
FedRAMP Revision 5 Updates: What CSPs Need to Know

On November 18, 2025, the FedRAMP Program Management Office (PMO) published a blog post detailing key updates to FedRAMP Revision 5 documentation, signaling the transition toward FedRAMP 20x and major changes to the FedRAMP Significant Change process and its definition. The future of FedRAMP is here. Keep reading to see our take on what the future holds and how it will affect CSPs.

Summary of the Revision 5 Update 

FedRAMP ConMon Playbook 

The PMO has consolidated Continuous Monitoring materials into a single document. Additionally, they’ve aligned the Significant Change process with the recently closed Significant Change Notification RFC, defining three categories of significant changes: Routine Recurring, Transformative, and Adaptive. 

Routine Recurring Changes 

These changes are defined as “performed regularly and routinely by CSPs to address flaws or vulnerabilities, address incidents, and generally perform the typical maintenance and service delivery changes expected during day-to-day operations”. 

Transformative Changes 

These changes are to be rare occurrences. Transformative changes do not alter the CSO’s risk profile or significantly impact the CSP’s processes to address customer responsibilities. Transformative changes will typically involve major impacts to change system design and/or development and require applicable testing, project planning, budgeting, and marketing. Additionally, Transformative Changes may result in major impacts in how security requirements are tested and/or validated. 

Adaptive Changes 

These changes are frequently performed and involve service improvements or modifications to existing functionality and deployment of new functionality. These changes are made transparent to customers. 

Significant Changes Summary  

| Change Type | Characteristics | Examples | Require Agency AO Review and Approval? |
|---|---|---|---|
| Routine Recurring | Performed regularly to address flaws and/or vulnerabilities (i.e. typical maintenance) | Provisioning or deprovisioning capacity to support service elasticity and changing or tuning performance configurations for instances or services; Out of band patches for vulnerability remediation; Updated golden image rotation | No |
| Transformative | Major impacts to change system design / development. Requires testing, project planning, budgeting, and/or marketing changes. | Implementation of new MFA provider; Implementation of new change management process (i.e. ticketing system replacement); Implementation of new external service provider | Yes |
| Adaptive | Service improvements/modifications to existing functionality | Replacing comparable components where required; Larger than normal feature improvements that aren’t considered major new services; Implementing newly validated crypto modules to replace expired modules | Yes |

FedRAMP Agency Authorization & FedRAMP CSP Authorization Playbooks 

These documents have been updated to remove outdated versions of guidance. Although there aren’t any major impacts to the Agency Authorization and CSP Authorization processes, these updates continue to demonstrate the PMO’s efforts to make life easier for Agencies and CSPs alike. No groundbreaking changes to the Agency Authorization process are detailed in this document.

FedRAMP 20x Phase 2 Fast Approaching

In March 2025, GSA announced FedRAMP 20x, an industry-wide, GSA-led initiative focused on making the FedRAMP authorization process more efficient and cost-effective, with particular focus on automating evidence gathering for FedRAMP assessments as well as streamlining the FedRAMP Assessment process itself. In July, InfusionPoints Command Center on XBU40 received FedRAMP 20x Low Authorization as a part of the first FedRAMP 20x Pilot cohort. This effort involved the development of new automated evidence validation techniques to align with the FedRAMP 20x Key Security Indicators and address agency scalability concerns regarding point-in-time security validation.

The timeline for FedRAMP 20x Phase 2 was finalized on November 18, 2025, as the Federal government shutdown came to an end. The FedRAMP 20x Phase 2 Pilot cohorts open beginning on December 1, 2025. The authorization process will include a proposal period, initial package submission, a 3PAO assessment, and a final package submission for GSA review.

FedRAMP Rev5 Coming to an End? 

The FedRAMP Revision 5 authorization process is coming to an end. This change is expected at the end of Fiscal Year 2027, as detailed in the updated Agency Authorization and CSP Authorization playbooks.

FedRAMP will be transitioning to the FedRAMP 20x Authorization process, reducing the required time for assessments and ensuring agencies and customers have visibility into live security validation status, as opposed to relying on point-in-time security validation evidence gathered during the current FedRAMP Rev5 process. Adopting the FedRAMP 20x Authorization processes will be vital for CSPs to ensure their FedRAMP Authorizations continue once the transition to 20x authorizations across the board is complete. The first wave of new requirements comes due on January 5, 2026.

We have more blogs coming on this soon! Stay tuned! 
