BLOG
March 20, 2026
Travis Good

KSIs vs NIST Controls: How FedRAMP 20x is Changing Compliance

Learn how KSIs relate to NIST controls and how FedRAMP 20x is switching from static SSPs to automated, machine-readable compliance.

With the FedRAMP 20x wide adoption rollout (Phase 3) approaching, a lot of people are wondering how FedRAMP 20x's Key Security Indicators (KSIs) actually relate to the NIST control families.

One of the core goals of 20x is to simplify FedRAMP compliance. But as KSIs are a new concept, we’re hearing some concerns about how they work — and how much extra work they may create for teams eyeing up federal cybersecurity compliance. 

In short: KSIs are a new (and different) way of proving your security posture meets FedRAMP requirements, not an extra layer of controls on top of the existing NIST 800-53 controls. In this guide, we'll break down what KSIs are, how KSIs relate to NIST controls, and what this means for organizations looking to pursue FedRAMP 20x.

Controls Tell, KSIs Show

With traditional FedRAMP (Rev5), you meet NIST 800-53 controls by writing narrative descriptions in a System Security Plan (SSP). You write about each control and how you’ve configured it. You compile screenshots, attach evidence, and submit it for assessment. An assessor reads through it and verifies your statements.

With FedRAMP 20x, KSIs ask you to prove the same things as an SSP, but with machine-readable evidence that your systems generate continuously rather than a narrative document. So instead of writing about your MFA policy, you output data in a machine-readable OSCAL format showing that MFA is enforced in real time.

There’s no difference in the standards required to meet FedRAMP Low or Moderate with 20x — all the same controls still need to be in place. The difference is mostly in the evidence you need to prove compliance. With FedRAMP Rev 5, that evidence was an SSP. Now, for FedRAMP 20x, you need KSIs to prove continuous compliance.

The Relationship Between NIST Controls and KSIs

KSIs weren’t created to replace NIST controls. KSIs are part of FedRAMP’s modernization efforts to make security assessments more efficient, scalable, and cloud-native. They are designed to streamline compliance, making it easier to validate continuously via code. 

The underlying NIST 800-53 controls still exist and are still required to meet FedRAMP standards; they're just grouped and assessed differently. Rather than focusing on prescriptive processes and narratives explaining how you’ve met controls, KSIs focus on measurable outcomes, giving cloud service providers more flexibility in how they demonstrate compliance.

Each KSI maps to multiple NIST 800-53 controls, so a single KSI around identity and access management might cover access control, authentication, and account management controls that all touch the same systems.

During the FedRAMP 20x Phase 2 pilot, there are 56 KSIs for the Low baseline and 61 for Moderate, and FedRAMP requires automated validation for at least 70% of them.

What a KSI Validation Actually Looks Like

To see the difference in practice, take identity and access management as an example.

The old way (Rev5 access controls): Your compliance team would describe your access control policy, how MFA is configured, who has admin access, and what your review process looks like. They’d then take screenshots of your identity provider settings, your access review logs, and your admin account inventory, and submit them as part of your SSP for an assessor to review.

With KSIs: Your Identity and Access Management (IAM) tools, such as Okta, Microsoft Entra ID, or AWS IAM, continuously output machine-readable data showing MFA enforcement status. Automated validations check this data against the KSI requirements and flag when something falls out of compliance.
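To make the KSI side concrete, here is an added illustration (not code from the original post, FedRAMP, or any identity provider) of what an automated MFA-enforcement validation over a machine-readable IAM export can look like. The export field names, the KSI identifier, and the rule itself (every identity with interactive console access must have MFA enabled, and evidence older than a day is stale) are assumptions for this example, not a real vendor or OSCAL schema.

```python
import json
from datetime import datetime, timedelta

def _parse(ts: str) -> datetime:
    # ISO 8601 with a trailing "Z" (UTC), as identity-provider exports commonly emit.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

# Constructed sample export. The field names are an assumption for this example,
# not a real vendor or OSCAL schema.
SAMPLE_IAM_EXPORT = json.dumps({
    "exported_at": "2026-03-20T12:00:00Z",
    "users": [
        {"user": "alice", "console_access": True, "mfa_enabled": True, "admin": True},
        {"user": "bob", "console_access": True, "mfa_enabled": False, "admin": False},
        {"user": "deploy-bot", "console_access": False, "mfa_enabled": False, "admin": False},
        {"user": "carol", "console_access": True, "mfa_enabled": False, "admin": True},
    ],
})

def validate_mfa_ksi(export_json: str, now: str, max_age_hours: int = 24,
                     ksi_id: str = "KSI-EXAMPLE-MFA") -> dict:
    """Check an IAM export against an assumed MFA-enforcement KSI.

    Rule: every identity with interactive console access must have MFA enabled;
    service identities without console access are out of scope. Evidence older
    than max_age_hours is reported as STALE so the check stays continuous rather
    than a one-off snapshot. Returns a machine-readable result, not a narrative.
    """
    data = json.loads(export_json)
    in_scope = [u for u in data["users"] if u.get("console_access")]
    failing = [u["user"] for u in in_scope if not u.get("mfa_enabled")]
    # Admin accounts without MFA violate the same rule but carry higher impact.
    failing_admins = [u["user"] for u in in_scope
                      if u.get("admin") and not u.get("mfa_enabled")]
    stale = _parse(now) - _parse(data["exported_at"]) > timedelta(hours=max_age_hours)
    status = "FAIL" if failing else ("STALE" if stale else "PASS")
    return {
        "ksi": ksi_id,
        "evidence_timestamp": data["exported_at"],
        "evaluated_at": now,
        "in_scope": len(in_scope),
        "passing": len(in_scope) - len(failing),
        "status": status,
        "findings": failing,
        "admin_findings": failing_admins,
    }

if __name__ == "__main__":
    print(json.dumps(validate_mfa_ksi(SAMPLE_IAM_EXPORT, "2026-03-20T13:00:00Z"), indent=2))
```

In a real pipeline the export would be pulled from the identity provider on a schedule and the result record stored as the KSI evidence, so the assessor sees a stream of timestamped results instead of a screenshot.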

NIST 800-53 Rev 5 Controls Excluded from FedRAMP 20x

Several NIST 800-53 control families are excluded entirely from the 20x KSI set. Here’s a breakdown of what’s excluded:

  • Maintenance (MA): Hardware maintenance procedures were excluded because cloud service providers don't maintain physical servers (that falls on their infrastructure providers).
  • Media Protection (MP): Handling physical media like hard drives and backup tapes. 
  • Physical and Environmental Protection (PE): Data center physical security, fire suppression, power redundancy. AWS, Azure, and GCP handle this.

These exclusions make sense because 20x is designed for cloud-native companies that run on modern tech stacks. If you're running on AWS, you're not the one badging people into data centers. 

On the flip side, two controls were added to the 20x KSI set that weren't in the original FedRAMP Low baseline: AC-23 (Data Sharing) and AT-6 (Training Feedback). 

How 20x Changes Where Your Time Goes

Achieving traditional FedRAMP authorization could take anywhere from 12-18 months and cost from $500K to over $2M. A big chunk of that time and money goes to building SSPs, collecting evidence manually, and walking assessors through documentation.

FedRAMP 20x drastically reduces that timeline. Assessors in the Phase 1 pilot completed Low assessments in two to three weeks, and they expect similar timelines for Moderate. However, it’s worth noting that those results are from a small batch of pilot authorizations (2 Low authorizations during Phase 1, 13 participants in the Phase 2 Moderate pilot), so it may take a little longer when wide adoption rolls out during Phase 3. 

Instead of spending time writing policies and SSPs, you’re spending time designing continuous monitoring systems and building KSI validations. And the audit itself is much, much faster because you've set up the system to automatically collect the evidence.

FedRAMP 20x is a Joint Effort

Traditional FedRAMP was largely a documentation exercise. Compliance teams wrote control narratives, collected evidence, and managed SSPs. 

With 20x, engineering teams need to be heavily engaged. You're designing systems that output machine-readable validations and building automated checks that continuously prove your security posture. 

FedRAMP itself noted during the Phase 1 pilot that "cloud service providers would need to heavily engage engineering teams to adopt a different approach." 

If your company is considering FedRAMP 20x, engineering needs to be looped in from the off. 

Final Thoughts

KSIs and NIST controls aren't actually in competition with each other. KSIs are just a different way of proving you meet the existing NIST 800-53 controls required for FedRAMP compliance. 

For companies coming from SOC 2 or ISO 27001, you probably already have some of the tooling in place. The work is mapping those tools to the 20x KSIs, filling any compliance gaps, and building the automated validations that continuously demonstrate compliance. It's a higher bar than commercial frameworks, but the path is clear.

Our public sector practice is built around helping modern cloud service providers achieve FedRAMP authorization. If you're exploring FedRAMP 20x and want to understand what it would look like for your company, talk to our team. We'll walk you through where you stand and what it would take to get authorized.

Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.