Instead of overhauling the entire federal cloud authorization system in a single release, FedRAMP is rolling out 20x in deliberate phases — testing new concepts in controlled pilots, incorporating what it learns, and then opening the new authorization paths to the broader market.
For cloud service providers, that means the transition to 20x is already underway, even if the formal authorization paths aren't publicly available yet. Understanding how the rollout is structured and what each phase is designed to accomplish helps you plan ahead rather than scramble to catch up.
This article walks through the phased structure of the FedRAMP 20x rollout, what the pilot programs are meant to test, and what CSPs at different stages should be thinking about right now.
Why FedRAMP chose a phased, pilot-first approach
FedRAMP 20x represents a fundamental shift in how cloud security is assessed for federal use, not just a procedural update to the existing Rev5 process. Rather than replacing a well-understood system with an untested one overnight, FedRAMP chose to pressure-test the new model in real environments before rolling it out government-wide.
The pilot-first approach serves a few specific purposes. It lets FedRAMP validate that automation-based assessment actually works in practice, not just in theory. It also surfaces implementation challenges and edge cases before they become widespread problems. And it keeps the process transparent: FedRAMP has developed 20x entirely in public, publishing requirements, Requests for Comment, and progress updates through its public GitHub roadmap so that any CSP, agency, or assessor can track how the program is evolving and contribute feedback.
The result is a rollout that moves faster than traditional government program updates, but with enough structure to ensure the new model is sound before it becomes the only path forward.
An overview of the FedRAMP 20x phased rollout
FedRAMP 20x is being delivered in five broad phases, each with specific goals and outcomes that feed into the next. The early phases focus on pilots and proof of concept; the later phases shift to formalization, wide-scale adoption, and eventually the retirement of the legacy Rev5 process.
Here's how the phases are structured at a high level, with the understanding that specific dates are subject to change as the program evolves. For the most current milestones and changelog, refer to the FedRAMP 20x Public Roadmap on GitHub.
Phase One: Proving the concept at FedRAMP Low (completed)
Phase One was the proving ground for the entire 20x model, focused on the lowest-risk cloud services. A limited cohort of cloud service providers pursued FedRAMP Low authorization using a new approach built around Key Security Indicators (KSIs) — specific, automatable security checks — rather than the traditional Rev5 control documentation. The results exceeded expectations: 26 CSPs submitted packages, and participants achieved authorization in as little as three months, compared to the 18+ months typical under Rev5.
The lessons from Phase One directly informed how Phase Two was designed. For a detailed look at how the pilot worked and what it proved, see our FedRAMP 20x Phase One Pilot article.
Phase Two: Scaling to FedRAMP Moderate
Phase Two took the model proven at Low and tested whether it could scale to Moderate-impact systems, which carry significantly higher complexity, data sensitivity, and validation requirements. Participation was intentionally limited to just 13 selected CSPs — roughly half the number from Phase One — so FedRAMP could work closely with each provider and manage the variability in approaches.
Where Phase One asked "can this work?", Phase Two asked "can this work at scale, with higher stakes?" The outcomes will be used to finalize the formal 20x authorization standards for both Low and Moderate before they open to the public.
Secureframe was among the 13 CSPs selected for the Phase Two pilot, an experience that directly shapes the guidance and support we're able to offer customers navigating their own FedRAMP 20x journeys. For a full breakdown of how Phase Two differed from Phase One, see our article on the FedRAMP 20x Phase Two Pilot.
Phase Three: Wide-scale adoption of 20x Low and Moderate (expected Q3–Q4 FY2026)
Phase Three is where 20x becomes available to everyone. Based on the outcomes of the first two pilots, FedRAMP plans to finalize the formal authorization standards for both Low and Moderate impact levels and open those paths to all CSPs. This phase also includes formalizing a 20x accreditation path for 3PAOs and providing agencies with the training, tooling guidance, and playbooks they need to evaluate and consume machine-readable authorization data at scale.
Phase Four: High-impact pilot and full modernization (expected Q1–Q2 FY2027)
Phase Four extends the 20x model to High-impact systems, with a pilot focused primarily on hyperscale IaaS and PaaS providers. During this phase, all CSPs with existing Rev5 authorizations will also be required to transition to machine-readable authorization data — completing FedRAMP's shift away from static documentation toward continuous, transparent data sharing.
Phase Five: End of new Rev5 authorizations (expected Q3–Q4 FY2027)
Phase Five marks the formal end of the legacy Rev5 path. FedRAMP will stop accepting new Rev5-based agency authorizations and publish a clear transition timeline for existing authorized providers to migrate to 20x. FedRAMP has indicated this transition is likely to include multi-year deadlines, giving providers time to migrate while making 20x the only path forward for new federal cloud authorizations.
What the pilot programs are testing
The core question the pilots are answering is whether automated, continuous validation can deliver equal or greater security assurance than traditional point-in-time assessments, and whether that approach can scale across the full spectrum of federal cloud services without creating new risks or gaps.
Each pilot phase is designed to test a progressively harder version of that question. Phase One asked whether automation-based validation could work at all for low-risk services. Phase Two asked whether it could handle the higher complexity and assurance requirements of Moderate systems. Future phases will ask whether it can extend to the most sensitive federal workloads.
Along the way, FedRAMP is also testing the practical mechanics of the new model: how CSPs structure and share machine-readable authorization data, how 3PAOs adapt their assessment practices to evaluate continuous evidence rather than static packages, and how agencies learn to consume and act on real-time authorization data rather than waiting for periodic reports.
What this means for CSPs right now
Regardless of where you are in your FedRAMP journey, the phased rollout has practical implications worth thinking through now.
If you're not yet FedRAMP authorized: The traditional Rev5 path remains valid through at least the middle of FY2027, so pursuing Rev5 authorization now doesn't put you on a dead-end road. That said, building your compliance program with automation and continuous monitoring in mind from the start will make the eventual transition to 20x significantly less disruptive. The closer your current program is to the 20x model, the smoother that transition will be.
If you're already Rev5 authorized: Your authorization remains valid, and there's no immediate mandate to migrate to 20x. However, FedRAMP is already introducing Balance Improvement Releases (targeted updates that bring select 20x requirements into the Rev5 process) so some degree of alignment is already becoming expected. Understanding the transition timeline and beginning to evaluate your readiness for 20x now is worthwhile, especially if your current program relies heavily on static documentation and periodic assessments.
If you're actively planning for 20x: Phase Three is expected to open the formal 20x Low and Moderate authorization paths to the public in Q3 FY2026, which is approaching quickly. CSPs that want to be early movers when Phase Three launches should be evaluating their automation capabilities, evidence collection processes, and continuous monitoring infrastructure now.
FAQs
When will FedRAMP 20x authorization be available to everyone?
FedRAMP 20x Low and Moderate authorization paths are expected to open to the public during Phase Three, targeted for Q3–Q4 FY2026. FedRAMP plans to finalize the formal standards by the end of June 2026, with wide-scale adoption to follow. As always, specific dates are subject to change, and the FedRAMP 20x Public Roadmap is the best place to track current milestones.
Do I have to switch to FedRAMP 20x if I'm already Rev5 authorized?
Not immediately. Existing Rev5 authorizations remain valid through the transition period, and FedRAMP has indicated it intends to provide multi-year transition deadlines for legacy authorized providers. However, FedRAMP plans to stop accepting new Rev5-based agency authorizations in Phase Five (expected Q3–Q4 FY2027), making 20x the only path forward for new authorizations at that point.
How can I participate in the FedRAMP 20x pilot?
The Phase One and Phase Two pilots have concluded. Phase Three, which will open formal 20x authorization paths to the public, is expected to begin in Q3 FY2026. There is no separate application process for Phase Three, and it will be broadly available to qualifying CSPs when it launches.
Where can I track updates on the FedRAMP 20x rollout?
FedRAMP maintains a public GitHub roadmap with regular progress updates, as well as a Community Working Group where CSPs, agencies, and assessors can follow new standards, Requests for Comment, and pilot developments. FedRAMP also publishes updates through its Focus on FedRAMP blog and social channels.
