FedRAMP 20x Roadmap
FedRAMP 20x is rolling out in five phases from April 2025 through 2027. This page tracks each phase, the operational deliverables tied to it, the Consolidated Rules 2026 (CR26) baseline that locks the rule set through 2028, and the September 2026 OSCAL deadline that applies to the entire FedRAMP program regardless of which baseline a provider holds.
From pilot to program-wide
How the 20x Rollout Is Structured
The FedRAMP 20x phased rollout began with the April 2025 launch of the Low baseline pilot and runs through the planned Rev5 sunset in FY27 Q3 to Q4. The phase structure is designed to narrow scope, validate approach, and progressively expand the population of eligible cloud service providers. Each phase has defined entry criteria, a target outcome, and an operational handoff to the next phase. The whole program is anchored by the FedRAMP Authorization Act of 2022 (44 U.S.C. Sec 3609) and OMB Memorandum M-24-15, which together direct the General Services Administration to modernize cloud assessment and reuse.
The most important operational fact for any cloud provider planning federal market entry is not the Phase 3 GA window; it is the September 2026 OSCAL deadline. RFC-0024, issued January 13, 2026, mandates machine-readable submission packages for every FedRAMP provider by September 2026, regardless of which baseline or path they are on. That deadline is closer than Phase 3 GA and applies to the entire program. Providers that have not yet adopted OSCAL tooling are already behind the curve.
April 2025 to September 2025
Phase 1: 20x Low Pilot, Complete
The Phase 1 pilot validated the core thesis of 20x: that compliance-as-code and machine-readable evidence can substitute for narrative documentation, and that automated continuous validation can replace much of the manual point-in-time assessment work. The pilot was open to the public and focused on Low-impact cloud service offerings on FedRAMP-authorized infrastructure.
Scope
Low-impact cloud service offerings, cloud-native services deployed on existing FedRAMP-authorized infrastructure, using primarily cloud-native services and FedRAMP-authorized third-party information resources. Participation was open to the public.
Volume
FedRAMP received 26 complete submission packages in just under three months, demonstrating strong provider interest in the accelerated path.
First Authorizations
By late July 2025, the first organizations were authorized through the Phase 1 pilot, compressing the path from kickoff to authorization from the legacy 18-plus months to weeks for qualifying providers.
Key Security Indicators
The pilot operationalized the initial Key Security Indicators standard published May 30, 2025. The Low baseline KSI set included 56 indicators across identity, system protection, cloud-native architecture, monitoring, and supporting clusters.
Evidence Automation
Phase 1 required at least 70 percent of submission evidence to be automated, validating that the continuous-validation model could carry the assessment workload for cloud-native providers.
Outcome
Phase 1 closed in September 2025 with the program validated and the foundation laid for the Moderate baseline pilot. Authorizations granted under Phase 1 remain valid; providers continue continuous monitoring under the 20x model.
November 2025 through Q2 2026
Phase 2: 20x Moderate Pilot, Active
Phase 2 began in November 2025 and runs through Q2 2026. Participation is closed: 13 cloud service providers selected from the Phase 1 cohort are working with FedRAMP and assessors to extend the 20x model to Moderate baseline systems. The Phase 2 cohort tests Key Security Indicators for Moderate, validation by third-party assessors operating as continuous collaborators rather than annual auditors, and the operational mechanics of continuous validation at the Moderate scope.
The Phase 2 Moderate KSI set expanded to 61 indicators, building on the Phase 1 Low set of 56 indicators with additional coverage for the Moderate-specific control surface. The Moderate baseline involves substantially more controls than Low (approximately 323 to 325 controls under Rev5 versus approximately 156 for Low), so the operational lift of producing continuous evidence at Moderate is meaningfully higher.
Phase 2 is not open to general public participation. Cloud providers planning Moderate authorizations on the 20x path wait for Phase 3. During the Phase 2 window, providers should be instrumenting their continuous validation telemetry, adopting OSCAL tooling, and positioning their authorization package for Phase 3 entry. Cybertorch and NISTCompliance.AI together provide the continuous-validation telemetry surface and the OSCAL generation pipeline that Phase 3 entrants will need.
Q3 to Q4 2026
Phase 3: General Availability, Second Half of 2026
Phase 3 is the structural inflection point that opens the 20x model from a closed pilot to a market-wide option. At Phase 3 launch, any cloud-native cloud service provider running on FedRAMP-authorized infrastructure can pursue a 20x authorization through either the Agency authorization path or the new Program Certification path.
Scope at Launch
Phase 3 opens 20x for both the Low (Class B) and Moderate (Class C) baselines. Class D (the former High baseline) is not currently in scope for Phase 3; High-baseline services remain on Rev5 paths through Phase 5.
Authorization Paths
Two paths are available at Phase 3. The Agency authorization path uses traditional agency sponsorship. The Program Certification path, introduced under RFC-0023, allows providers to pursue Class B or C certification directly from the FedRAMP PMO without securing an agency sponsor first.
Class A On-Ramp
For providers entering federal participation through external frameworks (initially SOC 2 Type II), the Class A on-ramp is available through Program Certification with a two-year window to obtain a full Class B, C, or D certification.
Provider Readiness
Providers entering Phase 3 should have completed OSCAL adoption (RFC-0024 deadline is September 2026), have continuous validation telemetry instrumented for the KSI families in their baseline, and have inheritance documented from any FedRAMP-authorized platforms they operate on.
Assessor Relationship
3PAOs operating in Phase 3 transition from annual auditors to continuous collaborators. The assessor relationship under 20x is closer to a code review than to a point-in-time audit, with continuous evidence review and Significant Change Notice reviews replacing the legacy annual assessment cycle.
Authorization Timeline
For cloud-native providers operating on authorized infrastructure with substantial inheritance, Phase 3 targets authorization timelines measured in weeks rather than the 18-plus months typical under Rev5. The exact timeline depends on the baseline, the provider's existing instrumentation, and the depth of inheritance from underlying platforms.
The stable baseline through 2028
Consolidated Rules 2026 (CR26), Phase 4, and Phase 5
CR26 is the policy package that finalizes the 20x rule set. Phase 4 and Phase 5 continue the program's evolution beyond initial GA into the Rev5 sunset window. Together these set the medium-term horizon for federal cloud authorization.
CR26: Released Mid-2026, Stable Through 2028
Consolidated Rules 2026 is released in mid-2026 with full effect by end of year. CR26 sets a stable baseline expected to remain in place for roughly 2.5 years through 2028. This is the first time in a decade the FedRAMP rule set has had a predictable multi-year horizon, which lets cloud providers and their assessors plan budgets and engineering work without expecting the ground to shift every six months.
CR26 Formalizes the Class A Through D Structure
Under CR26, the FIPS 199 impact-level labels (Low, Moderate, High) are formally retired in favor of Certification Classes A, B, C, and D. The rebrand resolves the long-standing confusion with the Department of Defense Impact Level designations (IL2 through IL6) and the Department of the Navy's parallel labels. Class B replaces Low and Li-SaaS. Class C replaces Moderate. Class D replaces High. Class A is a new transitional designation through external frameworks (initially SOC 2 Type II).
CR26 Formalizes FedRAMP Certified Terminology
The program's terminology shifts from FedRAMP Authorized to FedRAMP Certified. Legally, FedRAMP has always certified that a cloud service completed the assessment process; only an agency can issue an Authority to Operate. The legacy language conflated the two. CR26 aligns the program's vocabulary to the legal reality. Existing FedRAMP Authorized services retain their status.
Phase 4: Early to Mid 2027, Reciprocity Work
Phase 4 expands 20x scope and refines reciprocity with CMMC Level 2 (the explicit reciprocity goal of the modernization program). The reciprocity work is operationally significant for Defense Industrial Base contractors and for cloud providers whose customer base spans both federal civilian and DoD missions. NISTCompliance.AI handles the cross-framework mapping so a single evidence base satisfies FedRAMP, CMMC Level 2, and FISMA Moderate.
Phase 5: FY27 Q3 to Q4, Rev5 Sunset
Phase 5 is the planned end of life for new Rev5 authorizations. After Phase 5, all new FedRAMP authorizations move to the 20x path. Existing Rev5 authorizations remain valid through their renewal cycles. Class D services may continue to require Rev5 paths until a 20x path for Class D is established.
September 2026: The Universal OSCAL Deadline
RFC-0024 mandates machine-readable OSCAL submission packages for all FedRAMP providers by September 2026, regardless of which baseline or path they are on. The deadline applies to the entire program, not just 20x participants. Cloud providers that have not yet adopted OSCAL tooling should be planning that adoption now.
Quzara's Operating Position
Quzara Cybertorch is FedRAMP Certified at Class D (Marketplace ID FR2214150164) on Azure Government with U.S.-citizen 24/7 SOC, providing the continuous-validation telemetry surface the 20x KSI families require and inheritable controls across the Audit and Accountability, Incident Response, and Continuous Monitoring families. NISTCompliance.AI generates the OSCAL packages RFC-0024 requires by September 2026, across 800-plus NIST SP 800-53 Rev 5 controls, with cross-framework mapping to CMMC Level 2 and FISMA Moderate from a single evidence base.
Common Questions About the FedRAMP 20x Roadmap
When does FedRAMP 20x Phase 3 open to all providers?
The current target window for Phase 3 General Availability is Q3 to Q4 2026. At Phase 3 launch, any cloud-native cloud service provider running on FedRAMP-authorized infrastructure can pursue 20x authorization through either the Agency path or the new Program Certification path. Class D (the former High baseline) is not currently in scope for Phase 3; High-baseline services continue on Rev5 paths.
Can I apply for FedRAMP 20x today?
It depends on the baseline. For Low (now Class B), Phase 1 ran from April through September 2025 and is closed. For Moderate (Class C), the Phase 2 pilot is closed to general participation. Phase 3 opens both baselines to all qualifying providers in the second half of 2026. Class D has no 20x path currently defined.
What is the most urgent operational deadline?
September 2026 for OSCAL adoption. RFC-0024 mandates machine-readable submission packages in OSCAL format for all FedRAMP providers by that date, not just 20x participants. The deadline applies to Rev5 services in continuous monitoring as well as new authorizations.
What is CR26 and when does it take effect?
Consolidated Rules 2026 is the policy package that finalizes the 20x rule set. It is released in mid-2026 with full effect by end of year. CR26 sets a stable baseline expected to remain in place for roughly 2.5 years through 2028. CR26 formalizes the Class A through D structure and the FedRAMP Authorized to FedRAMP Certified terminology shift.
What happens to Rev5 authorizations during the transition?
Existing Rev5 authorizations remain valid through their renewal cycles. Phase 5, in FY27 Q3 to Q4, is the planned end of life for new Rev5 authorizations. After Phase 5, all new FedRAMP authorizations move to the 20x path.
Is FedRAMP 20x available for the High baseline (Class D)?
Not currently. No 20x path is defined for Class D. High-baseline cloud services remain on Rev5 paths through Phase 5 and possibly beyond. Quzara Cybertorch is FedRAMP Certified at Class D on a Rev5 authorization.
What is the difference between Agency authorization and Program Certification?
Agency authorization is the traditional path: a federal agency sponsors the cloud service through the assessment process. Program Certification, introduced under RFC-0023, allows providers to pursue Class A, B, or C certification directly from the FedRAMP PMO without securing an agency sponsor. Class D continues to require Agency authorization; there is no Program Certification path at Class D.
How many cloud providers are in Phase 2?
Phase 2 is a closed cohort of 13 cloud service providers selected from the Phase 1 participants. Phase 2 is not open to additional participation; providers planning Moderate authorizations on the 20x path wait for Phase 3.
Will Phase 4 affect Defense Industrial Base contractors?
Yes. Phase 4 in 2027 refines reciprocity between FedRAMP authorization and CMMC Level 2 assessment, which is operationally significant for DIB contractors handling Controlled Unclassified Information. NISTCompliance.AI handles the cross-framework mapping so a single evidence base satisfies FedRAMP, CMMC Level 2, and FISMA Moderate.
What should a cloud provider be doing right now?
Three things, in priority order. First, adopt OSCAL tooling before the September 2026 deadline. Second, instrument continuous validation telemetry for the KSI families in your target baseline. Third, document control inheritance from any FedRAMP-authorized platforms you operate on. NISTCompliance.AI generates OSCAL packages from underlying control evidence; Cybertorch provides inheritable Class D controls and continuous-validation telemetry.
How long does a 20x authorization take?
For cloud-native providers operating on FedRAMP-authorized infrastructure with substantial inheritance, the Phase 1 pilot demonstrated authorizations in weeks rather than the 18-plus months typical under Rev5. The exact timeline depends on the baseline, the provider's existing instrumentation, and the depth of inheritance.
How does NISTCompliance.AI fit the 20x timeline?
NISTCompliance.AI generates the OSCAL packages RFC-0024 requires by September 2026, across 800-plus NIST SP 800-53 Rev 5 controls. The platform handles SSP generation, POA&M tracking, the inheritance matrix referencing platform component definitions, and an Auditor Co-Pilot capability for 3PAO evidence walkthroughs. For cloud providers entering Phase 3 GA in late 2026, NISTCompliance.AI is the OSCAL production pipeline that converts existing control evidence into the submission package the program requires.

