FedRAMP 20x - Three Months In and Maximizing Innovation
June 26, 2025
Three months ago, FedRAMP launched 20x: the idea of a new approach to assessing and authorizing cloud services based on real security outcomes. Two months ago, FedRAMP released draft materials outlining how this approach might work. And one month ago, FedRAMP opened the 20x Phase One pilot to begin testing and evaluating this approach in the real world.
In our 20x Community Working Group panel session with active 20x pilot participants this week, one message came across loud and clear: It works.
There are still more standards to fold in and modernize and always more testing and evaluation to do, but the four complete FedRAMP 20x pilot submissions received in the first month of the pilot are pointing us in the right direction. Next month we expect our first pilot authorizations, and at our current pace we anticipate formalizing the initial FedRAMP 20x Low process as an authorization path within the next two months.
As always, there’s a ton of work involved in moving projects like this forward… but this work at FedRAMP isn’t happening behind the scenes. We continue to default to being open with our strategies, plans, progress, and general communication with a focus on our FedRAMP Community.
Here’s a summary of what we’ve been up to!
An actively maintained FedRAMP roadmap
We quietly released the FedRAMP Roadmap. This roadmap isn’t a set of imaginary goals - it’s the explicit tasks we are planning our work around. It will change every two weeks with the reality of delivery, with some tasks taking longer than expected or others shifting in priority.
Working this roadmap in public shows the unprecedented level of trust FedRAMP places in its stakeholders and community. On it you’ll find:
- One-time activities like strategizing a new Plans of Action & Milestones (POA&M) standard with steps that are thoughtfully mapped out in sprints;
- Major initiatives that will take a whole-of-government approach for implementation like the authorization reuse playbook for agencies;
- Our delivery teams and their dedicated emphasis areas; and
- Milestones with realistic but fungible target dates.
20x Phase One Pilot Updates
Many participants in the 20x Phase One Pilot have followed FedRAMP’s lead on transparency to increase collaboration in the community and lift the bar for everyone.
Check out these public submissions:
- InfusionPoints: Command Center is the interface for InfusionPoints’ full-lifecycle managed hosting service XBU40 that provides for military grade security for hosting customers’ cloud environments and supported by InfusionPoints’ Cloud Operations and Security Operations teams. AuditShield provides CSPs, 3PAOs, and Agency stakeholders alike with a reports view and gathers actionable insights for security and compliance status in real-time.
- Vanta: The Vanta Trust Management Platform provides customers with an end-to-end security and compliance automation suite that focuses on continuous and automated governance, risk, and compliance (GRC); vendor risk management; questionnaire automation; and up-to-date security program description displayed on the customers’ Trust Center website.
- Flock Safety: Flock Safety is a public safety solution that assists cities, businesses, schools, and law enforcement agencies in collaboratively eliminating crime and maintaining community safety. Flock develops and manufactures license plate reading (LPR) technology, audio recognition sensors, video cameras, and accompanying software to capture objective evidence required by law enforcement to solve crimes.
- Knox: Knox provides a comprehensive FedRAMP Authorized cloud platform that offers a distinguished record of secure and compliant operational performance. This robust and mature environment is specifically engineered to streamline the FedRAMP authorization journey for SaaS providers, enabling them to achieve their compliance objectives with efficiency and confidence. Knox AI represents a paradigm shift from traditional manual compliance processes to real-time, pull-based security validation.
Any reference on our website to any specific commercial product or the use of any corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by GSA.
Rev 5 Balance Improvements
There’s no one-way street towards FedRAMP modernization. 20x is one pathway and legacy Rev 5 is the other. We’re already charting the course for Rev 5 improvements by starting up closed beta tests for the Significant Change Notification process and will apply that to Rev 5 with more to follow. There’s a lot more on our planned approach to balancing Rev 5 in our community here.
Community Outreach and Engagement
The team continues to host and participate in industry events to push the modernization needle forward:
- On June 24 the Office of Management and Budget (OMB) hosted FedRAMP Day for over 100 federal agency partners that are focused on operationalizing FedRAMP and authorizing cloud providers, and held Executive panels with representation from OMB, GSA, DHS, CISA, and VA. The day demonstrated support for FedRAMP’s transformation from the highest levels of government, and focused on how agencies could reuse FedRAMP authorizations at a higher, faster rate.
- On June 25 our biweekly 20x working group had real discussions surrounding real-life pilot experiences from cloud providers and third party organizations, with over 300 cloud security experts in attendance.
- FedRAMP returned to have frank conversations about FedRAMP 20x and Rev 5 balancing with the cloud community at two industry association meetings: the Alliance for Digital Innovation (ADI) and the Cloud Service Providers – Advisory Board (CSP-AB).
- We’re holding a closed session with Federal Secure Cloud Advisory Committee (FSCAC) members to discuss how we can better align their advisory role to meet the growing needs of GSA and FedRAMP.
- We spoke at the Cloud Exchange 2025 virtual conference about the history of FedRAMP and why today’s program is entirely different.
- We closed out the annual RAMPCon event by delivering a popular keynote session on 20x to hundreds of attendees.
- We started the month off strong with a biweekly 20x working group session that ended with a live AMA with the FedRAMP team.
- We incorporated insights from CWG feedback and public comments from closed RFCs to publish updated guidelines for Significant Change Notification Requirements and new Machine Readable Requirements for 20x security package documentation.
- We responded to 1111 ticket messages sent to [email protected], including 763 access requests and 197 general questions about FedRAMP.
Continuing a Record-breaking Year of Authorizations
We’re continuing to make significant strides in authorizations, particularly with legacy Rev 5 reviews. The authorization life cycle is coming in at 30 days or less from submission to authorization, and we also:
- Authorized a total of nine new cloud services this month, bringing the fiscal year total to 104 authorized products
- Granted five new cloud services FedRAMP Ready designations, for a total of 44 this fiscal year
- Listed seven new In Process cloud services for Rev 5 Agency Authorizations
- Received 12 Rev 5 Agency Authorization packages and six readiness assessment reports (RARs) for final review
- Recognized one third party assessment organization (3PAO)
Our Goals for July
We’re closing out Q3 with a lot of activity and preparation for what’s coming next. As folks are taking a break and enjoying summer vacations, we’re going full speed ahead for July. Look out for:
- First round of 20xP1 12-month Low authorizations on the FedRAMP Marketplace
- A FedRAMP Brand Champion Toolkit to amplify and message new 20xP1 authorized offerings to the public
- A refreshed website with a new look and feel that’s responsive and designed for a better user experience
- Significant Change Notification Closed Beta for Rev5
As we look to what we will deliver in Q4, we remain dedicated to advancing FedRAMP 20x, and innovating on other ideas and concepts along the way to adapt so FedRAMP can effectively serve the needs of both government and industry.
Beginning next month, you will see a different blog post style that provides less narrative content with more links to the website or the community forum so you can find as much or as little information as you need. After you see that new blog style, let us know how we’re doing and if we need to reconsider this approach. Your continued engagement is vital to this shared success.
Cheers, from the entire FedRAMP team!