
KSIs vs the SSP: What FedRAMP 20x Changes About Documentation

Under Rev 5, the SSP is a large narrative document describing how a system implements the NIST 800-53 baseline control by control. FedRAMP 20x replaces most of that prose with Key Security Indicators (11 themes) backed by machine-readable and human-readable evidence that is continuously and automatically validated rather than assessed once a year.

June 4, 2026|9 min read

Main question

What is the difference between the FedRAMP Rev 5 SSP and the FedRAMP 20x KSI approach?

Under traditional FedRAMP Rev 5, the System Security Plan (SSP) is a large narrative document that describes, control by control, how your system implements the NIST SP 800-53 baseline. FedRAMP 20x replaces most of that prose with Key Security Indicators (KSIs): defined security goals that you satisfy with machine-readable, human-readable evidence packages that are continuously and automatically validated rather than written up once a year. The SSP does not vanish overnight, but its center of gravity shifts from "describe what you do" to "prove what is true, right now."

Key takeaways

  • The Rev 5 SSP is a long written narrative covering the full NIST 800-53 baseline (Low ~156, Moderate 323, High 410 controls). FedRAMP 20x is "designed for automated demonstration of secure configurations and practices" instead of "extensive written narratives describing static security decisions" (fedramp.gov).
  • FedRAMP 20x organizes requirements around Key Security Indicators (KSIs) spanning 11 themes, each backed by an evidence package that is both machine-readable and human-readable.
  • KSI evidence is persistently validated — checked continuously and automatically — rather than assessed at a single point in time once per year.
  • Under the 2026 rules (RFC-0020 / NTC-0004), all FedRAMP authorizations use a single FedRAMP Certified label, with four Certification Classes (A–D) in place of Low/Moderate/High. There is no separate "FedRAMP Validated" designation.
  • FedRAMP 20x Phase 1 pilot participants reached authorization in less than two months, versus the years that a traditional Rev 5 SSP-driven authorization typically takes (fedramp.gov).

What is the difference between an SSP and KSIs?

An SSP and a set of KSIs answer the same underlying question — "is this cloud service secure enough?" — in fundamentally different ways.

The SSP (System Security Plan) is the centerpiece of a Rev 5 authorization package. It is a structured Word document, often hundreds of pages, that identifies the system, draws the authorization boundary, categorizes data, and then walks through every applicable NIST SP 800-53 control with a written narrative explaining how that control is implemented. A 3PAO reads those narratives, tests a sample, and reports findings in a Security Assessment Report. The artifact is static between assessments: it describes the design and implementation as of a point in time.

Key Security Indicators (KSIs) flip the model. Instead of a control-by-control essay, FedRAMP 20x defines a set of security goals grouped into 11 themes (for example, identity, configuration, monitoring, and incident response). For each KSI, the provider submits an evidence package that is simultaneously machine-readable (so tools and reviewers can parse and validate it programmatically) and human-readable (so a person can understand the claim). Critically, those packages are persistently validated: the status, progress, and outcomes are, in FedRAMP's words, "automatically enforced and validated without human input whenever possible to enable continuous review and enforce ground truth."

The practical difference: an SSP narrative says a control should happen; a KSI evidence package shows, on an ongoing basis, that it is happening — and flags what will automatically occur if it stops.

Source: FedRAMP 20x Overview — fedramp.gov/20x

How does the SSP compare to the KSI approach?

| Dimension | SSP (FedRAMP Rev 5) | KSI approach (FedRAMP 20x) |
|---|---|---|
| Primary artifact | Large narrative document (System Security Plan) | Key Security Indicator evidence packages across 11 themes |
| Format | Word/PDF prose plus appendices and workbooks | Machine-readable and human-readable evidence |
| Typical length | Hundreds of pages of control narratives | Structured evidence keyed to each KSI, not page count |
| Basis | NIST SP 800-53 Rev 5 baseline (Low ~156, Moderate 323, High 410 controls) | Security goals/outcomes validated by KSIs |
| How it is assessed | 3PAO reads narratives, tests a sample, writes a SAR | Automated validation of secure configurations and practices |
| Cadence of truth | Point-in-time; refreshed at annual assessment | Persistent, continuous, automatic validation |
| Update model | Manual edits to documents when the system changes | Evidence updates as the live environment changes |
| Resulting label (2026) | FedRAMP Certified (via the Rev 5 path) | FedRAMP Certified (via the 20x path) |
| Agency sponsor | Typically required in advance | Not required; FedRAMP reviews requests directly |
| Time to authorization | Often years of preparation | Pilot participants authorized in under two months |

Source: FedRAMP Rev5 vs FedRAMP 20x — fedramp.gov/20x and Rev 5 Documents & Templates — fedramp.gov

Does FedRAMP 20x still require an SSP?

FedRAMP 20x does not lean on the traditional 500-page SSP as the engine of assessment. The program is explicitly "designed for automated demonstration of secure configurations and practices," which is a deliberate move away from Rev 5's "extensive written narratives describing static security decisions."

That said, "no narrative essay" is not the same as "no documentation." A 20x submission still needs to define the cloud service offering, its boundary, and the data it handles so reviewers understand what is being validated. What changes is the form and the weight of that documentation: the burden moves from prose that humans must read and trust to evidence that systems can validate continuously. Foundational context still exists; it just stops being the thing an assessor spends most of their time reading.

If you are pursuing a Rev 5 agency authorization today, the SSP is still required, still uses the official FedRAMP PMO template, and still drives the SAP and SAR. If you are pursuing a 20x path, you should plan your program around producing and maintaining KSI evidence — not around writing and re-writing a giant SSP.

Why is FedRAMP moving away from the 500-page SSP?

FedRAMP's own framing is blunt: Rev 5 was "designed for extensive written narratives describing static security decisions," and that model has well-known failure modes. Narratives drift from reality the moment the system changes. Point-in-time assessments tell you a system was compliant in the past, not that it is secure today. And the sheer volume of writing pushes authorization timelines into years.

The 20x rationale rests on a few principles published on fedramp.gov:

  • Accountability over box-checking. "No provider should worry about preparing for a point-in-time audit since the security of the cloud service is continuously and automatically enforced, monitored, and reported."
  • Automatic validation. "A policy that a thing must happen means nothing compared to a continuous report showing how that thing is happening over time and what will automatically occur if it stops."
  • Speed and adoption. The Phase 1 pilot demonstrated that a KSI-based approach "could successfully demonstrate security posture in near real time to replace static yearly manual assessments and narratives while improving confidence and overall security," with some providers authorized in under two months.

In short, the SSP optimized for a reviewer reading a document. KSIs optimize for evidence a machine can keep checking — which is a better fit for cloud systems that change daily.

Source: FedRAMP 20x Phase 1 Recap — fedramp.gov

What does a KSI evidence package look like in practice?

This is where the SSP-versus-KSI distinction becomes concrete, and where the engineering work actually lives.

Take a single security goal — say, enforcing strong, phishing-resistant authentication. Under Rev 5, you would write a narrative for the relevant IA-family controls describing your MFA configuration, then your 3PAO would sample accounts at assessment time and write up the result. Under 20x, that goal is expressed as a KSI, and you produce an evidence package that:

  • Is machine-readable — structured data pulled directly from your identity provider and cloud configuration, so a validator can confirm the state programmatically rather than reading a paragraph about it.
  • Is human-readable — accompanied by a clear, plain-language statement of the claim and how the evidence supports it, so a reviewer (or an Authorizing Official) can understand it without parsing raw JSON.
  • Is persistently validated — wired so the check runs continuously. If a privileged account drops MFA, the evidence reflects that change instead of waiting for next year's assessment.

At Boundera, this is the core of how we help teams move from Rev 5 habits to 20x. The hard part is rarely writing the claim; it is connecting the claim to live sources (cloud provider APIs, identity platforms, scanners) so each KSI is backed by current, validatable evidence rather than a screenshot taken once. For a deeper walkthrough, see our guide on how to automate KSI evidence, and for the full taxonomy of indicators, the FedRAMP 20x KSI guide.
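As an added illustration of the MFA goal described above (this is not code from Boundera or from the FedRAMP program, and the package shape is an assumption rather than an official FedRAMP schema), the following Python builds one evidence package from a constructed identity-provider export: a machine-readable result a validator can check, a plain-language claim a reviewer can read, and a re-evaluation that flips to "fail" when a privileged account drops its phishing-resistant factor. The KSI label and account data are placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample: what an identity-provider export of accounts might look like
# (not a real vendor's API response). Only these factor types count as phishing-resistant.
PHISHING_RESISTANT = {"fido2", "piv"}

def evaluate_mfa(accounts):
    """Machine-readable side: check every privileged account for a phishing-resistant factor.
    Returns (passing, sorted list of non-compliant usernames)."""
    failing = sorted(a["user"] for a in accounts
                     if a["privileged"] and not (PHISHING_RESISTANT & set(a["factors"])))
    return (not failing, failing)

def build_evidence_package(ksi_id, accounts, collected_at):
    """Assemble one evidence package (hypothetical shape, not an official FedRAMP schema):
    the structured data a validator parses plus the plain-language claim a reviewer reads."""
    passing, failing = evaluate_mfa(accounts)
    scope = [a["user"] for a in accounts if a["privileged"]]
    human = (f"All {len(scope)} privileged accounts use phishing-resistant MFA."
             if passing else
             f"{len(failing)} of {len(scope)} privileged accounts lack phishing-resistant MFA: "
             + ", ".join(failing) + ". Validation fails until remediated.")
    return {
        "ksi": ksi_id,  # placeholder label, not a real KSI identifier
        "collected_at": collected_at,
        "status": "pass" if passing else "fail",
        "machine_readable": {"in_scope": scope, "non_compliant": failing,
                             "accepted_factors": sorted(PHISHING_RESISTANT)},
        "human_readable": human,
    }

ACCOUNTS = [  # constructed sample export
    {"user": "alice", "privileged": True, "factors": ["fido2", "totp"]},
    {"user": "bob", "privileged": True, "factors": ["piv"]},
    {"user": "carol", "privileged": False, "factors": ["totp"]},
]

def run_continuous_check(snapshots):
    """Persistent validation: evaluate each successive export, as a scheduled job would,
    and return the status sequence so drift is visible between annual assessments."""
    return [build_evidence_package("KSI-EXAMPLE-MFA", accts, ts)["status"]
            for ts, accts in snapshots]

if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    print(json.dumps(build_evidence_package("KSI-EXAMPLE-MFA", ACCOUNTS, now), indent=2))
    # Later snapshot: bob's PIV factor is replaced with SMS only, so the package flips to "fail".
    drifted = [dict(a, factors=["sms"]) if a["user"] == "bob" else a for a in ACCOUNTS]
    print(run_continuous_check([("t0", ACCOUNTS), ("t1", drifted)]))  # ['pass', 'fail']
```

In a real pipeline the `ACCOUNTS` list would be replaced by a live pull from the identity provider, and the job would run on a schedule so the package always reflects the current state.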

Which approach is right for you?

The honest answer in mid-2026 is: it depends on your path, your timeline, and the impact level you need.

Choose or stay with the Rev 5 SSP path if:

  • You are already deep in an agency authorization, or your sponsoring agency requires it.
  • You need a High baseline today, where the Rev 5 process is the established, proven route.
  • Your buyers specifically ask for a FedRAMP Certification via the Rev 5 path.

Lean toward the 20x KSI path if:

  • You want speed and have engineering capacity to wire up continuous evidence.
  • You do not have an agency sponsor lined up — 20x lets FedRAMP review your request directly.
  • Your security program already runs on automation, IaC, and live telemetry, so producing machine-readable evidence is a natural extension of how you operate.

For most teams the realistic move is to build the KSI evidence pipeline regardless of path, because continuous, validatable evidence makes a Rev 5 authorization easier and positions you for 20x. The two are not opposites so much as two points on a trajectory away from static paperwork. For a fuller breakdown of the documents involved in the traditional path, see our FedRAMP documentation explained guide.

Frequently asked questions

Is the SSP being eliminated by FedRAMP 20x?

Not exactly. FedRAMP 20x is "designed for automated demonstration of secure configurations and practices" rather than the "extensive written narratives" of Rev 5, so the giant control-by-control SSP narrative is no longer the engine of assessment. You still need to define your service, boundary, and data, but the documentation burden shifts heavily toward machine-readable, continuously validated KSI evidence.

How many KSIs are there?

FedRAMP 20x organizes Key Security Indicators into 11 themes. Each KSI is backed by an evidence package that is both machine-readable and human-readable and is persistently validated rather than checked once a year.

What does "machine-readable and human-readable" evidence mean?

It means the same KSI evidence serves two audiences at once: structured data that automated validators and reviewers can parse and check programmatically, and a clear written claim that a person can understand without reading raw data. This dual format is what enables continuous, automatic validation.

Are FedRAMP's 2026 designations called "Certification Classes A–D"?

Partly. Under the 2026 rules, every authorization carries the single label FedRAMP Certified, and the four assessment baselines are named Certification Class A, B, C, and D (replacing Low/Moderate/High). FedRAMP deliberately avoided numbered "levels" to prevent confusion with DoD Impact Levels, and it declined a separate "FedRAMP Validated" label for the 20x path.

Is FedRAMP 20x faster than the Rev 5 SSP process?

In the Phase 1 pilot, yes. FedRAMP reports that pilot participants received authorization in less than two months from start, compared with the years of preparation typically required for a traditional Rev 5 authorization built around the SSP.

Do I still need a 3PAO under FedRAMP 20x?

Independent assessment remains part of FedRAMP, but its nature changes. FedRAMP noted that the assessment process "would need to change entirely from the traditional control-by-control minimum-bar audit approach" toward evaluating the effectiveness of security decisions and validating evidence, rather than reading and questioning narratives line by line.

Can I reuse my existing Rev 5 SSP for a 20x submission?

Your underlying security implementations carry over, but the SSP narrative itself is not the deliverable a 20x submission is built on. You will need to express your security posture as KSI evidence packages. The good news is that the work of connecting controls to live evidence — which Boundera helps automate — benefits both paths.

Last updated: June 2026. Written by the Boundera team.

Next step

If you want to turn this guidance into an execution plan, the product side handles control mapping, SSP drafting, and evidence collection.
