Overview
The FedRAMP 20x Phase One pilot tests how cloud service providers can meet FedRAMP Low authorization requirements using Key Security Indicators in place of traditional baselines and generate machine-readable validation that can be assessed by trusted third parties. It is open to the public and any cloud service provider may participate.
FedRAMP will open submissions for initial review in late May. Qualifying cloud service offerings that successfully complete Phase One will receive a 12-month FedRAMP Low authorization and will be prioritized for FedRAMP Moderate authorization in Phase Two.
To qualify, participants must submit a machine-readable assessment package that shows how they meet FedRAMP’s Key Security Indicators (KSIs) and have it reviewed by a Third Party Assessment Organization (3PAO). This pilot deliberately allows maximum flexibility so that participants can demonstrate an effective approach to security assessment and validation; participants who are uncomfortable with an unstructured approach should wait for the formal FedRAMP 20x standards.
Participation
Participation is self-organized and self-directed. Participants should:
- Read the instructions including linked documents on this page
- Review the Key Security Indicators and background in RFC-0006
- Consider how well your current security process aligns with the Key Security Indicators
- Consult with your partners, providers, and 3PAO about participation
- Review the submission requirements
- Engage in our community working groups in the 20x Phase One Pilot category
If you’d like, you can let us know you’re participating by emailing 20x@fedramp.gov. We can’t meet with you until we’re ready for submissions, but we’d love to hear how it’s going, and we’ll keep you posted on submission windows and next steps.
Participants have equal access to all information about the pilot by reviewing the additional materials on this site and in the public working groups. FedRAMP is not providing special briefings, additional information, or business advice to any individual parties; all information is public. It’s important that you read this information so you can make the best decisions about how to move forward on your own.
The expected reading time for the remaining materials on this page is ~8 minutes.
Phase One Timeline
FedRAMP is moving fast - while the timeline below is likely to shift, these are our current targets:
FedRAMP will continue to accept Phase One submissions while preparing for Phase Two. Phase One submissions will remain open based on demand.
Who Should Participate
The FedRAMP 20x Phase One pilot is open to the public and there are no specific eligibility requirements to participate, but FedRAMP expects cloud service providers that meet the following criteria are best positioned to qualify for authorization during Phase One:
- Deployed on an existing FedRAMP authorized cloud service offering, using primarily cloud-native services from the host provider
- Service is provided only via the public internet (browser and/or APIs)
- Has completed a SOC 2 Type 2 audit or federal agency ATO process within the last 12 months
- Has a 3PAO ready to conduct a pilot 20x assessment informed by the Key Security Indicators
- Uses only printable ASCII and graphical Unicode characters in its submission
FedRAMP encourages participants to self-organize based on established relationships between cloud service providers, host service providers, third party services, and independent assessment organizations.
Submission Requirements
Unlike traditional requirements laden with extensive documentation, this pilot embraces flexibility and innovation. Our objective is to learn from and showcase participants’ innovative approaches, directly informing future guidance and potential standardization.
FedRAMP will begin accepting draft submissions followed by final submissions during late May and June. You can let us know you’re participating by emailing 20x@fedramp.gov and we’ll keep you posted on submission windows and instructions.
Final submissions must include at least:
- Summary of the cloud service provider and cloud service offering
- Summary of and rationale for the approach used to generate the submission
- Summary from a 3PAO explaining the approach used for assessment
- Machine-readable assessment file, which must:
  - Include the status of each KSI Validation (True, False, Partial)
  - Include supporting evidence for each KSI Validation
  - Include integrated verification by a 3PAO
- Data definition or data schema that explains the machine-readable package
- Proposal or prototype for continuously reporting on a significant percentage of KSI Validations
Draft submissions
FedRAMP is accepting draft submissions starting on May 19. The purpose of providing a draft submission is to allow for FedRAMP to review them and share public, generalized feedback in advance of the final submission window. FedRAMP will not provide detailed, personalized feedback to individual submitters. Additionally, any cloud service provider that would like to be considered for a FedRAMP 20x authorization must submit a final package when the final submission window opens after May 30.
How to submit
The submission process in and of itself is part of the pilot. FedRAMP’s preference is that participating cloud service providers make their submission available to us directly, in their own way. FedRAMP will prioritize public package submissions for the 20x pilot effort to facilitate the most efficient feedback mechanisms. FedRAMP should not be required to create accounts to access the submitted package. Please note that because of the aggressive timeline, FedRAMP will be unable to agree to any terms or conditions, including the use of a Non-Disclosure Agreement (NDA) or similar.
Between May 19 and May 25, we’ll accept draft submissions via email to 20x@fedramp.gov, but all final submissions need to come to us via another mechanism hosted by the cloud service provider.
Relevant Links
- Key Security Indicators
  - The foundation of the 20x Phase One pilot. Most pilot deliverables center around applying validations for the Key Security Indicators. The final Key Security Indicators may vary slightly after public comment, but the draft version is a solid start.
- Pilot Launch Town Hall
  - A video recording of a town hall that occurred 4/30/2025, where details about the pilot were shared and community questions were answered.
- Automating Assessment Community Working Group Discussions
  - A discussion space to ask questions and share ideas about the KSI validations, evidence, and machine-readable formats as they relate to the Phase One Pilot.
- Applying Existing Frameworks Community Working Group Discussions
  - A discussion space to ask questions and share ideas about applying existing commercial frameworks to the KSI validations.
- Continuous Reporting Community Working Group
  - A discussion space to ask questions and share ideas about continuous reporting prototypes and proposals.
- Pilot Participation Example
  - An example of how a CSP might approach the pilot
Additional Information
Communication and Engagement
- FedRAMP will be learning from both providers and 3PAOs during this pilot and is aware that this process does not include a detailed prescriptive checklist that can be easily reviewed by a 3PAO without subject matter expertise. Providers and 3PAOs who are uncomfortable with ambiguity may prefer to wait for formal standards.
- Emails to info@fedramp.gov requesting additional information about the 20x pilot will be ignored - please review all public materials and post in the appropriate community working group if there is something missing so everyone can see the additional information.
- The right place to engage with pilot-related topics, including questions and updates, is the Community Working Groups and their respective GitHub Discussions forums.
- GRC tools that are not currently FedRAMP authorized may use this pilot as a path to authorization and will be prioritized during review. Pilot participants may use GRC tools that are also participating in the pilot.
- 3PAOs used for assessment must be FedRAMP recognized. 3PAOs will assess the method a provider used to generate evidence for each validation. They may also provide evidence where automation is not easily applied. The 3PAO will not be validating any NIST controls directly, just the Key Security Indicators. We are flexible with the format and methodology of the 3PAO verification, but prefer that the 3PAO attestation be included in the machine-readable assessment file.
The Pilot Package
- An example workflow for how a pilot participant may assemble the Phase One Pilot package can be found here.
- You can invent your own data format or use an existing framework for the machine-readable assessment; just be sure to provide documentation or a schema so we can familiarize ourselves with your format.
- We expect that reasonable attempts will be made to provide machine-generated validation for most of the Key Security Indicator validations but we’re not expecting perfection. If you have a situation where data isn’t easily accessible, get creative. Use APIs, headless browsers, OCR - whatever works. A base64 blob isn’t ideal, but it’s a start. The key is pushing towards more intelligent, extractable data solutions.
- In the interest of showcasing innovative approaches that meet FedRAMP security requirements and can be reused by others, submissions should be as transparent as possible. Where publicly available submission packages are impossible, please submit an alternative, non-sensitive version.
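The submission requirements above (a status of True, False, or Partial for each KSI Validation, supporting evidence for each one, and integrated 3PAO verification) and the Pilot Package notes (bring your own format, but document it) both leave the concrete file layout to the participant. The following is an added example, not code or a format from FedRAMP or this page: it sketches one hypothetical JSON layout and a checker that a CSP or 3PAO could run over a package before submission. Every field name (`validations`, `ksi`, `status`, `evidence`, `assessor`), the KSI identifiers (`KSI-EXAMPLE-*`), the evidence type vocabulary, and the sample package itself are assumptions constructed for illustration.

```python
"""Pre-submission sanity check for a hypothetical machine-readable KSI package.

The schema below is an assumption for illustration; FedRAMP 20x Phase One
leaves the format to the participant, so adapt the field names to your own
documented schema.
"""
import json
from collections import Counter

ALLOWED_STATUS = {"True", "False", "Partial"}
# Assumed vocabulary for evidence collected without a human in the loop.
MACHINE_EVIDENCE_TYPES = {"api", "cli", "headless-browser", "ocr"}
HEX_DIGITS = set("0123456789abcdef")

# Constructed sample package. KSI IDs, hashes and sources are placeholders,
# not real FedRAMP Key Security Indicators.
SAMPLE_PACKAGE = json.dumps({
    "schema_version": "0.1-draft",
    "csp": "Example Cloud, Inc.",
    "cso": "Example Service",
    "validations": [
        {"ksi": "KSI-EXAMPLE-1", "status": "True",
         "evidence": [{"type": "api",
                       "source": "example_host_api.list_mfa_devices",
                       "collected": "2025-05-20T12:00:00Z",
                       "sha256": "0" * 64}],
         "assessor": {"org": "Example 3PAO", "verified": True,
                      "method": "reviewed collection script; re-ran read-only"}},
        {"ksi": "KSI-EXAMPLE-2", "status": "Partial",
         "evidence": [{"type": "screenshot", "source": "vendor console",
                       "collected": "2025-05-20T12:05:00Z",
                       "sha256": "1" * 64}],
         "assessor": {"org": "Example 3PAO", "verified": True,
                      "method": "manual inspection of console"}},
        {"ksi": "KSI-EXAMPLE-3", "status": "False",
         "evidence": [],
         "assessor": {"org": "Example 3PAO", "verified": False,
                      "method": "not yet assessed"}},
    ],
})


def validate_package(raw):
    """Parse a JSON package and return (findings, summary).

    findings: list of human-readable problems (empty means clean).
    summary:  counts useful for the package narrative, including how many
              validations rest solely on machine-generated evidence.
    """
    pkg = json.loads(raw)
    findings = []
    for key in ("schema_version", "csp", "cso", "validations"):
        if key not in pkg:
            findings.append(f"package: missing '{key}'")
    validations = pkg.get("validations", [])

    # Each KSI should appear exactly once.
    for ksi, n in Counter(v.get("ksi") for v in validations).items():
        if n > 1:
            findings.append(f"{ksi}: listed {n} times")

    status_counts = Counter()
    machine = verified = 0
    for v in validations:
        ksi = v.get("ksi", "<no id>")
        status = v.get("status")
        if status not in ALLOWED_STATUS:
            findings.append(f"{ksi}: status {status!r} not in {sorted(ALLOWED_STATUS)}")
        else:
            status_counts[status] += 1

        # Evidence is required for every validation, whatever its status.
        evidence = v.get("evidence", [])
        if not evidence:
            findings.append(f"{ksi}: no supporting evidence")
        for i, e in enumerate(evidence):
            for field in ("type", "source", "collected", "sha256"):
                if field not in e:
                    findings.append(f"{ksi}: evidence[{i}] missing '{field}'")
            digest = e.get("sha256", "")
            if "sha256" in e and (len(digest) != 64 or set(digest) - HEX_DIGITS):
                findings.append(f"{ksi}: evidence[{i}] sha256 is not 64 hex chars")
        if evidence and all(e.get("type") in MACHINE_EVIDENCE_TYPES for e in evidence):
            machine += 1

        # 3PAO verification travels inside the file, per validation.
        assessor = v.get("assessor") or {}
        if "org" not in assessor or not isinstance(assessor.get("verified"), bool):
            findings.append(f"{ksi}: missing or malformed 3PAO assessor block")
        elif assessor["verified"]:
            verified += 1
        else:
            findings.append(f"{ksi}: not verified by 3PAO")

    total = len(validations)
    summary = {
        "total": total,
        "status": dict(status_counts),
        "machine_evidence": machine,
        "machine_evidence_pct": round(100 * machine / total) if total else 0,
        "verified_by_3pao": verified,
    }
    return findings, summary


if __name__ == "__main__":
    problems, stats = validate_package(SAMPLE_PACKAGE)
    print(json.dumps(stats, indent=2))
    for p in problems:
        print("FINDING:", p)
```

Run as a script it reports one validation backed purely by machine evidence out of three and flags the third validation twice (no evidence, no 3PAO verification). The `machine_evidence_pct` figure is the kind of number a continuous reporting proposal would track over time.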
Future Outlook
- A 20x authorization will show up in the marketplace as a distinct authorization type from a traditional Rev5 authorization.
- FedRAMP 20x machine readable packages will eventually converge towards a standardized structure and pilot participants will be expected to adjust their packages to meet formalized standards to maintain FedRAMP authorization.