
FedRAMP Is Changing: What the FedRAMP 20x Initiative Means for Cloud Providers and Government Contractors


FedRAMP has operated on roughly the same structural model since it launched in 2011: a cloud service provider works with a third-party assessor, builds a documentation package, goes through a review process, and receives an authorization to operate. That process has been notoriously slow, expensive, and document-heavy. For many cloud providers, the timeline from readiness to authorization ran twelve to eighteen months or longer, and the documentation package could run to thousands of pages.

In 2025, the federal government announced FedRAMP 20x, a significant restructuring of the authorization program. The initiative changes how authorizations are reviewed, what documentation is required, and how compliance is maintained after authorization. For cloud service providers pursuing their first FedRAMP authorization and for those maintaining existing ones, the changes are material enough to warrant a fresh look at what the program now requires.

What changed and why

The FedRAMP Authorization Act, signed into law in December 2022 as part of the National Defense Authorization Act for fiscal year 2023, was the first time FedRAMP was codified in statute rather than operating under OMB policy guidance. Among other things, it directed the U.S. General Services Administration (GSA) to automate FedRAMP processes and established a new FedRAMP Board to replace the Joint Authorization Board (JAB), which had operated as the primary review body since the program’s early years.

The JAB, which comprised representatives from the Department of Defense, the Department of Homeland Security, and GSA, wound down in 2023 after issuing its final provisional authorizations. That structural change shifted the primary authorization pathway from a centralized body to individual agency sponsorships, where a federal agency agrees to sponsor and use a cloud service and its authorization becomes available to other agencies through a reuse model.

FedRAMP 20x builds on that foundation with a focus on speed and automation. The core changes include a shift toward machine-readable security documentation using OSCAL, the Open Security Controls Assessment Language developed by NIST. Rather than producing static PDF packages that reviewers read manually, providers are expected to produce structured, machine-readable documentation that can be validated and reviewed automatically. The goal is to compress authorization timelines dramatically and reduce the documentation burden that has historically made FedRAMP inaccessible to smaller providers.
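The practical difference between a PDF package and a machine-readable one is that the latter can be checked by a program. The following is an added example, not code from the page or from the FedRAMP program: it loads a System Security Plan fragment written in the OSCAL JSON model (the key names `system-security-plan`, `control-implementation`, `implemented-requirements`, `control-id`, `uuid` and `statements` follow OSCAL 1.x) and compares the controls it claims to implement against the control IDs a baseline requires, flagging gaps, duplicates and malformed entries. The SSP fragment and the eight-control baseline are constructed toy data, not a real FedRAMP baseline, and the check is a coverage check layered on top of (not a replacement for) validating the file against the NIST-published OSCAL JSON schema.

```python
"""Coverage check over an OSCAL-style System Security Plan (SSP).

Added example, not code from the FedRAMP program or the original page.
Given an SSP in the OSCAL JSON model and the control IDs a baseline demands,
report which controls are not addressed, which implemented requirements are
malformed, and which controls are claimed more than once.

Assumptions: the SSP fragment and baseline below are constructed toy data
(real FedRAMP baselines are far larger); key names follow the OSCAL 1.x SSP
JSON model (system-security-plan -> control-implementation ->
implemented-requirements[] -> control-id / uuid / statements[]).
"""
import json
import uuid

# Constructed baseline: a handful of NIST SP 800-53 control IDs in OSCAL's
# lowercase form. This is NOT a real FedRAMP baseline.
TOY_BASELINE = ["ac-2", "ac-2.1", "au-2", "cm-6", "ia-2", "ra-5", "sc-7", "si-4"]

# Constructed OSCAL SSP fragment, deliberately imperfect: ra-5 and sc-7 are
# absent, ia-2 is claimed twice, pl-2 is outside the baseline, and the cm-6
# entry has an invalid UUID and no statement text describing the control.
TOY_SSP_JSON = r"""
{
  "system-security-plan": {
    "uuid": "9d5f1c0e-0b4d-4c2e-a9ad-2f6a6b5c9e21",
    "metadata": {"title": "Example SaaS SSP (constructed)", "oscal-version": "1.1.2"},
    "import-profile": {"href": "#toy-baseline"},
    "control-implementation": {
      "description": "Control implementations for the example system.",
      "implemented-requirements": [
        {"uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a0001", "control-id": "ac-2",
         "statements": [{"statement-id": "ac-2_smt.a", "uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a1001",
                         "description": "Accounts are provisioned via the IdP and reviewed quarterly."}]},
        {"uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a0002", "control-id": "AC-2.1",
         "statements": [{"statement-id": "ac-2.1_smt", "uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a1002",
                         "description": "Account lifecycle is automated through SCIM."}]},
        {"uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a0003", "control-id": "au-2",
         "statements": [{"statement-id": "au-2_smt.a", "uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a1003",
                         "description": "Authentication, authorization and admin actions are logged."}]},
        {"uuid": "cm6-impl", "control-id": "cm-6",
         "statements": [{"statement-id": "cm-6_smt.a", "uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a1004",
                         "description": ""}]},
        {"uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a0005", "control-id": "ia-2",
         "statements": [{"statement-id": "ia-2_smt", "uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a1005",
                         "description": "Phishing-resistant MFA is enforced for all users."}]},
        {"uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a0006", "control-id": "ia-2",
         "statements": [{"statement-id": "ia-2_smt", "uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a1006",
                         "description": "Duplicate entry left over from an earlier revision."}]},
        {"uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a0007", "control-id": "si-4",
         "statements": [{"statement-id": "si-4_smt.a", "uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a1007",
                         "description": "Host and network telemetry feed the SIEM; alerts are triaged 24x7."}]},
        {"uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a0008", "control-id": "pl-2",
         "statements": [{"statement-id": "pl-2_smt.a", "uuid": "2d3b1b31-6d71-4dd2-9c6f-1b5e5b3a1008",
                         "description": "This SSP is reviewed annually."}]}
      ]
    }
  }
}
"""


def normalize_id(control_id):
    """OSCAL control IDs are lowercase (e.g. 'ac-2.1'); tolerate sloppy casing."""
    return control_id.strip().lower()


def is_uuid(value):
    """True if value parses as an RFC 4122 UUID, as OSCAL requires for uuid fields."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def implemented_requirements(ssp):
    """Walk the OSCAL path to the implemented-requirements array (empty if absent)."""
    return (ssp.get("system-security-plan", {})
               .get("control-implementation", {})
               .get("implemented-requirements", []))


def validate_ssp(ssp, baseline):
    """Compare claimed controls against the baseline and sanity-check each entry."""
    baseline_ids = {normalize_id(c) for c in baseline}
    seen = {}          # normalized control-id -> number of times claimed
    malformed = []     # entries a reviewer would bounce before reading further
    for req in implemented_requirements(ssp):
        cid = req.get("control-id")
        problems = []
        if not cid:
            problems.append("missing control-id")
        if not is_uuid(req.get("uuid")):
            problems.append("uuid is not a valid UUID")
        statements = req.get("statements") or []
        if not any((s.get("description") or "").strip() for s in statements):
            problems.append("no statement describes how the control is met")
        if problems:
            malformed.append({"control-id": cid, "uuid": req.get("uuid"), "problems": problems})
        if cid:
            n = normalize_id(cid)
            seen[n] = seen.get(n, 0) + 1
    implemented = set(seen)
    covered = baseline_ids & implemented
    return {
        "missing": sorted(baseline_ids - implemented),
        "not_in_baseline": sorted(implemented - baseline_ids),
        "duplicates": sorted(c for c, n in seen.items() if n > 1),
        "malformed": malformed,
        "coverage": round(100.0 * len(covered) / len(baseline_ids), 1) if baseline_ids else 0.0,
    }


def report(ssp_json=TOY_SSP_JSON, baseline=TOY_BASELINE):
    """Run the check on the constructed SSP against the constructed baseline."""
    return validate_ssp(json.loads(ssp_json), baseline)


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Run as a script it prints the findings as JSON: `ra-5` and `sc-7` missing, `pl-2` outside the baseline, `ia-2` duplicated, the `cm-6` entry malformed, and 75% coverage. The same check is trivial to wire into CI so that an SSP commit that drops a baseline control fails the build instead of surfacing months later in a reviewer's reading of a PDF; in a real pipeline the baseline list would come from the imported OSCAL profile rather than a hard-coded list.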

What FedRAMP 20x means in practice

For cloud service providers that have not yet begun a FedRAMP authorization, the direction of travel is toward OSCAL-native documentation from the start. Building a security package in traditional formats and converting it later adds work. Providers starting fresh should understand OSCAL requirements before building their System Security Plan and supporting documentation.

For providers with existing authorizations, continuous monitoring under the current Rev5 process follows a structured cadence: monthly deliverables, monthly POA&M review, and an annual assessment conducted in collaboration between the CSP and each agency holding an ATO.

FedRAMP 20x envisions a shift toward more automated evidence collection in this process, but that model applies to the 20x certification pathway currently in development, not to providers working within the existing Rev5 framework. Continuous monitoring requirements were already part of FedRAMP, but the 20x model intensifies the expectation that compliance is demonstrated continuously rather than re-proven at each annual review cycle.

Under the current Rev5 process, the 3PAO remains a central actor. A 3PAO conducts the Readiness Assessment, performs the Full Security Assessment including control testing, vulnerability scan validation, and penetration testing, and produces the Security Assessment Report the agency relies on to make its authorization decision. The current Rev5 3PAO requirements remain in effect and fully acceptable through the end of the FedRAMP 20x rollout, which is expected to complete by the end of fiscal year 2027. Providers pursuing or maintaining Rev5 authorizations should continue managing their 3PAO relationships as before, while monitoring GSA guidance on how the assessor’s role is expected to evolve under 20x.

The initiative also introduces a concept of reciprocity and reuse that goes further than the existing authorization inheritance model. A provider already authorized by one agency may be able to demonstrate that adequacy to other agencies without repeating the full authorization process. The practical implementation of this is still being developed, but it has significant implications for providers who have historically had to manage separate agency relationships.

Where the FedRAMP 20x rollout stands now

FedRAMP 20x is currently in Phase 3. The pilot programs have concluded and GSA has confirmed the new authorization model is permanent. The remaining work is finalizing the formal certification types and opening the submission pipeline.

The FedRAMP Consolidated Rules for 2026, which will contain all requirements for FedRAMP 20x certification, are scheduled to be finalized by the end of the third quarter of fiscal year 2026, which is June 2026. The submission pipeline for new FedRAMP 20x applications is expected to open in the fourth quarter of fiscal year 2026, between July and September 2026.

When the pipeline opens, FedRAMP 20x will initially be available for three certification classes: Class A for pilot participants, Class B covering Low impact systems, and Class C covering Moderate impact systems. High impact systems are not included in the initial rollout. Providers with High impact requirements should continue operating under the existing authorization framework while monitoring GSA guidance on when that pathway will be added.

The current Rev5 authorization process has a formal sunset at the end of fiscal year 2027, which is September 30, 2027. FedRAMP has stated it will limit updates to Rev5 processes and guidance in the meantime. Providers who receive a Rev5 authorization before that date will need to transition to a 20x certification type as the program formalizes the migration path.

For providers currently preparing for a FedRAMP authorization, the practical implication is a specific planning window. If your system falls within the Low or Moderate impact levels and your timeline allows for a submission in late 2026 or beyond, building toward FedRAMP 20x requirements from the start is the more efficient path. If your contract timeline requires authorization before the new pipeline opens, the existing pathway remains active and the work done under it will inform any subsequent 20x submission.

For providers currently mid-authorization under Rev5, FedRAMP’s Balance Improvement Release initiative will incorporate applicable 20x improvements into the Rev5 process before it sunsets. This means some 20x-aligned changes may arrive in the Rev5 framework before providers complete their current authorization, and monitoring the FedRAMP Public Roadmap is the best way to track which improvements are in progress.

What has not changed

The underlying security requirements for cloud services handling federal data have not changed in ways that reduce the security bar. NIST SP 800-53 remains the foundational control framework. FedRAMP Low, Moderate, and High baselines still define the control sets applicable to different impact levels. What has changed is the process for demonstrating compliance with those controls, not the controls themselves.

One thing that has not changed is what FedRAMP authorization actually means. The FedRAMP PMO explicitly states that terms such as ‘FedRAMP Compliant’ or ‘FedRAMP Equivalent’ are not recognized designations. The only valid statuses are FedRAMP Ready, FedRAMP In Process, and FedRAMP Authorized, all of which are verifiable on the FedRAMP Marketplace. For organizations evaluating cloud vendors for federal workloads, this distinction matters when a vendor claims alignment with FedRAMP without holding a verifiable Marketplace designation.

The requirement for an agency sponsor has not changed. A cloud provider cannot self-authorize. An agency must be willing to use and sponsor the service. For providers without an existing agency relationship, finding a sponsor remains the first and often most difficult step in the authorization process.

What this means if you are starting or maintaining a FedRAMP program

The changes FedRAMP 20x introduces are oriented toward providers that can support automated, continuous compliance. That means investing in tooling that produces machine-readable evidence, maintaining control configurations that can be monitored continuously rather than sampled periodically, and building internal processes that support ongoing evidence collection rather than periodic documentation sprints.

For organizations already working through CMMC or other federal compliance requirements, the operational model FedRAMP 20x is moving toward, continuous monitoring, automated evidence, and streamlined documentation, is consistent with the direction those programs are taking. The work done to instrument a compliance program for one federal requirement increasingly has value across others.

Carbide’s advisors work with cloud service providers and government contractors navigating FedRAMP alongside CMMC and other federal compliance requirements. If you are evaluating what FedRAMP 20x means for your program timeline or how to align your compliance infrastructure with the direction the program is heading, a readiness conversation is the right starting point.

Book a FedRAMP readiness consultation

Carbide helps cloud service providers build and maintain compliance programs that meet FedRAMP requirements alongside CMMC, SOC 2, and other frameworks. Book a demo today.
