The FedRAMP 20x Phase Two Timeline

Michael Peters

2 days ago

FedRAMP has long been the backbone of how U.S. federal agencies evaluate and trust cloud services. For more than a decade, it has provided a standardized approach to assessing security controls, granting authorizations, and maintaining ongoing oversight. Yet as cloud architectures evolved, software delivery accelerated, and agencies increasingly relied on modern DevSecOps practices, the original FedRAMP model began to show its age.

With the launch of Phase Two of the 20x pilot, the program has moved beyond experimentation and into a more consequential stage that will shape how cloud services are authorized across the federal government in the coming years.

The Ongoing Move to FedRAMP 20x

Both government agencies and industry participants raised concerns that the existing authorization process had become a barrier to innovation rather than an enabler of secure cloud adoption. Authorization timelines could stretch well beyond a year… a scale that couldn’t address the increasing demand for cloud computing platforms that can support SaaS software, AI, and analytics.

Under the traditional FedRAMP model, cloud providers demonstrated compliance primarily through extensive narrative documentation mapped to NIST SP 800-53 controls.

Authorization decisions were heavily dependent on point-in-time assessments, followed by periodic, continuous-monitoring documents. This approach was rigorous but slow and costly.
FedRAMP 20x emphasizes demonstrable outcomes supported by machine-verifiable evidence. Security is evaluated based on whether key safeguards are continuously operating as intended, not simply whether documentation exists to describe them.

Core Design Principles Behind FedRAMP 20x

FedRAMP 20x is built around several connected principles:

Automation is Foundational: The program prioritizes evidence that can be generated, collected, and validated through automated means, reducing reliance on manual attestations and subjective interpretation. This not only improves speed but also increases confidence in the consistency and accuracy of security assessments.
Continuous Assurance: Instead of focusing primarily on whether a system met requirements at a single point in time, 20x emphasizes whether it continues to meet those requirements as it evolves. This aligns more closely with modern threat landscapes, where risks emerge and change rapidly.
Transparency and Reusability: Authorization data is intended to be more standardized and machine-readable, enabling agencies to understand risk decisions better and reuse evidence across multiple authorizations where appropriate. Over time, this could significantly reduce duplication of effort across the federal ecosystem.
Iterative Deployment: FedRAMP 20x is being rolled out in phases, with pilots designed to surface practical challenges, validate assumptions, and refine requirements before broader adoption.

What is Phase Two Of The FedRAMP 20x Pilot?

Rather than opening to the entire cloud provider market, Phase Two is a controlled pilot limited to a small number of Moderate-impact cloud services. This tighter cohort model enables FedRAMP to collaborate deeply with participants, walk through novel 20x expectations, and validate the processes that will underpin the broader rollout of 20x authorizations.

Under the current FedRAMP plan, the pilot is scheduled to run through the first quarter of 2026, with several defined milestones that shape readiness, submission, and evaluation. The timeline reflects both the agency’s intention to methodically validate 20x concepts and its broader objective of positioning 20x for a government-wide release in mid-2026:

Cohort 1 Application and Selection (Late 2025): Prior to the calendar year turning, an initial application window closed in early December 2025, allowing a limited group of cloud services to submit early proposals demonstrating how they intend to meet Phase Two requirements.
Cohort 2 Application Window (January 5–9, 2026): A second, brief application period opens immediately after the new year, allowing additional eligible cloud services to propose their approaches and be selected for participation.
Final Submission Deadlines (Q1 2026): Once selected, Phase Two participants are given clear deadlines to deliver complete authorization packages: the first cohort has a deadline in late January 2026, and the second cohort must finalize its submission by early March 2026.
End of Phase Two (March 31, 2026): FedRAMP plans to conclude the Phase Two pilot by the end of March 2026, aligning with the second quarter of the federal fiscal year. This end date is not arbitrary—it positions the pilot to feed directly into the program’s broader shift toward full implementation across the federal cloud marketplace.

Once Phase Two closes, FedRAMP will synthesize lessons learned, refine automation models, adjust evidence expectations, and finalize the framework that will apply to Low and Moderate 20x authorizations available to all providers in 2026.

Implications For Cloud Service Providers And Agencies

The shift embodied by FedRAMP 20x carries significant implications for both providers and government consumers of cloud services. For cloud service providers, achieving a 20x success rate requires operational maturity beyond compliance. Providers must be able to generate reliable security metrics and reports and demonstrate that security is embedded into day-to-day operations rather than bolted on for assessment purposes.

At the same time, both sides will need to adapt. Automated evidence does not eliminate the need for human judgment; it changes where that judgment is applied. Risk acceptance decisions, architectural evaluations, and mission-specific considerations will remain critical, even as the mechanics of compliance evolve.

Meeting the Challenges of 2026 with Lazarus Alliance

By reducing friction in the authorization process while strengthening continuous assurance, 20x is reshaping the speed of innovation in federal cloud systems. It signals a recognition that security cannot be frozen in time, and that automation and dynamic compliance are the future.

To learn more about how Lazarus Alliance can help, contact us.

[wpforms id=”137574″]