Venable LLP recently hosted an insightful session on FedRAMP 20x – Launching Phase II. Presenting to a packed room, Pete Waterman, FedRAMP Director at the General Services Administration (GSA), explained key changes to the 15-year-old Federal Risk and Authorization Management Program (FedRAMP). The program was created to help federal agencies adopt cloud services securely, but many in industry have long criticized it as slow, expensive and overly burdensome.
As Waterman explained, the FedRAMP 20x initiative marks a significant transformation that should alleviate many industry challenges. The goal is to make the process more predictable, agile and aligned with how technology companies innovate. Cloud service providers (CSPs), software companies and managed service providers need to understand the changes to align their products with these new federal requirements.
FedRAMP 20x emphasizes three key shifts:
- Automation Over Paperwork
FedRAMP 20x is moving from static, paper-heavy compliance to automated, machine-readable processes. The intent is “do it once, use it many times.” By leveraging commercial frameworks and standardized outputs, companies can reuse security documentation across agencies instead of starting from scratch for each authorization.
- Clearer Demand Signals from Government
The government will communicate more transparently about which cloud technologies agencies most want, such as AI and security automation, so that vendors no longer have to guess whether their solutions align with agency needs.
- Presumption of Adequacy
The goal is to build enough trust in FedRAMP’s process that an authorization is not just a badge but a real foundation for broader adoption: an agency should be able to accept an existing authorization as adequate rather than re-evaluating the service itself.
Key Policy and Process Changes
Several new standards directly address long-standing pain points:
- Significant Change Notifications: CSPs will notify the government of changes rather than seek prior approval for every change, reducing delays and allowing innovation at speed.
- Elimination of Plans of Action & Milestones (POA&Ms): Instead of tracking open findings in POA&Ms, providers will disclose vulnerabilities and their impact directly to agency customers, enabling agencies to make informed risk decisions.
- Continuous Collaboration and Trust Centers: Companies will own and share data through secure trust centers, improving transparency and reuse while retaining their security documentation as proprietary business information.
- Vulnerability Detection and Response: New standards prioritize what Waterman describes as “real security work” over paperwork-heavy reporting.
- Balanced Improvement Path: Many of these changes are optional for current FedRAMP Rev 5 providers, who can adopt them as business needs dictate.
FedRAMP 20x is being rolled out in multiple phases, with continuous iteration based on industry and agency feedback.
- Phase 1 (Completed – FY2025). The first pilot phase included 26 companies testing new assessment models and standards. It revealed strong industry demand for this streamlined approach and highlighted the need for more explicit guidance to prevent companies from reverting to old compliance mindsets.
- Phase 2 (October–December 2025). Currently underway, this moderate-level pilot emphasizes AI and governance, risk, and compliance (GRC) automation. The bar for automation is higher. Vendors need to go beyond screenshots to demonstrate true implementation of FedRAMP 20x standards.
- Phase 3 (Early 2026). This phase will formalize the Low and Moderate authorization paths. It will also push wider agency adoption, with the goal of every CFO Act agency reusing at least one 20x authorization. Supporting playbooks and reuse guidance for agencies are planned.
- Beyond Phase 3 (FY2027 and beyond). By mid-FY2027, all providers still on FedRAMP Rev 5 will need to transition to machine-readable formats. FedRAMP will also stop issuing new Rev 5 authorizations at the Low and Moderate impact levels, making 20x the default path. High impact level authorizations will enter a pilot around late 2026, initially targeting hyperscale platform-as-a-service (PaaS) providers.
Key FedRAMP Considerations for B2G Organizations
Here are a few things for businesses eyeing the federal market to keep in mind:
- Shorter Time to Market: Automation and reuse will lower barriers to entry, making it easier to achieve and maintain authorization.
- Higher Expectations for Quality: The FedRAMP Program Management Office (PMO) is raising the bar; Phase 2 participants, for example, risk disqualification if their submissions fall short. Companies must shift from a “checklist compliance” mentality to a goal-driven security culture.
- Investment in Machine Readability: By 2027, machine-readable security documentation will be mandatory. Companies that build automation into their compliance processes now will be better positioned for success later.
- Greater Reuse Across Agencies: The presumption of adequacy means that once authorized, solutions should see faster, broader adoption across the federal government—critical for recouping the significant investment in FedRAMP.
- Strategic Alignment: Companies should view FedRAMP 20x not just as a certification hurdle but as a business enabler. The new model rewards organizations that set ambitious security goals, validate them, and continuously improve.
FedRAMP 20x represents a cultural and procedural shift in how the government approaches cloud security. Companies that embrace this vision will find themselves well-positioned to thrive in the evolving federal marketplace.