FedRAMP 20x — Program reference
The state of FedRAMP 20x, kept current.
FedRAMP 20x is the most significant reshape of the program since inception. This page is the single-screen reference: where the program is, what the rules say, which RFCs shaped it, which CSPs are in the cohorts, and what the Consolidated Rules 2026 change.
In one paragraph
What 20x actually changes.
FedRAMP 20x replaces the 325+ NIST 800-53 controls with about 60 Key Security Indicators per impact level — measurable, automatable outcomes evaluated continuously rather than narratively. Authorization packages move from filled-in Word and Excel templates to machine-readable artifacts emitted from inside the boundary. Continuous monitoring becomes a stream — for Moderate, validated at least every three days — not a monthly deliverable. The result, in the pilots so far: authorization in under two months versus the 12-to-24 month historical norm.
Timeline
Phases and dates.
Three phases, two years. The June 25, 2026 launch of the Consolidated Rules (CR26) is the date most organizations should anchor planning to.
Low-impact pilot. 26 complete submissions, 12 CSPs authorized. Established the KSI evaluation model and the first authorization-in-under-two-months benchmark.
Moderate-impact pilot. Cohort 1 (3 CSPs) selected Dec 10, 2025 and authorized Mar 6, 2026; Cohort 2 (up to 7 CSPs) ran Jan–Mar 2026, with six more CSPs authorized by late April. Pilot concluded end of Q2 FY26.
Wide availability arrived through the Consolidated Rules for 2026 (CR26), finalized June 25, 2026. Marketplace listings opened July 6; the Class A authorization pipeline opens Aug 3 and Class B/C on Aug 31. CR26 becomes mandatory for all stakeholders Jan 1, 2027.
RFC tracker
What the program is currently writing down.
FedRAMP runs its rulemaking through public RFCs on GitHub. The recent set has now closed with outcomes published — useful both for understanding the trajectory and for reading the decisions now baked into CR26.
Established the 56-KSI Low baseline. The first machine-readable security spec FedRAMP published.
Vulnerability and incident reporting requirements for the program. Defines the inbound channel for the FedRAMP PMO.
CSPs report total assessment cost, hours, and assessor breakdown. Visibility for FedRAMP without publishing sensitive pricing.
Proposed numbered designation levels in place of Low/Moderate/High. The outcome became the A/B/C/D certification impact classes adopted May 2026 and formalized in CR26.
Mandates machine-readable authorization packages for all CSPs (Rev 5 and 20x); outcome in NOTICE-0009 (Mar 25). The rollout timeline was revised into 2027 and folded into CR26.
Cohort refining the Rev 5 control baseline (CA-7 ConMon plus control-family updates) alongside the 20x track. Outcomes published in NOTICE-0013 (Jun 16, 2026).
Revised incident-communication procedures for the program; outcome in NOTICE-0012 (Jun 3, 2026). Highest-numbered RFC as of mid-2026.
Authoritative source: github.com/FedRAMP/community. The Novaprospect 20x changelog tracks movements weekly.
KSI baselines
Seven categories. 56 Low. 61 Moderate.
Each Key Security Indicator is a single, automatable outcome. The categories below cover the Moderate baseline as published in the FedRAMP 20x KSI spec. The 56-KSI Low total is the authoritative figure; per-category counts are best estimates.
| Code | Category | Low | Moderate | Examples |
|---|---|---|---|---|
| KSI-CNA | Cloud Native Architecture | 11 | 12 | Immutable containers, micro-services, segmented infrastructure |
| KSI-IAM | Identity & Access Management | 9 | 10 | Phishing-resistant MFA (FIDO2/WebAuthn), zero-trust, RBAC |
| KSI-SVC | Service Configuration | 10 | 11 | Encrypted network traffic, restricted east-west, hardened defaults |
| KSI-CMT | Change Management | 7 | 8 | Immutable infrastructure, redeploy not patch, change attestation |
| KSI-MLA | Monitoring, Logging, Auditing | 8 | 9 | Centralized log retention, signed audit trail, alerting |
| KSI-RPL | Recovery Planning | 6 | 6 | Tested RTO/RPO, drill cadence, restoration evidence |
| KSI-PIY | Policy & Inventory | 5 | 5 | Asset inventory, policy-as-code attestation |
| Total | 56 | 61 |
Authoritative spec: fedramp.gov/2026/reference/key-security-indicators · machine-readable rules: github.com/FedRAMP/rules.
Cohorts
Who has been through the pilots.
Pilot participation is the closest signal of what a 20x authorization actually requires in practice. Phase 1 (Low) and Phase 2 (Moderate) participants below are the public-record cohort.
Phase 1 — Low
complete12 CSPs authorized. Publicly named participants include:
- Secureframe GRC platform
- Knox Systems (Knox AI) Compliance automation
- Meridian LMS Learning management
Phase 2 Cohort 1 — Moderate
authorized3 CSPs selected Dec 10, 2025; authorized Mar 6, 2026.
- Confluent Cloud for Government Moderate
- Meridian LMS Moderate
- Paramify Cloud Moderate
Phase 2 Cohort 2 (up to 7 additional CSPs) ran January–March 2026; six more CSPs were authorized by late April 2026, concluding the Moderate pilot. Authoritative source: FedRAMP cohort announcement.
Our take
What we think CSPs should be doing right now.
The architectural decisions are load-bearing. KSI emission requires that infrastructure state be readable, not narrated. Teams whose compliance posture is currently maintained in spreadsheets and institutional knowledge will need to invest in infrastructure-derived control state before they can move at 20x cadence — regardless of which vendor they choose for the tooling layer.
The machine-readable package mandate is the forcing function. RFC-0024's package mandate applies to all CSPs, Rev 5 and 20x alike. The rollout timeline was revised into 2027 and folded into CR26, but the direction is set — even organizations not pursuing 20x in the immediate term need to be ready to emit the new package format.
The cadence change is the bigger operational shift. Three-day persistent validation eliminates the quarterly sprint of evidence assembly. The right ConMon investment now is in the emission pipeline, not in better tools for the old monthly cycle.
The pilots are over — this is production now. With CR26 finalized (June 25) and the marketplace open (July 6), new authorizations run through the CR26 pipelines rather than a pilot cohort. The Class A pipeline opens Aug 3 and Class B/C on Aug 31, so the organizations that prepared their emission pipeline during the pilots are the ones positioned to move first.
Tooling
What we build for the 20x stack.
Two products are specifically designed for the 20x authorization model. The third and fourth feed evidence into them.
Beacon →
Reads infrastructure state continuously and emits signed Key Security Indicator evidence. Three-day cadence floor, RFC-0024 package format, ed25519 signing inside your boundary.
FedRAMP Management Engine →
Holds the authorization package as the authoritative record. Emits the 20x machine-readable package and Rev 5 OSCAL artifacts side by side for organizations in transition.
Citadel →
Signed osquery results feeding Beacon as the host-side input for KSI-CNA and KSI-CMT categories.
NAICOM →
AI-SDLC session receipts feeding Beacon as evidence for KSI-MLA (monitoring/logging) categories.
Resources
Where to go next.
FedRAMP Library →
Curated index of every Rev 5 template, NIST upstream, and OMB memo.
20x changelog →
Recurring brief on RFC movements, cohort updates, and schema deltas.
Beacon design partners →
Apply to the 20x-aligned design partner cohort.
KSI Quick Check →
Paste an Okta policy or Terraform plan; get a 20x KSI pass/fail in your browser. Nothing leaves the tab.
20x program page ↗
The program's own canonical overview.
FedRAMP/community ↗
Where RFCs are published and comment threads live.
Consolidated Rules 2026 launch ↗
The CR26 ruleset, finalized and launched June 25, 2026.
Building for 20x. Want to be a design partner?
We're working with a small cohort of CSPs adopting 20x under the Consolidated Rules for 2026. If your authorization timeline overlaps, there's a seat at the table.
See the design-partner program