The General Services Administration (GSA) officially unveiled the Federal Risk and Authorization Management Program (FedRAMP) 20x Phase Two pilot on Wednesday afternoon, following the successful completion of Phase One last month.

GSA’s FedRAMP aims to provide a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

In March, the program launched FedRAMP 20x, a revamp effort focused on automation to accelerate the approval of secure cloud services.

“The thing that we learned the most in Phase One, and the thing that we want to really just drive home, is to stop thinking about FedRAMP as a compliance bar where you hit the minimum and then you’re in, and then you’re done,” FedRAMP Director Pete Waterman said on Wednesday at an event held by the Alliance for Digital Innovation.

“This is not what it’s about,” he added. “FedRAMP is a tool for you as a business to set goals for yourself and assess your progress and success towards them.”

The Phase One pilot focused on a new approach to FedRAMP Low authorization, and it was open to the public. Qualifying cloud service offerings that successfully complete Phase One will receive a 12-month FedRAMP Low authorization.

Waterman announced on Wednesday that Phase Two is not open to the public and will be strictly limited. FedRAMP is targeting 10 Moderate pilot authorizations during Phase Two, which will run from mid-October to mid-December.

Those who are allowed to participate in Phase Two include providers who submitted a complete package for Phase One that was not rejected or withdrawn; cloud service offerings that meet all of the FedRAMP AI Prioritization criteria; cloud services with governance, risk, and compliance (GRC) automation capabilities that are designed for 20x; and cloud services that provide FedRAMP-compatible trust centers.

Waterman said that FedRAMP is making these changes to “focus on quality over quantity” in Phase Two.

“We got too many submissions in the first round. We weren’t prepared for it. We didn’t have the staff for it, and too many of them were not good enough, and they took a lot of our time,” Waterman said. “That’s my bad. That’s not your bad. I said, ‘Send me something, and we’ll look at it.’ And y’all did. So, thank you so much for participating.”

The FedRAMP director said that the program is down to 28 employees after losing over 50 employees in fiscal year (FY) 2025. Additionally, he noted FedRAMP’s budget has gone from $22 million to $11 million during this fiscal year.

Waterman explained that the target staff level for FY 2026 is approximately 43, but he candidly said he is not sure FedRAMP will get there.

“As far as my team hiring, that’s tough. We’re in a tough situation. That’s probably going to be one of our biggest problems over the next few months,” Waterman said, adding, “It will affect our ability to deliver, full stop.”

Phases to Come

Going forward, Waterman said that FedRAMP wants to create “realistic targets” that allow his team to continue to improve 20x. In doing so, he expects that Phase Three formalization can address problems detected during Phases One and Two.

Phase Three will start “at the beginning of next year,” according to Waterman, and will formalize 20x Low and Moderate and make them available as a standard authorization to the public. Waterman noted that in Phase Three, FedRAMP plans to “hopefully train new staff.”

Phase Four is expected to launch about a year from now, he said, and will be a 20x High pilot. This will focus on hyperscale infrastructure as a service (IaaS), as well as platform as a service (PaaS).

“We want to start bringing the big players forward into 20x by the end of next year,” Waterman said. “A success measurement for us will be that every single agency has access to every single AI, GRC automation tool that they need to go about their daily lives.”

Waterman said that, halfway through FY 2027, cloud service providers still on Rev 5 will be required to have completed a transition to fully machine-readable authorization data.

“If you’re going to stick around on Rev 5, you need to be machine-readable. The tools exist. Agencies will have the tools,” he stressed.

Also at that time, Waterman said FedRAMP expects to stop doing new Rev 5 Low or Moderate authorizations. Waterman anticipates that will happen “because demand has just tapered off and is gone” for Rev 5.

Finally, two years from now, in the fourth quarter of 2027, Waterman said there will be a “full stop” of new FedRAMP authorizations for Rev 5. He said his team will establish a timeline for retiring existing FedRAMP Rev 5 authorizations.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.