An official website of the United States government

FedRAMP 20x is building a new cloud-native approach to FedRAMP authorization with industry and entirely in public.

Phase 2 Pilot Eligibility and Participation Criteria

The Phase 2 pilot is intended to test how cloud service providers can effectively meet automated validation requirements for initial and ongoing FedRAMP authorization, to test how these automated capabilities can be effectively assessed by third parties, and to understand how providers and assessors can work together to deliver innovative evidence of the ongoing security decisions within a cloud service. 

FedRAMP 20x is based around Key Security Indicators (KSIs), and the KSIs change significantly from Phase 1 to Phase 2. The new Key Security Indicators theme, “Authorization by FedRAMP” (KSI-AFR), contains extensive FedRAMP-specific authorization requirements. The Key Security Indicators in this theme are based on government requirements that commercial providers are unlikely to have adopted for commercial customers. 

Most cloud service providers, even those who received a FedRAMP 20x pilot authorization during Phase 1, will not be capable of meeting all of the Phase 2 pilot requirements in the timelines expected for Phase 2, as the level of complexity has increased significantly. For example, Phase 2 will require extensive automation that does not necessarily exist in commercial off-the-shelf tools, and assessors who are willing to work entirely outside of traditional assessment approaches. Cloud service providers are strongly encouraged to review all Phase 2 KSI requirements and discuss them with engineering as well as compliance teams to determine whether these requirements are achievable in the required timelines.

Obtaining a FedRAMP 20x authorization will be much simpler in the future when the standards are more informative and third-party tools are widely available. Most cloud service providers should wait until then to begin their FedRAMP 20x journey.

Eligibility

All providers that have met the criteria to be prioritized and listed on the FedRAMP AI Prioritization page are eligible for participation without additional steps or requirements.

All cloud service providers who submitted a complete package during Phase 1 that was not rejected or withdrawn are eligible to apply for the Phase 2 pilot, including:

Cloud service providers who meet one of the following criteria may be eligible to apply for the Phase 2 pilot after eligibility is confirmed by FedRAMP:

  • GRC Platforms that provide automation capabilities that can consume FedRAMP 20x machine-readable information from 20x Authorized services to enable review of initial and ongoing authorization data by federal agencies. These services must demonstrate their compatibility and interoperability with at least three FedRAMP 20x Authorized services.

  • Trust Centers that provide FedRAMP-compatible trust center capabilities. These services must demonstrate support for the trust center requirements outlined in the FedRAMP Authorization Data Sharing standard.

Applying for Participation

Cloud service providers must take the following steps to apply for participation in the Phase 2 pilot:

  1. Confirm eligibility by reviewing the criteria above or contacting pete@fedramp.gov to discuss. If you are a 20x GRC Platform or a Trust Center, please include links to information about your product that demonstrates your progress towards meeting the requirements for consuming FedRAMP 20x machine-readable information or providing FedRAMP-compatible trust centers. Confirm that you have reviewed all requirements in advance and will be capable of submitting a complete package within the timeframes required.

  2. Once eligibility is confirmed, review the requirements and timeframes in depth and consider whether you are able to build the necessary capabilities within the expected timeframe. Also review the Phase 2 pilot authorization process information to ensure you can support the additional workshops and collaboration expected. Most cloud service providers will not be able to meet the Phase 2 pilot requirements in the expected timeframe.

  3. Once you have confirmed the expected timeframe for completing all requirements, review the two cohort application periods to determine if you wish to apply for the first or second cohort. Prepare a pilot proposal that meets the requirements outlined below, then notify 20x@fedramp.gov of your intent to apply for participation in the Phase 2 pilot. FedRAMP will send you a form to complete with additional information and help you schedule a pilot proposal.

  4. After the Phase 2 pilot proposal is completed, FedRAMP will provide initial feedback and a determination on qualification for the pilot within 3 business days. Providers who do not qualify for the pilot after their proposal will not be able to submit during the Phase 2 pilot. Providers are strongly encouraged to consider all authorization criteria in depth, and to assess honestly whether building to all of those requirements is feasible for them, before pitching a pilot proposal.

The Phase 2 pilot proposal must address:

  1. How the cloud service provider will approach defining objectives and validation criteria for Key Security Indicators.

  2. The planned high-level approach to addressing all requirements and recommendations in the KSI-AFR theme, including how authorization data will be shared in alignment with KSI-AFR-03 (ADS).

  3. How automated validation will be performed at scale.

  4. How assessment will be performed.

The Phase 2 pilot proposal should be presented with support from the cloud service provider’s senior leadership and include representatives from their independent assessor. The proposal is pitched in a live presentation to the FedRAMP team with the following agenda:

  • 20 min: Proposal from the cloud service provider explaining the Phase 2 pilot approach.

  • 5 min: Explanation from the third-party assessor reviewing their intended assessment approach.

  • 20 min: Q&A with the FedRAMP team.

If granted permission by the cloud service provider, FedRAMP intends to publish videos of the pilot proposal for candidates that are accepted into the Phase 2 pilot so the public can follow along with our priorities.

Phase 1 Pilot In Progress Reviews

A number of Phase 1 pilot participants are still in review with FedRAMP; these reviews will continue until all participants have advanced through the Phase 1 process. Not all participants are guaranteed a pilot authorization but FedRAMP will continue to work with participants to complete their Low authorization during Phase 2 unless the participant qualifies for participation in the Phase 2 pilot. 

If a Phase 1 participant is selected for participation in Phase 2 then all work on the Phase 1 review will immediately be terminated as both FedRAMP and the cloud service provider focus on meeting the requirements for Phase 2.