Everything you need to know about the FedRAMP 20x Phase Two
FedRAMP 20x is a major modernization effort to streamline cloud security authorization for federal agencies and cloud service providers (CSPs). After decades of paperwork-heavy processes, the goal of 20x is to replace bureaucracy with automation, speed, and stronger security assurance.
FedRAMP 20x Phase Two, set to roll out in late 2025, is a significant milestone in this transformation. It builds on the pilot programs from Phase one and sets the stage for the widespread adoption planned for FY26.
But what exactly is 20x Phase Two, who is it for, and how can CSPs get involved?
Let’s break it down.
What is FedRAMP 20x Phase Two?
20x Phase Two is the next stage in the 20x modernization journey. It focuses on finalizing requirements, introducing automation-driven processes, and expanding participation from CSPs and federal agencies.
Where Phase One was more about experimentation and pilot submissions, Phase Two is about operationalizing the framework, turning ideas into workable standards that will carry FedRAMP forward.
The emphasis will be on:
- Automated security validation replacing manual paperwork.
- Industry-driven innovation through community working groups.
- Laying the foundation for broader adoption in FY26.
Dates and Milestones for 20x Phase Two
Phase Two is scheduled to run during the final quarter of 2025. The key dates to remember are:
| Date | Milestone |
| October 16–23, 2025 | FedRAMP finalizes Phase Two requirements and opens the submission window. |
| December 16, 2025 | End of the Phase Two submission window. |
CSPs and agencies that want to shape the future of FedRAMP should be ready to participate within this short timeline.
Why FedRAMP 20x Phase Two matters
Phase Two isn’t just another update; it’s the first real shift from paperwork-based compliance toward automation-driven assurance. By reducing the burden on CSPs and agencies, Phase Two promises:
- Faster FedRAMP authorizations.
- Reduced costs for CSPs.
- Improved security outcomes through continuous monitoring.
- A system that scales to meet the needs of modern cloud environments.
It also sets the foundation for the next big step: FY26 adoption at scale.
Who can participate in Phase Two
FedRAMP has set stricter participation rules for Phase Two, focusing on providers that are already deeply engaged with the 20x program or bring advanced capabilities to the table. This ensures the pilot can move forward with mature solutions that support automation, AI adoption, and modernized trust models.
CSPs most likely to qualify for Phase Two fall into the following groups:
- Phase One participants who stayed active: If a provider submitted a complete package in Phase One and remained in good standing, they can continue into Phase Two.
- AI-driven services: Cloud offerings that directly support FedRAMP AI Prioritization criteria are prioritized, reflecting the government’s focus on securing artificial intelligence use cases.
- Platforms with GRC automation: Providers that can already handle machine-readable data for authorization reviews are strong candidates, since they align with the automation goals of 20x.
- Services with trust center capabilities: Platforms that can provide transparent, FedRAMP-compatible trust centers are also eligible, helping agencies access real-time security data.
For CSPs aiming to participate under the automation or trust center categories, FedRAMP requires proof that these capabilities are functional, not just theoretical. In practice, this means demonstrating the system in action and showing measurable progress toward meeting the December 2025 requirements.
Even for providers that aren’t eligible to submit, there’s still a role to play. FedRAMP continues to invite public participation through Community Working Groups. Here, industry stakeholders can help shape processes, templates, and automation models that will define the future of federal cloud security.
What 20x Phase Two is built on
Phase Two builds directly on the foundation laid in FY25. It leverages the Morton Foundation and policy updates from FY25 to deliver more standardized processes and automation pathways.
The idea is simple: lay the groundwork in FY25, validate it in Phase Two, and scale it massively in FY26.
Looking ahead: FedRAMP 20x goals for FY26
FedRAMP 20x Phase Two is not the finish line; it’s the bridge to a much larger transformation planned for FY26. The focus will shift from pilots and early adoption to wide-scale deployment across government and industry.
FedRAMP aims to ensure that 20x processes, tools, and policies become the new standard, replacing outdated, paperwork-heavy models.
The roadmap for FY26 is ambitious:
- Q1 2026: Complete the Phase Two pilot, finalize Moderate 20x authorizations, and support the first government-wide adoption of critical AI services.
- Q2 2026: Open Moderate and Low 20x authorizations to the public, backed by clear standards, early frameworks, and third-party tools designed for fast adoption.
- Q3 2026: Drive large-scale federal agency adoption, ensuring all agencies have access to GRC automation tools aligned with 20x.
- Q4 2026: Launch a High 20x pilot, starting with hyperscale IaaS and PaaS providers, to complete the new authorization pathway.
The long-term objective is bold: by mid-FY27, the old Rev5 low and moderate agency authorization paths will be retired, followed by High authorizations by the end of FY27. In less than three years, FedRAMP expects to fully transition into a modernized, government-wide compliance program that aligns with the FedRAMP Authorization Act and M-24-15.
Takeaway
FedRAMP 20x Phase Two is a turning point in the modernization of federal cloud security. By introducing automation, reducing paperwork, and building a framework designed by both industry and government, it sets the stage for widespread adoption in FY26.
For CSPs, Phase Two offers an opportunity to actively participate in shaping the future of compliance. It also helps prepare for a system that promises faster authorizations, reduced costs, and stronger security outcomes.
FAQs
What is FedRAMP 20x Phase Two?
Phase Two is the next stage of the FedRAMP 20x modernization effort, focused on finalizing requirements, introducing automation, and preparing for large-scale adoption in FY26.
When does Phase Two take place?
The Phase Two submission window runs from October 16–23, 2025, with the window closing on December 16, 2025.
Who can participate in Phase Two?
Only select cloud service providers (CSPs) can submit for Phase Two authorizations. Those who advanced from Phase One, offer AI-prioritized services, support GRC automation, or provide FedRAMP-compatible trust centers.
What is the main benefit of Phase Two?
It reduces compliance costs and timelines by replacing paperwork with automation while improving overall security outcomes.
What happens after Phase Two?
Phase Two leads directly into the FY26 adoption phase, which focuses on scaling FedRAMP 20x across agencies and providers, with the goal of 30-day authorizations by FY27.
