FedRAMP 20x Roadmap: Key Dates and Phases (2026)

As of June 2026, FedRAMP 20x has finished its two pilot phases and entered Phase 3, wide-scale adoption. The Low pilot (Phase 1) and Moderate pilot (Phase 2) are both complete, FedRAMP is finalizing the Consolidated Rules for 2026 (CR26) by the end of June 2026, and the public submission pipeline for 20x Certifications is expected to open in FY26 Q4 (July–September 2026). A High-impact pilot is signaled for FY27.

Key takeaways

• FedRAMP 20x is in Phase 3 as of April 2026; this is the move from pilots to a permanent, publicly available program.
• Phase 1 (Low pilot) ran April–September 2025 and produced an initial set of 20x Low authorizations from 26 public submissions.
• Phase 2 (Moderate pilot) ran November 2025–March 2026 and produced an initial set of 20x Moderate authorizations from 14 submissions.
• The Consolidated Rules for 2026 (CR26) are due by the end of June 2026 and will remain valid through December 31, 2028.
• Per NTC-0004, FedRAMP settled on a single label — FedRAMP Certification — with four assessment baselines named Class A, B, C, and D, not separate "Validated" designations or numbered levels.
• The 20x submission pipeline is expected to open in FY26 Q4, initially for Class A (Pilot), Class B (Low), and Class C (Moderate).

What are the FedRAMP 20x phases?

FedRAMP 20x is being delivered in five planned phases. Rather than launching a finished program all at once, FedRAMP designed each phase to test concepts publicly, gather real submissions, and adjust the rules before the next phase begins. The official phase plan as of June 2026 looks like this:

Phase	What it covers	Timeline	Status (June 2026)
Phase 1	20x Low pilot and proof of concept	FY25 Q3–Q4 (Apr–Sep 2025)	Completed
Phase 2	20x Moderate pilot	FY26 Q1–Q2 (Nov 2025–Mar 2026)	Completed
Phase 3	Wide-scale adoption; formalize all 20x requirements	FY26 Q3–Q4 (Apr–Sep 2026)	Active
Phase 4	High-impact (Class D) pilot for cloud-native services	FY27 Q1–Q2	Future
Phase 5	End of life for cloud-native Rev 5 Certifications	FY27 Q3–Q4	Future

Source: FedRAMP 20x Phased Implementation — fedramp.gov/20x/phases

The phases are sequential but overlapping in practice. FedRAMP continued reviewing Phase 1 submissions during Phase 2, and the rules that govern Phase 3 are still being finalized even though Phase 3 is already active. FedRAMP has been explicit that these timelines are estimated goals, not firm commitments, and that they shift based on real-world impact and the operating environment.

What happened in the Phase 1 and Phase 2 pilots?

The two pilots are the reason 20x exists in its current form — they tested whether automation-based validation could replace static, once-a-year manual assessments, and the answer was yes.

Phase 1 — the Low pilot (April–September 2025). This pilot focused almost entirely on Key Security Indicators (KSIs) as a proof of concept for automated validation. Submissions were open to the public to maximize participation. FedRAMP received 26 complete submission packages during a window that ran from May 30 to August 18, 2025, granted the first cohorts of pilot authorizations in late July 2025, and completed reviews of 13 submissions during the phase. The historical timeline records an initial 12 FedRAMP 20x Low pilot authorizations from those 26 submissions, with more to follow as reviews continued. Phase 1 closed out at the end of FY25 alongside a broader milestone: FedRAMP completed 144 authorizations for the year and eliminated its long-standing authorization backlog.

Phase 2 — the Moderate pilot (November 2025–March 2026). Phase 2 added the requirements needed for the FedRAMP Moderate baseline, testing the additional automated validation that a higher-sensitivity baseline demands. It started late — November 2025 — because of the longest lapse in federal appropriations on record, which paused FedRAMP's ability to meet with providers. The pilot completed in March 2026 with an initial 8 FedRAMP 20x Moderate pilot authorizations from 14 submissions, again with more reviews continuing afterward.

One result from Phase 1 worth flagging for any provider planning a 20x path: no participants were interested in reusing existing external framework assessments such as SOC 2, and the largest single category of submissions was GRC tooling — a direct consequence of 20x allowing program authorizations without an agency sponsor.

Source: Phase 1 Recap and FedRAMP 20x Historical Timeline

What is the timeline for 2026?

2026 is the year FedRAMP 20x stops being a pilot and becomes a program any qualifying provider can pursue. The near-term calendar is dense, and most of the load-bearing dates fall in the second and third quarters.

Milestone	Date	What it means
RFC-0020 (Authorization Designations) closed	February 19, 2026	Public comment ended on how FedRAMP authorizations would be labeled
NTC-0004 published	February 25, 2026	FedRAMP announced the final designation decisions (see below)
Phase 2 Moderate pilot completed	March 2026	Initial 20x Moderate authorizations issued; CR26 preparation begins
Phase 3 begins	April 2026	Wide-scale adoption phase starts; pilots officially over
Consolidated Rules for 2026 (CR26) finalized	End of June 2026	All 20x requirements formalized; rules valid through Dec 31, 2028
20x submission pipeline opens	FY26 Q4 (Jul–Sep 2026)	Public can submit for 20x Certification (Class A, B, and C)

Source: NTC-0004 — Initial Outcome from RFC-0020 and FedRAMP 20x Phase 3

The single most important shift to understand from this stretch is the naming outcome in NTC-0004. RFC-0020 originally floated separate designations and additional baselines, but after public comment FedRAMP simplified everything:

• There is one official label: a cloud service is FedRAMP Certified, full stop. FedRAMP decided against separate "FedRAMP Validated" branding for 20x versus Rev 5, on the grounds that two labels would confuse procurement. The two paths will instead be distinguished by filters in the FedRAMP Marketplace.
• FedRAMP declined to use "levels" or numbers for the baselines, to avoid confusion with the DoD Impact Level (IL) system. Instead, the four assessment baselines are labeled Class A, B, C, and D.
• For Rev 5: Class A is a new pilot baseline, Class B covers the current LiSaaS and Low baselines, Class C covers Moderate, and Class D covers High. 20x baselines will align to the same Class structure inside CR26.

A FedRAMP Certification is not, by itself, an agency authorization to operate. The Class label describes the depth and type of information a provider supplies for assessment — not a guarantee that the service is appropriate for a given agency at a given FIPS 199 category. Agencies still make their own risk decisions using the certification package.

What is coming next after Phase 3?

After Phase 3 formalizes the program, two future phases extend 20x to higher-sensitivity systems and begin sunsetting the legacy path for cloud-native services.

Phase 4 — High-impact (Class D) pilot, FY27 Q1–Q2. FedRAMP plans to pilot a 20x path for High-impact, cloud-native services (the Class D baseline) while wide-scale adoption continues. This phase is also where FedRAMP intends to determine the future of certification for platform services that are not cloud-native — a meaningful open question for providers whose architecture doesn't fit the automation-first model.

Phase 5 — end of life for cloud-native Rev 5 Certifications, FY27 Q3–Q4. At the end of this phase, FedRAMP plans to stop accepting new Rev 5 Certifications for cloud-native services and to publish a clear path and timeline for migrating existing cloud-native Rev 5 offerings to 20x. FedRAMP has signaled this transition is likely to include multi-year deadlines, so existing Rev 5 authorizations are not at near-term risk — but the long-run direction for new cloud-native services is unambiguously 20x.

For a side-by-side of how the two models differ in practice, see our breakdown of FedRAMP 20x vs Rev 5. If you are weighing the investment, our FedRAMP 20x cost analysis covers what changes when assessment shifts from documentation to continuous validation. And because both paths now resolve to a single "FedRAMP Certified" label differentiated only by marketplace filters, our guide to the FedRAMP Marketplace explains how buyers will actually tell the paths apart.

How should providers read this roadmap right now?

The practical message for a provider in mid-2026 is that the window between "pilot" and "open program" is short, and preparation done now compounds. The pilots proved that the bottleneck in 20x is not paperwork — it is whether your engineering telemetry can continuously prove KSI outcomes. Providers that wait for CR26 to publish before building inventory, evidence pipelines, and automated validation will start Phase 3 behind providers that treated the pilots as a preview.

Three concrete moves hold up regardless of how the remaining dates shift:

• Map your boundary and inventory now. Minimum Assessment Scope is the same input whether you pursue Class B or Class C, and a clean inventory is the foundation every KSI sits on.
• Instrument KSI evidence as machine-readable, not screenshot-based. The pilots rewarded providers who could generate validation from live system data and penalized those relying on static narratives.
• Decide your Class early. Class B (Low) and Class C (Moderate) open first in FY26 Q4; Class D (High) is not piloted until FY27. If you need High, plan around the later timeline rather than assuming day-one availability.

Frequently asked questions

What phase is FedRAMP 20x in as of June 2026?

FedRAMP 20x is in Phase 3 — wide-scale adoption, which began in April 2026. Both pilot phases (Low and Moderate) are complete, and FedRAMP is finalizing the Consolidated Rules for 2026 by the end of June 2026.

When can companies actually submit for a 20x Certification?

The public submission pipeline for FedRAMP 20x is expected to open in FY26 Q4 (July–September 2026), initially for Class A (Pilot), Class B (Low), and Class C (Moderate) Certifications. This date is an estimated goal and may shift.

What are the Consolidated Rules for 2026 (CR26)?

CR26 is the document that formalizes all FedRAMP 20x requirements for cloud service providers. FedRAMP plans to finalize it by the end of June 2026, and the rules will remain valid through December 31, 2028.

Did FedRAMP adopt numbered levels or "FedRAMP Validated" designations?

No. Per NTC-0004 (published February 25, 2026), FedRAMP chose a single label — FedRAMP Certification / FedRAMP Certified — and declined to use numbered levels or a separate "FedRAMP Validated" designation. The four assessment baselines are labeled Class A, B, C, and D, and the 20x versus Rev 5 distinction will be shown through Marketplace filters instead of separate labels.

What is the difference between the Class A, B, C, and D baselines?

The Class label describes the depth and type of information a provider supplies for assessment. For Rev 5: Class A is a new pilot baseline, Class B covers the current LiSaaS and Low baselines, Class C covers Moderate, and Class D covers High. 20x baselines align to the same structure under CR26.

When will FedRAMP 20x support High-impact systems?

A High-impact (Class D) pilot for cloud-native services is planned for Phase 4, FY27 Q1–Q2. As of June 2026, 20x is opening first for the Class A, B, and C baselines.

Is Rev 5 going away?

Not immediately. FedRAMP plans to stop accepting new Rev 5 Certifications for cloud-native services at the end of Phase 5 (FY27 Q3–Q4) and to publish a migration path with what it has signaled will likely be multi-year deadlines. Existing Rev 5 authorizations are not at near-term risk.

Sources

• FedRAMP 20x Overview — fedramp.gov/20x
• FedRAMP 20x Phased Implementation — fedramp.gov/20x/phases
• FedRAMP 20x Phase 1 Recap — fedramp.gov/20x/phases/1
• FedRAMP 20x Phase 3 — fedramp.gov/20x/phases/3
• FedRAMP 20x Historical Timeline — fedramp.gov/20x/timeline
• RFC-0020 FedRAMP Authorization Designations — fedramp.gov/rfcs/0020
• NTC-0004 Initial Outcome from RFC-0020 — fedramp.gov/notices/0004

---

Last updated: June 2026. Written by the Boundera team.