
What Is FedRAMP 20x?

FedRAMP 20x is the most significant restructuring of the Federal Risk and Authorization Management Program since its founding in 2011. This guide explains what 20x is, how it replaces narrative compliance with automated validation, the three foundational changes (Key Security Indicators, OSCAL machine-readable packages, continuous validation), the new Class A through D certification structure, and what cloud service providers should do now.
Federal Cloud Authorization, Rebuilt

FedRAMP 20x Defined

FedRAMP 20x is the operational name for the Federal Risk and Authorization Management Program's transition from narrative-driven, point-in-time compliance to automated, evidence-driven continuous validation. It is anchored by the FedRAMP Authorization Act of 2022 (codified at 44 U.S.C. Sec 3607 et seq.) and OMB Memorandum M-24-15 (July 2024), which together direct the General Services Administration to modernize how cloud services are assessed and reused across federal agencies. The 20x program began with a Phase 1 pilot in April 2025 for the Low baseline, expanded to a closed Phase 2 Moderate pilot in November 2025, and opens to all qualifying cloud service providers in Phase 3 during the second half of 2026.
The underlying security requirements do not relax. 20x continues to map to NIST SP 800-53 Rev 5 controls, with the FedRAMP baselines retaining the same control sets that Low, Moderate, and High covered under Rev5. Under Consolidated Rules 2026 (CR26), those baselines are renamed Certification Classes A, B, C, and D. What changes is how compliance is proven, not what compliance is. Providers no longer write paragraphs describing how a control is implemented; they emit machine-readable evidence that the control is running, validated continuously through the assessment lifecycle.
From narrative to evidence

The Three Foundational Changes Under FedRAMP 20x

FedRAMP 20x rests on three interconnected changes. Each replaces a familiar legacy process with one engineered for the way modern cloud services actually operate.
Change 1: Key Security Indicators Replace Narrative Controls
Under Rev5, providers wrote paragraphs explaining how each control was implemented. Under 20x, providers emit machine-readable evidence that the control is running in production. The FedRAMP PMO published the initial Key Security Indicators standard in May 2025 with 56 indicators for the Low baseline. The Phase 2 Moderate set expanded to 61 indicators. KSIs are grouped into clusters covering identity (KSI-IAM), system and communications protection (KSI-SC), cloud-native architecture (KSI-CNA), monitoring, logging, and auditing (KSI-MLA), and additional families covering incident response, vulnerability management, data protection, and supply chain.
Change 2: OSCAL Machine-Readable Packages Replace PDFs
RFC-0024, issued January 13, 2026, mandates machine-readable submission packages for all FedRAMP providers by September 2026, not only 20x participants. The required format is the Open Security Controls Assessment Language (OSCAL), a NIST-developed standard expressing security controls, system descriptions, assessment plans, results, and plans of action in structured JSON, XML, or YAML. Every cloud provider in the federal market is on this clock, regardless of whether they pursue Rev5 or 20x authorization.
Change 3: Continuous Validation Replaces Annual Assessment
Rev5 relied on annual third-party assessments with monthly Plan of Action and Milestones updates. 20x targets 80 percent or higher continuous automated validation of the control set, with assessors transitioning from annual auditors into ongoing collaborative reviewers. The legacy Significant Change Request process is replaced by Significant Change Notices, shifting the operating model from prior approval to continuous notification with continuous evidence. The Phase 1 pilot required at least 70 percent of evidence to be automated; the program targets higher automation as the model matures.
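Changes 1 and 3 describe a pipeline rather than a document: a check runs against the live system, the outcome is emitted as a machine-readable record, and the share of indicators evidenced this way is tracked against the 70 percent Phase 1 floor and the 80 percent program target. The following is an added example of such a loop, written for this article; it is not code from the page or from the FedRAMP PMO. Every identifier in it is constructed: the indicator ids (KSI-IAM-X1 and so on) are hypothetical placeholders inside the clusters the page names, not the PMO's published indicators, SNAPSHOT is a hand-built inventory standing in for what a real pipeline would pull from the cloud control plane, IaC state and the SIEM, and the record layout is this example's own, not an OSCAL schema.

```python
"""Added example (not from the page or the FedRAMP PMO): one cycle of a
continuous-validation loop that evaluates indicator checks against a
snapshot of a running system, emits tamper-evident evidence records, and
reports the automated-evidence ratio. All ids and data are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed inventory snapshot; a real pipeline would assemble this from
# cloud APIs, IaC state and the SIEM rather than a literal.
SNAPSHOT = {
    "collected_at": "2026-03-01T00:00:00Z",
    "accounts": [
        {"id": "admin-1", "privileged": True, "mfa": "phishing-resistant"},
        {"id": "admin-2", "privileged": True, "mfa": "phishing-resistant"},
        {"id": "svc-deploy", "privileged": False, "mfa": "none"},
    ],
    "components": [
        {"id": "api-gw", "audit_logging": True, "logs_to_siem": True, "iac_managed": True},
        {"id": "worker", "audit_logging": True, "logs_to_siem": True, "iac_managed": True},
        {"id": "legacy-vm", "audit_logging": False, "logs_to_siem": False, "iac_managed": False},
    ],
}


def check_privileged_mfa(snap):
    """Hypothetical KSI-IAM-cluster check: every privileged account uses
    phishing-resistant MFA. Returns (passed, ids that violate it)."""
    bad = [a["id"] for a in snap["accounts"]
           if a["privileged"] and a["mfa"] != "phishing-resistant"]
    return not bad, bad


def check_logs_reach_siem(snap):
    """Hypothetical KSI-MLA-cluster check: every component has audit logging
    enabled and ships it to the central SIEM."""
    bad = [c["id"] for c in snap["components"]
           if not (c["audit_logging"] and c["logs_to_siem"])]
    return not bad, bad


def check_iac_managed(snap):
    """Hypothetical KSI-CNA-cluster check: every component is deployed from
    infrastructure-as-code rather than hand-built."""
    bad = [c["id"] for c in snap["components"] if not c["iac_managed"]]
    return not bad, bad


# Indicators evidenced by code (hypothetical ids), plus one indicator that in
# this constructed system is still evidenced by a document, so the automated
# ratio is 3 of 4.
AUTOMATED_CHECKS = [
    ("KSI-IAM-X1", "KSI-IAM", check_privileged_mfa),
    ("KSI-MLA-X1", "KSI-MLA", check_logs_reach_siem),
    ("KSI-CNA-X1", "KSI-CNA", check_iac_managed),
]
MANUAL_INDICATORS = {"KSI-SUP-X1": "supply-chain attestation collected as a document"}


def canonical_hash(rec):
    """SHA-256 over the record's canonical JSON (sorted keys, no whitespace),
    excluding the hash field itself, so an edited record no longer verifies."""
    body = {k: v for k, v in rec.items() if k != "sha256"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def evidence_record(indicator, cluster, check, snap, evaluated_at=None):
    """Evaluate one check and wrap the outcome as a machine-readable record."""
    passed, findings = check(snap)
    rec = {
        "indicator": indicator,
        "cluster": cluster,
        "method": "automated",
        "result": "pass" if passed else "fail",
        "findings": findings,
        "snapshot_collected_at": snap["collected_at"],
        "evaluated_at": evaluated_at or datetime.now(timezone.utc).isoformat(),
    }
    rec["sha256"] = canonical_hash(rec)
    return rec


def verify_record(rec):
    """True if the record's hash still matches its contents."""
    return rec.get("sha256") == canonical_hash(rec)


def run_validation(snap, manual=MANUAL_INDICATORS):
    """One validation cycle: evaluate every automated indicator, then report
    failures and the share of indicators evidenced automatically."""
    records = [evidence_record(i, c, fn, snap) for i, c, fn in AUTOMATED_CHECKS]
    total = len(records) + len(manual)
    return {
        "records": records,
        "failing": [r["indicator"] for r in records if r["result"] == "fail"],
        "automated_ratio": len(records) / total,
    }


def meets_automation_target(summary, target):
    """Compare the cycle's automated share with a threshold such as the 0.70
    Phase 1 floor or the 0.80 program target."""
    return summary["automated_ratio"] >= target


if __name__ == "__main__":
    print(json.dumps(run_validation(SNAPSHOT), indent=2))
```

On the constructed snapshot the cycle fails the logging and IaC indicators (both because of legacy-vm), passes the MFA indicator, and reports a 0.75 automated share: enough for the Phase 1 floor, short of the 80 percent target. The point of the hash is that the record, not a screenshot, is what an assessor reviews, so it has to be tamper-evident from the moment it is emitted.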
The new alphabetical structure

Certification Classes A Through D Under CR26

Under Consolidated Rules 2026, FedRAMP retires the FIPS 199 impact-level labels of Low, Moderate, and High and adopts Certification Classes A, B, C, and D. The rebrand resolves long-standing confusion with the Department of Defense's parallel Impact Level designations (IL2 through IL6) and aligns the program's language to the legal reality: FedRAMP itself does not authorize cloud services for federal use; agencies do, under the NIST Risk Management Framework. FedRAMP certifies that the assessment was completed, and the terminology shifts from FedRAMP Authorized to FedRAMP Certified to reflect this distinction.

Class A is a transitional designation available only through Program Certification (directly from the FedRAMP PMO, no agency sponsor required) for cloud services entering federal participation through external frameworks. The initial external framework accepted is SOC 2 Type II. Class A holders receive a two-year window to obtain a Class B, C, or D certification through full FedRAMP assessment.

Class B replaces the legacy Low and Li-SaaS designations, covering approximately 156 controls. It is the entry-level full certification, available through either Agency authorization or Program Certification, and is the most accessible class for new federal market entrants.

Class C replaces Moderate, covering approximately 323 to 325 controls. Class C represents roughly 80 percent of FedRAMP-certified services and is available under FedRAMP 20x for cloud-native services beginning at Phase 3 GA.

Class D replaces High, covering approximately 410 to 421 controls. Two structural rules apply to Class D: it must always go through the Agency authorization path (no Program Certification route at Class D), and no 20x path currently exists for Class D. High-baseline cloud services remain on Rev5 through Phase 5 in FY27 Q3 to Q4.

Quzara Cybertorch is FedRAMP Certified at Class D on Azure Government, Marketplace ID FR2214150164. Operating at Class D provides the inheritance backbone for cloud services at any class, because controls implemented to the Class D standard over-satisfy the requirements of Class B and Class C services that inherit from the platform.
The September 2026 clock

What Cloud Service Providers Should Do Now

Whether a cloud provider pursues Rev5 or 20x, the operational requirements below apply now. The September 2026 OSCAL deadline applies to the entire program. The other items position a provider to enter or accelerate within the 20x model as Phase 3 opens.
1. Adopt OSCAL Tooling Before September 2026
RFC-0024 makes OSCAL machine-readable packages mandatory for every FedRAMP provider, not just 20x participants. A Moderate baseline SSP in OSCAL JSON runs thousands of lines with exact cross-references and unforgiving schema validation. Hand-writing OSCAL does not scale. NISTCompliance.AI generates OSCAL packages from underlying control evidence across 800-plus NIST SP 800-53 Rev 5 controls, with cross-framework mapping to CMMC Level 2 and FISMA Moderate from a single evidence base.
2. Instrument Continuous Validation Telemetry
KSIs require continuous evidence that controls are running, not periodic snapshots. The Phase 1 pilot required at least 70 percent automated evidence. Producing that evidence at the cadence 20x expects requires centralized identity, infrastructure-as-code, centralized logging, a SIEM, and automated configuration management. Cybertorch operates a FedRAMP Certified Class D SIEM, log collection, and 24/7 incident response on Azure Government with U.S.-citizen analysts, emitting the telemetry that KSI-MLA and overlapping clusters require.
3. Map Control Inheritance From Authorized Platforms
A cloud service operating on top of a FedRAMP-authorized platform inherits controls from that platform, reducing the surface area of the service's own certification. Inheritance from a Class D platform delivers controls implemented to the High baseline standard, over-satisfying Class B and Class C requirements. Inheritance covers only the controls, or parts of controls, that the platform explicitly exports; the customer-responsibility portion of a shared control, and every control the platform does not export, remains the provider's to implement and evidence. The inheritance matrix becomes part of the OSCAL component definition the platform publishes, and the provider's OSCAL SSP references it directly. NISTCompliance.AI generates the inheritance matrix automatically from the source component definition.
4. Plan for Significant Change Notices, Not Requests
The legacy Significant Change Request process required prior approval before implementing material changes. Under 20x, Significant Change Notices replace SCRs: providers notify the agency of the change and provide evidence the security posture is maintained. SCNs are themselves machine-readable artifacts integrated with the OSCAL package, so the SSP update, control re-validation, and notification all flow from the same evidence pipeline.
5. Choose the Right Class for Your Customer Mission
The class is determined by the data the customer agencies need to process, not by provider preference. Cloud services serving agencies that handle CUI require Class C at minimum. Services supporting missions where a loss of confidentiality, integrity, or availability would have a severe or catastrophic effect (the FIPS 199 High category that the legacy High baseline served) require Class D; classified national security systems fall outside FedRAMP's scope entirely. The Class A on-ramp through SOC 2 Type II is useful for providers entering the federal market without an existing authorization who want a faster path to initial certification while building toward a full assessment, but it is explicitly transitional, not a destination.
6. Track RFCs Within Days of Each Drop
The FedRAMP PMO publishes proposed policy changes as Requests for Comment with structured public-comment windows. The cadence accelerated through 2025 and 2026. The January 13, 2026 release alone published six RFCs covering assessment cost reporting, authorization designations, marketplace expansion, external framework leverage, Rev5 Program Certifications, and OSCAL machine-readable packages. The RFC and Policy Tracker at the Federal MDR Hub maintains current summaries of each active RFC and the operational implications.
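The "Adopt OSCAL Tooling" and "Map Control Inheritance" items above both come down to the same engineering fact: an OSCAL SSP is a graph of UUID references (implemented requirements pointing at components, components pointing at leveraged authorizations), and the JSON Schema only checks shapes, not whether those references resolve or whether the implemented controls match the imported profile. The following is an added example written for this article, not code from the page, from RFC-0024, or from any vendor tool, of the pre-submission checks a provider would run on top of schema validation. Assumptions: the field names (system-security-plan, import-profile, system-implementation with components and leveraged-authorizations, control-implementation with implemented-requirements and by-components, and the leveraged-authorization-uuid component prop) follow the OSCAL SSP JSON model as the author of this example understands it, with metadata abbreviated; REQUIRED_CONTROLS is a constructed three-control stand-in for a resolved profile; build_ssp() returns a hand-built SSP with two deliberate defects. Run the official OSCAL JSON Schema as well; this check only covers what the schema cannot see.

```python
"""Added example (not from the page, RFC-0024 or any vendor tool): a
cross-reference checker for a minimal OSCAL SSP in JSON. Field names follow
the OSCAL SSP model as understood by the example's author; the profile,
identifiers and SSP content are all constructed."""
import uuid as uuidlib

# Constructed stand-in for the control ids a resolved FedRAMP profile yields.
REQUIRED_CONTROLS = {"ac-2", "au-2", "ir-4"}

# Fixed identifiers so the example is deterministic (RFC 4122 layout).
PLATFORM_AUTHZ = "aaaaaaaa-0000-4000-8000-000000000001"  # leveraged authorization
COMP_PLATFORM = "bbbbbbbb-0000-4000-8000-000000000002"   # platform inherited from
COMP_APP = "bbbbbbbb-0000-4000-8000-000000000003"        # the provider's own service
DANGLING = "cccccccc-0000-4000-8000-000000000009"        # referenced, never declared


def build_ssp(defects=True):
    """Hand-built SSP. With defects=True it has a by-component pointing at an
    undeclared component and leaves profile control ir-4 unimplemented."""
    au2_refs = [{"uuid": "eeeeeeee-0000-4000-8000-000000000006",
                 "component-uuid": COMP_PLATFORM,
                 "description": "Audit event selection inherited from the platform"}]
    if defects:
        au2_refs.append({"uuid": "eeeeeeee-0000-4000-8000-000000000007",
                         "component-uuid": DANGLING,
                         "description": "Pasted from an older SSP"})
    reqs = [
        {"uuid": "ffffffff-0000-4000-8000-000000000010", "control-id": "ac-2",
         "by-components": [{"uuid": "eeeeeeee-0000-4000-8000-000000000005",
                            "component-uuid": COMP_APP,
                            "description": "Accounts provisioned through the IdP"}]},
        {"uuid": "ffffffff-0000-4000-8000-000000000011", "control-id": "au-2",
         "by-components": au2_refs},
    ]
    if not defects:
        reqs.append({"uuid": "ffffffff-0000-4000-8000-000000000012", "control-id": "ir-4",
                     "by-components": [{"uuid": "eeeeeeee-0000-4000-8000-000000000008",
                                        "component-uuid": COMP_APP,
                                        "description": "Incident handling runbook"}]})
    return {"system-security-plan": {
        "uuid": "dddddddd-0000-4000-8000-000000000004",
        "metadata": {"title": "Example SaaS SSP", "version": "0.1", "oscal-version": "1.1.2"},
        "import-profile": {"href": "https://example.invalid/profile.json"},
        "system-implementation": {
            "leveraged-authorizations": [
                {"uuid": PLATFORM_AUTHZ, "title": "Leveraged IaaS platform",
                 "date-authorized": "2025-01-01"}],
            "components": [
                {"uuid": COMP_PLATFORM, "type": "service", "title": "IaaS platform",
                 "props": [{"name": "leveraged-authorization-uuid", "value": PLATFORM_AUTHZ}]},
                {"uuid": COMP_APP, "type": "software", "title": "SaaS application"}]},
        "control-implementation": {"implemented-requirements": reqs},
    }}


def iter_uuids(node):
    """Yield every value under a 'uuid' key, i.e. identifier definitions.
    References use other keys (component-uuid) and are not collected."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == "uuid":
                yield v
            else:
                yield from iter_uuids(v)
    elif isinstance(node, list):
        for item in node:
            yield from iter_uuids(item)


def is_uuid(value):
    try:
        return str(uuidlib.UUID(str(value))) == str(value).lower()
    except ValueError:
        return False


def check_ssp(doc, required_controls):
    """Return a list of findings; empty means every reference resolves and the
    implemented controls match the imported profile exactly."""
    findings = []
    ssp = doc["system-security-plan"]
    impl = ssp.get("system-implementation", {})
    components = {c["uuid"]: c for c in impl.get("components", [])}
    leveraged = {la["uuid"] for la in impl.get("leveraged-authorizations", [])}

    # 1. Every declared identifier is a well-formed, unique UUID.
    seen = set()
    for u in iter_uuids(ssp):
        if not is_uuid(u):
            findings.append(f"malformed uuid {u!r}")
        elif u in seen:
            findings.append(f"duplicate uuid {u}")
        seen.add(u)

    # 2. Every by-component points at a declared component.
    implemented = {}
    for req in ssp.get("control-implementation", {}).get("implemented-requirements", []):
        cid = req["control-id"]
        implemented[cid] = implemented.get(cid, 0) + 1
        for bc in req.get("by-components", []):
            if bc["component-uuid"] not in components:
                findings.append(f"{cid}: by-component references undeclared component {bc['component-uuid']}")

    # 3. Profile coverage in both directions, and no control declared twice.
    for cid in sorted(required_controls - set(implemented)):
        findings.append(f"{cid}: required by the imported profile but not implemented")
    for cid in sorted(set(implemented) - required_controls):
        findings.append(f"{cid}: implemented but not in the imported profile")
    for cid, n in implemented.items():
        if n > 1:
            findings.append(f"{cid}: implemented-requirement declared {n} times")

    # 4. Inheritance link: a component claiming a leveraged authorization must
    #    reference one the SSP actually declares.
    for comp in components.values():
        for prop in comp.get("props", []):
            if prop.get("name") == "leveraged-authorization-uuid" and prop.get("value") not in leveraged:
                findings.append(f"component {comp['uuid']} leverages undeclared authorization {prop.get('value')}")
    return findings


if __name__ == "__main__":
    for line in check_ssp(build_ssp(), REQUIRED_CONTROLS) or ["no findings"]:
        print(line)
```

Against the defective SSP the checker reports exactly the two planted problems (the au-2 by-component that points at nothing, and ir-4 required by the profile but absent); against the repaired one it reports none. In practice the required-control set comes from resolving the imported profile against the catalog rather than a literal, and the inheritance check is where a stale or mistyped leveraged-authorization UUID surfaces before an assessor finds it.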
From pilot to general availability and Rev5 sunset

FedRAMP 20x Phase Timeline

FedRAMP 20x is rolling out in phases that began in April 2025 and run through 2027. The phase structure narrows scope, validates approach, and progressively expands the population of eligible cloud service providers. The timeline below tracks where the program is today, what is finalized, and what is coming.
Phase 1: 20x Low Pilot (April 2025 to September 2025, complete)
The Phase 1 pilot ran from April 2025 through September 2025. It was open to the public and focused on Low-impact cloud service offerings. The pilot validated that compliance-as-code and Key Security Indicators could substitute for narrative documentation, and that automated assessments could replace months of manual evidence collection. FedRAMP received 26 complete submission packages in just under three months. The first organizations were authorized by late July 2025, demonstrating that the path from kickoff to authorization could be compressed from 18-plus months to weeks for cloud-native providers operating on existing FedRAMP-authorized infrastructure.

Phase 2: 20x Moderate Pilot (November 2025 to Q2 2026, active)
Phase 2 began in November 2025 and runs through Q2 2026. Participation is closed: 13 cloud service providers selected from the Phase 1 cohort are working with FedRAMP and assessors to extend the 20x model to Moderate baseline systems. The cohort tests Key Security Indicators for Moderate, validation by third-party assessors, and the operational mechanics of continuous validation. Phase 2 is not open to general public participation. Cloud providers planning Moderate authorizations on the 20x path wait for Phase 3.

Phase 3: General Availability (Q3 to Q4 2026)
Phase 3 opens 20x to all qualifying cloud service providers for both Low and Moderate baselines. The current target window is Q3 to Q4 2026. At Phase 3 launch, any cloud-native provider running on FedRAMP-authorized infrastructure can pursue a 20x authorization through either the Agency path or the new Program Certification path. Phase 3 is the structural inflection point that opens the 20x model from a closed pilot to a market-wide option.

Consolidated Rules 2026 (CR26)
CR26 is the policy package that finalizes the 20x ruleset. Released in mid-2026 with full effect by end of year, it sets a stable baseline expected to remain in place for roughly 2.5 years through 2028. This is the first time in a decade the FedRAMP rule set has had a predictable multi-year horizon, which allows cloud providers and their assessors to plan budgets and engineering work without expecting the ground to shift every six months. CR26 also formalizes the Class A through D structure and the FedRAMP Authorized to FedRAMP Certified terminology shift.

Phase 4 (Early to mid 2027)
Phase 4 expands 20x to additional scope and refines reciprocity with CMMC Level 2 (the explicit reciprocity goal of the modernization program). The reciprocity work is operationally significant for Defense Industrial Base contractors and for cloud providers whose customer base spans both federal civilian and DoD missions.

Phase 5: Rev5 Sunset (FY27 Q3 to Q4)
Phase 5 is the planned end of life for new Rev5 authorizations. After Phase 5, all new FedRAMP authorizations move to the 20x path. Existing Rev5 authorizations remain valid through their renewal cycles. Class D services may continue to require Rev5 paths until a 20x path for Class D is established.

RFC-0024 Operational Deadline: September 2026
RFC-0024 makes machine-readable OSCAL submission packages mandatory for all FedRAMP providers by September 2026, regardless of which baseline or path they are on. That deadline is closer than the Phase 3 GA window and applies to the entire program, not just 20x participants. Cloud providers that have not yet adopted OSCAL tooling should be planning that adoption now.
Quzara Cybertorch federal MDR

Pursuing FedRAMP 20x or Migrating from Rev5?

Quzara operates both sides of the 20x equation. Quzara Cybertorch is FedRAMP Certified Class D on Azure Government with U.S.-citizen 24/7 SOC, emitting the continuous-validation telemetry 20x requires. NISTCompliance.AI generates the OSCAL machine-readable packages RFC-0024 mandates by September 2026. The two work together: Cybertorch produces evidence; NISTCompliance.AI structures evidence into the OSCAL package the program requires. Request a consultation to map your path.

Common Questions About FedRAMP 20x

What does the 20x in FedRAMP 20x stand for?
The 20x designation reflects the program's modernization goal of compressing the authorization timeline by an order of magnitude. The legacy Rev5 Moderate authorization typically required 18 to 24 months from kickoff to authorization. The 20x model targets a path that, for cloud-native providers on authorized infrastructure, can be measured in weeks. The name is a directional goal rather than a fixed multiplier.

Is FedRAMP 20x replacing Rev5 entirely?
Eventually, yes, but on a multi-year timeline. Phase 5 in FY27 Q3 to Q4 is the planned end of life for new Rev5 authorizations. Existing Rev5 authorizations remain valid through their renewal cycles. Class D (the former High baseline) currently has no 20x path defined, so High-baseline services remain on Rev5 paths through Phase 5 and possibly beyond.

What is a Key Security Indicator (KSI)?
A KSI is a specific, measurable security outcome a cloud system has or does not have, validated automatically against the running infrastructure rather than asserted in a written narrative. The Phase 1 Low baseline includes 56 KSIs; the Phase 2 Moderate baseline expanded to 61. KSIs are grouped into clusters by security domain: identity (KSI-IAM), system and communications protection (KSI-SC), cloud-native architecture (KSI-CNA), monitoring/logging/auditing (KSI-MLA), and additional families. Each KSI is validated when a continuous validation pipeline emits evidence that the indicator's expected state holds in production.

What is OSCAL and why does it matter under 20x?
The Open Security Controls Assessment Language is a NIST-developed standard for expressing security controls, system descriptions, assessment plans, results, and plans of action in machine-readable JSON, XML, or YAML. RFC-0024 (January 2026) mandates OSCAL machine-readable submission packages for all FedRAMP providers by September 2026, not only 20x participants. Every cloud provider in the federal market is required to produce OSCAL-formatted packages by that deadline.

What is the difference between FedRAMP Authorized and FedRAMP Certified?
Under CR26, the program's terminology shifts from authorization to certification. Legally, FedRAMP has always certified that a cloud service completed the assessment process; only an agency can issue an Authority to Operate. The legacy language conflated the two. The rebrand aligns the program's vocabulary to the legal reality. Existing FedRAMP Authorized services do not lose their status; they continue to operate under their authorizations, and the language updates as new certifications are issued under CR26.

What are the new Certification Classes A through D?
Class A is a transitional designation for services entering federal participation through external frameworks (initially SOC 2 Type II), with a two-year window to obtain a full certification. Class B replaces Low and Li-SaaS, covering approximately 156 controls. Class C replaces Moderate, covering approximately 323 to 325 controls and representing roughly 80 percent of FedRAMP-certified services. Class D replaces High, covering approximately 410 to 421 controls. Class D must go through the Agency authorization path and has no 20x path currently defined.

What is a Significant Change Notice (SCN)?
Under Rev5, providers submitted Significant Change Requests and waited for authorizing-official approval before implementing material changes. Under 20x, that becomes a Significant Change Notice: providers notify the agency of the change and provide the evidence demonstrating the security posture is maintained. The SCN is itself a machine-readable artifact integrated with the OSCAL package. The model shifts from prior approval to continuous notification with continuous validation.

When does FedRAMP 20x Phase 3 General Availability open?
The current target for Phase 3 GA is the second half of 2026 (Q3 to Q4). At Phase 3 launch, any cloud-native cloud service provider running on FedRAMP-authorized infrastructure can pursue a 20x authorization for the Low or Moderate baseline through either the Agency path or the new Program Certification path. Class D (High) is not currently in scope for Phase 3.

Does FedRAMP 20x relax the security requirements?
No. 20x continues to map to the same NIST SP 800-53 Rev 5 control set the legacy baselines covered. Class B covers the same controls Low covered. Class C covers the same controls Moderate covered. Class D covers the same controls High covered. What changes is how compliance is proven, not what compliance is. The 20x model targets 80 percent or higher continuous automated validation, which is more rigorous than the legacy point-in-time assessment model in many respects.

What is the September 2026 deadline?
RFC-0024, issued January 13, 2026, mandates that all FedRAMP providers submit machine-readable OSCAL packages by September 2026. The mandate applies to every provider in the program, not just 20x participants and not just new authorizations. Rev5-authorized services in continuous monitoring must also produce OSCAL packages by the deadline. Providers that have not yet adopted OSCAL tooling should be planning that adoption now.

How does CMMC Level 2 reciprocity work under 20x?
Reciprocity between FedRAMP authorization and CMMC Level 2 assessment is an explicit goal of the modernization program. The full reciprocity rules are being refined through Phase 4 in 2027. Operationally, a cloud provider authorized under FedRAMP that handles Controlled Unclassified Information for Defense Industrial Base customers can structure inheritance such that the FedRAMP authorization provides substantial coverage of the CMMC Level 2 practices. NISTCompliance.AI handles the cross-framework mapping so a single evidence base satisfies FedRAMP, CMMC Level 2, and FISMA Moderate.

How do Quzara Cybertorch and NISTCompliance.AI fit together under 20x?
Cybertorch and NISTCompliance.AI cover the two halves of the 20x equation. Cybertorch is the FedRAMP Certified Class D platform that emits the continuous-validation telemetry KSIs require: 24/7 U.S.-citizen SOC on Azure Government, SIEM, log collection, incident response, and inheritable controls covering the Audit and Accountability, Incident Response, and Continuous Monitoring control families. NISTCompliance.AI is the platform that structures evidence into the OSCAL package the program requires: AI-driven SSP and POA&M generation across 800-plus NIST SP 800-53 Rev 5 controls, with cross-framework mapping to CMMC Level 2 and FISMA Moderate, and an Auditor Co-Pilot capability for 3PAO and C3PAO evidence walkthroughs. The two work together: Cybertorch produces evidence; NISTCompliance.AI structures evidence into the OSCAL package.