BLOG
January 28, 2026
decorative
Travis Good

FedRAMP 20x Phase Two: What You Need to Know

Discover what FedRAMP 20x Phase Two means for Cloud Service Providers.

For years, FedRAMP has been the process for how federal agencies evaluate cloud service providers. But the costs and timelines required to meet FedRAMP standards have been prohibitive. With FedRAMP 20x, the government is looking to speed up the process.

With the launch of Phase 2 of the 20x pilot, the program has progressed to small-scale, real-world testing of its new approach. Phase 2 aims to test the new FedRAMP 20x processes to see how it can improve efficiency before rolling out the program government-wide.

Here’s what you need to know about 20x Phase 2…

What is FedRAMP 20x Phase Two?

FedRAMP 20x is a modernization initiative and a significant change intended to make the FedRAMP authorization process faster and less reliant on manual documentation. Though the underlying security requirements aren’t changing, the program aims to reduce the time taken to meet FedRAMP standards, including those outlined in Rev5, through automation and machine-readable compliance.

FedRAMP 20x is expected to reduce long-term compliance burden and time-to-authorization, which, in turn, the federal government hopes will enable a broader range of cloud service providers to participate in the federal marketplace.

The FedRAMP 20x Phase 2 pilot builds on the learnings from Phase One. It’s designed to continue testing the new FedRAMP 20x processes with real-world data and organization. The Phase 2 pilot is only open to around 10 FedRAMP Moderate Cloud Service Providers (CSPs), enabling FedRAMp to work closely with each participant to validate the princesses and gain feedback before a broader FedRAMP 20x rollout that’s planned for later in 2026.

The focus for Phase 2 is on:

  • Automating security validation through machine-readable data.
  • Working closely with a small number of CSPs to refine the authorization process.
  • Working out any issues and streamlining the process before broader rollout, identifying fraction points and ensuring the program is scalable and ready for a government-wide rollout in FY 2026.

Why Isn’t Phase 2 Open to the Public?

The Phase 2 pilot has been intentionally kept small by the FedRAMP Program Management Office (PMO), which operates under the GSA, to ensure it can offer more direct support to participants so it can refine the FedRAMP 20x authorization process so it’s ready for a wider rollout by the end of FY2026.

Phase 2 aims to establish the explicit guardrails and data-driven standards, including robust authorization data, necessary to ensure FedRAMP 20x can eventually handle high demand without compromising cybersecurity or review timelines.

The FedRAMP 20x Phase 2 Roadmap

The Phase 2 pilot authorization requirement and other criteria were finalized and published on November 18, 2025, and the pilot is scheduled to run during Q1 2026.

Here are the current key dates and milestones for the Phase 2 pilot:

  • December 1 - December 5, 2025: Cohort 1 application period, up to 3 cloud services selected.
  • January 5 - January 9, 2026: Cohort 2 application period, up to 7 cloud services selected.
  • January 27, 2026: Final submission deadline for Cohort 1
  • March 10, 2026: Final submission deadline for Cohort 2
  • March 31, 2026: End of 20x Phase 2

Following Phase 2, FedRAMP will formalize and open the 20x authorization path for wide-scale adoption across Low and Moderate impact levels in FY26.

The government and its stakeholders have ambitious plans and timelines for the FedRAMP 20x rollout, requiring real-time adjustments as the program progresses. But everything is subject to change at this stage. For the latest information, check the FedRAMP 20x Public Roadmap on GitHub.

Learn more about the FedRAMP 20x rollout in the below video: 

What Comes After Phase 2?

After FedRAMP 20x Phase 2, the program will head into Phase 3 which is focused on finalizing the process for 20x Low and 20x Moderate authorizations to become widely available to the public.

Phase 3 is targeted to happen during Q3-Q4 2026. In order to make FedRAMP 20x widely available. According to the FedRAMP 20x GitHub, this phase will include:

  1. Ensuring 20x Low and Moderate requirements and expectations are in place and clearly documented
  2. A functional data-driven Marketplace for FedRAMP 20x authorizations
  3. Expectations for assessment, possibly including a 20x-specific assessment certification and continuous monitoring protocols
  4. Transparent data on the queue, timelines, and general expectations for what it will look like to submit a 20x authorization

While Phase 2 and Phase 3 are in progress, FedRAMP is also completing a major redesign of FedRAMP.gov and the FedRAMP marketplace to make it more user-friendly and easier for CSPs to provide their own Marketplace listing.

Opportunities for Cloud Service Providers

FedRAMP 20x is a significant shift. Due to the cost and timelines involved, FedRAMP authorization has only really been accessible to large, enterprise businesses with the cash (often millions of dollars) and resources (full in-house GRC and compliance teams). Only around 400 companies have completed the traditional FedRAMP certification, which is exceptionally low.

The goal of 20x is simple but ambitious: transform FedRAMP from a document-heavy, manual slog into a streamlined, data-driven process — in turn opening up the FedRAMP Marketplace to a larger number of organizations.

Already, we’re working with a range of companies on 20x compliance that wouldn’t previously have considered federal compliance as an option, particularly regarding the rigorous security assessment process and potential vulnerability identification. And these are companies that I never would have thought would go down this route — innovative teams leveraging AI and modern cloud who have previously focused solely on the commercial sector. Because 20x removes the requirement for a agency authorization it essentially unlocks a massive new market for these businesses.

How Workstreet Can Help with FedRAMP Compliance and 20x

When you’ve got a business to run, keeping up with the latest compliance developments can be challenging, especially with something like FedRAMP 20x where things are moving fast. At Workstreet, we can help your business expand into the public sector cloud services market with expert-led implementation of traditional FedRAMP and FedRAMP 20x.

FedRAMP 20x is an exciting development. It opens up access to the world's largest customer (the US government) for innovative startups that were previously locked out by cost and bureaucracy.

Want to work towards achieving FedRAMP 20x for your business? Workstreet is the fastest, most automated, cost-effective route to FedRAMP and GovRAMP authorization.

Turn compliance into a growth engine: Workstreet delivers full-stack solutions that transform security and compliance into growth accelerators. Talk to an expert →
Build trust, accelerate growth.
Workstreet offers Al-first security solutions that help high growth technology companies get compliant, scale securely, and close bigger deals.
Get started
Ready to Transform Security into a Growth Advantage
Schedule a consultation with our trust solutions experts to see how we can accelerate your security program and compliance journey.
Talk to an engineer
Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.