
FedRAMP 20x: Key changes and timelines for federal cloud services

The Federal Risk and Authorization Management Program (FedRAMP) has long served as the benchmark for cloud security in U.S. federal agencies. However, traditional FedRAMP processes have often been lengthy, manual, and complex, creating barriers for cloud service providers (CSPs) and agencies alike. To modernize the approach, the U.S. General Services Administration (GSA) launched FedRAMP 20x in March 2025.

 

FedRAMP 20x introduces automation, streamlined documentation, and continuous monitoring to make cloud adoption faster and more secure. For organizations offering cloud services to federal agencies, understanding this update is essential.

 

Here are the key changes FedRAMP 20x introduces.

 

What is FedRAMP 20x?

 

FedRAMP 20x is a cloud-native approach to federal security authorization. Unlike traditional methods, it emphasizes automation, machine-readable documentation, and continuous compliance. Its main goal is to reduce the time, cost, and complexity of achieving FedRAMP authorization while maintaining high security standards.

 

With FedRAMP 20x, CSPs can gain provisional authorization more quickly, and agencies can adopt secure cloud solutions with less overhead.

 

Why FedRAMP is being updated

 

The original FedRAMP process, while effective, posed several challenges:

 

  • Authorization timelines often exceeded a year, slowing down cloud adoption.
  • Documentation requirements were extensive and manual, creating bottlenecks.
  • Limited automation meant repeated effort for audits and evidence collection.

 

By shifting from a highly bureaucratic, paperwork-heavy process to an automation-driven compliance framework, FedRAMP 20x addresses these issues and aims to achieve two main objectives:

 

  • Lower compliance burden and costs for CSPs: The new framework makes FedRAMP authorization faster and more affordable while maintaining strong security standards.

 

  • Faster access for federal agencies: Agencies can obtain FedRAMP reports, audits, and authorization packages more quickly, enabling them to adopt secure cloud services without unnecessary delays.

 

FedRAMP 20x reflects lessons learned from decades of federal cloud adoption and aligns with modern cyber security best practices. This will make the authorization process more efficient and effective for both CSPs and agencies.

 

Key changes in FedRAMP 20x

 

FedRAMP 20x introduces several expected changes designed to modernize cloud security authorization while reducing complexity for CSPs and agencies:

 

1. Automated application and validation

 

Most security requirements (over 80%) will have automated validation, replacing the need for lengthy narrative explanations. Technical controls will align with standard configurations, and industry solutions will provide flexibility for different business needs.

 

2. Leverage existing security investments

 

Companies can reduce new FedRAMP documentation by using their existing security and change management policies. Optional templates from community working groups will support remaining requirements, and tools will document technical systems programmatically rather than narratively.

 

3. Continuous security monitoring

 

Continuous, machine-readable validation of critical controls will replace manual checks. Automated enforcement and secure-by-design principles will ensure consistent security without hands-on intervention.

 

4. Direct trust between providers and agencies

 

CSPs and federal agencies will interact directly through established business channels. Industry trade groups or individual companies can establish shared procedures while maintaining control over intellectual property.

 

5. Rapid continuous innovation

 

Automated checks will replace annual assessments, and approved changes following established processes won’t require additional oversight. Clear guidelines will ensure innovation while maintaining consistent security standards across providers.

 


 

FedRAMP 20x: Timeline and phases

 

FedRAMP 20x is being rolled out in phases to help cloud service providers (CSPs) and federal agencies transition smoothly from traditional processes to the new automated framework. 

 

Each phase focuses on a different cloud impact level, ensuring that both low- and moderate-impact services can adopt the updated authorization process efficiently.

 

| Phase | Focus | Details | Timeline |
|---|---|---|---|
| Phase One (20xP1) | Low-impact cloud services | CSPs can participate without an agency sponsor; submit machine-readable documentation. | May 30, 2025: Pilot officially begins and submissions open. August 19, 2025: Final day for pilot submissions. |
| Phase Two | Moderate-impact cloud services | Builds on lessons from Phase One; includes more rigorous requirements. | October 16–23, 2025: FedRAMP finalizes requirements and submission window opens. December 16, 2025: Submission window closes. |

 

Benefits for CSPs and federal agencies

 

FedRAMP 20x offers tangible advantages for both cloud service providers and federal agencies by streamlining authorization and improving security:

 

  • Faster authorization timelines: Automated processes and machine-readable documentation reduce approval times from months to weeks, helping CSPs bring services to market more quickly.

 

  • Lower compliance costs: By leveraging existing security frameworks and reducing manual documentation, CSPs can achieve FedRAMP authorization more efficiently and affordably.

 

  • Continuous security monitoring: Automated validation of critical controls ensures consistent enforcement, lowering the risk of misconfigurations or human error.

 

  • Direct collaboration: CSPs and federal agencies can interact directly, simplifying communication and speeding up issue resolution without unnecessary intermediaries.

 

  • Encourages innovation: Automation and clear guidelines allow CSPs to implement security improvements and innovations continuously, without delays caused by annual assessments or bureaucratic checkpoints.

 


How CSPs can participate

 

Cloud service providers (CSPs) can actively engage in FedRAMP 20x by following practical steps to ensure a smooth and efficient authorization process:

 

  • Join community working groups: Collaborate with industry peers and FedRAMP experts to help develop, refine, and provide feedback on the 20x processes.

 

  • Prepare machine-readable documentation: Align your security evidence with automated validation requirements to streamline submissions and reduce manual effort.

 

  • Engage a 3PAO: Partner with a FedRAMP-accredited Third Party Assessment Organization to independently validate your security controls and ensure compliance.

 

  • Leverage existing certifications: Map existing standards such as SOC 2, ISO 27001, or other recognized certifications to minimize duplication and simplify your FedRAMP 20x submission.

 

Takeaway

 

FedRAMP 20x marks a significant evolution in federal cloud security authorization. By shifting from manual, paperwork-heavy processes to an automation-driven framework, it reduces compliance costs, accelerates timelines, and ensures continuous security monitoring. 

 

Cloud service providers can actively participate through community working groups, leverage existing certifications, and engage with FedRAMP-accredited assessors to streamline the authorization process. 

 

Agencies benefit from faster access to secure cloud services and improved collaboration with providers. Overall, FedRAMP 20x is designed to make cloud compliance faster, more efficient, and more reliable for both CSPs and federal agencies.

 


 

FedRAMP 20x FAQs

 

What is FedRAMP 20x?

FedRAMP 20x is the updated framework for federal cloud service authorization that emphasizes automation, reduced paperwork, and faster timelines for both providers and agencies.

 

How does FedRAMP 20x reduce compliance costs?

By leveraging existing security frameworks and certifications, and by automating validation of most security controls, CSPs can reduce the time, effort, and cost associated with manual documentation.

 

Who can participate in FedRAMP 20x?

Any cloud service provider can participate, starting with low-impact services in Phase One, and progressing to moderate-impact services in Phase Two, using machine-readable documentation and accredited 3PAOs for validation.

 

What are the key benefits of FedRAMP 20x for agencies?

Agencies gain faster access to cloud services, more consistent security enforcement, and improved collaboration with providers, all while reducing delays caused by manual assessments.

 

When are the key FedRAMP 20x phase timelines?

Phase One (20xP1), covering low-impact cloud services, runs from May 30, 2025, to August 19, 2025. Phase Two, covering moderate-impact cloud services, runs from October 16–23, 2025, to December 16, 2025.

CyberArrow team