Important Notice

FedRAMP is operating mission-essential functions only due to the government shutdown. Please visit fedramp.gov/shutdown for more information.

FedRAMP 20x is building a new cloud-native approach to FedRAMP authorization with industry and entirely in public.

FedRAMP 20x Phase Two (20xP2)

The 20xP2 pilot will continue to explore an automation-based approach to assessment, validation, and review of security decisions made by cloud service providers seeking authorization from FedRAMP to be widely used in the federal government.

Phase Two is not open to the public and submissions will be strictly limited to optimize the delivery of this new process as a formal authorization path. This pilot will continue to be iterative, transparent, and collaborative but will have more structured requirements than Phase One. 

Once the Phase Two pilot is completed, FedRAMP will move to prepare the wide-scale release of 2026 standards for FedRAMP 20x in Phase Three and open 20x Low and 20x Moderate authorizations to the public in Phase Four. 

FedRAMP is targeting approximately 10 Moderate pilot authorizations during Phase Two. Submissions after the first 10 qualifying submissions will be prioritized for review in Phase Three.

FedRAMP’s Disclaimer of Liability is particularly relevant to the content on this page, especially regarding plans, dates, timelines, etc. You can always find the latest plans and timelines, updated based on real-world impact assessments every two weeks, on FedRAMP’s Public Roadmap.

Dates and Milestones

| Date | Milestone |
| --- | --- |
| Estimated: ~3-4 weeks after the government shutdown ends | FedRAMP finalizes all Phase Two requirements and the submission window opens. |
| Estimated: ~2 months after opening submissions | End of the Phase Two submission window. |

You Might Have Questions

FedRAMP is entirely focused on answering questions publicly and transparently. If you have questions about Phase Two, are looking for additional information or clarification, or just want to share some thoughts with the FedRAMP team or the world, please use our Community Working Group:

General questions about Phase Two that are sent via email to FedRAMP inboxes will not receive responses unless the question is entirely irrelevant to the public.

Participation

Active pilot submissions will be strictly limited, but the public will be able to continue to participate in the development and refinement of 20x via FedRAMP’s Community Working Groups.

Phase Two submissions will only be accepted from cloud service providers who meet one of the following criteria:

  1. Providers who submitted a complete package for Phase One that was not rejected or withdrawn.

  2. Cloud service offerings that meet all of the FedRAMP AI Prioritization criteria.

  3. Cloud services with GRC automation capabilities that can consume FedRAMP 20x machine-readable information from 20x Authorized services to enable review of initial and ongoing authorization data by federal agencies (note: this information is not standardized and will require working with other participants in the Phase Two pilot).

  4. Cloud services that provide FedRAMP-compatible trust centers. 

If you believe your cloud service meets #3 or #4 above and you are certain you can meet the Phase Two Authorization Requirements by the end of December 2025, please fill out the following form. If it seems the service might qualify, you will be asked to give a demo showing the relevant capabilities and your progress with FedRAMP 20x.

Phase Two Authorization Requirements

Cloud service providers and assessors must address every requirement and recommendation in all 20x Phase Two standards to submit a qualifying package for Phase Two review, by doing one of the following in the submission package:

  1. Showing how the requirement or recommendation is implemented

  2. Sharing a plan to implement requirements or recommendations within the next six months

  3. Explaining the valid reasons behind not implementing recommendations

Finalized Standards

The full list of standards that must be addressed and additional information that must be included with them will be finalized prior to opening the submission window, but providers can anticipate at least the following:

| Standard | Details |
| --- | --- |
| Minimum Assessment Standard (MAS) | The MAS documentation MUST be supplied as a standalone summary for initial review. |
| Key Security Indicators (KSIs) | At least 70% of KSIs MUST be addressed via automated validation pulled directly from the production environment (use of existing system security plans or basic review of policies is not acceptable, find a thing to measure and measure it). |
| Significant Change Notification Requirements (SCN) | Share at least one draft/demo Significant Change Notification of each type. |
| Authorization Data and Sharing Standard | Store and share your 20x package information in alignment with FedRAMP requirements. |
| Vulnerability Detection and Response Standard (VDR) | Share at least one VDR report from the production environment; share at least one draft/demo VDR report that contains example activities and findings if the production report does not have any. |

Draft Standards

The following standards are currently open for public comment and are likely to change before being finalized for Phase Two. Providers should reference the RFC and expect to meet the underlying requirements and recommendations in Phase Two:

Initial Phase Two submissions that do not effectively meet the requirements outlined above will be deprioritized for the remainder of Phase Two and will not count towards the submission cap.

Next Steps

Additional information will be provided over the coming weeks as we get closer to opening Phase Two submissions. Interested parties should take the following steps to monitor the progress of preparations and the status of Phase Two over time: