous authorization process that is faster to achieve and easier to maintain. Phase Two also provides the opportunity for CSPs authorized at Low to transition to Moderate more seamlessly.

Key milestones include:

• October 31, 2025: Continuous Validation Standard
  Establishes expectations for near real-time validation of security controls, with a target of achieving 80 percent or more validation through automation.
• October 31, 2025: FIPS Cryptographic Module Application for Commercial Services
  Provides updated guidance on how FIPS 140-3 requirements apply to commercial services, taking a more risk-based approach.
• November 14, 2025: POA&M Standard
  Updates the decades-old Plans of Action and Milestones process, making it more relevant for modern cloud environments and aligning it with commercial best practices.
• November 15, 2025: 20xP2 Moderate Pilot Submission and Review Window
  Opens the pilot for Moderate-level authorizations under 20x.
• December 5, 2025: Finalize FedRAMP 20x Moderate Authorization Standard
  Publishes the final requirements for Moderate authorizations based on pilot results.
• TBA: Finalize FedRAMP 20x High Authorization Standard
  While FedRAMP has not yet formally announced its plans for 20x High, the expectation is that work will begin after the Moderate standard is finalized. This future phase would adapt the 20x model to the unique requirements of High impact systems, ensuring the same efficiency, automation, and continuous monitoring improvements extend to the most sensitive federal workloads.

Modernizing FedRAMP.gov and the Marketplace

Policy changes are only part of the 20x transformation. The program is also investing in the tools and resources that agencies and CSPs rely on every day. 

FedRAMP.gov and the Marketplace are being redesigned to make it easier to find information, streamline listings, and ensure that outdated content is clearly marked and archived. These updates will not only improve the user experience but will also support faster and more informed decision-making for both agencies and providers.

Key updates include:

• August 15, 2025: Major Redesign of FedRAMP.gov
  Delivers a new design and reorganized content focused on 20x, with improved navigation and clearer separation of legacy materials.
• September 30, 2025: Marketplace Redesign
  Refreshes the FedRAMP Marketplace to improve performance, filtering, and integration with FedRAMP.gov.
• November 30, 2025: External Data-Driven Marketplace
  Moves toward a model where CSPs provide their own Marketplace listing data through secure feeds, reducing manual updates.

Preparing for FedRAMP 20x: Turning dates into an action plan

The FedRAMP 20x rollout is a roadmap for how the federal cloud security landscape will operate for years to come. CSPs that track these milestones and prepare early will be in the best position to benefit.

At Secureframe, we have been closely involved in shaping and testing the 20x process. We participated in the Phase One pilot and are proud to have achieved our FedRAMP 20x Low Authorization under the new model. This hands-on experience and FedRAMP 20x low framework built out in our platform means we’re well-positioned to help other CSPs navigate the transition, meet new requirements efficiently, and stay ahead as the program evolves.

If you want to be ready for these milestones, start by aligning your teams, reviewing your internal processes, and making sure your documentation and controls meet the evolving standards. To help, we’ve created a FedRAMP Requirements Checklist that breaks down what you need to address at each stage.