For modern cloud services supporting U.S. government missions, FedRAMP compliance is non-negotiable. This guide demystifies FedRAMP requirements, the authorization journey, and what federal agencies expect from a cloud service provider seeking an Authorization to Operate (ATO).
You’ll learn how the federal risk and authorization management framework aligns with NIST 800-53 controls, what documentation and testing are required, and how to streamline the compliance process without compromising cloud security.
What Is FedRAMP? And Why Does It Matter?

FedRAMP, short for the Federal Risk and Authorization Management Program, standardizes information security for cloud computing across federal agencies. Established in law by the FedRAMP Authorization Act and overseen by the General Services Administration (GSA), the program establishes baseline security controls and an independent security assessment process to protect federal information at each impact level.
For cloud providers, achieving FedRAMP authorization opens the door to the FedRAMP Marketplace and agency authorization opportunities.
The Authorization Landscape: FedRAMP 20x

The FedRAMP authorization landscape has changed significantly in the past year. The legacy dual-path model, JAB Authorization and Agency Authorization, is no longer the framework you need to plan around.
The JAB has been rescinded. As directed by OMB Memorandum M-24-15, the Joint Authorization Board was eliminated, and all cloud services were consolidated under a single FedRAMP Authorized designation.
In its place, FedRAMP proposed FedRAMP 20x in March 2025: a modernized, cloud-native authorization path built on automation and transparency. Key differences from the legacy process:
- No agency sponsorship required. FedRAMP 20x does not require agency sponsorship and relies heavily on automated validation of security controls rather than manual documentation review.
- Key Security Indicators (KSIs) replace traditional control checklists, streamlining how compliance is demonstrated and assessed.
- Rev5 remains active, for now. The existing Agency Authorization path based on FedRAMP Rev. 5 baselines remains valid for those already invested in it, but FedRAMP 20x is the clear direction of travel. Phase 5 of the 20x rollout, planned for FY27 Q3–Q4, is specifically scoped to close off new Rev5 authorizations and provide a transition path for legacy providers.
Where Things Stand Today (As of April 2026)
FedRAMP 20x is being delivered in phases:
- Phase 1 (complete): FedRAMP completed 20x Phase One, which included an initial 12 FedRAMP 20x Low pilot authorizations from 26 pilot submissions.
- Phase 2 (underway): Initially, 13 cloud services were selected for official participation in the 20x Phase 2 pilot, which tests how cloud service providers can effectively meet automated validation requirements for initial and ongoing FedRAMP authorization at the Moderate impact level. Additional participants may join via a Phase 2 Cohort 2.
- Phase 3, wide-scale adoption (coming FY26 Q3–Q4): Wide-scale adoption for Low and Moderate cloud providers is projected for Q3 to Q4 2026. This is when 20x Low and Moderate authorization paths will become publicly available to all providers, not just pilot participants.
Both Rev5 and 20x paths require accredited third-party assessment organizations (3PAOs) and rigorous evidence, but 20x is designed to compress timelines dramatically. Some participating providers achieved authorization in roughly three months during Phase 1, a meaningful shift compared to the 18+ months typical under legacy processes.
Don’t Wait for FedRAMP 20x If You Need High or DoD Impact Levels

FedRAMP 20x is a meaningful leap forward, but waiting for it could cost you deals today.
FedRAMP High is not part of 20x’s immediate future. The current 20x phases cover Low and Moderate impact levels only. A 20x High pilot is planned for Phase 4, estimated for FY27 Q1–Q2, and is specifically scoped to hyperscale IaaS and PaaS providers, not general availability for all cloud service offerings. FedRAMP explicitly states that all future phase timelines are estimated goals and not firm commitments. If your prospects need High today, FedRAMP 20x is not a path they can count on.
DoD Impact Levels run through DISA, not FedRAMP 20x. If your target customers include Department of Defense entities operating at IL2, IL4, IL5, or IL6, those authorizations are governed by the Defense Information Systems Agency (DISA) under the DoD Cloud Computing Security Requirements Guide (CC SRG), a separate framework from FedRAMP 20x entirely. Waiting for 20x to mature will not unlock DoD Impact Level opportunities.
The cost of waiting is real. We are hearing directly from prospects who are hesitant to move forward, assuming FedRAMP 20x will simplify or replace the work ahead. For High and DoD IL environments, that assumption is wrong, and every quarter spent waiting is a quarter your competitors are spending winning those contracts.
The bottom line: If you need FedRAMP High or a DoD Impact Level authorization, start now on the Rev5 path. The mission won’t wait for a pilot that’s a year away, scoped to hyperscale providers, and operating on an uncertain timeline.
Core FedRAMP Requirements and Impact Levels
FedRAMP requirements map to NIST SP 800-53 Rev. 5 controls and scale by impact level: Low, Moderate, and High. Many federal agencies operate at Moderate or High impact, requiring additional security controls and evidence.
Key artifacts continue to include:
- System Security Plan (SSP) and authorization package
- Control implementation details and security assessment evidence
- Plan of Actions and Milestones (POA&M)
- Continuous monitoring deliverables, including vulnerability management reporting
Under FedRAMP 20x, authorization packages are increasingly expected to be machine-readable. FedRAMP Rev5 providers will be required to produce machine-readable authorization packages, with an initial compliance deadline of September 30, 2026, and a hard final deadline of September 30, 2027, after which non-compliant Rev5 authorizations will be revoked, requiring providers to go through a completely new initial authorization process. This is not a soft deadline. Cloud providers should be actively planning for this requirement now.
The FedRAMP Low and Moderate Authorization Process in 2026
For Rev5 (Legacy Path):
- Scoping and categorization: Define the cloud service offering boundary, data types, and impact level, leveraging the new Minimum Assessment Scope (MAS) standard to simplify boundary guidance.
- Gap analysis: Map current security controls against FedRAMP Rev5 controls to identify gaps.
- Documentation and readiness: Develop the SSP and supporting documentation for 3PAO review.
- Independent testing: Undergo a 3PAO security assessment; results compiled into an assessment report and authorization package.
- Agency authorization: A sponsoring agency reviews and issues the ATO. (Note: JAB authorization no longer exists.)
- Continuous monitoring: Maintain compliance through monthly reporting, vulnerability remediation, and change management.
For FedRAMP 20x (Proposed Modernized Path):
- Eligibility and scoping: Determine impact level and monitor FedRAMP’s roadmap for when the 20x path opens to your use case.
- Key Security Indicators (KSI) mapping: Demonstrate compliance through automated, measurable security indicators rather than manual documentation.
- Automated validation: Security posture is validated continuously through automation rather than point-in-time assessment.
- Authorization: No agency sponsor required; FedRAMP issues authorization directly based on validated KSIs.
- Persistent validation: Ongoing compliance is maintained through continuous automated monitoring rather than traditional periodic reporting cycles.
Note: Most cloud service providers should wait until the 20x standards are more informative and third-party tools are widely available before beginning their FedRAMP 20x journey; that moment is approaching with Phase 3 later this year.
Tips for Meeting FedRAMP Requirements in 2026

- Understand which path applies to you. If you’re early in your FedRAMP journey, FedRAMP 20x is the strategic path, but wide-scale availability is set to arrive in FY26 Q3–Q4. If you need FedRAMP High or a DoD Impact Level authorization, do not wait for 20x. High is not a guarantee on the 20x roadmap, and DoD IL requirements flow through DISA under its own framework, so start on Rev5 now.
- Prepare for machine-readable packages now. Whether on Rev5 or 20x, machine-readable authorization data is becoming a core requirement with a hard September 2026 deadline for Rev5 providers.
- Inherit where possible. Leverage inherited controls from your infrastructure provider. Many cloud platforms provide pre-documented inheritance that reduces your control burden significantly.
- Automate evidence collection. Policy-as-code, CI/CD pipelines, and automated evidence collection reduce audit friction and are foundational to the 20x model.
- Monitor the 20x roadmap actively. FedRAMP maintains a living roadmap updated on a biweekly basis, so requirements and timelines continue to evolve as Phase 3 approaches.
- Build a sustainable continuous monitoring cadence. Whether Rev5 or 20x, ongoing vulnerability management and reporting remain mandatory; 20x raises the bar by expecting persistent, automated validation rather than periodic snapshots.
How UberEther Accelerates ATO
UberEther offers two purpose-built paths to the federal market. ATO Advantage is built for organizations pursuing their own FedRAMP authorization: a pre-configured, pre-accredited platform that inherits a significant portion of required controls, with automated documentation and white-glove coordination with 3PAOs and the FedRAMP PMO.
Express Advantage takes a different approach, operating as a FedRAMP as a Service model that lets ISVs leverage UberEther’s existing authorizations to start selling to government customers in weeks rather than months, with no ATO required.
Whether you need to move fast now or build a long-term federal foundation, UberEther has a path for you, and as FedRAMP 20x moves toward wide-scale availability in the second half of 2026, we’re positioned to help clients lead that transition rather than scramble to catch up.
Frequently Asked Questions
How long does authorization take in 2026?
It depends on the path. Rev5 agency authorizations typically take 6–12 months when documentation and testing are well-prepared. FedRAMP 20x is targeting authorization timelines of approximately 3 months for Low and Moderate through automation-driven validation, though wide-scale public availability of 20x is planned for FY26 Q3–Q4.
Is the JAB authorization path still available?
No. The JAB was rescinded under OMB M-24-15. All authorizations now flow through agency authorization (Rev5) or the new FedRAMP 20x process.
What is FedRAMP 20x and when can I use it?
FedRAMP 20x is a modernized authorization framework that replaces manual documentation reviews with automated validation using Key Security Indicators. It does not require agency sponsorship. The Moderate pilot is currently underway, with wide-scale public availability of both Low and Moderate paths planned for FY26 Q3–Q4.
What ongoing activities are required after authorization?
Continuous monitoring remains mandatory: monthly reporting, vulnerability remediation, configuration baselines, and change management. Under FedRAMP 20x, persistent automated validation replaces much of the traditional periodic reporting burden.
Does FedRAMP apply if I only process limited federal information?
Yes. Any federal information processed, stored, or transmitted by your cloud services can trigger FedRAMP applicability. Scope and impact level determine the depth of controls and testing required.
What if my provider already has strong NIST 800-53 controls?
You can inherit many platform-level controls. However, you must still document all cloud products and services used, implement any remaining FedRAMP controls, and provide proof through the assessment process or, under 20x, through automated KSI validation.
Conclusion

FedRAMP compliance doesn’t have to stall your roadmap, and in 2026, the program is evolving faster than ever. With the JAB gone, FedRAMP 20x’s Moderate pilot underway, and wide-scale availability of the new authorization paths on the horizon for FY26 Q3–Q4, cloud providers who align now to the automation-first model will have a decisive advantage.
But modernization doesn’t mean waiting. If your federal opportunities require FedRAMP High or DoD Impact Level certifications, those paths run through DISA and existing Rev5 frameworks today, and the agencies you’re selling to can’t afford to wait for a rollout with an uncertain timeline.
By leveraging inherited security controls, automating evidence, and partnering with experts who track the FedRAMP 20x roadmap in real time, you can reach the FedRAMP Marketplace faster while meeting the evolving needs of federal agencies.
Ready to accelerate your FedRAMP authorization? Talk to UberEther about ATO Advantage or Express Advantage today. Our platform and services are built for FedRAMP High and DoD IL5 environments, and we’re ready to help you navigate the transition to FedRAMP 20x so you can win more missions, faster.