FedRAMP 20x Phase 2 concluded in late March 2026 after two pilot cohorts. The Program Management Office’s review window ran through March 31. Phase 3, the wide-adoption phase that opens 20x to general submission, is expected to open in the second half of 2026. The cloud service providers who get into the first wide-adoption cohort will be the ones who treated Phase 2 as a public-facing dry run rather than a private beta.
The 20x Program Management Office published the policy. It did not publish a first-shell submission walkthrough. Twelve vendor blogs paraphrase the same FedRAMP marketing page. None of them describe what to put in the package, in what order, with what evidence. A first-time submitter who reads those blogs and starts assembling their first-shell submission finds that the artifact list is implicit, the sequence is implicit, and the four gating questions the Program Management Office actually asks before accepting the shell are implicit. The cycle window closes faster than the first re-submission round can complete.
This article is the first-shell submission walkthrough. It names the artifacts, sequences them, and documents the four gating questions FedRAMP PMO actually asks. It is written for the Chief Information Security Officer or compliance lead who is doing this for the first time and cannot afford to waste a cohort cycle.
Bottom Line Up Front. FedRAMP 20x Phase 2 concluded in late March 2026, and Phase 3 wide adoption is expected to open in the second half of 2026. Most first-time submitters lose three to six weeks because they package the first-shell submission in the wrong order and miss the PMO’s gating questions. This article gives you the artifact list, the sequence, and the four questions you have to answer before submission. It is written for the CISO or compliance lead who is doing this for the first time and cannot afford to waste a cohort cycle.
What 20x Is and Why the Shell Matters
FedRAMP 20x is the program’s modernization initiative, designed to compress authorization timelines by replacing static documents with continuous, machine-readable artifacts under RFC-0024. The traditional FedRAMP authorization runs 12 to 18 months from kickoff to authorized status; 20x is targeting a fraction of that for cloud service offerings whose architectures support continuous evidence. FedRAMP 20x is the official program reference; the FedRAMP roadmap is the most current source for phase timelines.
The shell is the initial submission package. It is not the full authorization package. It is the document that tells the PMO who you are, what your service does, what your security posture looks like, and why your offering is a good candidate for 20x. The PMO uses the shell to make a binary acceptance decision: this submitter belongs in this cohort, or does not. A rejected shell is not failed; it is returned for revision. A revision plus re-submission inside the same cohort window is operationally possible but tight. A revision that misses the cohort window pushes the submitter into the next cohort, which is a multi-month delay.
A FedRAMP 20x first-shell submission that reads like a sales document rather than an evidence package is the most common cause of those three- to six-week delays. The PMO is not buying the cloud service. The PMO is evaluating whether the offering’s architecture, evidence posture, and program maturity make it suitable for the 20x model. The shell is an evidence document, not a sales document.
The Artifact List, Sequenced
The shell submission has eight artifacts. They are ordered below in the sequence the Program Management Office reads them, which is also the sequence in which they should be assembled. Producing artifact six before artifact two is the operational mistake that produces re-submission cycles.
| # | Artifact | What It Establishes | Typical Length |
|---|---|---|---|
| 1 | Service Description | What the offering does in plain language; the agency use case | 2-4 pages |
| 2 | System Architecture Diagram (logical and data flow) | Trust boundaries, data flows, components, integrations | 2-3 diagrams plus narrative |
| 3 | Boundary Definition | What is in scope, what is out of scope, why | 3-5 pages |
| 4 | Impact Categorization (FIPS 199) | Confidentiality, integrity, availability ratings with rationale | 2-3 pages |
| 5 | Control Implementation Summary | How the baseline controls are implemented, with continuous-evidence approach | 10-15 pages |
| 6 | Continuous Monitoring and Telemetry Plan | What evidence is produced continuously, in what format, accessible how | 5-8 pages |
| 7 | Sponsoring Agency Letter or Sponsorship Plan | Agency relationship status; named sponsor or sponsorship strategy | 1-2 pages |
| 8 | Program Maturity Statement | Existing security program, frameworks held, audit history | 3-5 pages |
The Service Description and the System Architecture Diagram are the two artifacts the PMO reads first to orient itself. A submitter who buries the architecture diagram in an appendix is asking the PMO to do the work of finding it. Put the architecture in the front. Make the diagram clean, the boundary obvious, and the data flows explicit.
The Boundary Definition is where 20x submissions most often fail. The boundary is not the diagram; the boundary is the written argument for why what is in scope is in scope and what is out of scope is out of scope. Boundary arguments that wave at AWS or Azure responsibility models without naming the controls each side owns get returned for revision. Boundary arguments that are explicit about shared responsibility, that name the upstream cloud provider’s authorization that is being inherited, and that show the contractor’s controls layered on top, get accepted.
The Impact Categorization is straightforward when the offering targets one impact level. It becomes more complex when the offering supports multiple impact levels. A shell that proposes a Moderate baseline today and reserves the option to add a High variant later should say so explicitly and explain how the architecture supports the future expansion without re-baselining.
The Control Implementation Summary is the longest artifact and the one that distinguishes 20x submissions from traditional authorization packages. Traditional packages describe controls. 20x submissions describe the continuous-evidence approach for each control family. The summary should not list every control. It should describe how the architecture produces continuous evidence for each control family, with examples of the evidence telemetry and the format in which it is produced.
The Continuous Monitoring and Telemetry Plan is the artifact that earns the 20x acceptance. The PMO is selecting cohort participants whose architectures will support the modernized authorization model. A telemetry plan that names the data sources, the collection pipeline, the format the evidence takes, and the access mechanism for PMO consumption is the artifact that signals the offering belongs in 20x. A telemetry plan that says “we will set up monitoring” is the artifact that signals the offering belongs in the traditional process.
The Sponsoring Agency Letter is the variable that most submitters get wrong. The 20x model permits submission without a named agency sponsor at the shell stage; the PMO will accept a Sponsorship Plan that demonstrates a credible agency-engagement strategy. The mistake is to submit a Sponsorship Plan that names agencies the submitter has never spoken to. The PMO can verify agency engagement, and a fictional plan is a fast path to rejection. A real Sponsorship Plan names two or three agencies the submitter has had documented conversations with, includes the names of the agency contacts, and shows the use cases the submitter and the agency have discussed.
The Program Maturity Statement is the credibility artifact. It is short, factual, and citation-backed. Existing FedRAMP authorizations of any kind, ISO 27001 certifications, SOC 2 Type II reports, StateRAMP authorizations, and other independent third-party attestations all count. The statement should name the certifying body, the date, and the scope. A submitter with no prior third-party attestations is not disqualified, but should be transparent about that fact and explain how the submission compensates with continuous evidence.
The Four Gating Questions FedRAMP PMO Actually Asks
The Program Management Office’s evaluation of the shell turns on four questions. They are not formally documented as gating criteria, but they are the questions whose answers determine whether the shell is accepted, returned for revision, or rejected. A submitter whose package answers all four questions clearly is a submitter whose shell is accepted in the first cycle.
Gating Question One: Is the Architecture Continuous-Evidence Compatible?
20x is built around continuous evidence. The architecture either supports it or does not. An offering whose security posture is documented in screenshots, manual processes, and quarterly reviews is not continuous-evidence compatible. The PMO is reading the System Architecture Diagram and the Continuous Monitoring and Telemetry Plan together to answer this question. The answer should be obvious from the artifacts; if the PMO has to infer it, the answer is no.
Gating Question Two: Is the Boundary Defensible?
The boundary defines what the authorization covers. A boundary that is too tight excludes components that an agency customer would consider in scope; a boundary that is too loose covers components the contractor cannot actually authorize. The PMO is reading the Boundary Definition and the System Architecture Diagram together. A defensible boundary names the components, names the data flows that cross the boundary, names the inherited authorizations, and names the controls the contractor adds on top. A defensible boundary holds up to a contracting-officer challenge from a future agency customer.
Gating Question Three: Is the Sponsorship Real?
The PMO does not require a signed agency sponsorship letter at the shell stage, but the PMO does require credible evidence that the offering has agency demand. A Sponsorship Plan that names agencies and contacts, with documented conversations, is credible. A Sponsorship Plan that names agencies and contacts the submitter has never engaged with is not credible. The PMO will verify on a sample basis. A submission whose sponsorship is fabricated does not get accepted into 20x; it gets the submitter’s name on a shortlist that disadvantages future submissions.
Gating Question Four: Is the Program Maturity Plausible for the Cohort?
20x cohorts are calibrated to the program’s review capacity. The PMO has a finite team and a finite review window per cohort. A submitter whose program is materially less mature than the cohort’s median imposes a higher review burden, which the PMO accommodates by rejecting at the shell stage rather than by stretching the cohort review window. Mature programs with prior third-party attestations are favored. Less mature programs that compensate with strong continuous-evidence architectures are favored. Less mature programs that compensate with marketing language are not.
The Three Cohort-Cycle Operational Lessons
Three operational lessons emerged from Phase 2 Cohorts 1 and 2 that should inform Phase 3 submissions.
The first lesson is that the cohort window is the binding constraint. Cohort 1 closed in late January 2026; Cohort 2 closed in mid-March 2026 (verify exact dates at fedramp.gov/20x before your Phase 3 submission timeline). A submitter who missed Cohort 1 by a week was not free to submit two weeks later; they waited several weeks for Cohort 2. Phase 3 is expected to open with similar cadence. The submission timeline should be built around the cohort window, not around internal milestones.
The second lesson is that re-submission inside the same cohort is possible but tight. A shell returned for revision in week one of the review window can typically be revised and re-submitted by week three. A shell returned for revision in week three has insufficient runway. Submitting early in the cohort window, even at the cost of a less-polished package, dominates submitting late with a more-polished package, because the early submission preserves re-submission optionality.
The third lesson is that PMO feedback is specific and actionable. The PMO does not return a shell with vague guidance. It returns specific findings with specific revision asks. A submitter who treats the feedback as suggestions rather than requirements re-submits a package that is rejected on the same grounds. A submitter who treats the feedback as the rubric and revises against it gets accepted on the second submission.
The 60-Day Pre-Submission Plan
For a submitter targeting Phase 3 wide-adoption submission in the second half of 2026, the 60-day pre-submission plan is the operational sequence that produces a defensible shell.
Days 1 through 10: Architecture and Boundary. Produce the System Architecture Diagram and the Boundary Definition first. These two artifacts gate the rest of the package because every subsequent artifact references them. A boundary that gets revised in week eight forces re-work in artifacts produced in weeks two through seven.
Days 11 through 20: Impact Categorization and Control Implementation Summary. With the boundary fixed, the categorization is straightforward and the Control Implementation Summary can be drafted against the right baseline. The Summary should be drafted at outline level first, with detailed implementation language added in days 21 through 30.
Days 21 through 30: Continuous Monitoring and Telemetry Plan. This is the longest artifact in elapsed time because it requires real coordination with engineering. The plan must reflect the actual telemetry capabilities, not aspirational ones. A plan that describes telemetry the architecture does not produce is the artifact that fails Gating Question One.
Days 31 through 40: Sponsorship and Program Maturity. Use this window to confirm sponsorship-engagement conversations, document what was discussed, and finalize the Program Maturity Statement. A submitter whose Sponsorship Plan is being assembled in days 51 through 60 is a submitter whose plan reads as fabricated.
Days 41 through 50: Internal Review and Revision. Run the assembled package through a full internal review with security architecture, compliance, engineering, and a senior executive who will sign the submission. Internal review surfaces gaps the assemblers cannot see. Revisions made in this window are cheap; the same revisions made after PMO feedback are expensive.
Days 51 through 60: Final Polish and Submission Window Alignment. Final pass for clarity, citation accuracy, and consistency across artifacts. Confirm the cohort submission window. Submit on day one of the window, not day fifteen.
Frequently Asked Questions
Do I need a sponsoring agency before submitting?
No. The 20x model accepts a Sponsorship Plan in lieu of a signed sponsor letter at the shell stage. The plan must be credible: named agencies, named contacts, documented conversations. Fabricated sponsorship is detected and is fatal to the submission.
Can I submit at FedRAMP High in 20x?
The Phase 2 cohorts focused on Moderate baselines. Phase 3 is expected to open access to High baselines as well, though specific guidance has not been published. A High-baseline submitter should monitor the FedRAMP roadmap for the relevant Phase 3 cohort criteria and weigh the cost differential between Moderate and High before committing to a High submission.
What happens if my shell is rejected?
Shells are not formally “rejected” in most cases; they are returned for revision. A returned shell can be revised and re-submitted within the cohort window if time allows. A returned shell that misses the cohort window must wait for the next cohort.
How long is the cohort review window?
Phase 2 cohort review windows ran approximately six to eight weeks from cohort close to acceptance decisions. Phase 3 windows are expected to be similar but have not been formally announced.
Can I submit if I already have FedRAMP authorization through the traditional process?
Yes. Existing FedRAMP authorization is a strong Program Maturity signal. Some existing-authorization submitters are using 20x for new offerings or new variants of authorized offerings.
What format should the artifacts be in?
The PMO accepts traditional document formats for shell submissions. Continuous-evidence artifacts are expected in machine-readable formats consistent with OSCAL where applicable. The Continuous Monitoring and Telemetry Plan should describe the formats; the shell does not require the actual telemetry to be operational at submission, but the plan must show the telemetry will be operational at authorization.
The verdict. The 20x shell is an evidence package, not a marketing package. The submitters who get accepted into early cohorts have done three things: produced clean architecture and boundary artifacts, built telemetry plans grounded in real engineering capability, and managed sponsorship conversations as documented relationships rather than as form-fields. The Phase 3 wide-adoption window is a one-time positioning opportunity for cloud service providers without prior FedRAMP authorization; the submitters who treat the 60-day pre-submission window with discipline will be the ones who land in the first wide-adoption cohort. The submitters who treat 20x as a traditional FedRAMP package with a different cover sheet will not.
