The federal cloud marketplace is undergoing its most significant transformation since FedRAMP’s inception. On March 24, 2025, the General Services Administration announced FedRAMP 20X—a fundamental redesign of the authorization process that replaces manual documentation with automated validation and continuous monitoring.
For cloud service providers navigating federal compliance, this shift represents both opportunity and urgency. Authorization timelines that previously stretched into years may soon be measured in weeks.
But the change requires rethinking how an organization’s security posture is documented, validated, and maintained.
The Problem FedRAMP 20X Solves
The traditional FedRAMP authorization process has long been criticized for its paper-based approach and lengthy timelines. Historically, achieving FedRAMP authorization has been a process that can take months or even years, requiring extensive manual documentation and narrative explanations for hundreds of complex security controls drawn from NIST SP 800-53 Revision 5.
At times, such procedural complexity has contributed to the following:
- Delayed access to innovative cloud technologies for federal agencies
- High costs for cloud service providers seeking authorization
- Delayed system changes, because significant changes required a formal Significant Change Request before they could be made
- Manual continuous monitoring processes that struggle to keep pace with modern threat environments
FedRAMP 20X addresses these challenges by establishing a cloud-native authorization approach designed for automation.
Automation at the Core: The 80% Goal
The centerpiece of FedRAMP 20X is its automation requirement. The program aims to automate validation of at least 80% of FedRAMP security requirements, fundamentally shifting away from evidence that includes screenshots and lengthy narratives and toward machine-readable data formats.
This automation-first approach means security assessments can occur continuously rather than as point-in-time reviews. Instead of periodic manual reviews, cloud service providers demonstrate compliance through continuous automated validation based on actual system configurations.
Key Security Indicators
To enable this automation, FedRAMP 20X has introduced Key Security Indicators (KSIs). KSIs are meant to be measurable translations of traditional controls verifiable through automation. They represent an abstraction layer that simplifies assessment compared to the control-by-control approach required under NIST SP 800-53.
All FedRAMP 20X packages must be submitted in a machine-readable format that can be regenerated on demand. This structured data approach enables automated processing and validation.
Implementation Timeline and Current Status
FedRAMP 20X is being delivered in phases, with each phase informing the next based on stakeholder feedback and measured outcomes.
Phase 1 launched as a pilot focused on FedRAMP Low authorizations. The pilot required eligible cloud services to be deployed on existing FedRAMP-authorized platforms and use primarily cloud-native services. From 26 pilot submissions, 12 received FedRAMP 20X Low authorizations.
The pilot demonstrated substantial industry interest and validated the feasibility of an automation-based approach.
20X Phase 2 began only recently, expanding to FedRAMP Moderate authorizations while incorporating lessons from Phase 1.
Looking ahead, FedRAMP plans to open a Phase 3 pilot for FedRAMP High authorizations targeting hyperscale infrastructure and platform providers. The goal is to retire the traditional Rev5 authorization path for Low and Moderate by mid-fiscal year 2027, with High to follow by the end of fiscal year 2027.
Pilot Phase
It is important to note, however, that as of the date of this blog post (December 2025), FedRAMP 20X is still in the pilot phase.
This means that FedRAMP Rev 5 is still the only path to FedRAMP authorization for all systems. The pilot phase for FedRAMP 20X (focused on the Low baseline) has closed, and there is no current adoption of 20X across the government.
Eliminating the Change Request Bottleneck
One of the most significant improvements in FedRAMP 20X is the replacement of the Significant Change Request process with Significant Change Notifications. Under the traditional model, cloud service providers had to obtain FedRAMP approval before making significant changes to their services—a process that could be complex and lengthy.
The new Significant Change Notification standard asserts that authorizations granted to cloud service providers include the authority to make changes in the best interest of agency customers without asking permission from an authorizing official in advance, in most cases. This allows commercial services to operate consistent with their authorized business practices while ensuring agency customers have sufficient information to understand how their authorized service is changing.
Continuous Monitoring Shifts to Agencies
FedRAMP previously managed continuous compliance monitoring for services that received authorizations through the now-dissolved Joint Authorization Board. FedRAMP has ceased this centralized monitoring, making continuous monitoring the responsibility of each individual agency.
KSIs are designed to support Continuous Authority to Operate (cATO), allowing agencies to trust cloud services through ongoing data feeds rather than yearly audits.
This decentralization aligns with FedRAMP 20X’s vision of agencies acting as informed consumers rather than requiring centralized approval for every aspect of cloud service operations.
The Role of GRC Automation Platforms
The shift to automation-based compliance creates both challenges and opportunities for governance, risk, and compliance platforms. Tools that can ingest machine-readable KSI data, perform automated validation, and provide continuous monitoring capabilities will be essential for cloud service providers navigating FedRAMP 20X.
The focus is on continuous technical validation rather than documentation production—moving from screenshots and narratives to automated queries of actual system configurations that can be verified in real time.
Xacta is FedRAMP 20X-Ready
Xacta for FedRAMP streamlines the entire authorization process, from initial documentation through continuous monitoring. The platform serves as a central hub where teams can build audit-ready packages, conduct gap assessments, and collaborate with 3PAOs (Third Party Assessment Organizations).
Xacta automates critical tasks, such as generating POA&Ms (Plans of Action and Milestones), mapping scan findings to controls, and assembling an audit-ready package for submission. During the continuous monitoring phase, it automatically ingests security scans and tracks remediation activities, helping organizations maintain compliance while managing ongoing cybersecurity risks.
Now, Xacta has been updated for FedRAMP 20X, with a KSI dashboard that shows your current KSI ratings compared to your FedRAMP Rev 5 assessment, allowing you to address project gaps immediately.
Looking Ahead
FedRAMP 20X represents a fundamental reimagining of how federal cloud authorization works. By embracing automation, machine-readable data, and continuous validation, the program aims to accelerate secure cloud adoption across federal agencies while reducing the compliance burden on cloud service providers.
For providers currently pursuing or planning FedRAMP authorization, the message is clear: automation capabilities will be essential. Those who can demonstrate security posture through continuous automated validation rather than periodic manual documentation will be positioned to succeed in the new framework.
The timeline is aggressive—FedRAMP intends to retire the traditional authorization path within three years. Cloud service providers should evaluate their automation capabilities now and consider participating in the public working groups shaping FedRAMP 20X standards.
The federal cloud marketplace is evolving rapidly. Organizations that adapt their compliance approaches to this automation-first model will gain a significant competitive advantage in serving federal customers.