FedRAMP 20x Pilot: Participants, KSIs & Timelines
FedRAMP 20x is moving more slowly than many SaaS vendors can afford to assume. The Federal Risk and Authorization Management Program (FedRAMP) 20x pilot Phase 1 closed in September 2025 after producing 12 Low-impact authorizations from 26 total submission packages, and Phase 2 is currently underway as the FedRAMP 20x Moderate pilot.
A government shutdown from October 1 through November 12, 2025, pushed all planned phases further out, and wide-scale public availability of the 20x Low and Moderate authorization paths now targets fiscal year 2026 (FY26) Q3 at the earliest.
For SaaS vendors with federal budget approved this fiscal year, the decision is straightforward but consequential: pursue Revision 5 (Rev5) authorization now, pause and wait for finalized 20x standards, or find a path that covers both options. Each choice carries a different cost, and the underlying math shifts depending on what is actually happening inside the pilot.
The sections below walk through the pilot's structure, the participants, the specific Key Security Indicators (KSIs) under evaluation, the realistic timeline for when 20x becomes broadly available, and how the gap between those dates and the next federal deal shapes vendor planning.
Key Takeaways
- Phase 1 closed with 12 provisional Low authorizations, and Phase 2 is a closed cohort of 13 cloud services targeting completion by March 31, 2026.
- Public availability of 20x Low and Moderate now targets FY26 Q3 at the earliest, pushing realistic vendor authorization windows into late 2026 or early 2027.
- 20x replaces the static SSP with machine-readable KSIs, requiring phishing-resistant MFA, immutable infrastructure, and automated configuration management.
- Rev5 procurement continues during the pilot, so vendors who wait risk losing the federal pipeline to Rev5-authorized competitors closing multi-year deals.
What the FedRAMP 20x Pilot Is
FedRAMP 20x is the FedRAMP Program Management Office's (PMO) attempt to replace its long-standing authorization model with one that more closely resembles how modern cloud companies actually run security.
From a Static SSP to Machine-Readable KSIs
Under Rev5, FedRAMP authorization centers on a System Security Plan (SSP), an extensive written narrative describing how each of hundreds of National Institute of Standards and Technology (NIST) 800-53 controls is implemented.
The SSP captures security posture at a single point in time, and the PMO has publicly described the difficulty this format creates for new cloud services seeking authorization, particularly the time and cost required to assemble and update the package.
FedRAMP 20x replaces the SSP with KSIs: machine-readable, binary-resolution (true or false) assessments that can be regenerated on demand and updated continuously. The PMO's core concepts page puts the goal directly: "No provider should worry about preparing for a point-in-time audit since the security of the cloud service is continuously and automatically enforced, monitored, and reported."
The Structural Shifts Beyond Documentation
The differences between Rev5 and 20x extend well beyond how security posture is documented. Two structural changes matter most for vendors evaluating the pilot:
- Agency sponsorship is eliminated: Under Rev5, vendors pursuing the traditional path generally need an agency sponsor before the formal authorization process for Moderate or High can begin. Under 20x, FedRAMP reviews initial authorization requests directly, removing the agency sponsor requirement.
- Continuous validation replaces annual assessments: Phase 2 sets an automation requirement in which automated validation must cover at least 70% of KSIs, shifting the assessment model from a yearly audit to an always-on data feed.
The PMO is testing this model now because the previous system carried a 90-service backlog awaiting authorization at the time of the Office of Management and Budget (OMB) Memorandum M-24-15 in July 2024, against a plan that targeted only 50 authorizations for FY25. Because the bottleneck was structural, adding throughput to the existing process would only move the same constraint downstream. The pilot is therefore the PMO's attempt to prove a fundamentally different model before retiring Rev5, and the composition of the vendors who showed up to test it shapes what the early results actually tell us.
Who Is in the Pilot
The pilot ran in two distinct phases with very different participant pools. Phase 1 was open and self-selecting, which produced a specific kind of cohort. Phase 2 is closed and curated, which produced a different one.
- Phase 1 (April through September 2025): An open submission model produced 26 total submission packages and 12 Low-impact authorizations. The first four cloud service providers (CSPs) to receive FedRAMP 20x Low pilot authorizations were Flock Safety, InfusionPoints, Meridian Knowledge Solutions, and Vanta. Governance, risk, and compliance (GRC) tools represented the largest category of submissions, since these companies already had the automated evidence infrastructure that 20x demands.
- Phase 2 (Moderate pilot, currently underway): A closed cohort of 13 cloud services was selected after the PMO determined that future pilots must be limited in scope to prevent an "overwhelming frenzy of participation." Publicly identified Phase 2 participants include Confluent Cloud for Government, Meridian Learning Management System (LMS), and Paramify Cloud, with Confluent Cloud for Government also having participated in Phase 1. Selection criteria were not publicly specified, although CSPs targeting artificial intelligence (AI) use cases received priority consideration.
Two qualifications matter for any vendor reading the participant list. First, all Phase 1 authorizations are provisional, and holders have up to 12 months to adopt Phase 2 standards. Second, the buyer side of the equation has yet to match the vendor side: no agency Chief Information Security Officer (CISO), Chief Information Officer (CIO), or authorizing official has publicly committed to accepting 20x-authorized products in any major federal IT trade publication.
What Is Being Tested
The KSI index spans 11 themes in total. Phase 1 tested 10 themes, and Phase 2 added KSI Authorization, FedRAMP, and Reporting (KSI-AFR). Across those themes, four areas concentrate the requirements most likely to force architectural changes for vendors that have not designed around them from the start:
- Phishing-resistant MFA only (KSI-IAM-01): Phishing-resistant multi-factor authentication (MFA) is required for all user authentication, which rules out Time-based One-Time Password (TOTP) and Short Message Service (SMS)-based MFA. The standard leaves method selection open, making Fast Identity Online 2 (FIDO2), Web Authentication (WebAuthn), Personal Identity Verification (PIV), and Common Access Card (CAC) hardware tokens the practical options.
- Immutable infrastructure (KSI-CNA-04): Immutable infrastructure with strictly defined functionality and privileges by default is required as an architectural constraint that goes beyond a policy artifact. Documentation alone cannot satisfy it.
- Automated configuration management (KSI-SVC): Configuration management must be automated, and Phase 1 validation includes Infrastructure-as-Code (IaC) and configuration scanning. Manual configuration processes fall short of the requirement.
- Government-specific operational standards (KSI-AFR): KSI-AFR introduces 10 FedRAMP-specific standards, including Minimum Assessment Scope, Vulnerability Detection and Response, and Collaborative Continuous Monitoring.
Beyond the four architectural areas, CSPs must also maintain a FedRAMP-compatible trust center: a user-friendly repository through which authorization data and materials are made available, including via Application Programming Interface (API).
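To make the "binary-resolution, regenerated on demand" idea concrete, the following Python script is an added illustration (not FedRAMP PMO code and not any pilot participant's tooling) that evaluates three of the indicator areas named above against two constructed evidence exports: an identity-provider policy listing the MFA factors each user population may use, and a compute inventory recording how each host was built and managed. The KSI identifiers (KSI-IAM-01, KSI-CNA-04, KSI-SVC) come from the article; the evidence format, the field names, the pass/fail logic and the report schema are all assumptions chosen for the example, not the official validation rules. The weak policy is shown beside a hardened one so the true/false flip is visible.

```python
"""Toy KSI evaluator: turns posture data into binary, machine-readable results.

Added illustration only. KSI identifiers follow the article; the evidence
formats and pass/fail logic are assumptions, not FedRAMP's official rules.
"""
import json

# Authenticator types treated here as phishing-resistant (WebAuthn/FIDO2, PIV/CAC).
PHISHING_RESISTANT = {"webauthn", "fido2", "piv", "cac"}

# Constructed sample: identity-provider policy export. TOTP and SMS are still
# allowed for some populations, so KSI-IAM-01 should resolve to False.
WEAK_IDP_POLICY = {
    "policies": [
        {"name": "admins", "allowed_factors": ["webauthn", "piv"]},
        {"name": "staff", "allowed_factors": ["webauthn", "totp"]},
        {"name": "contractors", "allowed_factors": ["sms", "webauthn"]},
    ]
}

# Constructed sample: the same export after removing non-resistant factors.
HARDENED_IDP_POLICY = {
    "policies": [
        {"name": "admins", "allowed_factors": ["webauthn", "piv"]},
        {"name": "staff", "allowed_factors": ["webauthn"]},
        {"name": "contractors", "allowed_factors": ["webauthn"]},
    ]
}

# Constructed sample: compute inventory. Every host is owned by IaC (so the
# KSI-SVC check passes), but the bastion is mutable and reachable over SSH.
INVENTORY = [
    {"id": "web-1", "image_ref": "web@sha256:ab12", "ssh_enabled": False, "managed_by": "terraform"},
    {"id": "web-2", "image_ref": "web@sha256:ab12", "ssh_enabled": False, "managed_by": "terraform"},
    {"id": "bastion", "image_ref": None, "ssh_enabled": True, "managed_by": "terraform"},
]

IAC_TOOLS = {"terraform", "cloudformation", "pulumi"}  # assumed set of accepted owners


def ksi_iam_01(policy):
    """True when every allowed factor in every policy is phishing-resistant."""
    offenders = [
        (p["name"], factor)
        for p in policy["policies"]
        for factor in p["allowed_factors"]
        if factor.lower() not in PHISHING_RESISTANT
    ]
    return {"id": "KSI-IAM-01", "result": not offenders, "evidence": offenders}


def ksi_cna_04(inventory):
    """True when every host runs a digest-pinned image with no interactive login."""
    offenders = [
        h["id"] for h in inventory
        if not h["image_ref"] or "@sha256:" not in h["image_ref"] or h["ssh_enabled"]
    ]
    return {"id": "KSI-CNA-04", "result": not offenders, "evidence": offenders}


def ksi_svc_config(inventory):
    """True when every host's configuration is owned by an IaC tool, not a human."""
    offenders = [h["id"] for h in inventory if h["managed_by"] not in IAC_TOOLS]
    return {"id": "KSI-SVC", "result": not offenders, "evidence": offenders}


def evaluate(policy, inventory):
    """Regenerate the full report from current evidence; safe to run on every change."""
    results = [ksi_iam_01(policy), ksi_cna_04(inventory), ksi_svc_config(inventory)]
    return {
        "schema": "example-ksi-report/1",  # constructed label, not an official schema
        "results": results,
        "passed": sum(1 for r in results if r["result"]),
        "total": len(results),
    }


if __name__ == "__main__":
    # The report is plain JSON so a trust center or API consumer can ingest it.
    print(json.dumps(evaluate(WEAK_IDP_POLICY, INVENTORY), indent=2))
    print(json.dumps(evaluate(HARDENED_IDP_POLICY, INVENTORY), indent=2))
```

The point of the structure is that each indicator returns a boolean plus the offending objects, so a failed check is immediately actionable and a passed check carries no narrative to maintain. Wiring this into CI on every infrastructure or identity change is what turns a point-in-time document into the continuous feed the article describes.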
The enforcement mechanism behind these requirements has real teeth. Under Request for Comment (RFC)-0026, a CSP that fails its continuous monitoring obligations 5 times within 12 months will have its certification revoked and the service removed from the Marketplace for at least 6 months. The 20x model trades the front-loaded cost of a Rev5 audit for ongoing operational discipline, with concrete penalties attached to any lapse in that discipline.
What the Pilot Results Mean for Vendors
Set against the participant pool and KSI requirements, the published pilot calendar and the Rev5 retirement plan together translate into a planning picture rather than a guessing game. The five implications below break down what the published dates actually mean for a SaaS vendor with a budget approved this fiscal year, and what waiting on the program will cost in concrete terms.
1. A Pure 20x Path Will Not Yield Authorization Until Late 2026 at the Earliest
The PMO timeline shows Phase 1 closed after granting 12 Low authorizations from April through September 2025, Phase 2 targeting completion by March 31, 2026, and 20x Low and Moderate public availability targeting FY26 Q3 to Q4 (approximately July through December 2026), with shutdown-related delays pushing the earliest realistic milestone to FY26 Q3. The 20x High pilot opens FY26 Q4 at the earliest.
For a SaaS vendor with a budget approved this fiscal year, a pure 20x-only strategy yields a realistic authorization window of late 2026 to early 2027, assuming the PMO holds its schedule against an FY26 roadmap that simultaneously targets clearing the Rev5 backlog, running Phase 2, opening 20x to the public, and launching 20x High with a 28-person workforce.
2. Rev5 Is the Only Authorization Path With Active Procurement Today
Federal procurement has continued at full pace through the pilot. FedRAMP issued 350 Reuse Authority to Operate (ATO) approvals and 131 new Rev5 authorizations in FY25, all of which represent deals that closed while the pilot was already running. Rev5 Low and Moderate authorizations are expected to sunset in Q3 to Q4 2027, while Rev5 High retires around FY27 Q3 to Q4, leaving roughly two more fiscal years of active Rev5 procurement ahead.
A February 2026 NextGov commentary captured the agency-side dynamic: "Without standard guidance, agencies will sidestep 20x-authorized apps to avoid violating government compliance mandates to which they are subject." Rev5 remains where the federal contract pipeline actually lives.
3. Machine-Readable Evidence Becomes Mandatory Before 20x Goes Public
The September 30, 2026, milestone introduces machine-readable authorization package requirements for new FedRAMP packages on the applicable timelines, with some related requirements carrying later, assessment-based timelines. Existing authorized services receive a grace period ending September 30, 2027, with revocation risk for noncompliance.
The practical consequence is that Rev5 vendors must adopt Open Security Controls Assessment Language (OSCAL)-based automation regardless of whether 20x ever applies to them, and OSCAL is the same foundation on which 20x is built. KSIs will remain specific to 20x, while the underlying machine-readable evidence model carries across both standards. Vendors that automate now position themselves to transition operationally rather than rebuild from scratch later.
4. Agency Demand Has Not Caught Up With Vendor Supply
FedRAMP Director Pete Waterman confirmed in February 2026 that agency-side demand development is an FY2026 objective that is just beginning to take shape, and the PMO's December 2025 announcement stated that it plans to "sit down directly with agencies to walk them through the authorization package," starting with only FedRAMP Board member agencies. Across major federal IT publications, no agency CISO or CIO has publicly committed to accepting 20x-authorized products.
5. Every Quarter Spent Waiting on 20x Carries Direct Cost
For every quarter a SaaS vendor waits for finalized 20x standards, Rev5-authorized competitors close federal deals that, once awarded, lock in for multi-year contract terms. Vendors attempting to run both paths face their own arithmetic: building a FedRAMP boundary from scratch produces two parallel compliance projects, one for Rev5 documentation and one for 20x automation, effectively doubling the work.
The math only changes for vendors whose infrastructure already produces the automated, machine-readable evidence both standards require. The strategic question is therefore whether a path captures current Rev5 demand while sparing the vendor a second infrastructure rebuild later.
Skip the FedRAMP 20x Pilot Wait and Authorize Now
Waiting on the FedRAMP 20x pilot means handing over two budget cycles of federal pipeline to Rev5-authorized competitors, since the traditional 18-plus-month authorization path continues to run while the PMO finishes Phase 2, trains agency authorizing officials, and deploys tooling across 200-plus agencies.
Knox Systems closes that gap with a pre-authorized Knox FedRAMP boundary spanning Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), and supporting FedRAMP Moderate, FedRAMP High, and Department of Defense Impact Level 4 (DoD IL4). Vendors on the Knox FedRAMP boundary inherit 60 to 80% of the required security controls and reach authorization in approximately 90 days, on infrastructure already engineered to meet 20x machine-readable reporting requirements when KSI standards are finalized.
Book a meeting to map your authorization path.