FedRAMP 20x - Two Months In and Taking Off
May 29 | 2025
We’re sharing an inside look at FedRAMP’s progress again this month, in our second update on the progress of FedRAMP 20x, an initiative to rapidly modernize FedRAMP in continuous collaboration with industry stakeholders and federal agency experts.
The FedRAMP 20x Phase One pilot is taking off, guidance updates are shipping almost weekly for public comment, the authorization “backlog” is now just a pipeline, community engagement is at an all-time high, and all signs are GO for FedRAMP.
20x Phase One pilot launched!
FedRAMP is encouraging innovative demonstrations of security capabilities and industry has stepped up in a big way. We’ll be rigorously testing and evaluating these innovative solutions to refine and standardize the 20x approach for FedRAMP Low as part of the 20x Phase One pilot.
- The pilot soft launched in early May and will be open for formal submissions shortly.
- Eight cloud service providers shared public drafts of their 20x package for community review.
- Over 30 cloud service providers notified FedRAMP of their intent to submit a 20x Phase One package.
Updated FedRAMP guidance
To support the authorization of cloud services during 20x Phase One, FedRAMP integrated hundreds of public comments into formal FedRAMP Standards, reviewed them with the FedRAMP Technical Advisory Group and the FedRAMP Board, and is formally publishing them today.
- Key Security Indicators (KSI): Aligned to NIST SP 800-53B, this standard summarizes the security capabilities necessary for FedRAMP Low authorization of cloud-native SaaS offerings. Effective May 30, 2025, all FedRAMP 20x pilot authorizations and formal pilot submissions must be aligned to this standard.
- Minimum Assessment Scope (MAS): The Minimum Assessment Scope provides guidance for cloud service providers to narrowly define information resource boundaries while still including all necessary components. This standard is effective May 30, 2025 for all FedRAMP 20x pilot authorizations, and June 30, 2025 for limited pilot adoption in Rev 5 authorizations (more information on Rev 5 will follow separately).
Exceeded authorization expectations - again
Public servants and federal agencies need access to a wider range of authorized cloud offerings to support their missions. Here’s how FedRAMP continued to address these needs this month:
- Authorized a total of 21 new cloud services this month, bringing the fiscal year total to 95 authorized products
- Granted two new cloud services FedRAMP Ready designations, for a total of 42 this fiscal year
- Listed eight new In Process cloud services for Rev 5 Agency Authorizations.
- Received eight Rev 5 Agency Authorization packages and four readiness assessment reports (RARs) for final review
- Reduced our review queue down to 11 packages, the lowest it has been this year
- Recognized a new third party assessment organization (3PAO)
Stayed motivated with community engagement and industry outreach
Our relationship with industry is the cornerstone of the work we’re doing with 20x. We’ve maintained strong community engagement:
- Networked with key stakeholders at industry association meetings where we discussed progress and next steps in FedRAMP 20x
- Discussed 20x, cloud security challenges, FedRAMP requirements and cyber incident response with the Government Accountability Office
- Hosted two government-wide Agency Liaisons sessions to keep our partners across government in the loop and hear their concerns
- Responded to 1,466 ticket messages sent to info@fedramp.gov, including 826 access requests and 165 general questions about FedRAMP
- Engaged directly with our audience of over 10,360 followers on our owned social media channels and over 20k subscribers on our email list with faster, regular updates and important announcements (be sure to follow us and sign up for notifications on LinkedIn, X/Twitter and YouTube)
Grew - and consolidated - the FedRAMP Community Working Groups
Working publicly with industry to create solutions that solve existing challenges is the heartbeat of 20x. FedRAMP is increasingly active in our Community Working Groups as they become the locus of our engagement with the community. Q&A threads have become especially critical, bringing a unique opportunity to quickly hear directly from the team in public so everyone benefits.
Applying Existing Frameworks | Automating Assessment | Continuous Reporting | Rev 5 Continuous Monitoring |
---|---|---|---|
Discussions: 28 | Discussions: 36 | Discussions: 22 | Discussions: 23 |
Total Comments: 108 | Total Comments: 164 | Total Comments: 80 | Total Comments: 159 |
Total Replies: 125 | Total Replies: 262 | Total Replies: 72 | Total Replies: 263 |
Users: 74 | Users: 104 | Users: 45 | Users: 110 |
We’ve tested and evaluated these working groups over the past eight weeks, held over a dozen working group recap meetings and read hundreds of comments across all four working groups. FedRAMP and our community are focused on two broad areas of modernization right now, and it’s become clear these working groups will be more effective if they are aligned to sub-community attributes.
Moving forward, we’re consolidating into two larger community working groups focused on specific sub-communities - Rev 5 and 20x.
Visit our consolidated GitHub discussion forum and our simplified community page to learn more and to update your working group registrations. Thank you for your patience as we implement these changes.
Turned your insights into guidance improvements
Public comment isn’t just required by law for us - it’s an incredible opportunity to formally collect feedback that we can use to address pain points. The FedRAMP leadership team reads every single comment, discusses most of them, and refers to them frequently while updating materials or drafting new ones.
The proof is in the RFCs! In response to public comment and feedback, FedRAMP:
- Clarified the new approach to guidance including Standards, Best Practices, Technical Assistance
- Released two Technical Assistance drafts for public comment
- Released two updated Standards for public comment
- Drafted multiple additional Technical Assistance and Best Practices going through review for publishing next month (including one on federal information)
- Closed three Standard drafts then added definitions, significant clarifications, and in some cases significant rework to align with public comment; two of those have been released already with the third pending next month
- Identified 10+ significant areas that need updated guidance prepared in June or July
Turned the wheel on advisory and governance
Keeping pace with changes in the cloud security community, we are collaborating with our partners to find new technical talent to champion transformative change in our program:
- Drafted five new members from GSA, DoD, HHS, CISA, and VA into the Technical Advisory Group (TAG) after significant departures.
- Appointed three new members to GSA’s Federal Secure Cloud Advisory Committee (FSCAC); one from the federal government, one from a 3PAO, and one from the commercial cloud industry.
- Met with the FedRAMP Board for advice, recommendations, and support as FedRAMP continues to move fast.
Our goals for June
Next month is all about maintaining momentum. Internally, our team is stabilizing at just under thirty combined federal and contracting staff. We’re reorganizing into three teams with clear workstreams to reduce some of our churn and move away from the continuous “all hands on deck” moments of the past few months. That means more focused work at a more predictable delivery cadence.
That focused work for June will include:
- Keeping Rev 5 agency authorizations under 30 days from submission to authorization
- Reviewing and authorizing 20x Phase One pilot submissions while testing and evaluating approaches
- Launching Rev 5 pilots for adopting the Significant Change Notification Standard, the Minimum Assessment Scope Standard, and the Continuous Reporting Standard
- Addressing continued feedback and public comment with updated materials at a staggering pace
- Participating heavily in our community working groups so we can all live, laugh, secure together
Closing
The biggest shift FedRAMP announced in March was an intense focus on engagement and collaboration with industry. The momentum we’ve built since then is based on the support and active participation of so many of you. Thank you. Your feedback and participation are crucial to the success of FedRAMP 20x.
Stay involved - comment on our RFCs, join our community working groups, monitor our social media, and share your thoughts.