
20x Is Permanent Now: The Rehearsal's Over, the Rules Land in June

Ten days ago we wrote about what 20x prep actually looks like from inside a CSP that hadn't started yet, on the morning the Phase One pilot draft window opened. That post was about a rehearsal — a process the program was still using a draft window to evaluate.

The rehearsal is over.

FedRAMP 20x has moved into Phase 3. The pilots have concluded, and GSA has confirmed the 20x authorization model as permanent — not an experiment running alongside the traditional path, but the path. The Consolidated Rules for 2026, which gather every requirement for both the Rev 5 track and 20x general availability into one place, are set to finalize by the end of June, take effect July 1, 2026, and stay valid through December 31, 2028. Many provisions carry an optional transition window out to January 1, 2027. The pipeline that actually accepts 20x submissions opens in FY26 Q4 — July through September.

So the headline question shifts. For months it was "will this stick?" It's now "the dates are real, what do we do about them?"

What "permanent" actually changes

When something is a pilot, treating it as optional is a defensible posture. You can watch the cohorts, read the changelog, and start when the picture clears. That posture has an expiration date now, and it's roughly a month out.

A few things follow from permanence that didn't follow from a pilot:

  • There's a clock with real dates on it. Rules finalized end of June, effective July 1, pipeline open in Q4, validity through 2028. These aren't aspirational milestones in a slide deck — they're the schedule the program is committing to operate against. Prep that was reasonable to defer while the format was in flux is now prep with a deadline.
  • FedRAMP Ready is being retired. The designation a lot of CSPs treated as the on-ramp is going away under the consolidated framework. If your go-to-market story depended on it, that story needs rewriting.
  • The format stops moving. The Consolidated Rules are written as plain-language rule statements rather than narrative guidance — "here is the rule, here is the timeline" — and they're meant to hold steady through 2028. That stability is the point. It's also what makes it worth building real tooling against now, because you're building against something that won't be redrawn next quarter.

The prep that was always load-bearing is still load-bearing

We made this argument when the pilot window opened and it's worth restating now that the timeline is firm: the documentation burden dropping is not the same as the work dropping. The 80%-less-paperwork headline is real. The part it doesn't cover is that machine-readable packages make your actual security posture the thing under examination, with fewer narrative pages to absorb the gaps.

A package that asserts a control is met has to be backed by evidence a machine can check. That moves the center of gravity from "can we describe what we do" to "can we demonstrate it, continuously, in the shape the package expects." The teams who've come through the Phase One Low and Phase 2 Moderate cohorts proved the path works — and what's left after the templates go away is exactly the part that was always the hard part. It's just more visible now, not less.

Where this leaves prep, concretely

If you're a CSP looking at these dates, the useful framing isn't "start the 20x project." It's "get the underlying posture into a state where a 20x package is a report you can generate, not a document you have to write." A few things we'd put near the top:

  • Know your boundary in machine-readable terms. The package format assumes you can enumerate what's in scope and prove its configuration. If that lives in diagrams and tribal knowledge, that's the first conversion.
  • Treat evidence as a standing output, not an assessment-time scramble. The systems that do well here are the ones already collecting the before-and-after as a normal operational byproduct — the same muscle that makes meeting a KEV remediation deadline a normal Tuesday.
  • Map yourself to the catalog now. The control set and the 20x Key Security Indicators aren't going to surprise you — they're published. Knowing where you stand against them before the pipeline opens is the difference between Q4 being a submission and Q4 being a discovery exercise.

What we keep coming back to

We built the Novaprospect audit suite around a bet that this is exactly where FedRAMP was heading: machine-readable packages, continuous evidence, a catalog you can actually run your environment against rather than describe in prose. The browsable Rev 5 Moderate + 20x KSI catalog at /fedramp/controls is the same catalog the engine evaluates against, and it's live today.

The permanence announcement doesn't change that direction — it confirms it. A pilot can be reversed. A permanent model with finalized rules valid through 2028 is the program telling you what the next two and a half years look like. The teams getting their posture and evidence pipeline in shape before the Q4 pipeline opens won't be rushing in the fall — they'll be generating a report.
