FedRAMP 20x vs. FedRAMP Rev5: What's Changing and What Cloud Service Providers Need to Know
FedRAMP 20x is here, and Rev5 is on the clock. Here’s what’s changing, and which path you should take.

FedRAMP 20x is a huge change from the traditional Rev5 authorization path. Both are built on the same NIST 800-53 controls and require the same level of security, but the way you prove compliance is totally different.
FedRAMP 20x swaps static documents for machine-readable evidence, drops the agency sponsor requirement, and replaces annual audits with continuous validation. It also puts Rev5 itself on a countdown to retirement, with FedRAMP announcing it will stop accepting new Rev5 certifications in June 2027.
This article breaks down each change and what it means for your path to FedRAMP authorization.
What are the Differences Between FedRAMP 20x and Rev5?
Here’s an overview of what’s changing with the rollout of FedRAMP 20x:
How KSIs Replace Rev5 Control Narratives and SSPs
The biggest change is how FedRAMP assesses your controls and compliance. With Rev5, you’re required to produce an SSP (System Security Plan) that describes, control by control, how your system meets each requirement.
If you’ve been through commercial frameworks like SOC 2 or ISO 27001, the rhythm will feel familiar. You write the narratives, collect the evidence, and the assessor will assess your package as part of an audit.
Instead, 20x asks your system to show continuous, real-time compliance via Key Security Indicators which replace the narrative SSP with a live feed.
Key Security Indicator (KSI) A measurable security signal that demonstrates whether a specific safeguard is working. FedRAMP defines the KSIs, and each one maps on the back end to a set of NIST 800-53 controls. A single KSI can cover anywhere from a handful of controls to twenty or more.
With KSIs, your systems need to share machine-readable files, in OSCAL (the Open Security Controls Assessment Language), that validate compliance continuously. The continuous monitoring is designed to catch any drift in your controls so fixes can be deployed immediately.
Under Rev5, you had to write narrative descriptions for every control in your baseline: 156 controls at Low and 323 at Moderate. 20x collapses that into a much smaller set of KSIs. (The pilots ran somewhere in the fifties for Low and low sixties for Moderate, and the exact counts are being finalized under the 2026 rules.)
Does FedRAMP 20x Require an Agency Sponsor?
Another significant change from Rev5 is that FedRAMP 20x does not require an agency sponsor. This opens the door to a far larger pool of SaaS and cloud-native businesses that would have previously been locked out of FedRAMP.
Under Rev5, an agency sponsor was needed before you could start working towards FedRAMP authorization. Through 20x, the authorization is signed by the FedRAMP Director, which means FedRAMP itself assesses your posture and makes it reusable by any agency, with no sponsor required to start.
In 12 to 15 years, only around 400-500 companies ever completed traditional FedRAMP, and the sponsor requirement is a big reason why. By removing it, more companies will be able to list in the FedRAMP Marketplace and open up to federal work.
FedRAMP 20x Shifts Cost From the Audit to System Design
FedRAMP 20x is designed to make authorization faster and cheaper than the traditional Rev5 route. But the standards don’t change, your systems still need to meet the same NIST 800-53 controls.
When working towards 20x, there’s a shift in where your time is spent. Under Rev5, an enormous amount of time would be spent on assembling evidence and writing your SSP. 20x flips that, so you’ll spend the majority of your time designing systems and implementing KSIs that continuously monitor and validate your controls.
The audit timeline for 20x is also much shorter, with assessors in the pilot completing Low (Class B) assessments in roughly two to three weeks, and the expectation is that Moderate (Class C) lands in a similar range.
Rev5 Is Being Phased Out by the End of 2028
With 20x gradually being rolled out across each baseline, FedRAMP has announced it plans to stop accepting new Rev5 authorizations from June 11, 2027, with existing Rev5 authorizations set to sunset by December 31, 2028.
Here’s the full timeline:
- June 25, 2026: The 2026 Consolidated Rules make FedRAMP 20x widely available.
- August 3, 2026: Class A certification pipeline opens.
- August 31, 2026: Class B and Class C pipelines open.
- June 11, 2027: FedRAMP stops accepting applications for new Rev5 certifications.
- December 31, 2028: Rev5 authorizations are set to sunset.
FedRAMP is also changing the naming convention behind its certification levels. Instead of Low, Moderate, High, FedRAMP will now have Class A (a new entry-level tier), Class B (Low), Class C (Moderate), and Class D (High), with Class B, C, and D mapping cleanly onto the old Low, Moderate, and High baselines.
What Is FedRAMP Class A?
FedRAMP Class A is a new certification level (without a Rev5 equivalent). It’s designed to offer an on-ramp to the FedRAMP Marketplace for organizations coming from the commercial world, using an existing commercial security certification, with no agency sponsor required.
With Class A, modern, cloud-native businesses can use a recognized commercial certification completed in the last 12 months to open the door to FedRAMP. These certifications are:
- A SOC 2 Type II report
- A GovRAMP authorization (any historical impact level)
- An existing FedRAMP Rev5 or FedRAMP Ready assessment
SOC 2 Type II will be the main route into Class A for most organizations that are new to federal compliance.
But Class A is an on-ramp, not a destination. You get roughly two years to upgrade to a full Class B, C, or D certification if you want to stay in the Marketplace. It’s also essential to know that SOC 2 alone won't get you into the FedRAMP Marketplace. Alongside your SOC 2 Type II report, you’ll also need to implement a number of KSIs and 25 additional mandatory FedRAMP rules.
Class A lowers the barrier to entry but still requires a significant amount of work on top of your existing SOC 2 Type II report.
Should You Choose FedRAMP 20x or Rev5?
The right choice largely depends on your current situation.
If you currently have a Rev5 authorization, you have a fair amount of runway until it sunsets on December 31, 2028. But you should start planning your move to 20x and machine-readable, continuous compliance now, because eventually every authorized provider will transition to 20x.
If you’re a commercial company eyeing the federal market for the first time. 20x is the right path to get into the FedRAMP Marketplace. You’ll need to do a fair amount of work to implement the controls required to meet FedRAMP standards and with the entire program moving to 20x, machine-readable, continuous compliance, it’s the best place to start for any business that’s new to FedRAMP. The biggest decision you’ll have to make is which impact level or class to go after — Class A is the fastest route, but is only a short-term on-ramp to Class B, C, or D.
Start Engineering for 20x Before the Clock Runs Out
FedRAMP 20x is here. If the federal market is on your roadmap, it’s time to start looking at how to implement KSIs and continuous monitoring before the Rev5 path is sunset.
If you want to know what it would take to achieve 20x for your company, our public sector practice runs both Rev5 and 20x programs for cloud providers. We can help you figure out the best path forward and take on as much of the technical and implementation work as required to help you meet 20x standards on your own timeline. Want to learn more about our FedRAMP work? Book a call with our team here.

