FedRAMP 20x — Program reference
The state of FedRAMP 20x, kept current.
FedRAMP 20x is the most significant reshape of the program since inception. This page is the single-screen reference: where the program is, what the rules say, which RFCs are open, which CSPs are in the cohorts, and what the Consolidated Rules 2026 change.
In one paragraph
What 20x actually changes.
FedRAMP 20x replaces the 325+ NIST 800-53 controls with about 60 Key Security Indicators per impact level — measurable, automatable outcomes evaluated continuously rather than narratively. Authorization packages move from filled-in Word and Excel templates to machine-readable artifacts emitted from inside the boundary. Continuous monitoring becomes a stream — for Moderate, validated at least every three days — not a monthly deliverable. The result, in the pilots so far: authorization in under two months versus the 12-to-24 month historical norm.
Timeline
Phases and dates.
Three phases, two years. Default-by-Q3-2026 is the date most organizations should anchor planning to.
- Phase 1: Low-impact pilot. 26 complete submissions, 12 CSPs authorized. Established the KSI evaluation model and the first authorization-in-under-two-months benchmark.
- Phase 2: Moderate-impact pilot. Cohort 1 (3 CSPs) selected Dec 10, 2025; Cohort 2 (up to 7 CSPs) opened January 2026. Final submissions through Mar 13, 2026.
- Phase 3: Wide-scale adoption for Low and Moderate. 20x becomes the default authorization pathway for new CSPs starting Q3 2026, per April 2026 draft guidance.
RFC tracker
What the program is currently writing down.
FedRAMP runs its rulemaking through public RFCs on GitHub. The entries below are the RFCs that are currently open or whose outcomes were recently published. They are useful both for understanding the program's trajectory and for getting comments in before the windows close.
- Established the 56-KSI Low baseline. The first machine-readable security spec FedRAMP published.
- Vulnerability and incident reporting requirements for the program. Defines the inbound channel for the FedRAMP PMO.
- CSPs report total assessment cost, hours, and assessor breakdown. Gives FedRAMP visibility without publishing sensitive pricing.
- Proposes a six-level designation system replacing Low/Moderate/High. Aligns with continuous validation and the machine-readable package model.
- Mandates machine-readable authorization packages for all FedRAMP CSPs (Rev 5 and 20x). This is RFC-0024, effective Sep 30, 2026.
- A cohort of RFCs refining the Rev 5 control baseline alongside the 20x track.
Authoritative source: github.com/FedRAMP/community. The Novaprospect 20x changelog tracks movements weekly.
KSI baselines
Seven categories. 56 Low. 61 Moderate.
Each Key Security Indicator is a single, automatable outcome. The categories below cover the Phase 2 Moderate baseline as published in the FedRAMP 20x KSI spec. Per-category counts are best estimates pending finalization of the Consolidated Rules.
| Code | Category | Low | Moderate | Examples |
|---|---|---|---|---|
| KSI-CNA | Cloud Native Architecture | 11 | 12 | Immutable containers, micro-services, segmented infrastructure |
| KSI-IAM | Identity & Access Management | 9 | 10 | Phishing-resistant MFA (FIDO2/WebAuthn), zero-trust, RBAC |
| KSI-SVC | Service Configuration | 10 | 11 | Encrypted network traffic, restricted east-west, hardened defaults |
| KSI-CMT | Change Management | 7 | 8 | Immutable infrastructure, redeploy not patch, change attestation |
| KSI-MLA | Monitoring, Logging, Auditing | 8 | 9 | Centralized log retention, signed audit trail, alerting |
| KSI-RPL | Recovery Planning | 6 | 6 | Tested RTO/RPO, drill cadence, restoration evidence |
| KSI-PIY | Policy & Inventory | 5 | 5 | Asset inventory, policy-as-code attestation |
| Total | | 56 | 61 | |
Authoritative spec: fedramp.gov/docs/20x/key-security-indicators · machine-readable repo: github.com/FedRAMP/docs.
Cohorts
Who has been through the pilots.
Pilot participation is the closest signal of what a 20x authorization actually requires in practice. Phase 1 (Low) and Phase 2 (Moderate) participants below are the public-record cohort.
Phase 1 — Low
Status: complete. 12 CSPs authorized. Publicly named participants include:
- Secureframe (GRC platform)
- Knox Systems (Knox AI) (compliance automation)
- Meridian LMS (learning management)
Phase 2 Cohort 1 — Moderate
Status: in progress. 3 CSPs selected Dec 10, 2025. Final submissions Jan 30, 2026.
- Confluent Cloud for Government (Moderate)
- Meridian LMS (Moderate)
- Paramify Cloud (Moderate)
Phase 2 Cohort 2 (up to 7 additional CSPs) selection window opened January 2026; final submissions Mar 13, 2026. Authoritative source: FedRAMP cohort announcement.
Our take
What we think CSPs should be doing right now.
The architectural decisions are load-bearing. KSI emission requires that infrastructure state be readable, not narrated. Teams whose compliance posture is currently maintained in spreadsheets and institutional knowledge will need to invest in infrastructure-derived control state before they can move at 20x cadence — regardless of which vendor they choose for the tooling layer.
The machine-readable package mandate is the forcing function. RFC-0024's September 30 deadline applies to all CSPs, Rev 5 and 20x alike. Even organizations not pursuing 20x in the immediate term need to be ready to emit the new package format.
The cadence change is the bigger operational shift. Three-day persistent validation eliminates the quarterly sprint of evidence assembly. The right ConMon investment now is in the emission pipeline, not in better tools for the old monthly cycle.
Cohort participation is still open. Phase 2 Cohort 2 selection ran through January, and Phase 3 wide-scale adoption opens in Q3. Organizations whose timelines fit should apply rather than waiting for Phase 3 — the feedback loop with the FedRAMP team during pilot is materially different from a standard authorization run.
Tooling
What we build for the 20x stack.
Two products are specifically designed for the 20x authorization model. The third and fourth feed evidence into them.
- Beacon: Reads infrastructure state continuously and emits signed Key Security Indicator evidence. Three-day cadence floor, RFC-0024 package format, ed25519 signing inside your boundary.
- FedRAMP Management Engine: Holds the authorization package as the authoritative record. Emits the 20x machine-readable package and Rev 5 OSCAL artifacts side by side for organizations in transition.
- Citadel: Signed osquery results feeding Beacon as the host-side input for the KSI-CNA and KSI-CMT categories.
- NAICOM: AI-SDLC session receipts feeding Beacon as evidence for the KSI-MLA (monitoring/logging) category.
Resources
Where to go next.
- FedRAMP Library: Curated index of every Rev 5 template, NIST upstream document, and OMB memo.
- 20x changelog: Recurring brief on RFC movements, cohort updates, and schema deltas.
- Beacon design partners: Apply to the Phase 2/3-aligned design partner cohort.
- KSI Quick Check: Paste an Okta policy or Terraform plan; get a 20x KSI pass/fail in your browser. Nothing leaves the tab.
- 20x program page (external): The program's own canonical overview.
- FedRAMP/community (external): Where RFCs are published and comment threads live.
- Consolidated Rules 2026 preview (external): Public preview published May 4, with finalization expected at the end of June.
Building for 20x. Want to be a design partner?
We're working with a small cohort of CSPs through the Phase 2 and early Phase 3 window. If your authorization timeline overlaps, there's a seat at the table.