FedRAMP 20x - Four Months In and Authorizing

July 30 | 2025

Last year at this time, FedRAMP had authorized less than 350 cloud services in ten years, built a backlog of 75+ agency authorized services waiting for FedRAMP review, and averaged under 50 authorizations per year for the last five years. The Office of Management and Budget (OMB) Memorandum M-24-15 Modernizing the Federal Risk and Authorization Management Program (FedRAMP) was released a year ago to replace the old FedRAMP with something new— including a new vision, new scope, and new governance. M-24-15 envisioned FedRAMP as a technology-forward program optimized for efficiency and consistency that would scale to many thousands of authorized commercial cloud services.

Six months ago, the new administration directed FedRAMP to prioritize and accelerate this transformation… and to show significant, demonstrable progress within six months. Building a technical foundation that could scale to thousands of authorized commercial cloud services required an entirely new approach and FedRAMP has delivered:

We authorized 100+ cloud services in the past six months. The average agency authorization review queue remains under 15 cloud services with a typical review time of under five weeks.
Responding to a specific requirement in M-24-15, we released an updated Significant Change Notification process beta for Rev5 that will remove one of the largest barriers for government access to technology and began a closed beta test to carefully evaluate the impact of this requirement.
We built, announced, and began a pilot for a new type of automated authorization that could scale FedRAMP to thousands of services called FedRAMP 20x. In less than four months from launch, the first cloud services have now received a FedRAMP 20x Low Pilot Authorization.

A year later, it’s worth looking back at M-24-15 and remembering the strategic goals and responsibilities behind everything we’re building:

Lead an information security program grounded in technical expertise and risk management.
Rapidly increase the size of the FedRAMP Marketplace by evolving and offering additional FedRAMP authorization paths.
Streamline processes through automation.
Leverage shared infrastructure between the Federal Government and private sector.

20x Phase One Pilot Updates

Join us in congratulating the first cohort of cloud providers that received FedRAMP 20x Low pilot authorizations this month: Flock Safety, Infusion Points, Meridian Knowledge Solutions, and Vanta!
The innovation we’re seeing from 20x is absolutely incredible—whether it’s the brilliant ideation sparked in forum discussions or the dozen or so formal submission packages we’ve already received. 20xP1 is full steam ahead but coming to an end. The public submission period for Phase One wraps up on August 19, 2025, at 11:59 PM ET so we can focus on completing review of all submitted 20xP1 packages.
We’re making the monthly 20x community working group sessions more interactive by hosting live demos (not memos!) that feature industry partners walking attendees through their pilot experience—from drafting submissions to achieving 20x Low authorization designations. Check out last week’s demo and register for future 20x demonstrations!
Last month, we shared details on the four 20x final package submissions that were in our review queue. The good news is the reality of a streamlined submission process and quicker authorization pipeline have clearly been a win-win for both industry and government. Stay informed and keep track of 20x phase one pilot submissions in our Community; here are individual links to the latest round of public submissions:
- VILLA-TECH Inc
- NextLabs
- Mark43
- Anitian
- Paramify

Any reference on our website to any specific commercial product or the use of any corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by GSA.

Setting a New Standard: RFC-0012

Earlier this month, we released RFC-0012: Continuous Vulnerability Management Standard that explains how cloud services should handle security risks with the goal of providing future guidance on having a clear, consistent approach to identifying and addressing vulnerabilities.
We hosted a special event on continuous vulnerability management where a lineup of leading commercial cloud providers shared how they manage cybersecurity threats and other best practices. The recording of this event is available on our YouTube channel here!
On Wednesday, August 6, we’re taking over the monthly Rev 5 community working group and partnering with the FedRAMP Technical Advisory Group (TAG) for another discussion on RFC-0012 and the Significant Change Notification outcomes. Be sure to register to attend this session and place your questions in advance here.

Hitting Milestones for Authorizations

We started the quarter off STRONG!

This month we hit 69 Rev 5 package submissions this FY. Until now, the highest number received in an entire fiscal year was back in FY23 with 67 submissions.
Authorizations are still trending high. We’ve also received 45 readiness assessment reports (RAR) so far this FY. Our highest number in an entire FY was 31 (also in FY23).
Authorized a total of ten new cloud services this month, bringing the fiscal year total to 118 authorized products.
Granted nine new cloud services FedRAMP Ready designations, for a total of 53 this fiscal year.
Listed 13 new In Process cloud services for Rev 5 Agency Authorizations.
Received six Rev 5 Agency Authorization packages and seven readiness assessment reports (RARs) for final review.

Closing

The energy and progress we’ve seen with FedRAMP 20x are undeniable. This journey is a collaborative one and your continued engagement is vital as we build the FedRAMP of tomorrow, today.

So keep sharing your insights, participating in discussions, and leveraging these new pathways in future pilot phases—together, we are transforming cloud security for the entire government.

Cheers!

Back to Blogs