FedRAMP 20x Phase Two Pilot, FedRAMP Trust Centers, and Agency Struggles
FedRAMP 20x
In March 2025, the General Services Administration (GSA) launched FedRAMP 20x, a modernization initiative aimed at increasing efficiency in how Cloud Service Providers (CSPs) pursue, obtain, and maintain FedRAMP compliance. This effort emphasizes automation and continuous validation of Key Security Indicators (KSIs), requiring FedRAMP-authorized solutions to prove their security posture through ongoing, real-time checks.
FedRAMP 20x Phase Two
On September 24, 2025, GSA officially announced the FedRAMP 20x Phase Two Pilot, detailing plans to accept and review packages from CSPs seeking FedRAMP Moderate Authorization under the 20x framework. During this announcement, the FedRAMP Program Management Office (PMO) outlined prioritization criteria for Phase Two participants, including a focus on cloud services that provide FedRAMP-compatible trust centers. This prioritization validates InfusionPoints’ strategic investment in developing Command Center on XBU40, particularly the AuditShield module, which was built with the Trust Center concept in mind.
InfusionPoints XBU40
InfusionPoints’ XBU40 platform is a secure, automated landing zone deployment solution designed to accelerate compliance for cloud service offerings targeting FedRAMP and beyond—including authorizations up to DoD Impact Level 5 (IL5). Built with high-assurance environments in mind, XBU40 supports deployment in AWS GovCloud (US) and US East/West regions, and enforces strict controls around information flow, boundary protection, separation of duties, and audit integrity.
The platform integrates native AWS services with enhanced security tooling such as Graylog for SIEM, Nessus and Burp for vulnerability scanning, and supports DevSecOps workflows. It is backed by InfusionPoints’ VNSOC360°, a 24/7/365 Virtual Network and Security Operations Center staffed by U.S. citizens on U.S. soil, providing real-time monitoring, incident response, and forensic analysis.
XBU40 customers also receive Continuous Monitoring and Security Operations services from InfusionPoints’ Cloud Operations and Security Operations teams:
- Continuous Monitoring Services: InfusionPoints monitors security controls, configuration changes, and system health across the authorization boundary. Vulnerability scans, POA&M updates, and deviation tracking are integrated into dashboards for real-time visibility and reporting to authorizing officials.
- Security Operations Services: InfusionPoints delivers Managed Detection and Response (MDR), threat analysis, incident coordination, and forensic support. Customers benefit from monthly security reviews, tailored threat intelligence, and hands-on support during audits and authorization reviews.
Audit-Ready Architecture
XBU40 is designed to make cloud offerings audit-ready, minimizing the effort required by CSPs to implement and document FedRAMP and DoD controls. It includes pre-defined roles, managed identity and access services, and remote access via AWS Workspaces. The platform also integrates with the Command Center, enabling centralized management of compliance artifacts, continuous monitoring dashboards, and validation workflows—all essential for meeting the demands of FedRAMP 20x Phase Two.
FedRAMP Authorization Data Sharing Standard
The FedRAMP Authorization Data Sharing Standard was released to support the goals of FedRAMP 20x by enabling secure, scalable, and reusable access to authorization data across federal agencies. It outlines how cloud service providers must store and share FedRAMP-related materials in a way that supports automation, transparency, and continuous validation.
Key Requirements of the Standard:
- Trust Center Visibility: Must be prominently placed on the provider’s core website and clearly labeled as FedRAMP-related. 
- Marketplace Integration: Must include a direct link to the FedRAMP Marketplace listing. 
- Public Information: Must share service descriptions, contact methods for restricted data, and general FedRAMP materials. 
- Stored Authorization Data: Must include SSPs, POA&Ms, SCNs, incident reports, leveraged services, and other required artifacts. 
- Machine Access: Must provide well-documented APIs for federal agencies. 
- Dual Format Availability: Must offer data in both human-readable and machine-readable formats. 
- Migration Transparency: Providers migrating from the USDA Connect Portal must provide migration details (if applicable). 
- Best Practices Alignment: Should follow FedRAMP’s guidance on storing and sharing data. 
- Access Management: Providers are responsible for managing access and protecting intellectual property. 
InfusionPoints designed the XBU40 platform with these principles in mind—prior to the formal release of the standard. The team has worked proactively to develop a Trust Center that meets and exceeds these requirements, integrating real-time validation, automated evidence collection, and centralized access to authorization data for agencies, 3PAOs, and CSPs.
Mapping Implementation to FRMR.ADS Requirements
1. Trust Center Visibility and Marketplace Integration
Command Center’s Trust Center will be embedded in XBU40’s main site and designed to be easily discoverable by federal stakeholders. It is structured to meet visibility requirements and supports integration with the FedRAMP Marketplace.
2. Publicly Shared Information
Service descriptions within the FedRAMP authorization scope are sourced directly from the System Security Plan (SSP). Public contact channels, including a support email and request form, will be made available for stakeholders seeking access to restricted materials. These elements ensure transparency and accessibility in line with FedRAMP’s expectations.
3. Stored Authorization Data
InfusionPoints maintains a comprehensive document repository that hosts SSPs, assessment artifacts from Fortreum, and incident reports. The Continuous Monitoring (ConMon) dashboard displays POA&Ms, Significant Change Notifications (SCNs), and monthly monitoring outputs. A ticketing dashboard tracks SCNs and incident attachments, while references to leveraged FedRAMP services are included in the SSP. Together, these components fulfill the requirement to store and share all relevant authorization data.
4. Machine Access via API
AuditShield provides live evidence views and artifact mapping to KSIs through well-documented APIs. These APIs, supported by serverless calls, enable real-time validation and attestation, offering federal agencies direct machine access to authorization data.
5. Human-Readable and Machine-Readable Formats
AuditShield outputs are available in both JSON and PDF formats, ensuring that authorization data is accessible in human-readable and machine-readable forms. Dashboards support visual inspection and exportable data views, aligning with FedRAMP’s dual-format requirement.
6. Migration from USDA Connect Portal
This requirement is not applicable to InfusionPoints, as the organization is not migrating from the USDA Connect Secure Repository.
7. Best Practices and Technical Assistance
Authorization data is centralized within Command Center modules such as AuditShield and ConMon. These modules are designed to follow FedRAMP’s best practices for storing and sharing data, and align with both RFC-0011 and the FRMR.ADS standard.
8. Provider Access Responsibilities
The public-facing Trust Center is accessible without login, allowing stakeholders to view general FedRAMP-related materials openly. For access to the private view, InfusionPoints will manage account provisioning upon request from federal agencies. This ensures that sensitive authorization data is securely shared while maintaining control over intellectual property and access permissions.
Addressing Agency Needs
At FedRAMP Day, agency officials voiced concerns about the complexity of managing multiple ATOs. InfusionPoints’ Trust Center approach directly addresses these challenges by automating evidence collection, centralizing reporting, and enabling continuous validation. We support the PMO’s prioritization of Trust Centers and remain committed to advancing secure, efficient FedRAMP compliance.
