FedRAMP Authorization Paths: Agency vs JAB vs 20x

Pretorin Team

Choosing the right FedRAMP authorization path can save your organization months of effort and hundreds of thousands of dollars. With the arrival of FedRAMP 20x, CSPs now have three distinct paths to federal authorization — each with different requirements, timelines, and trade-offs.

Understanding Impact Levels

Before choosing a path, you need to determine the FIPS 199 impact level for the data your system will process. This is the foundation that determines which controls apply and how rigorous the assessment will be.

  • Low Impact: Loss of confidentiality, integrity, or availability would have a limited adverse effect on organizational operations, assets, or individuals. Think publicly available information or routine administrative data.
  • Moderate Impact: Loss would have a serious adverse effect. This covers the vast majority of federal workloads — email, collaboration tools, case management, and most SaaS applications. Roughly 80% of FedRAMP authorizations are at Moderate.
  • High Impact: Loss would have a severe or catastrophic adverse effect. Reserved for law enforcement, healthcare, financial, and other high-sensitivity systems. Examples include systems handling PII at scale, classified-adjacent data, or critical infrastructure controls.

Path 1: Agency Authorization (Rev5)

Agency Authorization has historically been the most common path. A CSP partners with a specific federal agency that agrees to sponsor the authorization and serve as the initial authorizing official.

How It Works

  1. Find a sponsor: Identify an agency that wants to use your cloud service and is willing to act as the authorizing body
  2. Readiness Assessment: Optionally engage a 3PAO for a readiness assessment to identify gaps before the full assessment
  3. Full Security Assessment: A FedRAMP-accredited Third-Party Assessment Organization (3PAO) conducts a comprehensive evaluation of your security controls
  4. Authorization package: Submit SSP, SAR, POA&M, and supporting documentation to the agency
  5. Agency review and ATO: The agency reviews and issues an Authority to Operate (ATO)
  6. FedRAMP PMO review: The FedRAMP Program Management Office reviews the package for consistency
  7. Marketplace listing: Once approved, your service is listed on the FedRAMP Marketplace for reuse by other agencies

Pros and Cons

  • Pro: Direct relationship with a customer agency that has a vested interest in your success
  • Pro: The agency may provide guidance and feedback throughout the process
  • Pro: Historically faster than the JAB path for many CSPs
  • Con: Requires finding a willing agency sponsor, which can be challenging for new-to-government companies
  • Con: Timelines typically run 6 to 12 months from initial assessment to ATO
  • Con: Agency priorities can shift, potentially stalling the process

Path 2: JAB Authorization (Rev5)

The Joint Authorization Board path was historically the "gold standard" — a Provisional Authority to Operate (P-ATO) from the JAB carried weight across the entire government. With the FedRAMP Authorization Act, the JAB has been replaced by the FedRAMP Board, though the process is similar in structure.

How It Works

  1. FedRAMP Connect: Apply through the prioritization process to be selected for a JAB/Board review
  2. Readiness Assessment: Complete a mandatory readiness assessment with a 3PAO
  3. Full Assessment: The 3PAO conducts a comprehensive security assessment
  4. Board Review: The FedRAMP Board reviews the complete authorization package
  5. P-ATO Issuance: If approved, the Board issues a Provisional ATO

Pros and Cons

  • Pro: Highest level of government-wide acceptance
  • Pro: No individual agency sponsor needed (the Board sponsors)
  • Con: Highly competitive selection process through FedRAMP Connect
  • Con: Longest timelines, often 12 to 18 months or more
  • Con: Limited capacity — only a small number of CSPs are reviewed per cycle

Path 3: FedRAMP 20x

FedRAMP 20x represents a fundamental reimagining of the authorization process. Instead of the traditional document-heavy, point-in-time assessment model, 20x uses Key Security Indicators (KSIs) and continuous automated validation.

How It Works

  1. Self-assess against KSIs: Evaluate your system against the applicable Key Security Indicators (56 for Low, 61 for Moderate)
  2. Submit via Trust Center: Provide authorization data through a FedRAMP-compatible trust center with programmatic access
  3. Automated review: Machine-readable packages enable faster, more consistent review
  4. Authorization decision: Target timeline of approximately 3 months from submission
  5. Continuous validation: Ongoing automated monitoring replaces annual assessments

Pros and Cons

  • Pro: No agency sponsorship required — CSPs can pursue authorization independently
  • Pro: Dramatically faster target timelines (~3 months vs 12–18 months)
  • Pro: Focused KSIs instead of hundreds of individual controls
  • Pro: Automation-friendly from the ground up
  • Con: Still maturing — Low is generally available, Moderate is in pilot (as of early 2026)
  • Con: High baseline not yet available (pilot expected H1 2027)
  • Con: Requires technical investment in automation, OSCAL, and trust center integration
  • Con: Standards are evolving — some KSI standards are still in development

20x Availability by Impact Level

Low: Open for general submissions (Phase 1 complete). Moderate: Pilot phase through March 2026, with 13 participants (Phase 2). High: Pilot expected first half of 2027 (Phase 4). If you need Moderate or High today, Rev5 paths remain available.

Comparing the Three Paths

Factor           | Agency (Rev5)               | JAB/Board (Rev5)            | FedRAMP 20x
-----------------|-----------------------------|-----------------------------|---------------------------
Sponsor Required | Yes (agency)                | No (Board sponsors)         | No
Typical Timeline | 6–12 months                 | 12–18 months                | ~3 months
Framework        | NIST 800-53 Rev5            | NIST 800-53 Rev5            | Key Security Indicators
Assessment Model | 3PAO + annual review        | 3PAO + annual review        | Continuous automated
Impact Levels    | Low, Moderate, High         | Low, Moderate, High         | Low (GA), Moderate (pilot)
Documentation    | Extensive (SSP, SAR, POA&M) | Extensive (SSP, SAR, POA&M) | Machine-readable (OSCAL)

How to Choose

The right path depends on your specific situation:

  • Choose Agency Authorization if you already have a federal agency customer ready to sponsor you, particularly for Moderate or High impact levels where 20x isn't yet available
  • Choose JAB/Board Authorization if you want the broadest possible government acceptance and can afford the longer timeline — increasingly rare as 20x matures
  • Choose FedRAMP 20x if you're pursuing a Low impact authorization today, or if you can wait for the Moderate baseline to open up. This path is especially attractive for cloud-native companies with strong automation capabilities

Planning Ahead

Even if you need Rev5 today for Moderate or High, start building toward 20x. Invest in OSCAL, automation, and continuous monitoring now — these capabilities will be required when you eventually transition, and they'll strengthen your Rev5 posture in the meantime.

The Role of 3PAOs

Third-Party Assessment Organizations remain important across all paths, though their role is evolving. In the Rev5 world, 3PAOs conduct the comprehensive security assessment and produce the Security Assessment Report. Under 20x, the assessment model is shifting toward continuous validation, but 3PAOs will likely play a role in the emerging Minimum Assessment Standard.

When selecting a 3PAO, look for experience with your specific impact level and technology stack. The FedRAMP Marketplace maintains a current list of accredited assessors.

Key Takeaways

  • Impact level (Low, Moderate, High) is the first decision — it determines which paths are available
  • Agency Authorization remains the most common Rev5 path, requiring an agency sponsor
  • The JAB/Board path offers broad acceptance but has the longest timelines
  • FedRAMP 20x removes the sponsorship requirement and dramatically reduces timelines
  • 20x is currently available for Low (GA) and Moderate (pilot), with High expected in 2027
  • Investing in automation and OSCAL now benefits you regardless of which path you choose

Next in the series: Understanding FedRAMP Rev5 Controls and Documentation — a closer look at NIST 800-53 Rev5 controls, the SSP, and the documentation requirements that define the traditional FedRAMP process.
