FedRAMP Leveraged vs Agency ATO Authorization Paths

FedRAMP is the information security framework used by the United States government, and it’s required for any cloud service provider hoping to work with the government in a way that handles sensitive information.

If you’re a cloud service provider and you want to become FedRAMP-authorized, how do you do it? Unfortunately, this is a more difficult question to answer than a lot of people wish. In fact, the FedRAMP board has recently been investing heavily in streamlining the process, so not only is it confusing, it’s changing, too.

So, if you’re confused about ATO and P-ATO, the JAB process, the Agency process, Rev.5 and 20x, or anything else, we’re here to help. Read on for a discussion of authorization paths, browse our blog for more info on the coming changes to the FedRAMP program, or reach out to discuss the details directly.

BLUF - Bottom Line Up Front

FedRAMP is the U.S. government security framework required for cloud providers that handle sensitive data. It now uses a single FedRAMP Board certification, which replaced ATO and JAB/P-ATO paths. Rev.5 and 20x map to four classes: A Ready, B Low, C Moderate, D High. 20x favors machine-readable evidence and faster timelines for B/C; High still needs agency sponsorship. To prepare, scope systems, list controls, create a security plan, collect evidence, and hire a 3PAO.

The Old Way: ATO and P-ATO Authorization Paths

Up until the end of 2024, FedRAMP maintained two different paths for authorization. These were the ATO (Authority to Operate) and P-ATO (Provisional Authority to Operate) paths.

The ATO path was the more common path, and the one available to most CSPs. In short, it involved the CSP finding a government agency willing to sponsor them through the authorization path. The agency would agree to use the CSP’s services if they achieve authorization, and would help bring them through the authorization path. This is also why the ATO path is often referred to as the Agency Authorization path.

The problem with the ATO path is that it’s not reciprocal or reusable. If a CSP wants to work with one agency, that’s fine. But if the CSP wants to gain multiple government contracts, they would need to go through the ATO path with each agency they wanted to partner with, which could be a surprisingly large number.

Sure, when the work is already done and the proof is already available, it’s easy to repeat the authorization process, but it’s not actually very valuable to do so. What good is another sequential audit to say the same things to a different department?

The P-ATO path was the way around this. With the P-ATO process, often called the leveraged authorization path, the CSP would not work with an agency directly. Instead, they would work with the FedRAMP Joint Authorization Board, or JAB. The JAB would be the sponsor and would issue the provisional authorization to validated CSPs, who could then make the jump to working with a larger number of government departments without all the hassle.

The problem was that the bar was high. The JAB had limited time and ability to sponsor CSPs, so only the largest and most broadly relevant CSPs could use the path, while everyone else had to use the ATO path.

In an effort to streamline all of this, however, major changes have been made. The JAB, and with it the P-ATO process, is dead.

The New, Streamlined Authorization Path

While the JAB itself is dead, FedRAMP formed a new group, called the FedRAMP Board. This board oversees the authorization path for modern FedRAMP, which is now unified and simply called FedRAMP Certified.

This alone is one significant change from the previous path: instead of calling it Authorization, the FedRAMP Board now calls it a Certification, to reflect the fact that FedRAMP is now considered a certification process similar to CMMC or ISO 27001.

Another major difference is that FedRAMP now no longer makes a significant distinction between whether a CSP is certified using the older FedRAMP Rev.5 process or the newer FedRAMP 20x process. 20x is the new iteration of FedRAMP, meant to streamline and optimize the whole process for both CSPs and the government itself.

FedRAMP is also changing from impact levels to certification classes.

  • FedRAMP Ready is now Class A
  • FedRAMP Li-SaaS/Low is now Class B
  • FedRAMP Moderate is now Class C
  • FedRAMP High is now Class D

While the names change, the standards remain the same.

Along with this comes another significant change, which is the emphasis on machine-readable data formatting for security control proof and validation. In essence, FedRAMP wants to make automated validation of security as easy as possible, so less manual labor is required to authorize a CSP. Class D will require that all data be machine-readable, while Classes A through C will require some machine-readable data but can still use a lot of standard simple text data as well.

One of the biggest benefits of all of this is making the new FedRAMP authorization path similar to the old P-ATO path. It’s essentially a new FedRAMP leveraged authorization; since the proof is more consistent, easier to validate, and adheres to modern standards, a CSP can be certified to work with any department in the government rather than individual agencies.

P-ATO is dead; long live the P-ATO.

What This Means for the FedRAMP Authorization Paths

The new process for FedRAMP authorization is not quite similar to ATOs or P-ATOs. It’s something new, albeit something that was supposed to exist all along.

It works like this.

CSPs do not need to find a sponsoring agency before they can even begin the authorization process. This was a major roadblock in the past, where a CSP would need to find the right agency, at the right time, with the right impetus, before they could even begin the authorization process.

Instead, CSPs can now work directly with the FedRAMP Board to aim for a certification at a particular class, which maps to previous impact levels. The most common will be Class C, the equivalent of FedRAMP Moderate. Agencies don’t get to be gatekeepers anymore.

The certification process works in much the same way that the ATO process did in the past. The CSP identifies the security controls they need to implement, does the work, gathers proof, and has their work validated by a third-party assessment organization. Once completed, the CSP is issued a certification.

Now certified, the CSP can be added to the FedRAMP marketplace and can be made available to agencies throughout the government.

The agencies still play a critical role in this process, however. A CSP with a certification gets nothing out of it if no agency chooses to work with them. Agencies have the responsibility of determining their required impact level class, and can stipulate adhering to that class in their contracts.

The end result is something very similar to a leveraged authorization path, with easier, more consistent, and more broadly applicable results. All of this is part of the ongoing attempt to streamline FedRAMP for CSPs across the government and private sector, to make it clearer and easier to achieve without sacrificing security.

Is This the New Path to Certification?

Yes and no.

All of this is part of the new FedRAMP 20x plan. However, the FedRAMP 20x plan is still in the pilot stages. Right now, FedRAMP 20x is still at phase two of its pilot, which is a very small test of fewer than a dozen CSPs at the Moderate (Class C) baseline. That phase only recently ended, at the end of March 2026, but the next phase has not yet started.

Once the results of this pilot are analyzed and any changes are made to 20x based on the results, phase three of the pilot can begin. Phase three will be the wide-scale adoption of the new 20x certification path, specifically for Low (Class B) and Moderate (Class C) CSPs. Phase four of the pilot will be a similar small-scale test of High (Class D) baseline CSPs, and is currently scheduled for the start of 2027.

So, if you’re a CSP and you’re hoping to jump into FedRAMP authorization right now, your option is still the traditional ATO process, sponsored by an agency, using the FedRAMP Rev.5 process.

If you’re able to put it off just a bit, it’s expected that the wide-scale launch of the FedRAMP leveraged 20x authorization/certification path will open up in Q3/Q4 of 2026, so just a few short months out from the time of this article.

Note that this does still only apply to Low and Moderate baseline CSPs; if you’re aiming for High, you’ll need to follow the old agency sponsorship path.

The good news is, if you’re able to wait, it’s a huge opportunity to join the cohort of FedRAMP-certified CSPs in a much easier fashion than before.

Changes in Structure, Not in Function

It’s worth making a special note here that all of the changes affect how the program, the authorization, the certification, and the relationship between CSPs and agencies function.

They do NOT change anything to do with the actual security standards, security controls, or underlying NIST documents involved in FedRAMP. You may be certified rather than authorized, you may be Class C instead of Moderate, but the list of security controls and proof you need to accumulate is the same as always. So, too, is the 3PAO validation process.

This is a huge benefit to CSPs that are more than willing to do the work, or that have existing security like CMMC or ISO 27001 already in place and can make the jump quickly. Additionally, the shift to more machine-readable data means that it’s easier than ever to maintain one set of artifacts of proof usable by different frameworks and systems.

How to Become FedRAMP Certified in 2026 and Beyond

If you’re a CSP looking to work with the government today, what should you be thinking of and doing, and what are the timelines?

First of all, consider the timelines.

If you were to start your authorization process right now under FedRAMP Rev.5, using the traditional agency authorization process, you would be looking at 9-18 months before being fully authorized.

If you were to wait until the roll-out of FedRAMP 20x for a Class C (Moderate) baseline certification process, you would be waiting 2-5 months before you can begin, and then an additional 1-3 months for the certification process itself. This is because the new streamlined 20x process allows everything to move much faster.

Unless you have a very urgent need to start the process ASAP, your best bet is to hold off and wait for the newer, faster process. The exception is if you’re aiming for High (Class D) certification, in which case the new authorization path won’t be available for another 18+ months.

Since the actual list of security controls you need to implement is not changing substantially, you can still start all of the work necessary.

  • Scope your systems and determine your system boundaries.
  • Identify and inventory your systems and where CUI would pass through.
  • Outline all necessary and applicable security controls and their implementation needs.
  • Develop your system security plan and other related documentation.
  • Implement and gather proof for your security implementation.
  • Start looking for a FedRAMP 3PAO to perform your eventual certification audit.

You can do the bulk of the work and gather the majority of the proof before you even get into the system. As an added benefit, you can take the same time to work on similar, related security and consider applying for CMMC, ISO 27001, or other security standards as well. While reciprocity isn’t 1:1, a lot of the concepts and controls are similar, so the work overlaps.

Throughout this whole process, we can help. Here at Ignyte, we’ve been deeply involved in the FedRAMP ecosystem for many years. We developed the Ignyte Assurance Platform in conjunction with the Air Force to provide a centralized tool for tracking security implementation, gathering documentation, and making auditing easy.

Whether you’re neck-deep in Rev.5 authorization, you’re looking to adapt for a coming renewal under the new 20x rules, or you’re looking to spin up a brand new 20x authorization in the coming months, we can help. Just reach out to our team to book a demo and discuss how the Ignyte Assurance Platform can work for you. We’re also always available to answer questions about FedRAMP and even provide our services as a 3PAO.
