20x Phase 1 Recap
The FedRAMP 20x Phase 1 pilot ran from April 2025 to the end of September 2025. This pilot was focused nearly entirely on Key Security Indicators as a proof of concept for automation-based validation of security decisions and their outcomes. Submissions were open to the public to encourage maximum participation, with qualifying participants receiving a FedRAMP 20x Low pilot authorization.
FedRAMP received 26 complete submission packages during the submission period that ran between May 30, 2025 and August 18, 2025. The first cohorts of pilot authorizations were granted in late July, demonstrating that effective delivery of automation-based validation was possible.
Due to the unexpected demand and participation in the pilot, FedRAMP only completed reviews of 13 submissions during Phase 1. This was compounded by the government shutdown from October 1, 2025 to November 13, 2025, as FedRAMP was unable to meet with cloud service providers during this time to continue reviews. The FedRAMP review team will continue to review Phase 1 submissions during Phase 2 until a final determination has been made on all submissions.
FedRAMP learned the following critical lessons during the Phase 1 pilot:
The Key Security Indicator based approach could successfully demonstrate security posture in near real time to replace static yearly manual assessments and narratives while improving confidence and overall security.
There was intense industry demand for a new approach that has been building for many years.
The independent assessment process would need to change entirely from the traditional control-by-control minimum-bar audit approach in common use to assess security decisions.
Cloud service providers would need to heavily engage engineering teams to adopt a different approach.
A fully open pilot with minimal guardrails results in a wide variety of approaches, from extremely high quality implementations to those that are terribly confusing.
No participants were interested in actively reusing existing framework assessments (such as SOC2).
Program authorization (no agency sponsor required) opened the door for a number of cloud service offerings like GRC tools which was the largest category of submissions.
External communication during Phase 1 was at an all time high for FedRAMP with a focus on our Community Working Groups. For a look back at some of the more interesting discussions during Phase 1 we recommend viewing the following videos:
FedRAMP 20x Featuring Phase 1 Pilot CSPs and 3PAOs (June 25, 2025 Community Working Group)
FedRAMP 20x Demos of 20x (July 23, 2025 Community Working Group)
FedRAMP Vulnerability Management Special Event (July 30, 2025 Community Working Group)
FedRAMP 20x Roundtable on the Paramify Podcast
Engineering the Future of FedRAMP on the GRC Engineering Podcast
You can also read back through our monthly announcements to see how FedRAMP evolved during this time:
FedRAMP in 2025
March 24, 2025
Last year FedRAMP underwent a major overhaul after more than a decade.
FedRAMP 20x - One Month In and Moving Fast
April 24, 2025
Exactly one month ago today GSA announced, aninitiative to rapidly modernize FedRAMP in...
FedRAMP 20x - Two Months In and Taking Off
May 29, 2025
We’re sharing an inside look at FedRAMP’s progress again this month, in our second update on the...
FedRAMP 20x - Three Months In and Maximizing Innovation
June 26, 2025
Three months ago, FedRAMP launched 20x: the idea of a new approach to...
FedRAMP 20x - Four Months In and Authorizing
July 30, 2025
Last year at this time, FedRAMP had authorized less than 350 cloud services in ten years...
FedRAMP 20x - Five Months In and Full of Surprises
August 28, 2025
Twenty-six cloud service providers rallied around the idea of FedRAMP 20x...
FedRAMP Built a Modern Foundation in FY25 to Deliver Massive Improvements in FY26
September 30, 2025
FedRAMP was a program operating in crisis at the beginning of FY25. Final authorization times were...
