FedRAMP 20x has created a strange decision moment for cloud providers.
On one hand, the federal market is becoming more accessible. FedRAMP 20x introduces new paths that may reduce sponsor dependency, support more commercial-aligned architectures, and shift authorization away from point-in-time assessment toward continuous validation.
On the other hand, the rules are still evolving. Rev. 5 still exists. Sponsorless paths are emerging. Class A may provide a bridge for some organizations. And cloud providers are trying to make expensive decisions before every detail feels settled.
So should you wait to get FedRAMP? Maybe, but waiting only makes sense if you know what you’re doing while you wait.
Watch the full discussion below:
Prefer reading? See the full breakdown below.
Why Cloud Providers Are Hesitating to Commit to FedRAMP
A lot of cloud providers are trying to decide whether they should pursue Rev. 5 now, wait for FedRAMP 20x, or consider some kind of bridge path.
That decision depends heavily on where the organization is today. If a provider already has an agency sponsor and is actively moving through Rev. 5, finishing that path may still make sense. If a provider is already deep into Rev. 5 but missing a sponsor, sponsorless Rev. 5 may be worth evaluating. But if a provider is just starting now and does not already have an agency sponsor, traditional Rev. 5 may not be the most realistic starting point.
Because of all these options and the general sense that FedRAMP is still “up in the air,” it’s understandable that there’s a lot of hesitation. Waiting, in fact, can feel like the mature and responsible thing to do, especially when guidance is still evolving and the wrong investment could easily become expensive.
However, there is a difference between waiting strategically and simply standing still.
Waiting for the rules to settle is one thing. Waiting with no plan, no scoping work, no understanding of technical lift, and no clear connection to revenue is something else entirely.
Learn more: Watch the FedRAMP 20x Primer for Executives
The Questions Teams Are Really Trying to Answer About FedRAMP
When cloud providers talk to us about FedRAMP pathing, the questions are rarely only about compliance mechanics. They are usually trying to answer a mix of business and technical questions at the same time.
These questions include: How much internal lift will this take? How much of the work belongs to GRC, and how much belongs to engineering? What is actually in scope? Will this slow down the product roadmap? When can the company start talking to federal customers? And most importantly, will this help unlock revenue, or is the organization about to over-invest?
Is FedRAMP 20 right for your business? Download this guide to find out.
Those are reasonable questions. FedRAMP is a major investment, and no team should jump into full execution without understanding what the effort will require. The problem is that when all of those questions remain unresolved, the decision often turns into a waiting game.
That is especially true right now. As of mid-May 2026, FedRAMP has released a public preview of the Consolidated Rules, but the final rules have not yet been issued. That adds another layer of uncertainty for teams that are already trying to decide how to proceed.
What Teams Can Do Before Committing to FedRAMP
Obviously, no cloud provider should jump straight into a full authorization effort immediately. But almost every cloud provider considering the federal market should be working toward a clearer decision.
That starts with understanding which path is realistic based on sponsor status and market strategy. It means identifying which parts of the system are likely in scope, where current processes are still too manual, where engineering will need to be involved, and what the cost, timing, and revenue tradeoffs actually look like.
Learn more: FedRAMP 20x: Preparing for Continuous Validation
This is the work that makes a FedRAMP decision more concrete. It helps teams understand whether Rev. 5, FedRAMP 20x, sponsorless Rev. 5, Class A, or a bridge strategy makes sense. It also helps leadership understand what they can credibly tell buyers before, during, and after authorization.
That matters because federal go-to-market work does not begin only after certification is complete. Customer conversations, internal messaging, seller education, and product planning often need to start earlier. The key is making sure those conversations are accurate, credible, and aligned with the organization’s actual progress.
Learn more: Explore our FedRAMP 20x Information Hub
Waiting is Not Neutral
The point is not to start FedRAMP before the organization is ready, it’s to avoid confusing “waiting” with “doing nothing.”
If federal revenue is part of the business strategy, this period should be used to determine whether the path is viable, what it will require, and how the work connects to revenue. That way, when the path becomes clearer, the organization is not starting cold.
Watching the rules change is not the same thing as preparing the business. And in a market where timing, sponsorship, scope, and engineering readiness all matter, waiting without a plan can quickly become its own risk.
Bottom Line
So, should you wait to get FedRAMP? Maybe. But wait with a plan.
FedRAMP 20x is still evolving, and the right path will not be the same for every cloud provider. What matters now is understanding what options are available, what each path requires, and how those decisions support the larger business case for federal market entry.
If federal revenue is part of your growth strategy, now is the time to understand what FedRAMP path actually makes sense. 38North can help you evaluate your options before the decision gets expensive.
Book a FedRAMP strategy call. Or, find out whether FedRAMP 20x is right for your business.
About the Author
