20x Changelog — Week of May 11, 2026

This is the first entry in a weekly brief on FedRAMP 20x. Format: short, mechanical, oriented around what changed and what's coming up. The goal is a single place to check once a week for the state of the program — RFC movements, cohort updates, schema deltas, and vendor activity that matters to CSPs on either authorization path.

Subscribe by bookmarking /blog?tag=20x-changelog.

Program status

  • Phase 2 (Moderate) in progress. Cohort 1 — Confluent Cloud for Government, Meridian LMS, Paramify Cloud — past the January 30 submission deadline. Cohort 2 (up to 7 additional CSPs) submissions ran through March 13. Authorization decisions are the next public signal.
  • Phase 3 (wide adoption) confirmed for Q3 2026. April 2026 draft guidance signals 20x as the default authorization pathway for new CSPs starting Q3. No formal cutover date inside the quarter has been published.

Consolidated Rules 2026

  • Public preview live since May 4 at fedramp.gov/preview/2026. Comment via GitHub Discussions on the FedRAMP/community repo. Finalization target end of June.
  • July 1 effective date. Transition window extends to January 1, 2027 for optional adoption; rules remain in effect through December 31, 2028.
  • Template retirement is the operationally significant change. Excel/Word artifacts are out; structured machine-readable requirements are the new format. Tooling that produces filled-in templates is on a deprecation path.

RFC tracker

Currently open:

  • RFC-0018 (Security Inbox Requirements) — opened September 29, 2025. Vulnerability and incident reporting channel definition.
  • RFC-0019 (Reporting Assessment Costs) — opened January 2026. CSPs report total cost, hours, assessor breakdown for both Rev 5 and 20x.
  • RFC-0020 (Authorization Designations) — opened January 2026. Proposes a six-level designation system replacing Low/Moderate/High.
  • RFC-0026 through RFC-0030 (Rev 5 Updates) — opened March 19, 2026. Cohort of refinements to the traditional baseline alongside the 20x track.

Recently published outcomes:

  • RFC-0024 (Rev 5 Machine-Readable Packages) — outcomes published March 25, 2026. Mandatory for all FedRAMP CSPs effective September 30, 2026. This applies to Rev 5 organizations too, not just 20x. If you have not started on machine-readable package emission, four months is a tight timeline.

Vendor activity worth noting

  • Vanta has publicly listed a FedRAMP 20x Low authorization on their marketplace presence.
  • Stack Armor's Armory20x program continues to position around AI ISVs specifically — adjacent to the FedRAMP AI Prioritization track.
  • Secureframe is publishing Phase 2 implementation guides as cohort participants surface KSI implementation patterns.

What to watch this week

  • Consolidated Rules comment threads. The most active discussions on the public preview are likely to surface in the next 2-3 weeks as organizations finish their reads. The open comment windows on RFC-0019 and RFC-0020 in particular are worth participating in if cost reporting or the six-level designation affects your authorization plan.
  • Phase 2 Cohort 1 authorization decisions. First Cohort 1 authorization announcements would establish the actual achievable timeline for Phase 2 Moderate. The "under two months" Phase 1 benchmark is the target.

Reference

Live hub page with the full state-of-the-program: /fedramp-20x.

Next changelog: week of May 18.