FedRAMP 20x Phase 2 Pilot
The FedRAMP 20x Phase 2 pilot continues the small-scale real-world testing of a new approach to assessment and authorization that began in Phase 1. This pilot continues to test viability, identify potential issues, gather user feedback, and make data-driven decisions to manage risks and improve efficiency before committing to a formal process government-wide. There will be considerable changes at the end of the Phase 2 pilot before any 20x process is formalized for wide-scale government adoption. All 20x requirements and recommendations are subject to change at any time, especially during the pilot phases.
Participation in the Phase 2 pilot is limited and is not open to the public. FedRAMP is targeting approximately 10 Moderate pilot authorizations during Phase 2. Interested providers should review FedRAMP’s Phase 2 Pilot Eligibility and Participation Criteria.
Dates and milestones
FedRAMP’s Disclaimer of Liability is particularly relevant to the content on this page, especially regarding plans, dates, timelines, etc. You can always find the latest plans and timelines, updated based on real-world impact assessments every 2 weeks, on FedRAMP’s Public Roadmap.
As of November 14, 2025, FedRAMP is planning the following milestones for the Phase 2 pilot:
| Date | Milestone |
|---|---|
| Nov 18, 2025 | Phase 2 pilot authorization requirement and other criteria are finalized and published |
| Dec 1, 2025 - Dec 5, 2025 | Cohort 1 application period, up to 3 cloud services selected |
| Jan 5, 2026 - Jan 9, 2026 | Cohort 2 application period, up to 7 cloud services selected |
| Jan 27, 2026 | Final submission deadline for Cohort 1 |
| Mar 10, 2026 | Final submission deadline for Cohort 2 |
| March 31, 2026 | End of 20x Phase 2 |
AI Prioritized services will follow a separate timeline customized for each service provider.
Why isn’t the Phase 2 pilot open to the public?
The FedRAMP 20x pilots are intended to be small real-world tests of feasibility. These are tests of an entirely new idea, with relatively minimal guidance, and a significant likelihood that pilot participants would not receive authorization because of how few specific requirements were available. We anticipated that perhaps 5 cloud service providers would participate in the Phase 1 pilot due to these risks, so we opened this pilot up to the public to maximize participation.
Nearly 40 companies actively participated in the Phase 1 pilot and 26 of them were able to submit pilot packages within the submission window. Cloud service providers were given nearly infinite latitude in the Phase 1 pilot to implement the core idea of FedRAMP 20x and the result was a massive variety of approaches that nearly overwhelmed the FedRAMP review team. The pilot was successful in demonstrating both the demand for FedRAMP 20x and the capability of providers to meet FedRAMP requirements via Key Security Indicators, but FedRAMP learned another important lesson: future pilots must be limited to prevent an overwhelming frenzy of participation.
The primary purpose of the Phase 2 pilot is to test the effectiveness, impact, and burden of additional FedRAMP 20x requirements for ongoing authorizations and Moderate impact authorizations. A secondary purpose is to refine requirements and recommendations for how cloud service providers maintain ongoing authorization data that continuously demonstrates their security posture. Phase 3 will focus on documenting these learnings and creating more explicit guardrails for formal FedRAMP 20x packages once the pilots are complete.
FedRAMP is always looking forward - to ensure FedRAMP 20x will be successful as a government-wide program once the pilots are complete, we must limit participation and increase our interaction and support of pilot participants to maximize the value of our pilot. We understand there is strong demand for a modern FedRAMP authorization process that is handled directly by FedRAMP via program authorizations and are dedicated to delivering a scalable version of this government-wide during FY26.
The public can still participate!
The Phase 2 pilot isn’t open to the public but we’ll continue to transparently and publicly develop improvements in a way that ensures all stakeholders have equal access to information about FedRAMP. There are a bunch of ways to track all the latest news and participate in discussions and otherwise contribute as improvements to FedRAMP are developed:
Participate in the FedRAMP Community, with 20x Community Working Group discussions on GitHub and monthly webinars reviewing everything happening with 20x. You can catch up on any FedRAMP Community meeting that you miss on FedRAMP’s YouTube channel within a day or 2 of most meetings.
Subscribe to receive our community announcements about FedRAMP 20x and other FedRAMP updates
Follow and engage with us on social media LinkedIn | YouTube | X
Stay connected and up-to-date by reading our Focus on FedRAMP blog posts
Review pilot FedRAMP 20x requirements and recommendations, especially the Key Security Indicators, and begin integrating them into your own cloud service. These requirements will change at the end of the Phase 2 pilot based on real-world feedback but the general trajectory will likely remain the same!
