FedRAMP 20x: How Automation Is Revolutionizing Cloud Compliance

If you provide cloud services to U.S. federal agencies, or plan to, a major shift is underway that could dramatically affect your path to authorization. FedRAMP 20x is transforming how cloud security compliance works for government use, and the changes are already delivering results.

What’s Changing?

The Federal Risk and Authorization Management Program (FedRAMP) is moving away from paperwork-heavy, year-long authorization processes toward automated, real-time security validation. Think of it as shifting from annual audits to continuous monitoring of cybersecurity compliance.

The Phased Approach

FedRAMP 20x is being delivered incrementally in phases, starting with pilot efforts and expanding based on real-world testing and feedback. That means you’ll see changes over time to what evidence is required, how it’s assessed, and how authorizations are reviewed. For cloud providers, this matters because it affects how you should plan readiness work, tooling, and timelines.

  • Phase One (FedRAMP Low pilot) — completed: FedRAMP tested the new 20x approach in public with Low-impact services. FedRAMP reports 12 pilot Low authorizations completed from 26 pilot submissions (with additional pilot authorizations expected to follow), helping prove out the model and clear legacy backlog.
  • Phase Two (FedRAMP Moderate pilot) — underway: FedRAMP is continuing small-scale, real-world testing for Moderate-impact services. Participation is limited (not open to the public) and FedRAMP is targeting approximately 10 Moderate pilot authorizations. Requirements and recommendations can change during the pilot, and FedRAMP expects to make adjustments before any 20x process is formalized for wide-scale adoption.
  • Next (post‑pilot formalization and broader availability): After pilot learnings are incorporated, FedRAMP plans to refine and formalize the 20x approach for wider use. For providers, this means building toward repeatable, automation-friendly evidence now so you can adopt the formal 20x path as it becomes available.

The traditional FedRAMP process could take 12 to 18 months or more, creating a barrier that only enterprise companies with massive budgets could overcome. Under FedRAMP 20x, that timeline is dropping to weeks—and as the phased approach advances, more of the work shifts from one-time documentation to ongoing, automated proof. In fact, the average agency authorization review time is now approximately five weeks.

Why It Matters

For companies that have been locked out of federal opportunities due to prohibitive compliance costs, FedRAMP 20x opens the door. Instead of producing extensive FedRAMP-specific documentation from scratch, you can increasingly submit existing security policies and evidence aligned to widely adopted commercial frameworks, reducing redundancy and easing the burden on smaller and mid-sized cloud providers.

The program is also prioritizing AI-based cloud services, recognizing that the government needs access to the same cutting-edge technology the private sector uses. This creates opportunities for innovative companies that previously couldn’t afford the compliance investment.

The Bottom Line

In less than six months, FedRAMP completed 114 authorizations in fiscal year 2025—more than double the number completed in fiscal year 2024. That’s proof the new model works.

For cloud providers, now is the time to reassess your FedRAMP game plan. FedRAMP 20x isn’t just making authorization faster; it’s making federal adoption more attainable for a broader tier of providers.

Contributors

Gina Gondron, Partner, Frazier & Deeter Advisory, LLC
Partner, Frazier & Deeter, LLC

Austin Miller, Partner, Frazier & Deeter Advisory, LLC
