FedRAMP 20x is rolling out in carefully sequenced phases, starting with Low impact systems and progressively expanding to Moderate and High. Understanding the timeline helps CSPs plan their authorization strategy and decide when to pursue 20x versus maintaining a Rev5 path.
The Four-Phase Rollout
FedRAMP 20x is being implemented through a phased approach that allows GSA to refine standards based on real-world results before expanding to higher impact levels. Each phase involves a pilot period followed by general availability.
Phase 1: Low Baseline (Complete)
Phase 1 launched in 2025 with the Low impact baseline, targeting the simplest category of cloud services. This phase served as the proving ground for the entire 20x concept.
Pilot Results
- 26 submissions received during the pilot period
- 12 successful 20x Low authorizations completed
- Three AI-prioritized CSPs completed their 20x Low authorizations in January 2026
- Authorization timelines were dramatically shorter than the traditional Rev5 process
Current Status
20x Low is now open for general submissions — any CSP pursuing a Low impact authorization can apply through the 20x path. The 56 Low KSIs are stable and published on the FedRAMP documentation site.
Phase 1 Takeaway
The 46% success rate (12 of 26 submissions) in the pilot underscores that while 20x is faster, it is not easier. CSPs still need strong security fundamentals and the technical capability to demonstrate compliance through automated means.
Phase 2: Moderate Baseline (Active)
Phase 2 is the most consequential phase of the 20x rollout. Moderate impact covers roughly 80% of federal cloud workloads, so getting this right is critical to the program's success.
Timeline and Participants
- November 2025: Phase 2 formally began
- January 13, 2026: 13 pilot participants announced
- March 31, 2026: Pilot period concludes
- Target: Approximately 10 Moderate pilot authorizations
New Standards in Phase 2
Phase 2 introduces several new standards and requirements beyond what Phase 1 tested:
- Authorization Data Sharing via Trust Centers: CSPs must make authorization data available through a FedRAMP-compatible trust center with programmatic access. An open beta for data sharing launched February 2, 2026 and runs through May 22, 2026
- Persistent Validation and Assessment: Continuous security monitoring that goes beyond periodic checks
- Recommended Secure Configurations (RFC-0015): Standard configuration baselines for common platforms
- Vulnerability Detection and Response: A major overhaul of how vulnerabilities are identified, tracked, and remediated
- Minimum Assessment Standard: Defining the baseline for what constitutes a sufficient assessment under 20x
Phase 2 Challenges
Development of KPI standards for Moderate has been delayed until at least April 2026, partly due to federal funding constraints and staffing challenges. CSPs in the pilot should monitor FedRAMP announcements closely and be prepared for evolving requirements.
Phase 3: Wide-Scale Rollout (Planned)
Phase 3 is expected in Q3–Q4 2026 and will make FedRAMP 20x the primary authorization path for new Low and Moderate submissions. This is when 20x transitions from pilot to mainstream.
- Low and Moderate baselines will be generally available under 20x
- The FedRAMP PMO will shift resources toward processing 20x submissions
- Rev5 submissions will still be accepted but may receive lower priority
- Trust center integration and automated validation will be expected, not optional
Phase 4: High Baseline (Future)
The High baseline pilot is slated for the first half of 2027. High impact systems handle the most sensitive unclassified federal data and require the most rigorous security assurance.
After the High baseline pilot completes, FedRAMP Rev5 authorizations are expected to be phased out in the second half of 2027. This means all CSPs — whether they have existing Rev5 ATOs or are pursuing new authorizations — will need to transition to the 20x framework.
The Rev5 Transition
If you hold an existing FedRAMP Rev5 authorization, planning for transition is essential:
- Rev5 remains valid through 2027 — there's no need to panic
- Start building 20x capabilities now: OSCAL adoption, automated evidence collection, trust center integration
- Map your Rev5 controls to KSIs: Understand the gaps between your current documentation and KSI requirements
- Engage with RFCs: FedRAMP is actively seeking industry input — shape the standards before they're finalized
Rev5 Is Getting Easier Too
Even as 20x rolls out, the Rev5 process has been improving. Recent data shows that agency authorization review times have been reduced to approximately 5 weeks, and qualified submissions are moving from submission to authorization in 30 days or less. RFC-0023 also proposes eliminating the sponsorship requirement for Rev5 certifications.
Trust Centers: A New Requirement
Trust Centers are a new concept in FedRAMP 20x that require CSPs to maintain a persistent, accessible repository of authorization data:
- Authorization data must be available for at least 3 years
- Programmatic (API) access is required — static document repositories won't suffice
- FedRAMP 20x CSPs must use a FedRAMP-compatible trust center
- Rev5 CSPs may use trust centers or the existing USDA Connect Community Portal
- The authorization data sharing open beta (through May 2026) is the testing ground for trust center requirements
Recent RFCs Shaping the Future
On January 13, 2026, FedRAMP released six new Requests for Comment (RFCs) that will shape the program's future:
- RFC-0019: Reporting Assessment Costs — bringing transparency to what organizations pay for assessments
- RFC-0020: FedRAMP Authorization Designations — refining how authorizations are categorized
- RFC-0021: Expanding the FedRAMP Marketplace — making it easier for agencies to discover and adopt authorized services
- RFC-0022: Leveraging External Frameworks — recognizing security work done under other frameworks (SOC 2, ISO 27001, etc.)
- RFC-0023: Rev5 Program Certifications without a Sponsor — removing the sponsorship requirement for Rev5
- RFC-0024: Rev5 Machine-Readable Packages — bringing OSCAL to the traditional process
Comment periods run from February 12 to March 11, 2026. These are particularly important for organizations planning their authorization strategy, as they signal where the program is headed.
Timeline Summary
| Date | Milestone |
|---|---|
| Dec 2022 | FedRAMP Authorization Act signed into law |
| Jul 2024 | OMB M-24-15 published |
| 2025 | Phase 1 (Low) pilot completed — 12 authorizations |
| Nov 2025 | Phase 2 (Moderate) pilot begins |
| Jan 2026 | Phase 2 participants announced, six RFCs released, Security Inbox requirements effective |
| Feb 2026 | Authorization Data Sharing open beta begins |
| Mar 2026 | Phase 2 pilot concludes |
| Jul 2026 | Federal agencies must use OSCAL format |
| Q3–Q4 2026 | Phase 3: Wide-scale rollout (Low + Moderate generally available) |
| H1 2027 | Phase 4: High baseline pilot |
| H2 2027 | Rev5 end-of-life — full transition to 20x |
Key Takeaways
- Phase 1 (Low) is complete and open for general submissions
- Phase 2 (Moderate) is in active pilot through March 2026 with 13 participants
- Wide-scale rollout of Low and Moderate is expected Q3–Q4 2026
- High baseline pilot is planned for H1 2027, with Rev5 end-of-life in H2 2027
- Trust Centers and data sharing are new requirements that CSPs must prepare for
- Six new RFCs (comment period through March 11, 2026) will shape the program's direction
Next in the series: OSCAL and Automation in FedRAMP — how machine-readable security documentation and automation are transforming FedRAMP compliance.