FedRAMP 20x Phase Two (20xP2)
The 20xP2 pilot will continue to explore an automation-based approach to assessment, validation, and review of security decisions made by cloud service providers seeking authorization from FedRAMP to be widely used in the federal government.
Phase Two is not open to the public and submissions will be strictly limited to optimize the delivery of this new process as a formal authorization path. This pilot will continue to be iterative, transparent, and collaborative but will have more structured requirements than Phase One.
Once the Phase Two pilot is completed, FedRAMP will move to prepare the wide-scale release of 2026 standards for FedRAMP 20x in Phase Three and open 20x Low and 20x Moderate authorizations to the public in Phase Four.
FedRAMP is targeting approximately 10 Moderate pilot authorizations during Phase Two. Submissions after the first 10 qualifying submissions will be prioritized for review in Phase Three.
FedRAMP’s Disclaimer of Liability is particularly relevant to the content on this page, especially regarding plans, dates, timelines, etc. You can always find the latest plans and timelines, updated based on real-world impact assessments every two weeks, on FedRAMP’s Public Roadmap.
Dates and Milestones
| Date | Milestone |
|---|---|
| Estimated: ~3-4 weeks after the government shutdown ends | FedRAMP finalizes all Phase Two requirements and the submission window opens. |
| Estimated: ~2 months after opening submissions | End of the Phase Two submission window. |
You Might Have Questions
FedRAMP is entirely focused on answering questions publicly and transparently. If you have questions about Phase Two, are looking for additional information or clarification, or just want to share some thoughts with the FedRAMP team or the world, please use our Community Working Group:
General questions about Phase Two that are sent via email to FedRAMP inboxes will not receive responses unless the question is entirely irrelevant to the public.
Participation
Active pilot submissions will be strictly limited but the public will be able to continue to participate in the development and refinement of 20x via FedRAMP’s Community Working Groups.
Phase Two submissions will only be accepted from cloud service providers who meet one of the following criteria:
Providers who submitted a complete package for Phase One that was not rejected or withdrawn.
Cloud service offerings that meet all of the FedRAMP AI Prioritization criteria.
Cloud services with GRC automation capabilities that can consume FedRAMP 20x machine-readable information from 20x Authorized services to enable review of initial and ongoing authorization data by federal agencies (note: this information is not standardized and will require working with other participants in the Phase Two pilot).
Cloud services that provide FedRAMP-compatible trust centers.
If you believe your cloud service meets #3 or #4 above and you are certain you can meet the Phase Two Authorization Requirements by the end of December 2025, please fill out the following form. If it seems the service might qualify, you will be asked to give a demo showing the relevant capabilities and your progress with FedRAMP 20x.
Phase Two Authorization Requirements
Cloud service providers and assessors must address every requirement and recommendation in all 20x Phase Two standards to submit a qualifying package for Phase Two review, by doing one of the following in the submission package:
Showing how the requirement or recommendation is implemented
Sharing a plan to implement requirements or recommendations within the next six months
Explaining the valid reasons behind not implementing recommendations
Finalized Standards
The full list of standards that must be addressed and additional information that must be included with them will be finalized prior to opening the submission window, but providers can anticipate at least the following:
| Standard | Details |
|---|---|
| Minimum Assessment Standard (MAS) | The MAS documentation MUST be supplied as a standalone summary for initial review. |
| Key Security Indicators (KSIs) | At least 70% of KSIs MUST be addressed via automated validation pulled directly from the production environment (use of existing system security plans or basic review of policies is not acceptable, find a thing to measure and measure it). |
| Significant Change Notification Requirements (SCN) | Share at least one draft/demo Significant Change Notification of each type. |
| Authorization Data and Sharing Standard | Store and share your 20x package information in alignment with FedRAMP requirements. |
| Vulnerability Detection and Response Standard (VDR) |
|
Draft Standards
The following standards are currently open for public comment and are likely to change before being finalized for Phase Two. Providers should reference the RFC and expect to meet the underlying requirements and recommendations in Phase Two:
RFC-0014 Phase Two Key Security Indicators (KSIs)
- Previously released Low KSIs have been updated and five (5) new moderate KSIs have been added
RFC-0015 Recommended Secure Configuration Standard (RSC)
- Outlines how cloud service providers (CSPs) should establish, maintain, and demonstrate secure configurations consistent with FedRAMP baselines.
RFC-0016 Collaborative Continuous Monitoring Standard
- Updates how continuous monitoring is conducted, with a focus on more collaboration between CSPs and agencies
RFC-0017 Persistent Validation and Assessment Standard
- Ensuring continuous, ongoing validation and assessment of CSO security using automation as a security enhancement
Initial Phase Two submissions that do not effectively meet the requirements outlined above will be deprioritized for the remainder of Phase Two and not count towards the submission cap.
Next Steps
Additional information will be provided over the coming weeks as we get closer to opening Phase Two submissions. Interested parties should please take the following steps to monitor the progress of preparations and the status of Phase Two over time:
Sign up for the monthly FedRAMP 20x Community Working Group meetings
Bookmark, star, and regularly visit the FedRAMP 20x Pilot Discussion section on our GitHub Community
Subscribe to receive our community announcements about FedRAMP 20x and other FedRAMP updates
Follow and engage with us on social media! LinkedIn | YouTube | X
Stay connected and up-to-date by reading our Focus on FedRAMP blog posts
