FedRAMP 20x Roadmap: Key Dates for the Phased Rollout [January 2026 Update]

January 20, 2026

Author: Emily Bonnie, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Over the past year, FedRAMP 20x has steadily reshaped federal cloud authorizations. FedRAMP introduced Phase One and Phase Two pilots, tested a new Key Security Indicator–based assessment model, and began reworking standards around continuous monitoring, vulnerability management, and authorization data sharing.

In January 2026, FedRAMP followed that work with a coordinated set of updates, including six new Requests for Comment, the announcement of Phase Two Moderate pilot participants, and additional guidance tied to the FedRAMP Authorization Act.

For cloud service providers, the key question is not just what appears on the FedRAMP 20x roadmap, but how these changes affect their compliance efforts. After all, FedRAMP 20x is not just a procedural update to legacy FedRAMP — it represents a fundamental shift in how cloud security is assessed for federal agencies.

Note: Because FedRAMP 20x is still in active rollout, timelines and details may shift as priorities and staffing change. For the most up-to-date information, refer to the FedRAMP 20x Public Roadmap on GitHub.

The latest FedRAMP 20x updates: January 2026

On January 13, 2026, FedRAMP released six Requests for Comment, along with new program updates and Phase Two pilot announcements.

Each RFC targets a specific friction point that has historically slowed or complicated FedRAMP adoption. RFC-0019 focuses on reporting assessment costs, introducing new requirements for both Rev5 and 20x to give FedRAMP better visibility into assessment pricing without publicly exposing sensitive cost data.

RFC-0020 addresses authorization designations, proposing a shift away from traditional Low, Moderate, and High baselines toward a six-level designation system. This new system would align more naturally with continuous validation and machine-readable packages, where authorization is less about passing a single point-in-time review and more about maintaining a consistently high standard of evidence over time. For CSPs, this reinforces a core message of FedRAMP 20x: authorization is no longer a milestone you reach once, but a strong security posture you have to sustain continuously.

Several RFCs directly affect how CSPs show progress and maintain visibility. RFC-0021 proposes expanding the FedRAMP Marketplace to list providers earlier in their journey, require pricing transparency, and formally include advisory and assessment firms.

RFC-0022 outlines how FedRAMP plans to leverage external frameworks, introducing a temporary validation path for services with existing assessments such as SOC 2, ISO 27001, GovRAMP, or CMMC Level 2 so agencies can pilot low-risk services without waiting for a full authorization.

The remaining RFCs focus on execution and sustainability. RFC-0023 introduces a sponsorless path for certain Rev5 authorizations, giving providers who are far along but blocked by agency sponsorship a way to complete authorization.

RFC-0024 proposes mandatory machine-readable authorization packages for Rev5, with defined deadlines for moving away from narrative-heavy documentation toward structured, deterministic data that agencies can automatically consume.

For CSPs, these RFCs mark a clear shift from planning to locking in how this modernized program will actually function in practice. Faster reviews assume cleaner submissions, continuous validation assumes operational discipline, and marketplace visibility reflects demonstrable progress.

How the FedRAMP 20x rollout is structured

The program rollout is structured in two major phases, supported by parallel updates to public tooling and targeted adjustments to legacy Rev5 requirements.

Phase One focuses on FedRAMP Low and serves as the proving ground for new standards and processes. Phase Two expands those lessons to FedRAMP Moderate and introduces higher expectations around continuous validation, cryptography, and remediation discipline. At the same time, Marketplace and Rev5 updates are reshaping how CSPs signal progress and maintain authorization over time.

Phase one: Modernizing FedRAMP Low

Phase One is where FedRAMP began pressure-testing the 20x model in real environments, starting with Low-impact systems. The goal is to see how these changes work in practice, gather feedback, and refine them before rolling them out at scale. 

It is also the first opportunity for CSPs to experience a faster, more automated path to authorization, while still meeting the government’s security requirements. By the end of Phase One, the standards tested here will become the foundation for how FedRAMP Low authorizations are handled going forward. 

Key milestones include:

  • August 15, 2025: Authorization Data Sharing Standard
    This standard allows CSPs to self-host FedRAMP authorization data, including continuous monitoring materials, without having to upload them to the FedRAMP Secure Repository. It offers more flexibility while keeping agencies informed.
  • August 29, 2025: Finalize FedRAMP 20x Low Authorization Standard
    Consolidates everything learned during the Phase One pilot into official Low authorization guidance for ongoing use.
  • September 4, 2025: Continuous Vulnerability Management Standard
    This standard merges reporting and monitoring into one unified set of requirements. It sets the expectation that CSPs will continuously detect, prioritize, and remediate vulnerabilities using automated systems.
  • September 12, 2025: Federal Information Technical Assistance
    Provides guidance on what qualifies as federal information for the purposes of the Minimum Assessment Scope, helping CSPs determine which data falls under FedRAMP requirements.
  • September 26, 2025: Finalize Key Security Indicators for FedRAMP Moderate
    Updates the metrics used for assessing FedRAMP Moderate authorizations, ensuring that Phase Two launches with clear and measurable expectations.
  • September 26, 2025: Agency Adoption Pilot for 20x Low
    Pairs early-adopting agencies with Phase One authorized CSPs to evaluate how 20x works in practice and identify opportunities for improvement.
  • October 3, 2025: Collaborative Continuous Monitoring Standard
    Introduces a formal structure for joint monitoring between CSPs and agencies, making the process more efficient and collaborative.
  • October 3, 2025: Agency Reuse Playbook for 20x
    Creates a resource for agencies explaining how to review and reuse 20x authorized services without unnecessary duplication of effort.

Phase two: Scaling to FedRAMP Moderate

Once Phase One established that the 20x model could work at the Low impact level, FedRAMP shifted its focus to scaling those same principles to Moderate authorizations. This phase incorporates lessons learned during the pilot, but it also raises expectations, especially around continuous validation, cryptographic requirements, and modernization of legacy processes like POA&Ms. 

For CSPs, this is where the program moves closer to its vision of a largely automated, continuous authorization process that is faster to achieve and easier to maintain. Phase Two also provides the opportunity for CSPs authorized at Low to transition to Moderate more seamlessly.

Key milestones include:

  • October 31, 2025: Continuous Validation Standard
    Establishes expectations for near real-time validation of security controls, with a target of achieving 80 percent or more validation through automation.
  • October 31, 2025: FIPS Cryptographic Module Application for Commercial Services
    Provides updated guidance on how FIPS 140-3 requirements apply to commercial services, taking a more risk-based approach.
  • November 14, 2025: POA&M Standard
    Updates the decades-old Plans of Action and Milestones process, making it more relevant for modern cloud environments and aligning it with commercial best practices.
  • November 15, 2025: 20xP2 Moderate Pilot Submission and Review Window
    Opens the pilot for Moderate-level authorizations under 20x.
  • December 5, 2025: Finalize FedRAMP 20x Moderate Authorization Standard
    Publishes the final requirements for Moderate authorizations based on pilot results.
  • TBA: Finalize FedRAMP 20x High Authorization Standard
    While FedRAMP has not yet formally announced its plans for 20x High, the expectation is that work will begin after the Moderate standard is finalized. This future phase would adapt the 20x model to the unique requirements of High impact systems, ensuring the same efficiency, automation, and continuous monitoring improvements extend to the most sensitive federal workloads.

Modernizing FedRAMP.gov and the Marketplace

Policy changes are only part of the 20x transformation. The program is also investing in the tools and resources that agencies and CSPs rely on every day. 

FedRAMP.gov and the Marketplace are being redesigned to make it easier to find information, streamline listings, and ensure that outdated content is clearly marked and archived.

Key updates include:

  • August 15, 2025: Major Redesign of FedRAMP.gov
    Delivers a new design and reorganized content focused on 20x, with improved navigation and clearer separation of legacy materials.
  • September 30, 2025: Marketplace Redesign
    Refreshes the FedRAMP Marketplace to improve performance, filtering, and integration with FedRAMP.gov.
  • November 30, 2025: External Data-Driven Marketplace
    Moves toward a model where CSPs provide their own Marketplace listing data through secure feeds, reducing manual updates.

Rev5 balance improvements for a smoother transition

For CSPs already authorized under Rev5, the 20x rollout may feel like a major shift. To manage that transition, FedRAMP is introducing a series of balance improvement releases. 

These targeted updates allow CSPs to adopt certain 20x elements without undergoing a full reauthorization, simplifying the path forward and ensuring compliance remains manageable. The improvements also help agencies adjust to new expectations while still working with services already in use.

Key efforts include:

  • October 31, 2025: R5.SCN Significant Change Notification BIR
    Tests a streamlined process for reporting significant changes.
  • October 31, 2025: Consolidated R5 Continuous Monitoring Standard
    Clarifies and consolidates existing continuous monitoring requirements.
  • November 30, 2025: Establish DISA ILx One-Way Reciprocity
    Enables services authorized by DISA to be recognized under FedRAMP without duplicating effort.
  • December 19, 2025: R5.ADS Authorization Data Sharing Standard BIR
    Beta test for applying the Authorization Data Sharing Standard to Rev5 authorizations.
  • January 16, 2026: R5.MAS Minimum Assessment Standard BIR
    Tests adoption of the Minimum Assessment Scope for Rev5 authorizations, with FedRAMP signaling potential changes in approach based on limited pilot participation.
  • January 23, 2026: R5.CRS Continuous Vulnerability Management Standard BIR
    Beta test for the Rev5-aligned Continuous Vulnerability Management Standard, which has been reprioritized to align with broader 20x vulnerability management requirements.

What these updates mean if you’re already FedRAMP Moderate

If you already hold a FedRAMP Moderate authorization, the January updates are a signal to reassess how sustainable your current program is. Proposed changes to designations and validation levels will affect how your authorization is labeled and interpreted. Machine-readable expectations and balance improvements will gradually reduce tolerance for static, manually assembled packages.

This is a good moment to evaluate whether your current tooling and processes can support ongoing validation without quarterly scrambles, or whether they rely on institutional knowledge that won't scale under 20x.

What these updates mean if you’re starting from scratch

For CSPs just entering the federal market, FedRAMP 20x narrows the margin for trial and error. Faster paths exist, but they assume operational readiness. Teams that lack clean asset inventory, repeatable evidence collection, or ownership clarity often experience delays that feel surprising given the promise of 20x.

Preparing for FedRAMP 20x: Turning dates into an action plan

FedRAMP 20x is less about reducing paperwork and more about changing how security programs operate day to day. In our experience, teams that succeed under 20x approach authorization as an ongoing capability, not a one-time event. Evidence should be treated as a byproduct of your daily operations, and controls must be designed to hold up under continuous scrutiny.

Automation plays a central role, but it works best when it sits on top of clear ownership, reliable asset inventory, and disciplined change management. When those foundations are in place, continuous validation reduces friction.

At Secureframe, we've been closely involved in shaping and testing the 20x process from the early stages. We participated in the Phase One pilot, achieved our FedRAMP 20x Low Authorization under the new model, and are proud to have been selected for the Phase Two Pilot program. This hands-on experience has given us a clear view of readiness, where teams lose momentum, and what it takes to maintain authorization in a model built around continuous validation and transparency.

If you want to be ready for these milestones, start with a readiness assessment that focuses on scope clarity, evidence durability, and operational ownership. To help, we’ve created a FedRAMP Requirements Checklist that breaks down what you need to address at each stage.

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.