
From Pilot to Production: What FedRAMP 20X Really Means for Cloud Providers

When FedRAMP 20X was first introduced, one thing was immediately clear: this wasn’t just another incremental update to the authorization process. It was a fundamental shift in how compliance, security, and trust are proven in cloud environments.

On a recent episode of the Behind the Shield podcast, Gary Daemer and I sat down to talk through what FedRAMP 20X actually looks like in practice—how it has evolved from an early pilot into something much closer to production-ready, and what that means for cloud service providers (CSPs), auditors, and agencies alike.

FedRAMP 20X: From Experiment to Execution

When 20X first launched, it felt like a pilot in every sense of the word. New concepts appeared almost overnight—Key Security Indicators (KSIs), machine-readable evidence, and a departure from traditional control-family thinking. 

For organizations like InfusionPoints, this wasn’t entirely new territory. We had already been automating evidence collection, leaning on cloud-native telemetry, and moving away from screenshots long before 20X existed. Still, the pilot phase required something more than technical capability—it required trust.

Trust from 3PAOs. 
Trust from agencies. 
Trust that the data being pulled was accurate, complete, and tamper-proof.

That first phase was about proving a simple but powerful idea: security and compliance can be validated automatically, continuously, and transparently.

Phase two is where things mature.

Phase Two: Proving Effectiveness, Not Just Existence

One of the biggest shifts in FedRAMP 20X phase two is the move from asking:

“Is the control there?”

to:

“Is the control actually working—and how well?”

It’s the difference between saying you have security groups and proving that they’re actively blocking what they’re supposed to block. It’s not enough to show configuration anymore; effectiveness and persistence now matter.

KSIs have expanded. Checks are deeper. Explanations are required.

At InfusionPoints, one of the simplest but most impactful additions we made in phase two was embedding explainability into our KSIs—clearly articulating not just what the system reports, but why the evidence can be trusted and how it meets the intent of the requirement.

That narrative matters, especially when agencies are evaluating whether 20X is something they can rely on operationally.

Continuous and Persistent: The End of Point-in-Time Compliance

Traditional FedRAMP audits were point-in-time snapshots—screenshots frozen in place, often weeks or months old by the time anyone reviewed them.

FedRAMP 20X replaces that model with something far more powerful: persistent validation.

Controls are checked continuously. 
Baselines are established. 
Drift is detected immediately.

From a security operations perspective, this is a game-changer. Many real-world incidents don’t happen because controls were never implemented—they happen because something changed. A troubleshooting rule left behind. A temporary exception that became permanent.

With continuous checks, that kind of drift doesn’t hide for months. It triggers alerts. It creates tickets. It gets addressed before it becomes an incident.

For agencies, this creates a new level of confidence. You didn’t just prove compliance yesterday—you’re proving it right now.

Machine-Readable Evidence and Faster Authorizations

“Machine-readable” has become one of the most important phrases in the 20X conversation, and for good reason.

When evidence is structured, consistent, and accessible via APIs:

  • 3PAOs can automate reviews
  • Agencies can validate findings independently
  • The FedRAMP PMO can accelerate approvals

This doesn’t just shorten audits—it reshapes them.

Instead of drowning in hundreds of thousands of pages of documentation, reviewers can analyze trends, spot risks, and even look backward in time to see how an environment has behaved historically.

That visibility enables something entirely new: ATO monitoring.

Agencies can see, at a glance, whether their authorized systems remain compliant over time—and intervene early when something starts to slip.
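As an added illustration (not code from the podcast, InfusionPoints, or the FedRAMP program), the Python check below ties together the ideas from the last two sections: an approved baseline, a continuous comparison that flags drift such as a troubleshooting rule left behind, and machine-readable evidence that carries its own explanation. The rule tuples, the KSI identifier and the evidence layout are constructed for the example and are not the FedRAMP 20X schema.

```python
import json

# Constructed sample: approved baseline of security-group ingress rules as
# (protocol, port, source CIDR). HTTPS open to the internet, SSH only from
# the internal range.
BASELINE = {
    ("tcp", 443, "0.0.0.0/0"),
    ("tcp", 22, "10.0.0.0/8"),
}

# Constructed sample of what a cloud API returns today: SSH was widened to
# the internet during troubleshooting and the change was never reverted.
CURRENT = {
    ("tcp", 443, "0.0.0.0/0"),
    ("tcp", 22, "10.0.0.0/8"),
    ("tcp", 22, "0.0.0.0/0"),
}


def _rule_dict(rule):
    protocol, port, source = rule
    return {"protocol": protocol, "port": port, "source": source}


def evaluate_ksi(baseline, current, ksi_id="KSI-EXAMPLE-SG"):
    """Compare live rules against the baseline and return machine-readable
    evidence. The KSI id and field names are assumptions for illustration."""
    added = sorted(current - baseline)      # rules present now but not approved
    removed = sorted(baseline - current)    # approved rules that disappeared
    passed = not added and not removed
    if passed:
        explanation = "All ingress rules match the approved baseline."
    else:
        explanation = (
            f"Drift detected: {len(added)} rule(s) added and {len(removed)} "
            "removed relative to the approved baseline. Added rules were not "
            "part of the approved change set and widen the exposed surface."
        )
    return {
        "ksi": ksi_id,
        "status": "pass" if passed else "fail",
        "baseline_rule_count": len(baseline),
        "observed_rule_count": len(current),
        "added": [_rule_dict(r) for r in added],
        "removed": [_rule_dict(r) for r in removed],
        "explanation": explanation,
    }


def to_evidence_json(result):
    """Serialise the evidence so a 3PAO or agency tool can consume it."""
    return json.dumps(result, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_evidence_json(evaluate_ksi(BASELINE, CURRENT)))
```

Run on a schedule against each in-scope environment, a "fail" result is the point at which a ticket or alert is raised rather than waiting for the next audit.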

Transparency as a Security Principle

One word kept coming up in our discussion: transparency.

FedRAMP 20X encourages CSPs to expose the truth of their environments—good or bad—through real data. This aligns closely with how modern security operations already work. Threat intelligence, indicators of compromise, and shared telemetry make everyone stronger.

The same principle applies to compliance.

Transparency builds trust. 
Trust accelerates adoption. 
Adoption strengthens the ecosystem.

That’s why InfusionPoints has always pushed against information gatekeeping. Whether through tooling, partnerships, or conversations like this podcast, informed customers make better security and business decisions.

Who Is Ready for FedRAMP 20X?

Not every CSP will be ready for 20X the moment the pilot concludes—and that’s okay.

The organizations best positioned to move quickly tend to:

  • Use cloud-native architectures
  • Leverage built-in security services (Config, GuardDuty, Security Hub, etc.)
  • Expose data through APIs
  • Operate modern CI/CD pipelines

For those providers, the question isn’t if they should pursue 20X, but how fast they want to get to market.

That’s where platforms like XBU40 come into play—providing a hardened, pre-authorized foundation that already satisfies the majority of KSIs, leaving CSPs to focus on what makes their application unique.

Build, Manage, Defend—Evolved for 20X

FedRAMP 20X reinforces something we’ve believed for years: authorization isn’t a milestone, it’s an operating model.

Security must be:

  • Engineered
  • Maintained
  • Measured continuously

Our “Build, Manage, Defend” approach has evolved alongside this reality. Testing didn’t disappear—it became embedded into operations. Evidence didn’t vanish—it became live data. Compliance didn’t slow innovation—it enabled faster delivery.

And that’s the real promise of FedRAMP 20X.

Looking Ahead

Six to nine months ago, FedRAMP 20X felt like a high-speed train pulling into the station. Fast. Unfamiliar. Risky.

Today, it feels like the right direction.

The ecosystem is forming. The tooling is maturing. Agencies are paying attention. And for organizations willing to trust the process, the payoff is clear: faster authorizations, stronger security, and real-time assurance.

FedRAMP isn’t just changing how we authorize systems—it’s changing how we think about trust in the cloud.

And that’s long overdue.

Check out the full discussion here: FedRAMP 20x Phase 2: Building Trust, Transparency, and ATO Monitoring at Scale