The Alliance for Digital Innovation (ADI) and the Federal Risk and Authorization Management Program (FedRAMP) hosted a public event unveiling the next phase of a major modernization effort: FedRAMP 20x Phase II. The initiative, spearheaded by the General Services Administration (GSA), aims to radically accelerate and automate the cloud service authorization process for federal use, cutting down on time, effort, and paperwork in favor of efficiency, trust, and cybersecurity transparency.
A Shift from Paper to Automation
Federal CIO Greg Barbaccia kicked off the event with a clear message: the days of slow, manual compliance processes are numbered. He highlighted efforts underway to replace outdated paper-based systems with automation-driven solutions. Barbaccia emphasized “prioritizing tech that agencies need and want most,” stating that he and the CIO Council are assembling a “top-tier list” of high-demand tech services, with a particular focus on conversational AI tools, to be fast-tracked in the FedRAMP pipeline for authorization and approval.
Barbaccia also floated a “presumption of adequacy” approach, encouraging agencies to reuse existing FedRAMP authorizations instead of launching duplicative reviews, unless additional risk warrants it. This is all part of a larger cultural shift he says is needed to build trust in modernization efforts across government.
Phase II and the Road Ahead
FedRAMP Director Pete Waterman followed with a detailed look back at the last six months of Phase I of the pilot and outlined what the future holds for the modernization effort.
He recapped Phase I of the FedRAMP 20x pilot, completed in September, which focused on Low-impact systems and resulted in 12-month provisional authorizations for participating cloud providers.
With Phase II underway, the spotlight turns to Moderate-level security authorizations. This phase specifically targets cloud services that offer AI capabilities, automated governance features, and trust center integration: a reflection of where federal IT demand is headed. It will not be open to the public and will target approximately 10 pilot authorizations with stricter requirements, especially for automation.
Submissions for Phase II are open from mid-October to mid-December.
Waterman was also quick to remind the audience that FedRAMP 20x is not just a compliance checklist. It’s truly a tool for cloud service providers to assess, improve, and track their cybersecurity maturity in real time.
However, the pilot is not without its challenges. FedRAMP’s staffing has been cut from 80+ employees to 28, and its FY25 budget was slashed from $22 million to $11 million. Despite these setbacks, Waterman praised ongoing internal support for the revamp from both GSA and Office of Management and Budget (OMB) leadership.
What’s Next for FedRAMP 20x?
Waterman offered a sneak peek into the future phases of the 20x pilot:
- Phase III (FY26 Q2): 20x Formalization of Low and Moderate; wide-scale agency adoption begins.
- Phase IV (FY26 Q4): 20x High Pilot focused on hyperscale IaaS/PaaS; every agency has all the AI and GRC automation tools they need.
- Phase V (FY27 Q2): All FedRAMP authorized cloud service providers will be required to have completed a transition to fully machine-readable authorization data; no new Rev5 Low or Moderate FR authorizations.
- Phase VI (FY27 Q4): Marks the end of all FR authorizations for Rev5; establish a timeline for retiring existing FR Rev5 authorizations.
The event drew strong participation from across government and industry, signaling broad momentum behind efforts to modernize how the federal government vets cloud services. With rising demand for AI, cybersecurity, and automation tools, FedRAMP 20x is shaping up to be a crucial vehicle for digital transformation.