866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO 20000-1
ISO 14001
ISO 45001
ISO 50001
Privacy Assessments
Privacy Assessments
Global CBPR & PRP Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
MTCS Certification
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

Avani Desai

By: Avani Desai

Print/Save as PDF

FedRAMP 20x Low Baseline Pilot: Modernizing Federal Cloud Authorization

FedRAMP | Federal Assessments

Published: Dec 15, 2025

The new FedRAMP 20x low baseline pilot is the most significant modernization of federal cloud security in more than a decade, and it could represent a big opportunity for cloud service providers looking to enter or expand within the federal marketplace. 

How FedRAMP 20x Shortens the Path to Authorization 

Designed to transform how cloud security is evaluated, FedRAMP 20x removes the agency sponsorship barrier, allowing providers to now move forward independently rather than requiring a sponsoring federal agency before beginning the authorization process.  

Just as impactful is the shift away from a documentation-heavy compliance model. FedRAMP 20x replaces traditional, static paperwork with automation and machine-readable compliance packages, enabling a more efficient and scalable assessment process. Rather than relying on lengthy narratives and manual evidence reviews, providers can now demonstrate compliance through real-time, verifiable data. 

Another fundamental change is the introduction of Key Security Indicators (KSIs). FedRAMP 20x focuses on 51 measurable indicators that emphasize continuous assurance and are designed to show that security controls are not only implemented, but actively operating and effective. 

This shift aligns more closely with how modern cloud environments function and how security is managed in practice, bringing the potential to significantly accelerate timelines, to weeks instead of years. 

Moving Forward with FedRAMP 20x 

The appeal of FedRAMP 20x is already clear and growing. A growing number of cloud-native SaaS organizations are exploring this pathway as a faster, more realistic way to enter the federal space. Many of these companies already rely on automated monitoring, logging, and security tooling and FedRAMP 20x allows them to leverage those existing capabilities, rather than retrofitting their environments to fit outdated compliance models. 

To succeed under the new framework, organizations must still approach FedRAMP 20x with rigor and proper preparation. Mapping existing controls to the KSI framework, building machine-readable compliance artifacts, and integrating automated evidence collection are all critical steps. 

While the FedRAMP 20x Low Baseline Pilot is just the beginning, it sets a strong precedent for how federal cloud security assessments are likely to evolve. For organizations ready to move quickly and demonstrate real-time security maturity, FedRAMP 20x offers a timely path forward, and Schellman can help you navigate this new program.  

Contact us today to learn more about the program or how to begin your FedRAMP 20x authorization journey and in the meantime, discover other helpful insights in these additional resources:  

About Avani Desai

Avani Desai is the CEO at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not for profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female only venture philanthropic fund to solve problems related to women and children in the community.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.