FedRAMP 20x — Program reference

The state of FedRAMP 20x, kept current.

FedRAMP 20x is the most significant reshape of the program since inception. This page is the single-screen reference: where the program is, what the rules say, which RFCs shaped it, which CSPs are in the cohorts, and what the Consolidated Rules 2026 change.

Last updated 2026-07-11 · Timeline · RFCs · KSI baselines · Cohorts · Our take

In one paragraph

What 20x actually changes.

FedRAMP 20x replaces the 325+ NIST 800-53 controls with about 60 Key Security Indicators per impact level — measurable, automatable outcomes evaluated continuously rather than narratively. Authorization packages move from filled-in Word and Excel templates to machine-readable artifacts emitted from inside the boundary. Continuous monitoring becomes a stream — for Moderate, validated at least every three days — not a monthly deliverable. The result, in the pilots so far: authorization in under two months versus the 12-to-24 month historical norm.

Timeline

Phases and dates.

Three phases, two years. The June 25, 2026 launch of the Consolidated Rules (CR26) is the date most organizations should anchor planning to.

Phase 1 complete
Apr – Sep 2025

Low-impact pilot. 26 complete submissions, 12 CSPs authorized. Established the KSI evaluation model and the first authorization-in-under-two-months benchmark.

Phase 2 complete
Nov 2025 – Mar 2026

Moderate-impact pilot. Cohort 1 (3 CSPs) selected Dec 10, 2025 and authorized Mar 6, 2026; Cohort 2 (up to 7 CSPs) ran Jan–Mar 2026, with six more CSPs authorized by late April. Pilot concluded end of Q2 FY26.

Phase 3 in progress
Q3 2026 onward

Wide availability arrived through the Consolidated Rules for 2026 (CR26), finalized June 25, 2026. Marketplace listings opened July 6; the Class A authorization pipeline opens Aug 3 and Class B/C on Aug 31. CR26 becomes mandatory for all stakeholders Jan 1, 2027.

milestones / 2026 – 2028
May 4, 2026 Consolidated Rules 2026 public preview published
Jun 25, 2026 Consolidated Rules 2026 (CR26) finalized and launched
Jul 6, 2026 20x marketplace listings open
Jul 28, 2026 FedRAMP Ready designation moves to Legacy
Aug 3, 2026 Class A authorization pipeline opens
Aug 31, 2026 Class B / C authorization pipelines open
Jan 1, 2027 CR26 becomes mandatory for all stakeholders
Jun 11, 2027 Last new Rev 5 Certification applications accepted
Dec 31, 2028 Consolidated Rules 2026 valid through

RFC tracker

What the program is currently writing down.

FedRAMP runs its rulemaking through public RFCs on GitHub. The recent set has now closed with outcomes published — useful both for understanding the trajectory and for reading the decisions now baked into CR26.

RFC-0006 closed
Phase One Key Security Indicators

Established the 56-KSI Low baseline. The first machine-readable security spec FedRAMP published.

closed: May 25, 2025
RFC-0018 closed
Security Inbox Requirements

Vulnerability and incident reporting requirements for the program. Defines the inbound channel for the FedRAMP PMO.

closed: Nov 17, 2025
RFC-0019 closed
Reporting Assessment Costs

CSPs report total assessment cost, hours, and assessor breakdown. Visibility for FedRAMP without publishing sensitive pricing.

closed: Feb 12, 2026
RFC-0020 closed
Authorization Designations

Proposed numbered designation levels in place of Low/Moderate/High. The outcome became the A/B/C/D certification impact classes adopted May 2026 and formalized in CR26.

closed: Feb 19, 2026
RFC-0024 outcomes published
Rev 5 Machine-Readable Packages

Mandates machine-readable authorization packages for all CSPs (Rev 5 and 20x); outcome in NOTICE-0009 (Mar 25). The rollout timeline was revised into 2027 and folded into CR26.

closed: Mar 11, 2026
RFC-0026–0030 closed
Rev 5 Updates & Improvements

Cohort refining the Rev 5 control baseline (CA-7 ConMon plus control-family updates) alongside the 20x track. Outcomes published in NOTICE-0013 (Jun 16, 2026).

closed: Apr 22, 2026
RFC-0031 closed
Updated Incident Communications Procedures

Revised incident-communication procedures for the program; outcome in NOTICE-0012 (Jun 3, 2026). Highest-numbered RFC as of mid-2026.

closed: May 12, 2026

Authoritative source: github.com/FedRAMP/community. The Novaprospect 20x changelog tracks movements weekly.

KSI baselines

Seven categories. 56 Low. 61 Moderate.

Each Key Security Indicator is a single, automatable outcome. The categories below cover the Moderate baseline as published in the FedRAMP 20x KSI spec. The 56-KSI Low total is the authoritative figure; per-category counts are best estimates.

CodeCategoryLowModerateExamples
KSI-CNACloud Native Architecture1112Immutable containers, micro-services, segmented infrastructure
KSI-IAMIdentity & Access Management910Phishing-resistant MFA (FIDO2/WebAuthn), zero-trust, RBAC
KSI-SVCService Configuration1011Encrypted network traffic, restricted east-west, hardened defaults
KSI-CMTChange Management78Immutable infrastructure, redeploy not patch, change attestation
KSI-MLAMonitoring, Logging, Auditing89Centralized log retention, signed audit trail, alerting
KSI-RPLRecovery Planning66Tested RTO/RPO, drill cadence, restoration evidence
KSI-PIYPolicy & Inventory55Asset inventory, policy-as-code attestation
Total5661

Authoritative spec: fedramp.gov/2026/reference/key-security-indicators · machine-readable rules: github.com/FedRAMP/rules.

Cohorts

Who has been through the pilots.

Pilot participation is the closest signal of what a 20x authorization actually requires in practice. Phase 1 (Low) and Phase 2 (Moderate) participants below are the public-record cohort.

Phase 1 — Low

complete

12 CSPs authorized. Publicly named participants include:

  • Secureframe GRC platform
  • Knox Systems (Knox AI) Compliance automation
  • Meridian LMS Learning management

Phase 2 Cohort 1 — Moderate

authorized

3 CSPs selected Dec 10, 2025; authorized Mar 6, 2026.

  • Confluent Cloud for Government Moderate
  • Meridian LMS Moderate
  • Paramify Cloud Moderate

Phase 2 Cohort 2 (up to 7 additional CSPs) ran January–March 2026; six more CSPs were authorized by late April 2026, concluding the Moderate pilot. Authoritative source: FedRAMP cohort announcement.

Our take

What we think CSPs should be doing right now.

The architectural decisions are load-bearing. KSI emission requires that infrastructure state be readable, not narrated. Teams whose compliance posture is currently maintained in spreadsheets and institutional knowledge will need to invest in infrastructure-derived control state before they can move at 20x cadence — regardless of which vendor they choose for the tooling layer.

The machine-readable package mandate is the forcing function. RFC-0024's package mandate applies to all CSPs, Rev 5 and 20x alike. The rollout timeline was revised into 2027 and folded into CR26, but the direction is set — even organizations not pursuing 20x in the immediate term need to be ready to emit the new package format.

The cadence change is the bigger operational shift. Three-day persistent validation eliminates the quarterly sprint of evidence assembly. The right ConMon investment now is in the emission pipeline, not in better tools for the old monthly cycle.

The pilots are over — this is production now. With CR26 finalized (June 25) and the marketplace open (July 6), new authorizations run through the CR26 pipelines rather than a pilot cohort. The Class A pipeline opens Aug 3 and Class B/C on Aug 31, so the organizations that prepared their emission pipeline during the pilots are the ones positioned to move first.

Building for 20x. Want to be a design partner?

We're working with a small cohort of CSPs adopting 20x under the Consolidated Rules for 2026. If your authorization timeline overlaps, there's a seat at the table.

See the design-partner program