Phase One of the FedRAMP 20x Pilot is officially wrapped and tied up in a bow. Let’s look at what that means for the program—and where we go from here.
Also called 20xP1, the first stage of the FedRAMP overhaul tested whether automated, machine-readable compliance could work in practice. The answer is a resounding yes: the program came out the other end with 18 cloud service providers having earned FedRAMP 20x Low Authorizations.
There were good signs early on: As the first four authorizations set the tone, Pete Waterman, FedRAMP Director, announced, “The learning is, this has worked out really exactly like we dreamed, almost more than we dreamed. What we have found is that the proof of concept works. You can use automated capabilities to validate some fair majority of real security decisions and controls, and you can do that via first party and via third party tools, which is really awesome.”
First time learning about FedRAMP 20x? Read our primer -> FedRAMP 20x Pilot in Plain English: What’s New, What’s Next, and Why It Matters
Why the FedRAMP 20x Pilot Phase One Matters
Phase One wasn’t just a technical milestone: It was a philosophical one. It showed that, at least for Low-impact systems, automation and continuous validation can stand in for much of the heavy documentation cycle that has defined FedRAMP since its creation.
It also validated the FedRAMP PMO’s own ability to process and trust machine-readable data, a critical step toward scaling 20x beyond low-impact systems.
With these results in hand, the FedRAMP Program Management Office (PMO) can move into the next wave of testing: Moderate-level authorizations, deeper automation, and near real-time reporting across multiple partners and tools.
Onto Phase Two—and Beyond
Unlike the earlier stage, FedRAMP 20x Pilot Phase Two is not open to the public. Participation is limited to 10 companies: those that either completed Phase One or meet specific technical criteria set by the FedRAMP PMO (automation, GRC, and AI).
If Phase One was about proving that automated, machine-readable compliance could work, Phase Two is about scaling that compliance, and testing whether that model holds up for more complex environments.
This next stage will evaluate systems aligned to Moderate-level authorization, which sets a much higher bar for both security and validation.
When Phase Two concludes, it will establish two critical proofs for the entire program:
- That automation can replace periodic assessment even for complex, Moderate-level systems.
- That the government itself can process, trust, and act on that live security data at scale.
Those findings will directly inform how FedRAMP transitions all existing authorizations—starting with Moderate, then High—into the 20x framework over the next few years.
What This Means for Your SaaS Product (And: Do You Need FedRAMP 20x?)
For companies building or maintaining federal-ready environments, the takeaway is straightforward: The shift to continuous validation is permanent.
Although Phase Two still carries the pilot label, this is no longer a proof of concept: the foundation of how FedRAMP will operate going forward is being built in real time, and Phase One already showed it holds.
Should you prepare now? Yes. Building automation, telemetry, and traceability into your security controls today will make the transition much easier once 20x becomes the standard model for authorization.
At time of publication, the current trajectory for all existing FedRAMP Rev 5 authorizations to move into the 20x framework is 24-36 months.
Learn more -> FedRAMP 20x vs. Legacy Rev 5: A Technical Dive
If your product already holds an authorization, you won’t need to start over. However, you will need to update your environment and processes to meet 20x’s real-time reporting expectations.
If you’re pursuing your first authorization, it’s worth aligning your architecture and documentation practices to 20x principles from the start.
If you’re not sure which framework best fits your system (or if you want to know how close you already are), 38North Security can help. Our advisors have deep experience with both Legacy / FedRAMP Rev 5 and the emerging 20x model. Get in touch with a cybersecurity advisor today.