In early 2025, the Federal Risk and Authorization Management Program (FedRAMP) kicked off a new initiative called FedRAMP 20X. Let’s unpack what it is and what it means for your business.
What is FedRAMP 20X?
In short, 20X is a program to modernize how cloud security is verified for government systems. FedRAMP remains one of the most stringent security frameworks in the world, but it was designed for an era when threats evolved more slowly. With artificial intelligence (AI), automation, and quantum computing accelerating the pace of change, risks now shift in hours rather than years. 20X aims to keep FedRAMP the global gold standard by bringing compliance into real time.
“In Real Time?” What Does That Mean?
Today, FedRAMP verifies that your systems remain compliant through an annual assessment, monthly continuous-monitoring deliverables, and extensive documentation. With 20X, that cadence gives way to live monitoring and automated, machine-readable reporting. It is a continuous feedback loop that surfaces issues as they occur. Instead of waiting for the next assessment or deliverable cycle, companies can see and fix vulnerabilities right away, hardening their systems in the process.
The Vision Behind 20X
To understand why this shift matters, it helps to know what FedRAMP 20X is trying to achieve. It has five stated goals:
1. Make compliance easier to automate.
Most security requirements will be automatically checked by software instead of explained in long documents. Technical controls will align with common configurations, and vendors will compete to offer automation tools that fit different business needs.
2. Build on what companies already have.
If your organization already follows strong commercial security frameworks, you shouldn’t have to start from scratch. FedRAMP plans to accept existing policies and use community templates to cover what’s missing, with less paperwork and more code-based documentation.
3. Monitor security continuously, not once a year.
Instead of big annual audits, systems will be checked automatically and continuously. Tools will send standardized, machine-readable updates to FedRAMP so problems can be caught and fixed quickly, not months later.
4. Strengthen trust between government and industry.
Providers and agencies will communicate directly to review and maintain security. Industry groups can set shared procedures that meet FedRAMP’s minimum standards, while companies retain control over their own data and IP.
5. Support innovation without slowing it down.
Automated checks will replace manual reviews, so updates and improvements won’t get stuck waiting for oversight. Big changes will follow clear, consistent rules that make the process faster and fairer for everyone.
Put simply, FedRAMP wants to make compliance less about red tape and more about keeping systems secure in real time.
Why Is It Called a Pilot?
“Pilot,” in this context, simply means a test phase. Rather than rolling 20X out immediately as the new FedRAMP standard, FedRAMP is evaluating it with a small number of cloud service providers. This lets FedRAMP test new automation tools, gather feedback, and refine the process before scaling it across the entire marketplace. Remember: there are more than 400 offerings listed across three impact levels (Low, Moderate, and High), so it gets complicated very quickly.
This limited rollout is divided into staggered phases. From there, the goal is to move every authorized offering over to 20X in the near future.
Explain These Phases to Me.
As of this article's publication date, 08 October 2025:
Phase One focused on low-impact systems and was open to the public. Any provider could apply to participate and help FedRAMP test automation and reporting. That phase is now closed, but it offered valuable feedback on how continuous reporting can work in practice.
Phase Two tests the 20X model against systems that need stronger controls; it is a bridge toward Moderate-level authorizations.
Phase Two's submission window opens in late October (although ongoing federal delays may push the date further out). Unlike Phase One, it is open only to a handful of providers: you must either already be part of the process or offer specific capabilities that FedRAMP wants to test. These capabilities include AI, automated governance features, and trust center integration, which mirror the direction federal IT demand is headed.
Will there be further phases? Yes, but FedRAMP hasn’t made a lot of information about them public yet. Stay tuned.
Will 20X Become The New Standard? What Will Happen to My ATO?
Based on early results of the pilot, it seems likely that 20X will replace the existing FedRAMP frameworks within the next 24 to 36 months. If your organization holds a FedRAMP Authority to Operate (ATO) today, it will remain valid until the pilot finishes and the new frameworks are both standardized and required.
If you don’t yet have a FedRAMP ATO, there’s no better time to get ready. 38North Security can evaluate your current environment against both the existing FedRAMP and emerging 20X standards, helping position you for success. Talk to our team today.