The Work Continues: Key FedRAMP Updates After the Shutdown
November 18, 2025
FedRAMP may have taken a break from public communications during the recent government shutdown, but the work didn’t stop entirely. As the entire team comes back online and communication opens up again, here is an update on what we’ve been up to and how plans have changed:
All five open RFCs were closed yesterday after considerable involvement from the public.
The FedRAMP 20x Phase 2 pilot requirements and plans have been updated in response to changes in the operating environment; all planned 20x phases have been delayed by approximately 3 months.
FedRAMP Rev5 documentation has been through a massive overhaul with many outdated documents removed and parts of others combined into playbooks.
All Community Working Group meetings were temporarily canceled; we are reassessing the approach and plan to launch updated Community Working Group meetings by the end of the calendar year.
In case you missed it, we presented an incredibly detailed look back at FedRAMP’s entire FY25 right before the shutdown: “FedRAMP Built a Modern Foundation in FY25 to Deliver Massive Improvements in FY26”.
More details on a few of these key updates are available below.
FedRAMP 20x Phase 2 Updates
The authorization requirements, including all standards, have now been finalized for the FedRAMP 20x Phase 2 pilot! This includes considerable changes based on public comment and lessons learned during the Phase 1 pilot. The Phase 2 landing page now contains a considerable amount of detail about the pilot process and requirements for authorization.
Key changes include the following:
Timelines and expectations for each 20x phase have been updated, with specific changes to the timeline for Phase 2 based on the planned pilot adjustments.
There is now a hard cap of 10 general participants in the Phase 2 pilot. Eligible participants will be required to apply to join the pilot by making a pilot proposal to FedRAMP that demonstrates their understanding of the 20x pilot process along with their plan to meet all of the requirements. The Phase 2 page explains why we made this decision and how it will benefit everyone.
A new “Authorization by FedRAMP” (KSI-AFR) theme has been added to the Key Security Indicators to clarify how all FedRAMP 20x requirements and recommendations must be applied. This was added after far too many potential participants in the Phase 2 pilot indicated they had not reviewed other FedRAMP materials.
The Phase 2 pilot will open participation for two cohorts, with one beginning in December and the other in January. Each participant will engage in collaborative workshops with FedRAMP to review all aspects of their approach in detail in advance of preparing and submitting an assessment package.
Human-readable versions of FedRAMP 20x documentation have been moved from the FedRAMP Machine-Readable Docs repository on GitHub to an embedded documentation site at fedramp.gov/docs to improve readability. The underlying JSON files remain available in GitHub.
We finalized Phase 2 requirements and recommendations from all five recent RFCs and added two new sets of materials that simplify existing FedRAMP policies for 20x. There are now 11 standards and policies that apply as well as the FedRAMP Definitions.
Bonus: All requirements now have short supplemental human-readable names for quick reference!
The entire FedRAMP 20x section on the website has been updated based on what we’ve learned to date and what our plans are for Phase 2. We strongly recommend that folks review all of the updated content for the latest perspective.
FedRAMP Rev5 Updates
The FedRAMP ConMon Playbook is a new publication that consolidates nine standalone documents related to ConMon activities. By consolidating these documents and retiring the standalone documents, we were able to eliminate roughly 100 pages of redundant and outdated content.
The Agency Authorization Playbook was updated to remove and correct outdated information.
The CSP Authorization Playbook went through a major revision at the end of September 2025 and has undergone a second update to account for the updates above.
New: FedRAMP Security Inbox Requirements
RFC-0018 is closed and has been formalized into a new set of requirements that vary from the original RFC in many important ways. Overall, this set of requirements is now designed to focus only on ensuring that communications from FedRAMP to cloud service providers are received and handled properly. There’s a special new subset of requirements in this document: explicit requirements for FedRAMP itself!
The new formal FedRAMP Security Inbox Requirements will apply to all cloud service providers, including both 20x and Rev5, beginning January 5, 2026. The first test of these Security Inboxes will be performed in FY26 Q2 (January - March, 2026). Cloud service providers can expect extra communication about this over the next couple of months to prepare.