
FedRAMP 20x: What SaaS Vendors Must Know Before 2027

FedRAMP 20x replaces Rev5 with 4 cert classes and automated KSIs. Learn what SaaS vendors must do before the September 2027 OSCAL deadline.

DSALTA Team


If your SaaS company is eyeing the federal market, the rules just changed in ways that will either cut your time to authorization in half — or catch you completely off guard if you ignore the transition.

FedRAMP 20x is the most significant redesign of federal cloud authorization since the program launched in 2011. It replaces multi-year paperwork marathons and PDF-based System Security Plans with automated, machine-readable validation against your live infrastructure. Four new Certification Classes replace the old Low, Moderate, and High levels. Key Security Indicators replace narrative control descriptions. And a hard OSCAL conversion deadline in September 2027 means every currently authorized SaaS vendor has a countdown clock running right now.

This guide covers every deadline, every class, what KSIs actually require from your engineering team, and how your existing SOC 2 or ISO 27001 investment positions you going into 20x.

Why FedRAMP Needed a Complete Redesign

By early fiscal year 2025, the FedRAMP Program Management Office described itself as operating in crisis. Nearly all team resources had been redirected toward clearing an authorization backlog. New cloud services were facing two- to three-year authorization timelines. All-in costs for a traditional FedRAMP Moderate authorization were routinely running $500K to $2 million or more.

Several compounding problems drove the redesign. Rev5's authority came from a 2011 Federal CIO memo with no statutory backing. Authorizations were built around written narratives and PDF-based SSPs that bore no relationship to how modern cloud systems actually operate. The PMO processed more than 100 Rev5 authorizations in 2025 without a single submission in the machine-readable OSCAL format the program nominally supported. And duplicate agency reviews layered additional work on top of reviews other agencies had already performed.

The 2022 FedRAMP Authorization Act — Public Law 117-263 — gave the program statutory backing for the first time and created the mandate to modernize. FedRAMP 20x is the result. Federal CIO Greg Barbaccia framed the intent plainly at the Phase 2 launch: "We want to accept existing commercial frameworks and documentation, saving you time, saving you money."

The shift is not about making authorization easier. It is about moving where the work lives — from document production to continuous, automated security validation against running systems.

The Four Certification Classes: A Complete Breakdown

Under CR26, the Consolidated Rules for 2026 (scheduled for final publication in June 2026), FedRAMP replaces the impact-level labels with four Certification Classes. Here is exactly what each one covers.

Class A — The Transitional Entry Point

Class A is a new pilot baseline built specifically for providers who already hold qualifying external security frameworks. The most commonly leveraged framework for agency pilot authorizations today is SOC 2 Type II, and that is where FedRAMP is starting for 20x Class A certifications.

Class A is explicitly transitory. Providers who receive a Class A certification are given two years — extended from an originally proposed one year following public comment — to obtain a Class B, C, or D certification. Class A replaces the current "FedRAMP Ready" label, which retires on July 28, 2026. CSPs currently holding a Ready designation can convert to Class A after review by November 2026.

One critical clarification from the FedRAMP PMO: Class A is the only class that leverages external frameworks. No reciprocity is intended or will be granted for Class B, C, or D. Your SOC 2 or ISO 27001 documentation gives you a faster, cleaner path to Class A. It does not give you a shortcut past the KSI requirements for the classes above it.

Class B — Replaces Low

Class B maps to the current low-impact baseline and covers SaaS systems handling public federal information where a breach would have limited adverse effects. It also absorbs the Li-SaaS (Lightweight SaaS) designation.

Class B is where FedRAMP 20x first proved its concept. Phase 1 of the pilot, which ran from April through September 2025, accepted 26 submissions and granted 12 pilot authorizations — in some cases in under two months, compared to the 18 to 24 months typical under Rev5. No agency sponsor is required for Class B under the 20x path. Class B requires meeting 56 Key Security Indicators.

Class C — Replaces Moderate

Class C maps to the current Moderate baseline and requires approximately 323 to 325 controls. It is the center of gravity for the FedRAMP program — roughly 80 percent of currently authorized cloud services operate at this level, and it remains the primary target for most SaaS vendors entering the federal market.

What changes dramatically under Class C is how compliance is demonstrated. Like Class B, providers must meet KSIs, with 61 required for the Moderate baseline. Continuous automated validation replaces the point-in-time annual assessments that characterized Rev5 Moderate authorizations. Phase 2 of the 20x pilot, limited to 13 selected CSPs, tested the Moderate approach through March 2026, and Phase 3 opens Class C to all qualifying providers between July and September 2026 (the final quarter of FY2026).

Class D — Replaces High

Class D maps to the current High baseline and is reserved for systems that process, store, or transmit data where a breach would cause severe or catastrophic consequences: law enforcement data, national security information, critical infrastructure, and healthcare records at the highest sensitivity levels.

Class D requires approximately 410-421 controls and is the most demanding tier in the program. Critically, there is no 20x path for Class D — not now, and not in the initial roadmap. Class D must always go through the Agency authorization path with a specific agency sponsor. DoD Moderate Equivalency has no crossover value toward any FedRAMP certification class; FedRAMP will not recognize it and has been explicit about this. The PMO has not announced a specific KSI count for Class D as of May 2026.

At a Glance: The Four Certification Classes

Class | Maps To                    | KSIs | Agency Sponsor Required | 20x Path Available
A     | External framework (SOC 2) | TBD  | No                      | Yes
B     | Low / Li-SaaS              | 56   | No                      | Yes
C     | Moderate                   | 61   | No                      | Yes
D     | High                       | TBD  | Yes (always)            | No

Every Deadline That Matters: The FedRAMP 20x Timeline

Date                           | What Happens
June 2026                      | CR26 (Consolidated Rules 2026) final publication; codifies all class requirements and KSI mappings
July 28, 2026                  | "FedRAMP Ready" label officially retired; replaced by the Class A baseline
July–Sep 2026                  | Phase 3 opens: Class B and Class C open to all qualifying providers
September 30, 2026             | All new Rev5 authorization submissions must be in machine-readable OSCAL format
November 2026                  | Deadline for current "FedRAMP Ready" holders to convert to Class A
December 31, 2026              | CR26 takes effect as the FedRAMP baseline through December 2028
FY27 Q1–Q2 (Oct 2026–Mar 2027) | FedRAMP pilots the Class D (High) authorization path
FY27 Q3–Q4 (Apr–Sep 2027)      | FedRAMP stops accepting new Rev5-based authorizations
September 30, 2027             | Existing authorized providers must convert all packages to OSCAL or face authorization revocation

The September 2027 OSCAL conversion deadline is the one most currently authorized SaaS vendors are underestimating. It applies to every existing ATO holder — not just new applicants. Providers still operating under legacy documentation workflows without an OSCAL conversion plan will face authorization revocation, not just a delayed renewal.

What KSIs Actually Are — and What They Require From Your Engineering Team

Key Security Indicators are the most important concept change in FedRAMP 20x, and the most frequently misunderstood.

A KSI is not a new security control. It is a measurable security outcome that must be validated through automation rather than described in a narrative document. Instead of writing a narrative stating that you enforce multi-factor authentication, your architecture must output machine-readable logs that prove phishing-resistant MFA is active and enforced. The KSI is verified against your running infrastructure, not against your documentation.

This distinction changes where the compliance work lives. Under Rev5, compliance was primarily a documentation exercise — writing SSPs, control narratives, and evidence packages. Under FedRAMP 20x, compliance is an engineering exercise. Your systems must be designed to continuously emit the evidence that validates your KSIs.

The published KSI clusters, based on Phase 1 and Phase 2 pilot outcomes, cover these security domains:

KSI-IAM — Identity and Access Management. Phishing-resistant multi-factor authentication enforced for all users. Privileged access managed through dedicated accounts with just-in-time provisioning. Non-human identities inventoried and access-reviewed.

KSI-ENCRYPT — Encryption. Data encrypted at rest and in transit using FIPS 140-2 or 140-3 validated cryptographic modules. Key management processes documented and automated.

KSI-VUL — Vulnerability Management. Continuous automated scanning of running infrastructure with documented remediation SLAs by severity class. Evidence generated from live systems, not manual scan reports.

KSI-IR — Incident Response. Automated detection and alerting with documented mean-time-to-detect targets. Incident handling procedures codified and machine-testable.

KSI-CM — Configuration Management. Infrastructure-as-code with version-controlled configurations. Drift detection automated and alerting integrated with your continuous monitoring pipeline.

KSI-AUD — Audit and Logging. Centralized, tamper-evident logging for all privileged actions. Log retention aligned to federal requirements. Evidence exportable in OSCAL-compatible format.

Each KSI maps to multiple underlying NIST SP 800-53 controls. The alignment with NIST remains mandatory. What 20x changes is how compliance is proven, in real time against running systems rather than on paper; it does not drop the NIST control baseline.

How Your SOC 2 and ISO 27001 Work Carries Over

If you hold a SOC 2 Type II or ISO 27001 certification, you are better positioned for FedRAMP 20x than you may realize — with one important caveat.

What carries over directly:

Your existing access control documentation, encryption configurations, incident response procedures, and audit logging practices are exactly what KSI validation requires. SOC 2 Type II already tests many of these controls through evidence production; the FedRAMP 20x shift asks you to automate that evidence generation rather than produce it manually. The work you have done to pass a SOC 2 audit is foundational, not redundant.

For Class A specifically, SOC 2 Type II is the most common approved framework for initial certification. The FedRAMP PMO identified SOC 2 Type II as the starting point for the external framework leverage program because it is what agencies have most commonly used for pilot authorizations. If you have a current SOC 2 Type II report, you have the core documentation basis for a Class A application.

For Class B and Class C, Workstreet's February 2026 analysis is accurate: "If you've already completed SOC 2 or ISO 27001, the pathway to FedRAMP 20x is much clearer than you may expect." The control foundations transfer. What you must add is the automation layer — the infrastructure that continuously generates machine-readable KSI evidence rather than producing evidence on request for an annual audit.

What does not carry over:

FedRAMP's PMO has been unambiguous: there is no reciprocity between external frameworks and Class B, C, or D certification beyond the transitional Class A path. Your SOC 2 report does not substitute for Class B KSI validation, and it does not reduce the control count for Class C. It gives you a head start on the technical controls that underpin KSI compliance — not a pass on the KSIs themselves.

DoD Moderate Equivalency has zero carryover value. The PMO has explicitly stated FedRAMP will make no commitments based on it.

The OSCAL Requirement: What Every SaaS Vendor Must Do by September 2027

OSCAL — the Open Security Controls Assessment Language — is the machine-readable format that FedRAMP 20x uses for all compliance documentation. It replaces PDF-based System Security Plans with JSON or XML documents that automated tools can validate and process.

RFC-0024, published January 13, 2026, made OSCAL mandatory for all FedRAMP providers — not just 20x applicants. The timeline creates two gates:

September 30, 2026: All new Rev5 authorization submissions must be in OSCAL format. If you are pursuing Rev5 authorization (still valid through FY2027 Q3-Q4) and your submission is not in OSCAL, it will not be accepted.

September 30, 2027: All existing authorized providers must have converted their compliance packages to OSCAL. Failure to convert by this date risks authorization revocation. FedRAMP processed 100+ Rev5 authorizations in 2025 without a single OSCAL submission; the gap between program expectation and actual practice was total. That ends with the September 2026 deadline for new submissions.

Practical steps to prepare:

First, inventory your existing SSP documentation and identify which sections can be converted from narrative to structured OSCAL JSON. FedRAMP validation tooling is available on GitHub and can check converted files before submission.

Second, establish a master compliance data source that can generate OSCAL outputs automatically rather than treating OSCAL as a one-time conversion project.

Third, treat compliance as code: store OSCAL documents in version control, automate generation on infrastructure changes, and build OSCAL validation into your CI/CD pipeline as a standard check.

Organizations that invest in OSCAL tooling now will have a material advantage in both authorization speed and ongoing continuous monitoring burden reduction.
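The second and third steps above, generating OSCAL from a master data source and gating it in CI, as an added example that is not FedRAMP's validation tooling, NIST's OSCAL tools, or DSALTA's code. It builds a minimal OSCAL 1.1-shaped System Security Plan from a constructed control-to-evidence mapping and runs a structural pre-flight check on it before the official validators would. The control mapping, evidence paths, profile href and the pinned OSCAL version are assumptions for the example, and the pre-flight check deliberately covers only a handful of fields (the full SSP schema requires far more, including system-characteristics and system-implementation); it is meant to fail fast in CI on the mistakes a generator is most likely to make, not to replace FedRAMP's validators.

```python
"""OSCAL SSP generator plus CI pre-flight check (added example, not FedRAMP tooling)."""
import json
import re
import sys
import uuid
from datetime import datetime, timezone

OSCAL_VERSION = "1.1.2"                               # assumption: the OSCAL release you target
CONTROL_ID = re.compile(r"^[a-z]{2}-\d+(\.\d+)*$")     # OSCAL-style ids such as ia-2 or ac-2.1

# Constructed master mapping (control id -> implementation remark + evidence pointer).
# In a real pipeline this is queried from your evidence store, never hand-edited.
CONTROL_EVIDENCE = {
    "ia-2": {"remarks": "Phishing-resistant MFA enforced for all users at the IdP.",
             "evidence": "ksi-iam/evidence-2026-05-15.json"},
    "sc-13": {"remarks": "TLS 1.2+ using FIPS 140-3 validated modules.",
              "evidence": "ksi-encrypt/tls-scan-2026-05-15.json"},
    "au-2": {"remarks": "Privileged actions logged to the central, tamper-evident store.",
             "evidence": "ksi-aud/log-coverage-2026-05-15.json"},
}


def build_ssp(control_evidence, system_name, last_modified=None):
    """Emit an OSCAL-shaped SSP with one implemented-requirement per mapped control."""
    ts = last_modified or datetime.now(timezone.utc).isoformat()
    reqs = []
    for cid, info in sorted(control_evidence.items()):
        reqs.append({
            "uuid": str(uuid.uuid4()),
            "control-id": cid,
            "links": [{"href": info["evidence"], "rel": "evidence"}],
            "remarks": info["remarks"],
        })
    return {"system-security-plan": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": f"{system_name} System Security Plan",
                     "last-modified": ts, "version": "1.0",
                     "oscal-version": OSCAL_VERSION},
        # Assumption: replace with the FedRAMP baseline profile you import.
        "import-profile": {"href": "./fedramp-profile.json"},
        "control-implementation": {
            "description": "Generated from the control evidence source.",
            "implemented-requirements": reqs,
        },
    }}


def _is_rfc4122(value):
    """OSCAL uuids must be RFC 4122 version 4 or 5."""
    try:
        return uuid.UUID(str(value)).version in (4, 5)
    except ValueError:
        return False


def preflight_check(doc):
    """Return a list of problems; an empty list means the pre-flight passes."""
    problems = []
    ssp = doc.get("system-security-plan")
    if not isinstance(ssp, dict):
        return ["missing top-level system-security-plan object"]
    if not _is_rfc4122(ssp.get("uuid")):
        problems.append("ssp uuid is not an RFC 4122 v4/v5 UUID")
    meta = ssp.get("metadata", {})
    for key in ("title", "last-modified", "version", "oscal-version"):
        if key not in meta:
            problems.append(f"metadata missing {key}")
    if meta.get("oscal-version") != OSCAL_VERSION:
        problems.append(f"oscal-version {meta.get('oscal-version')!r} != {OSCAL_VERSION}")
    try:
        if datetime.fromisoformat(meta.get("last-modified", "")).tzinfo is None:
            problems.append("last-modified has no timezone offset")
    except ValueError:
        problems.append("last-modified is not an ISO 8601 timestamp")
    if "href" not in ssp.get("import-profile", {}):
        problems.append("import-profile missing href")
    reqs = ssp.get("control-implementation", {}).get("implemented-requirements", [])
    seen = set()
    for i, req in enumerate(reqs):
        cid = req.get("control-id", "")
        if not CONTROL_ID.match(cid):
            problems.append(f"requirement {i}: control-id {cid!r} is not lowercase OSCAL form")
        if cid in seen:
            problems.append(f"requirement {i}: duplicate control-id {cid}")
        seen.add(cid)
        if not _is_rfc4122(req.get("uuid")):
            problems.append(f"requirement {i}: uuid is not RFC 4122 v4/v5")
    return problems


if __name__ == "__main__":
    # CI usage: generate, print the document, and fail the job on any pre-flight problem.
    document = build_ssp(CONTROL_EVIDENCE, "Example SaaS")
    json.dump(document, sys.stdout, indent=2)
    issues = preflight_check(document)
    for issue in issues:
        print("PREFLIGHT:", issue, file=sys.stderr)
    sys.exit(1 if issues else 0)
```

Run it as a pipeline step so a non-zero exit blocks the merge; the official FedRAMP and NIST OSCAL validators then run on the artifact this step produced, which is the point of keeping generation deterministic from one data source.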

What to Do in the Next 30 / 60 / 90 Days

Days 1–14: Audit your current compliance position. If you hold a SOC 2 Type II report, identify which controls directly map to FedRAMP KSI clusters — IAM, encryption, vulnerability management, logging, configuration management. This mapping exercise will show you the delta between your current posture and KSI-ready automation.

Days 15–30: Make the Rev5 vs. 20x path decision. If you are currently authorized under Rev5, the question is whether to pursue 20x proactively or convert under the September 2027 mandate. If you are new to FedRAMP, the 20x path for Class B or Class C is almost always preferable to Rev5 given the closing timeline on new Rev5 acceptance. Begin OSCAL tooling evaluation regardless of path.

Days 31–60: If pursuing 20x, instrument your first KSI cluster for automated evidence generation. Start with KSI-IAM — phishing-resistant MFA is the most auditor-visible control and the one most commonly enforced through existing identity provider configurations. Configure your infrastructure to emit the machine-readable evidence KSI-IAM validation requires.

Days 61–90: For existing authorized providers, begin OSCAL conversion planning with a target of completing the conversion well before the September 2027 mandate. A grace period with a hard deadline is not the same as flexibility — organizations that wait until Q2 2027 will find 3PAO capacity constrained by every other provider attempting the same conversion simultaneously.
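The KSI-IAM instrumentation described in the Days 31–60 step, and the point made earlier that a KSI is validated against running infrastructure rather than a narrative, as an added example that is not FedRAMP's, an IdP vendor's, or DSALTA's code. It evaluates a constructed user inventory and a constructed JSON-lines authentication export against three outcomes the article lists under KSI-IAM (phishing-resistant MFA enrolled and enforced for every user, no weak fallback factor on privileged accounts, non-human identities access-reviewed) and emits a machine-readable evidence record with a hash of the inputs it judged. The authenticator names, the log field layout, the 90-day review window and the sample identities are assumptions for the example; map them onto your own identity provider's exports.

```python
"""KSI-IAM evidence check (added example; not FedRAMP, IdP vendor or DSALTA code)."""
import hashlib
import json
from datetime import date, datetime, timezone

# Assumption: these authenticator names stand in for your IdP's method identifiers.
PHISHING_RESISTANT = {"fido2", "webauthn", "piv", "cac"}
REVIEW_MAX_AGE_DAYS = 90            # assumption: access-review window for non-human identities
EVALUATION_DATE = date(2026, 5, 15)

# Constructed user inventory; "kind": "service" marks a non-human identity.
USERS = [
    {"id": "alice", "active": True, "privileged": True, "methods": ["fido2"]},
    {"id": "bob", "active": True, "privileged": False, "methods": ["fido2", "totp"]},
    {"id": "carol", "active": True, "privileged": False, "methods": ["sms"]},
    {"id": "dave", "active": False, "privileged": True, "methods": ["sms"]},
    {"id": "ci-deployer", "active": True, "privileged": True, "kind": "service",
     "methods": [], "last_access_review": "2026-04-01"},
    {"id": "backup-agent", "active": True, "privileged": True, "kind": "service",
     "methods": []},
]

# Constructed authentication events in a hypothetical JSON-lines export format.
AUTH_LOG = """
{"ts": "2026-05-01T10:00:00Z", "user": "alice", "result": "success", "factor": "fido2"}
{"ts": "2026-05-01T10:05:00Z", "user": "bob", "result": "success", "factor": "totp"}
{"ts": "2026-05-01T10:07:00Z", "user": "carol", "result": "success", "factor": "sms"}
{"ts": "2026-05-01T10:09:00Z", "user": "mallory", "result": "failure", "factor": "sms"}
"""


def parse_auth_log(text):
    """Parse JSON-lines events, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate_ksi_iam(users, events, today):
    """Return an evidence record: status, findings, and a digest of the inputs evaluated."""
    findings = []

    def flag(rule, subject, detail):
        findings.append({"rule": rule, "subject": subject, "detail": detail})

    for user in users:
        if not user["active"]:
            continue                                  # disabled accounts cannot authenticate
        methods = set(user["methods"])
        if user.get("kind") == "service":
            # Non-human identities must be inventoried and access-reviewed on schedule.
            reviewed = user.get("last_access_review")
            age = (today - date.fromisoformat(reviewed)).days if reviewed else None
            if age is None or age > REVIEW_MAX_AGE_DAYS:
                flag("nhi-access-review", user["id"], f"last review: {reviewed or 'never'}")
            continue
        # Every active human user must hold at least one phishing-resistant authenticator.
        if not methods & PHISHING_RESISTANT:
            flag("pr-mfa-enrolled", user["id"], f"methods enrolled: {sorted(methods)}")
        # Privileged users may not keep a weaker fallback factor that an attacker could target.
        weak = methods - PHISHING_RESISTANT
        if user["privileged"] and weak:
            flag("privileged-no-weak-fallback", user["id"], f"weak factors: {sorted(weak)}")

    # Enforcement is proven by what happened, not by policy text: a successful login
    # that did not use a phishing-resistant factor means the policy is not enforced.
    for event in events:
        if event["result"] == "success" and event["factor"] not in PHISHING_RESISTANT:
            flag("pr-mfa-enforced", event["user"], f"{event['ts']} used {event['factor']}")

    digest = hashlib.sha256(
        json.dumps({"users": users, "events": events}, sort_keys=True).encode()
    ).hexdigest()
    return {
        "ksi": "KSI-IAM",
        "status": "pass" if not findings else "fail",
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "evaluated_on": today.isoformat(),
        "input_sha256": digest,
        "findings": findings,
    }


def run_example():
    """Evaluate the constructed inputs as of EVALUATION_DATE."""
    return evaluate_ksi_iam(USERS, parse_auth_log(AUTH_LOG), EVALUATION_DATE)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

On the constructed data the record fails with four findings: carol has no phishing-resistant method and still logged in with SMS, bob logged in with TOTP despite holding a FIDO2 key (enrollment without enforcement), and backup-agent has never been access-reviewed. Scheduling this against live IdP exports and shipping the record into your continuous monitoring pipeline is what turns "we enforce MFA" into KSI evidence; the input digest lets an assessor tie each verdict to the exact snapshot it was computed from.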

Frequently Asked Questions

What is FedRAMP 20x and how is it different from Rev5? FedRAMP 20x replaces narrative-based System Security Plans and annual audits with continuous, automated validation using Key Security Indicators (KSIs) and machine-readable OSCAL documentation. It introduces four Certification Classes (A through D) that replace the old Low, Moderate, and High impact levels. The core difference is that Rev5 proved compliance through documentation; FedRAMP 20x proves security through live, automated evidence from running systems.

What are the four FedRAMP 20x Certification Classes? Class A is a transitory entry point leveraging external frameworks like SOC 2 Type II. Class B replaces the Low impact baseline, requiring 56 KSIs and no agency sponsor. Class C replaces Moderate, requiring 61 KSIs and approximately 323 to 325 controls. Class D replaces High, requires an agency sponsor, and has no 20x path — it remains on the Agency authorization track only.

Does my SOC 2 Type II certification help with FedRAMP 20x? Yes, meaningfully — for Class A specifically. SOC 2 Type II is the external framework FedRAMP is using as the starting point for Class A certifications. For Class B and Class C, your SOC 2 work gives you a strong technical foundation and clear control mapping, but FedRAMP provides no formal reciprocity. You must still demonstrate automated KSI validation — SOC 2 cannot substitute for that evidence.

What is OSCAL and when is it required? OSCAL is the Open Security Controls Assessment Language — a machine-readable JSON or XML format for all FedRAMP compliance documentation. All new Rev5 submissions must be in OSCAL format by September 30, 2026. All existing authorized providers must convert their packages to OSCAL by September 30, 2027, or face authorization revocation.

Can I still pursue a traditional Rev5 FedRAMP authorization in 2026? Yes, through approximately mid-2027. FedRAMP plans to stop accepting new Rev5-based authorizations in Q3 or Q4 of FY2027 (April through September 2027). After that point, all new authorizations will follow the 20x path. If you are beginning your FedRAMP journey now, evaluating the 20x path for Class B or Class C is strongly advisable given the limited remaining Rev5 runway.

Build Your FedRAMP 20x Program Before the Market Does It For You

Phase 3 opens to all qualifying providers this quarter. The Consolidated Rules for 2026 publish in June. The FedRAMP Ready label retires July 28. Every SaaS vendor that wants to access the federal market is working from the same compressed timeline — and the ones who start instrumenting KSI evidence and converting to OSCAL now will clear authorization while competitors are still assembling documentation packages.

The path is cleaner than Rev5 for SaaS vendors who invest in the automation layer. It is harder for organizations that mistake FedRAMP 20x for a paperwork shortcut rather than an engineering discipline.

DSALTA's compliance platform maps your existing SOC 2, ISO 27001, and NIST 800-53 evidence directly to FedRAMP 20x KSI requirements — so you can see your gap, close it systematically, and enter your authorization cycle with a defensible, audit-ready posture.
