Phase 2 Pilot Official Participants

A total of 13 cloud services were selected for official participation in the 20x Phase 2 pilot after demonstrating sufficient progress and readiness in a formal pilot proposal made to FedRAMP.

| Provider | Cloud Service | Learn More | Cohort |
|---|---|---|---|
| Confluent | Cloud for Government (CCG) | YouTube | 1 |
| Meridian Knowledge Solutions (MKS) | Meridian LMS | YouTube | 1 |
| Paramify | Paramify Cloud | YouTube | 1 |
| Aeroplicity | Trust Center | YouTube | 2 |
| Anecdotes | Anecdotes Platform | Pending | 2 |
| Assyst | ComplySync ATO | YouTube | 2 |
| Entratus | Entratus ai | YouTube | 2 |
| Filevine | Filevine Platform | Pending | 2 |
| Halo | HaloGRC | YouTube | 2 |
| InfusionPoints | Command Center on XBU40 | Pending | 2 |
| Persona Identities, Inc. (Persona) | Platform | YouTube | 2 |
| Secureframe | Secureframe Trust Center | Pending | 2 |
| Vanta | Trust Management Platform | Pending | 2 |

Phase 2 Pilot Expectations

The Phase 2 pilot is intended to test how cloud service providers can effectively meet automated validation requirements for initial and ongoing FedRAMP authorization, to test how these automated capabilities can be effectively assessed by third parties, and to understand how providers and assessors can work together to deliver innovative evidence of the ongoing security decisions within a cloud service. 

FedRAMP 20x is based around Key Security Indicators (KSIs), which change significantly from Phase 1 to Phase 2: the new Key Security Indicators theme called “Authorization by FedRAMP” (KSI-AFR) contains extensive FedRAMP-specific authorization requirements. The Key Security Indicators in this theme are based on government requirements that commercial providers are unlikely to have adopted for commercial customers.

Most cloud service providers, even those who received a FedRAMP 20x pilot authorization during Phase 1, will not be capable of meeting all of the Phase 2 pilot requirements in the timelines expected for Phase 2, as the level of complexity has increased significantly. For example, Phase 2 will require extensive automation that does not necessarily exist in commercial off-the-shelf tools, and assessors who are willing to think entirely outside the box. Cloud service providers are strongly encouraged to review all Phase 2 KSI requirements and discuss them with engineering as well as compliance teams to determine if these requirements are achievable in the required timelines.

Obtaining a FedRAMP 20x authorization will be much simpler in the future when the standards are more informative and third-party tools are widely available. Most cloud service providers should wait until then to begin their FedRAMP 20x journey.