FedRAMP 20x Phase 2 Recap
The FedRAMP Phase 2 pilot ran from November 18, 2025 to the end of March 2026. Where Phase 1 focused only on the Key Security Indicators as a proof of concept, Phase 2 plumbed the depth and breadth of each Key Security Indicator for its effectiveness and burden at the Moderate impact level. Submissions were open only to Phase 1 passing participants, AI-prioritized offerings, and critical-need services like trust centers and governance, risk, and compliance (GRC) tools. Providers applied for spots within 2 cohorts, with the first limited to 3 participants to meet accelerated timeframes.
FedRAMP received 14 qualifying submissions. The first cohort services received pilot authorizations on March 6, 2026. As of April 27, 2026, pilot authorizations have been granted to 6 additional cloud service providers, with more to come.
Lessons Learned
The Key Security Indicator based approach is easily adapted to higher levels of security.
Automated validations can be integrated into existing provider tools and processes.
Including FedRAMP requirements as Authorized by FedRAMP (AFR) Key Security Indicators was confusing.
The bespoke approach to demonstrating a service’s security fosters creativity, freeing security teams from the tyranny of checkbox compliance and performative security.
Practices we observed that significantly sped up review times include:
Smooth and timely access to the submission and/or Trust Center.
User interface that promoted a good user experience.
Machine-readable submissions with consistent schema files.
Clear and concise context given to explain the purpose of given evidence.
Validation failure criteria clearly defined.
Presenting assessor feedback alongside provider validations.
Key Security Indicator validation code review performed by assessor.
More assessor-specific guidance and support is needed to provide clarity and consistency of approach and to build a community of practice for FedRAMP 20x specifically.
Trending validation data over time promotes user confidence in the provider's security program.
Vibes
The world sees the potential of the FedRAMP 20x approach.
No more racing to complete paperwork just before an audit.
Participants appreciated the pilot’s freedom and speed.
Increased assessor engagement throughout the process is invaluable.
Assessors highly valued the pilot’s collaborative nature, but faced a lack of clarity regarding the necessary depth and coverage of testing.
Clear and informative visual depictions of services within the assessment scope that are not static Rev5 boundary diagrams are not only possible, but were successfully and independently presented by multiple providers.
Community Updates & Other Things to Watch
External communication during Phase 1 was at an all-time high for FedRAMP, with a focus on our Community Updates. For a look back at some of the more interesting discussions during Phase 1, we recommend viewing the following videos: