
From pilot to Moderate: Lessons from Vanta’s FedRAMP 20x journey
Vanta is now FedRAMP 20x Moderate authorized.
This milestone follows our FedRAMP 20x Low authorization less than one year ago. It also reflects our continued investment in Vanta for Government, which helps government vendors, federal agencies, and SLED organizations navigate the frameworks, workflows, and requirements shaping public sector security and compliance.
First announced in March 2025, the FedRAMP 20x program is designed to modernize the traditional authorization process, making it faster, more cost-effective, and more streamlined for both cloud service providers and federal agencies.
Vanta achieved Moderate authorization as part of Phase 2 of the FedRAMP 20x pilot program, which builds on the automation-first approach introduced in Phase 1. Phase 3 will further build on these learnings to encourage wide-scale adoption of 20x Low and Moderate.
Below are three lessons we learned as we progressed from FedRAMP 20x Low to Moderate.
Lesson 1: Broad KSIs benefit from a clear security approach
FedRAMP 20x uses broad Key Security Indicators (KSIs), giving organizations flexibility to define meaningful security in their own environment. Unlike Rev. 5 Moderate—with 300+ highly prescriptive controls—20x shifts the focus to interpreting intent and implementing controls that effectively address it.
How we approached it
At the Moderate level, the expectation is not just to have automated checks, but to ensure those checks comprehensively cover critical areas such as identity, access, and infrastructure.
We started by breaking down the intent behind each KSI. From there, we identified specific, measurable security events that would demonstrate that intent in practice. These events became the foundation for our automated controls.
This approach allowed us to build controls that are both aligned with FedRAMP expectations and tailored to how our systems actually operate. In other words, we were able to focus on meaningful security for our company, which aligns with one of the overall goals of 20x.
Key takeaway: Clarity makes KSIs work
The flexibility of KSIs is a strength, but it requires clarity. Success depends on translating broad security goals into concrete, testable conditions. Organizations that invest upfront in defining what strong security looks like in their environment will be better positioned to build effective, automated controls.
Lesson 2: Raising the bar for automation makes FedRAMP 20x more scalable
The FedRAMP 20x pilot emphasizes automation, machine-readable validation, and KSIs to streamline the authorization process while maintaining a high bar for security.
This shift becomes more pronounced at the Moderate level. As part of the pilot, at least 70% of KSIs were required to be validated through automated, machine-readable methods. This defined threshold helped standardize what “high assurance” looks like in a model that otherwise allows for flexibility, raising the bar compared to traditional Rev. 5 approaches that rely more heavily on manual evidence collection.
How we approached it
Rather than focusing on what evidence to collect, we focused on how to continuously validate security controls in our environment.
For example, after defining our security approach, we developed more than 100 automated tests designed to validate key areas of our security posture on an ongoing basis.
This approach ensures that controls are not just documented, but actively enforced and continuously verified.
Key takeaway: Prioritize continuous, automated validation
This automation transforms compliance from a periodic, audit-driven exercise into an ongoing, engineering-driven process.
With continuous validation in place, issues surface immediately. When tests fail, they reflect real gaps—and can be addressed in real time. This creates a more accurate and actionable view of security posture while significantly improving scalability.
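The pattern described in Lessons 1 and 2 (decompose a broad KSI into measurable conditions, run those conditions as automated tests against machine-readable evidence, and track how much of the program is validated automatically) can be sketched as a small harness. This is an added example, not Vanta's code or the FedRAMP program's own tooling; the KSI identifiers are hypothetical, the environment snapshot is constructed, and the 70% figure is the threshold the text above cites.

```python
"""Hypothetical KSI-to-check harness (added example, not Vanta's code).

Each broad Key Security Indicator is decomposed into concrete, testable
conditions that run against a machine-readable snapshot of the environment.
The snapshot and KSI ids below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed environment snapshot: the shape an inventory export might have.
SNAPSHOT = {
    "users": [
        {"name": "alice", "mfa": True, "last_login_days": 3, "admin": True},
        {"name": "bob", "mfa": False, "last_login_days": 12, "admin": False},
        {"name": "svc-deploy", "mfa": True, "last_login_days": 120, "admin": False},
    ],
    "storage_buckets": [
        {"name": "app-logs", "public": False, "encrypted": True},
        {"name": "static-assets", "public": True, "encrypted": True},
    ],
    "hosts": [
        {"name": "api-1", "patch_age_days": 5},
        {"name": "api-2", "patch_age_days": 41},
    ],
}


@dataclass
class Check:
    """One measurable condition derived from a KSI's intent."""
    name: str
    automated: bool               # True if validated from machine-readable evidence
    fn: Callable[[dict], list]    # returns the list of offending resources


@dataclass
class KSI:
    """A broad indicator (ids are hypothetical, not official FedRAMP 20x ids)."""
    ksi_id: str
    intent: str
    checks: list = field(default_factory=list)


def users_without_mfa(s):
    return [u["name"] for u in s["users"] if not u["mfa"]]


def stale_accounts(s, max_days=90):
    return [u["name"] for u in s["users"] if u["last_login_days"] > max_days]


def public_buckets(s):
    return [b["name"] for b in s["storage_buckets"] if b["public"]]


def unpatched_hosts(s, max_days=30):
    return [h["name"] for h in s["hosts"] if h["patch_age_days"] > max_days]


KSIS = [
    KSI("KSI-HYP-IDENTITY", "Only verified, active identities can authenticate", [
        Check("all_users_have_mfa", True, users_without_mfa),
        Check("no_stale_accounts_over_90d", True, stale_accounts),
    ]),
    KSI("KSI-HYP-DATA", "Customer data is not exposed to the public", [
        Check("no_public_buckets", True, public_buckets),
    ]),
    KSI("KSI-HYP-INFRA", "Infrastructure is kept patched", [
        Check("hosts_patched_within_30d", True, unpatched_hosts),
        # Manual attestation: still a condition, but not machine-validated.
        Check("patch_policy_reviewed_quarterly", False, lambda s: []),
    ]),
]


def run_checks(snapshot=SNAPSHOT, ksis=KSIS):
    """Run every check; return {ksi_id: {check_name: [offenders]}} for failures only."""
    failures = {}
    for k in ksis:
        for c in k.checks:
            offenders = c.fn(snapshot)
            if offenders:
                failures.setdefault(k.ksi_id, {})[c.name] = offenders
    return failures


def automated_ksi_ratio(ksis=KSIS):
    """Fraction of KSIs whose every check is automated (one reading of the 70% rule)."""
    fully = sum(1 for k in ksis if k.checks and all(c.automated for c in k.checks))
    return fully / len(ksis)


def meets_automation_threshold(ksis=KSIS, threshold=0.70):
    return automated_ksi_ratio(ksis) >= threshold


if __name__ == "__main__":
    for ksi_id, bad in run_checks().items():
        for check, offenders in bad.items():
            print(f"FAIL {ksi_id}/{check}: {offenders}")
    print(f"automated KSI ratio: {automated_ksi_ratio():.0%}")
```

Each failing check names the specific resource behind the gap, which is what makes a failure actionable rather than a finding to be written up later; and because the manual attestation drags the third KSI below the fully-automated bar, the harness reports 67% and flags the program as short of the 70% pilot threshold, showing how a single manual control can affect the automation figure.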
Lesson 3: FedRAMP 20x is a team sport
FedRAMP 20x shifts compliance from a documentation-heavy process to one deeply embedded in how systems are built and operated.
As a result, authorization can no longer sit solely with GRC or audit teams; it requires close collaboration across engineering, product, security, IT, and leadership.
How we approached it
At Vanta, we had strong support from our leadership team from the get-go. Both our CISO and CPO were involved in the program, starting with 20x Low.
For Moderate authorization, we worked closely across teams responsible for building and maintaining our systems to meet the demands of continuous testing and automation. During the test development phase, we held daily standups and maintained a centralized view of automated tests, ownership, and progress. This ensured alignment and accountability across teams.
Overall, FedRAMP 20x Moderate authorization was a coordinated effort across IT, security, GRC, engineering, product, and leadership. Early investment in collaboration was critical, particularly during the application phase, where we spent several weeks building and refining automated tests to meet program requirements.
Key takeaway: Don’t treat 20x as a compliance-only project
FedRAMP 20x should not be treated as a compliance-only initiative. It is a shared effort that depends on early and sustained collaboration across teams. Organizations that align engineering and security efforts from the outset will be better equipped to build scalable, continuously monitored compliance programs.
Apply Vanta’s learnings to your own program
For organizations considering FedRAMP 20x, the key is to approach it not as a checklist, but as an opportunity to rethink how security is defined, implemented, and measured.
Want to learn more about what your path to FedRAMP authorization could look like with Vanta? Request a demo with the Vanta for Government team.