
FedRAMP 20x - Five Months In and Full of Surprises
August 28, 2025
Twenty-six cloud service providers rallied around the idea of FedRAMP 20x to participate in the Phase One pilot program with one goal: make a first attempt at automating initial validation of all of FedRAMP’s Key Security Indicators, get a 3PAO to assess and validate their approach, then show us how they did it. By comparison, that’s more cloud services than the rescinded FedRAMP Joint Authorization Board processed in the last four years of its existence combined.
We’re going to be working through Phase One for a minute, catching up with all of these cloud service providers to see how they went about this and review their security decisions in depth. In our August 20x Community Working Group session, we shared some interesting stats on these submissions and initial thoughts on the future (and a cool demo of Google’s new Cloud Compliance Manager with built-in automation support for FedRAMP 20x!).
A key principle behind the original Agile Manifesto is to welcome changing requirements, even late in development - and it’s clear that we’re going to need to change our previously planned requirements for Phase Two. We had planned to make FedRAMP 20x Low authorizations widely available before starting the Phase Two pilot, but over the past few months everyone has been focused on when we’ll start the Phase Two pilot, because Moderate is the most widely used impact level for FedRAMP authorizations.
Our current thinking is this: finish Phase One by October, finish Phase Two by December, then make 20x Low and Moderate widely available by January. These plans are always subject to change based on real world impacts, but this will be our goal for now.
We’ll iron this out over the next few weeks, share our plans with the community, and announce the details of Phase Two formally in our 20x Community Working Group on September 24, 2025. We can’t wait to jump into Phase Two with all of you!
Expanding to Meet Demand
A fascinating thing that sets FedRAMP apart is that our policy guidance (OMB Memorandum M-24-15) explicitly states that we have the responsibility to lead an information security program grounded in technical expertise. Thanks to the success of the 20x Phase One pilot, we recently received approval to add five folks from the U.S. Digital Corps to our highly focused team. The U.S. Digital Corps is a two-year fellowship program that brings early-career technologists into government to make a difference in high-impact areas.
Our five new U.S. Digital Corps Fellows and graduates are bringing new energy into various roles across FedRAMP. They’re digging into 20x packages with our seasoned security reviewers and working on a rebuild of the FedRAMP Marketplace. GSA’s Technology Transformation Services’ culture of nurturing early-career technologists in civic tech paid off at just the right time, and we’re so stoked to win the internal competition for these folks!
Closing
This month’s blog update continues a slow shift from a focus on what we’ve done over the past month to talking about how our work is charting a path forward. We’ve combined the best of both worlds into our public working roadmap, where every two weeks we update our progress and realign our priorities and goals for the next few months based on real-world impacts. If you just want to jump in at any time to see what the plan is, that’s the place to start.
Cheers!