FedRAMP 20x Public Notices: What CSPs and Assessors Need to Know

Описание: FedRAMP modernization is moving quickly, and one of the newest developments is the introduction of FedRAMP Public Notices. In this episode of Behind the Shield, the team breaks down what these notices are, why the FedRAMP PMO created them, and what they reveal about the future direction of FedRAMP 20x.

Public Notices serve as a formal communication channel designed to provide transparency and a chronological record of key program updates. Instead of relying solely on blogs or scattered announcements, the FedRAMP Public Notices page provides a centralized place where industry stakeholders can track important developments, including outcomes from Requests for Comment (RFCs), operational updates, and emergency directives.

During the conversation, the team walks through the first seven FedRAMP Public Notices, highlighting what they mean for Cloud Service Providers (CSPs), assessors, and advisors navigating the evolving FedRAMP ecosystem. They discuss the outcomes of several recent RFCs, including changes to authorization terminology, updates to the FedRAMP Marketplace, and how the program is responding to industry feedback.

The episode also explores operational updates such as security inbox testing requirements, which will now occur quarterly, and the role of emergency directives that may require CSPs to respond quickly to potential vulnerabilities. These notices create an official paper trail that improves transparency and accountability across the program.

Another major focus of the discussion is RFC 20 and RFC 22, which introduce significant changes to how FedRAMP authorizations will be categorized and how organizations can enter the marketplace. The team explains the shift toward FedRAMP “Certified” designations, the introduction of class-based certification levels (A through D), and how the program may begin leveraging external frameworks like SOC 2 Type II to help accelerate early-stage participation.

The conversation also touches on the broader FedRAMP 20x modernization effort, including the push toward automation, machine-readable evidence, and reducing barriers to entry for cloud providers that want to support federal customers. With a consolidated rules framework expected in the future, these early public notices provide valuable signals about where the program is headed.

Whether you are a cloud service provider pursuing FedRAMP, a 3PAO assessor, or part of the broader government technology ecosystem, understanding these notices is essential for staying ahead of the evolving compliance landscape.

Chapters:

00:08 Understanding FedRAMP Notices and Their Importance
03:09 Navigating FedRAMP Notices
05:55 Understanding Security Assessments
08:12 Changes in Authorization Designations
10:59 Marketplace Updates and CSP Pathways
13:50 Emergency Directives and Testing Procedures
17:24 Leveraging External Frameworks for Certification
28:35 Conclusion and Future Outlook
30:09 Update: RFC-0023 Notice added
34:14 Alternate Intro Outtake



What You’ll Learn:

• What FedRAMP Public Notices are and why the FedRAMP PMO introduced them
• Key updates and initial outcomes from RFC 19, RFC 20, RFC 21, and RFC 22
• The shift toward FedRAMP Certified designations and new class-based certification levels (A–D)
• New security inbox monitoring and quarterly testing expectations for Cloud Service Providers (CSPs)
• How FedRAMP may begin leveraging external frameworks like SOC 2 Type II
• What these changes signal about the future direction of FedRAMP 20x and cloud authorization modernization

Resource Link:
https://www.fedramp.gov/notices/

Interested in FedRAMP 20x? Checkout our upcoming webinar: https://xbu40.com/20x-cohort

InfusionPoints Links:

Jason Shropshire, COO-   / shrop  
Mike Strohecker, VP of Engineering and Operations:   / michael-strohecker-238326172  
Tanner Bailey, Senior Consultant/FedRAMP 20x Lead:   / tanner-b-37a50a132  
Blog: https://infusionpoints.com/blogs/fedr...

  / infusionpoints  
https://www.InfusionPoints.com
https://infusionpoints.com/contact-us

About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every engagement.
Through our independent, security-first approach, we integrate people, processes, and technology to deliver scalable, compliant, and resilient solutions. From strategy and architecture to operations and defense, we help customers move faster without sacrificing security.