April 13, 2026
Travis Good

What Is FedRAMP? And Why It's Changing

FedRAMP is the federal government's security standard for cloud services. Learn how it works, what's changing with FedRAMP 20x, and how to prepare.

The US federal government is one of the largest buyers of cloud software on the planet. But if you want to sell to the government and its agencies, you first need FedRAMP certification.

FedRAMP stands for Federal Risk and Authorization Management Program, and it's a set of criteria cloud service providers (CSPs) need to meet in order to work with the US government.

The FedRAMP program has been in place for more than a decade. However, in that time, only around 400-500 organizations have completed the process, mostly down to the costs ($500-$1m+) and timeframe (12-18 months) required to achieve certification.

That number is about to change dramatically, because the program is going through its biggest overhaul since its inception. In this guide, I’ll share what FedRAMP is, why it matters, and how FedRAMP 20x is about to open up the federal market for more innovative startups. 

What is FedRAMP? (And Why it Exists)

FedRAMP was designed to standardize how cloud services prove they're secure enough to handle federal data. 

The program is built on NIST 800-53, the federal government's core catalog of security controls, which covers everything from access management to incident response to encryption.

The idea behind FedRAMP is "authorize once, reuse many times." So instead of every federal agency running its own security assessment of your product, you go through FedRAMP once and any agency can accept that authorization. That's a big deal when there are hundreds of agencies and departments buying software.

Any CSP that wants to sell to a federal agency needs FedRAMP authorization. That includes SaaS products, IaaS platforms, and PaaS offerings. Without it, you're locked out of federal contracts that require it. 

FedRAMP has three impact levels: Low, Moderate, and High. These correspond to the sensitivity of the data your product will process: 

  • Low covers systems where a breach would have limited impact. 
  • Moderate covers systems where a breach would have a serious impact on operations, assets, or individuals, which is where most government SaaS use cases fall. 
  • High is reserved for systems where a breach could have severe or catastrophic impact, like law enforcement and emergency services. 

How Traditional FedRAMP Authorization Works

The traditional FedRAMP process (known as Rev 5) has been the only path for over a decade, and it's not easy.

First, you need an agency sponsor, meaning a specific federal agency has to agree to champion your authorization. Without one, you can't even start. That alone has been a dealbreaker for most companies, especially startups with no existing federal relationships.

The core deliverable is a System Security Plan (SSP), a long narrative document where you describe how you meet each NIST 800-53 control. For a Moderate authorization, you're looking at hundreds of controls that each need a written narrative explaining your policy and technical implementation. I'd describe SSPs as largely static documents. They're created for each audit cycle, listing out policies and implementations for each control. 

The whole process can take anything from 12-18 months and cost anything from $500,000 to $1M+, including assessment, remediation, and documentation.

The combination of costs, timeline, and agency sponsors explains why only about 400 companies have been authorized in over 12 years.

What's Changing With FedRAMP 20x?

FedRAMP 20x is a new authorization path announced by the General Services Administration (GSA) in March 2025. It was built on the authority established by the FedRAMP Authorization Act and the Office of Management and Budget's Memorandum M-24-15 (July 2024), which laid out a new vision for the program focused on automation, speed, and growing the FedRAMP Marketplace.

In order to open up the federal market to more innovative startups and CSPs, FedRAMP 20x removes the need for an agency sponsor — opening the door for companies that don't currently have federal relationships.

A major motivation for the government here is getting access to companies building new technologies and leveraging AI, not just the large established government contractors that have historically dominated the market. 

At Workstreet, we're working with companies that I never would have imagined going down the FedRAMP route before 20x. These are modern SaaS businesses looking at the federal government as a massive expansion opportunity that was previously closed to them.

Another huge change is the speed of authorizations. Assessors who participated in the Phase 1 pilot completed FedRAMP Low assessments in two to three weeks, and they expect Moderate to be similar. Compare that to the 12 to 18 months of the traditional route. Worth noting: those timelines come from a small pilot with 12 authorizations, so they may shift as the program scales. But even if assessments take a couple of months at full scale, that's still a fraction of the old Rev 5 timeline.

FedRAMP 20x also introduces continuous monitoring, where your systems provide ongoing evidence that you're meeting requirements. When something in your infrastructure falls out of compliance with your policies, those systems should trigger alerts. The goal is that you always know your security posture, not just once a year during an audit.

How FedRAMP 20x Actually Works

We're currently working with customers going through both the traditional Rev 5 route and 20x at the same time, and the difference in approach is significant. The technical shift with 20x is from narrative documents to machine-readable, automated evidence. This all revolves around Key Security Indicators (KSIs).

KSIs sit on top of NIST 800-53 controls. Each KSI maps to multiple underlying controls. So a single KSI around identity and access management might cover access control, authentication, and account management controls simultaneously. Companies working towards 20x certification are required to build automated validations that pull data from their log management systems, their authentication tools, their infrastructure, and output it in a machine-readable format like OSCAL that proves they're meeting each KSI.

Think of it as compliance as code. Instead of writing about your MFA policy in a document, you codify that policy into your infrastructure configuration and your systems validate that it's enforced on an ongoing basis. Whatever's in your policy, you've codified into your technical implementation, and the machine-readable output your systems produce is the evidence.
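As an added example of what "compliance as code" looks like in practice (this is illustrative code written for this article, not Workstreet's tooling or anything published by the FedRAMP program), the script below encodes two identity policies as data, runs them as an automated validation over a constructed IdP user export, maps the results to NIST 800-53 controls, and emits a machine-readable evidence record. It covers both the KSI idea above (one KSI spanning authentication and account-management controls) and the continuous-monitoring point earlier in the post (failing checks become alerts). The KSI identifier, the control mapping, the policy thresholds and the user records are all assumptions; the JSON output is a simplified evidence structure, not the full OSCAL assessment-results schema.

```python
"""Illustrative KSI validator in the compliance-as-code style.

Added example, not code from the original post or from FedRAMP/Workstreet.
The KSI id, control mapping, policy values and user records are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Policy expressed as code rather than as narrative in an SSP (assumed values).
POLICY = {
    "require_mfa_for_active_users": True,
    "max_inactive_days": 90,  # active accounts idle longer than this are a violation
}

# Placeholder KSI id (not an official FedRAMP identifier) and an illustrative
# mapping of that single KSI onto several NIST SP 800-53 controls.
KSI_ID = "KSI-IAM-EXAMPLE"
CONTROL_MAP = {
    "mfa_enforced": ["IA-2"],                 # identification and authentication
    "inactive_accounts_disabled": ["AC-2"],   # account management
}

# Constructed sample of what an identity-provider export might contain.
NOW = datetime(2026, 4, 13, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"id": "alice", "status": "active",   "mfa_enrolled": True,  "last_login": "2026-04-10T08:00:00Z"},
    {"id": "bob",   "status": "active",   "mfa_enrolled": False, "last_login": "2026-04-12T09:30:00Z"},
    {"id": "carol", "status": "active",   "mfa_enrolled": True,  "last_login": "2025-12-01T10:00:00Z"},
    {"id": "dave",  "status": "disabled", "mfa_enrolled": False, "last_login": "2025-06-01T10:00:00Z"},
]


def _parse_ts(ts):
    """Parse the export's UTC timestamps into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_mfa_enforced(users, policy):
    """Every active account must have MFA enrolled; disabled accounts are exempt."""
    if not policy["require_mfa_for_active_users"]:
        return {"status": "not-applicable", "violations": []}
    violations = [u["id"] for u in users
                  if u["status"] == "active" and not u["mfa_enrolled"]]
    return {"status": "fail" if violations else "pass", "violations": violations}


def check_inactive_accounts_disabled(users, policy, now):
    """Active accounts idle longer than the policy threshold should have been disabled."""
    cutoff = now - timedelta(days=policy["max_inactive_days"])
    violations = [u["id"] for u in users
                  if u["status"] == "active" and _parse_ts(u["last_login"]) < cutoff]
    return {"status": "fail" if violations else "pass", "violations": violations}


def validate_ksi(users, policy=POLICY, now=NOW):
    """Run every check behind the KSI and return one structured evidence record."""
    checks = {
        "mfa_enforced": check_mfa_enforced(users, policy),
        "inactive_accounts_disabled": check_inactive_accounts_disabled(users, policy, now),
    }
    failed = [name for name, c in checks.items() if c["status"] == "fail"]
    return {
        "ksi": KSI_ID,
        "collected_at": now.isoformat(),
        "status": "fail" if failed else "pass",
        "checks": [{"name": name, "controls": CONTROL_MAP[name], **c}
                   for name, c in checks.items()],
        # Continuous monitoring: each failing check becomes an alert to act on,
        # rather than a finding discovered a year later during an audit.
        "alerts": [f"{KSI_ID}/{name}: {checks[name]['violations']}" for name in failed],
    }


def to_evidence_json(result):
    """Serialize the record as machine-readable evidence an assessor can consume."""
    return json.dumps(result, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_evidence_json(validate_ksi(SAMPLE_USERS)))
```

Run against the sample export, the validator flags `bob` (active without MFA) and `carol` (active but idle past the 90-day threshold), marks the KSI as failing, and produces two alerts; `dave` is exempt from both checks because the account is already disabled. The design choice worth copying is that the policy lives in `POLICY`, the evidence is whatever the checks return, and the control mapping is data, so an assessor verifies generated output instead of reading a narrative, which is the shift the post describes.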

Where You Spend Your Time Flips

With traditional FedRAMP, you'd spend months post-implementation collecting manual screenshots and writing evidence for the audit. With 20x, you spend more time upfront designing monitoring and automated validation. But the audit itself is fast because the evidence already exists and is being generated around the clock. The assessor is verifying automated output, not reading a static document.

Where the Program Stands Today

FedRAMP 20x has moved fast. The GSA set what many people (myself included) thought were pretty aggressive timelines for the rollout, and so far they've hit every milestone.

Here's where things stand:

  • Phase 1 (Low pilot): Completed September 2025. Open to the public, 26 submissions, 12 pilot authorizations granted. Proved the concept works.
  • Phase 2 (Moderate pilot): Active now with 13 selected participants. Invite-only because the level of interest in Phase 1 nearly overwhelmed the FedRAMP review team.
  • Phase 3 (wide-scale Low + Moderate): Targeted for the second half of 2026. This is when the program opens to everyone, not just selected pilot participants.
  • Phase 4-5 (High pilot, end of Rev 5): FY27. By the end of Phase 5, 20x becomes the only path for new authorizations.

Companies that already hold Rev 5 authorizations will have a multi-year transition window, but all new authorizations for Low and Moderate will go through 20x after Phase 3 is introduced. 

How to Start Preparing for FedRAMP 20x

Most of the companies we're talking to about 20x are coming from the commercial side with existing compliance programs. There's a lot of common ground between SOC 2, ISO 27001, and NIST 800-53 in areas like access control, incident response, and change management. 

However, FedRAMP is a much higher bar than SOC 2 or ISO 27001, and there's significant work required to move from a commercial compliance program to a public sector-ready one.

A lot of the work is in mapping your existing tooling to KSIs and filling gaps in areas like encryption validation or automated inventory tracking. With 20x, your systems need to produce evidence on an ongoing basis in a machine-readable format. 

What we're thinking about with our customers goes beyond audit evidence. Moving from commercial to public sector compliance means maturing your security program so you have the foundational pieces in place to monitor environments and compliance around the clock. In a lot of cases, going down the FedRAMP 20x route is driving discussions about how to improve a company's overall security posture, not just check a compliance box.

If I were looking for a partner to help build a FedRAMP 20x program, I'd look for experience building modern security programs. FedRAMP 20x is written for companies building modern security programs with modern technologies, and you want a partner who has that same mindset and the experience to implement it. Our public sector practice is built around helping modern cloud service providers extend their commercial compliance programs into FedRAMP 20x.

The Federal Market Is Opening Up. Will You Be Ready?

The federal government is a massive market for SaaS companies. Federal agencies offer a huge opportunity for CSPs across a range of categories, from CRMs to security platforms to developer tools. FedRAMP has historically been the barrier that kept most companies out, but with 20x that barrier is shrinking: no agency sponsor is required, assessments are speeding up, and the process is designed for modern cloud-native companies.

Wide-scale access to FedRAMP 20x Low and Moderate opens in the second half of 2026. The companies that start preparing now, while the program is still in pilot, will be first in line when it does.

If you're exploring FedRAMP 20x and want to understand what it would look like for your company, talk to our public sector team.

Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.