A different model for cloud assurance

FedRAMP 20x

A new approach to cloud security assessment and authorization that moves beyond traditional compliance to focus on the security decisions that matter most.

We designed FedRAMP 20x for businesses to set their own security goals, continuously measure the effectiveness of their decisions, and assure federal government agencies through progressively increasing commitments to addressing government-specific needs.

— OMB Memorandum M-24-15 on FedRAMP's purpose

FedRAMP 20x is here

Available Now

The full rules for FedRAMP 20x Certification are now finalized for Class A, Class B, and Class C.

Class A

Available now

Class A Certifications are for cloud services with mature security and compliance programs that are looking to enter the federal marketplace. Class A requires a small amount of information in advance and a small subset of initial ongoing monitoring and reporting requirements.

Class B

Available now

Class B Certifications are for cloud services that provide fairly common small-scale or light-use services where an entire agency is unlikely to use the service for important work, so considerable additional investment in ongoing maintenance and reporting activities is not expected.

Class C

Available now

Class C Certifications are for cloud services that provide common enterprise services that are likely to be used in systems across an entire agency or that provide important government services.

Class D

Phase 4

Class D Certifications will be developed during FedRAMP 20x Phase 4.

— OMB Memorandum M-24-15 on Class A Certifications

What guides the work

Core Principles

Five ideas move assurance away from paperwork and toward evidence.

Transparency

Cloud service providers should share honest information about their security decisions without worrying about whether they meet an arbitrary bar or set of requirements that might not apply or make sense for them.

Flexibility

Informed engineering decisions that produce secure outcomes appropriate to a specific provider’s environment and goals are strongly encouraged. The effective security posture of a cloud service should never be reduced to meet a security control.

Accountability

Instead of compliance-focused audits to check a box, assessments provide direct business value by clarifying the effectiveness of chosen measures. Security should be continuously enforced, monitored, and reported—not staged for a point-in-time audit.

Accuracy

Assessments based on reviewing the effectiveness of security decisions instead of questioning the validity of each decision are more likely to lead to accurate reporting of a provider’s approach to security.

Automatic Validation

Once a goal and its measures are defined, status, progress, and outcomes should be automatically enforced and validated whenever possible. Continuous evidence of what is happening is stronger than a policy saying it should happen.

— OMB Memorandum M-24-15 on Commercial Services

Why This Works

Context Matters

Security decisions are complex. The right expectations for a cloud service depend on the agency use case and mission—not a single, binary verdict that a provider is either “secure” or “not secure.”

— OMB Memorandum M-24-15 on Decision Making

The government has many needs for many types of services, each with different requirements for confidentiality, integrity, and availability. Some systems carry little risk regardless of their security posture; a failure in another could threaten an agency's operational effectiveness.

Requiring every service to meet requirements designed for the highest-risk systems is not fair to agencies or the cloud services they want to use.

Instead of deciding if a cloud service is “good enough” for every government-wide use case, the FedRAMP assessment process ensures agencies have sufficient, accurate information to make the right security-based decisions.

Two services, different needs

A public website might need high availability, moderate integrity, and low confidentiality. A medical records application might need moderate availability, high integrity, and high confidentiality.

The 20x approach lets agencies understand those tradeoffs and select the service whose security goals match the mission.

Built in public, delivered in increments

Phased Implementation

Each phase responds to measurable impact and lessons from providers, assessors, agencies, and the public.

FedRAMP 20x is currently in Phase 3. Future dates are estimates for public awareness, not firm commitments, and will shift as real-world conditions change.

Delivery goal

Formalize FedRAMP 20x requirements from the Phase 1 and 2 outcomes and provide wide-scale agency support and training for the new Certification types.

The pilots are over. FedRAMP 20x is here to stay.

Phase 3 focuses on the final activities needed to formally establish FedRAMP 20x Certification types:

  • The FedRAMP Consolidated Rules for 2026 will contain all requirements for FedRAMP 20x and are planned for completion by the end of FY26 Q3 (June 2026).
  • The submission pipeline is planned to open in FY26 Q4 (July-September 2026).
  • FedRAMP 20x will initially support Class A (Pilot), Class B (Low), and Class C (Moderate) Certifications.

Follow the Community Updates, Blog, and Public Notices for current progress.

The path to FedRAMP 20x

Timeline

The policy, pilot, and delivery milestones that shaped FedRAMP 20x and what comes next.

  • Dec 2022: FedRAMP Authorization Act. Established FedRAMP in law as a government-wide, standardized, reusable approach to cloud security assessment and authorization.
  • Jul 2024: OMB Memorandum M-24-15. Replaced the previous policy with a vision centered on new authorization paths, automation, and government-wide cloud adoption.
  • Mar 2025: FedRAMP 20x announced. GSA announced a new path to be developed with industry and government, tested in public, and delivered incrementally.
  • Sep 2025: Phase 1 completed. The Low pilot demonstrated automation-based validation and strong industry demand across 26 submissions.
  • Nov 2025: Phase 2 began. The Moderate pilot began after the government lapse in appropriations.
  • Mar 2026: Phase 2 completed. The Moderate pilot expanded the approach and informed development of the Consolidated Rules for 2026.
  • Apr 2026: Phase 3 active. FedRAMP is formalizing 20x Certification types and preparing the public submission pipeline.
  • FY27 Q1-Q2: Phase 4 estimated. Estimated window for the Class D (High) pilot.
  • FY27 Q3-Q4: Phase 5 estimated. Estimated window to stop accepting new Rev5 Certifications and establish transition paths for current Rev5 Certified cloud service providers.

Get in the FedRAMP Game

Let's Go!

FedRAMP 20x simplifies the path to federal cloud adoption. Follow along with FedRAMP as we continue to build and evolve the program to meet the needs of federal agencies and cloud service providers.