Overview

Timeline

December 2022

The FedRAMP Authorization Act (44 USC § 3607 - 3616)

Establishes FedRAMP in law as a "Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies." The law changes FedRAMP significantly and requires the Office of Management and Budget to issue guidance that must be followed by agencies.

July 2024

The Office of Management and Budget's Memorandum M-24-15

Rescinds the entire previous FedRAMP policy memo, replacing it with an "updated vision, scope, and governance structure for FedRAMP that is responsive to developments in Federal cybersecurity and substantial changes to the commercial cloud marketplace that have occurred since the program was established." This vision focuses on rapidly increasing the size of the FedRAMP Marketplace by evolving new FedRAMP authorization paths, streamlining processes through automation, and encouraging government-wide adoption of commercial cloud services.

March 2025

FedRAMP 20x Announced

GSA announces the development of FedRAMP 20x, a new assessment and authorization path based on the authority and goals set forth in the FedRAMP Authorization Act and M-24-15. This path would be developed in collaboration with industry and government, tested in public, and delivered incrementally in phases. FedRAMP would be transparent and responsive to feedback and adjust their goals, timeframes, requirements, processes, and all other aspects of the program based on real-world impacts and changes in the operating environment.

September 2025

20x Phase One Completed

FedRAMP completes 20x Phase One while ending FY25 completing an historic 144 FedRAMP authorizations and the elimination of the FedRAMP authorization backlog. The 20x Phase One pilot included an initial 12 FedRAMP 20x Low pilot authorizations from 26 pilot submissions with more pilot authorizations to follow. The world sees the potential of the FedRAMP 20x approach.

November 2025

20x Phase Two

FedRAMP begins 20x Phase Two.

Legacy FedRAMP Rev5 vs FedRAMP 20x

FedRAMP Rev5	FedRAMP 20x
Authority is derived from a 2011 memorandum from the Federal CIO without statutory basis	Authority is derived from the 2022 FedRAMP Authorization Act and 2024 OMB Memorandum M-24-15
Does not take into account the significant changes to law and policy over the past fifteen years	Based on current law and policy which redefined FISMA requirements for cloud services and established FedRAMP to define the government-wide assessment and authorization process
Encourages government-specific versions of cloud service offerings	Encourages government adoption of commercial cloud service offerings
Requests an agency to sponsor authorization by investing considerable resources in advance	Does not require an agency sponsor; FedRAMP reviews initial authorization requests directly
Typically requires years of preparation and investment to receive FedRAMP authorization	Pilot participants have received FedRAMP authorization in less than two months from start
Designed for extensive written narratives describing static security decisions	Designed for automated demonstration of secure configurations and practices
Treats commercial cloud service providers like they are government-operated entities	Encourages cloud service providers to set their own security goals and procedures then demonstrate how these meet varying security needs
Cloud service providers must request advance permission from government customers to make changes and improvements to their cloud services	Cloud service providers receive authorization to maintain and improve their cloud services following established processes without permission needed for significant changes

Phased Delivery of FedRAMP 20x

FedRAMP 20x is being delivered in phases, with specific inputs and outcomes expected for each phase. This phased approach enables agile delivery of policy and technology improvements based on the measurable impact to cloud service providers, assessors, agencies, and other stakeholders. The details of each phase will be responsive to learnings from prior phases and within each phase such that the final delivery of 20x will look different than expected originally while being a far better product.

FedRAMP 20x is currently in Phase 2.

All future timelines on this page are estimated goals at the time of the latest update. These estimated timelines are available for the awareness of the public and do not represent a firm commitment by FedRAMP or GSA. Timelines will shift based on real-world impact and changes in the operating environment throughout each phase. You can view bi-weekly updates about how work is progressing through each phase on the public FedRAMP Roadmap.

20x - PHASE 1

COMPLETED

20x Low Pilot and Proof of Concept

Timeline

FY25 Q3 to FY25 Q4

Delivery Goal

Test the concepts behind FedRAMP 20x with industry to demonstrate the feasibility of a true automation-based approach to assessment and validation with potential Low impact cloud services.

Outcome

Demonstrated feasibility and demand with massive industry interest and support.

20x - PHASE 2

ACTIVE

20x Moderate Pilot

Timeline

FY26 Q1 to FY26 Q2

Delivery Goal

Include additional requirements for FedRAMP Moderate to ensure effective adoption and implementation based on the outcomes from Phase 1 with a goal of demonstrating the additional automated validation required for Moderate.

20x - PHASE 3

FUTURE

Wide-scale Adoption of 20x Low and Moderate

Timeline

FY26 Q3 to FY26 Q4

Delivery Goal

Formalize all 20x Low and Moderate requirements for cloud service providers and 3PAO 20x accreditation based on the outcome from the Phase 1 and Phase 2 pilots; provide wide-scale agency support and training for adoption of the new 20x authorization path.

20x - PHASE 4

FUTURE

20x High Pilot

Timeline

FY27 Q1 to FY27 Q2

Delivery Goal

Continued wide-scale adoption of 20x Low and Moderate while piloting a path for 20x High authorizations targeted at hyperscale IaaS and PaaS providers; All Rev5 Authorized providers will be required to transition to machine-readable authorization data for both initial and continuing authorization.

20x - PHASE 5

FUTURE

End of Life for New Rev5 Authorizations

Timeline

FY27 Q3 to FY27 Q4

Delivery Goal

FedRAMP will stop accepting new Rev5-based agency authorizations at the end of this phase and provide a clear path and timeline for ensuring all legacy Rev5 Authorized cloud service offerings can successfully transition to a 20x-based authorization. This is likely to include multi-year deadlines.