FedRAMP 20X: Key Terms to Know
Navigating the key terminology in FedRAMP 20X
By Patrick Clark

Key Terms
FedRAMP, as part of the FedRAMP 20X initiative, has implemented new terminology to describe the process, and it's associated activities. If you are familiar with previous FedRAMP processes, such as the Rev 5 process, this article will help you navigate the new terminology in FedRAMP 20X.
Certification Class
In previous iterations of FedRAMP, systems were classified as either LI-SaaS, Low, Moderate, or High. You may have seen something like "FedRAMP Moderate Authorized". This has completely changed in FedRAMP 20X. The table below outlines the new Certification Classes, and how they map to previous versions of FedRAMP.
| 20X Class A | 20X Class B | 20X Class C | 20X Class D | |
|---|---|---|---|---|
| Who is it for? | Class A was created for the initial Pilot 20X CSOs | Cloud Service Offerings handling low-impact, non-sensitive, public, government data. | Cloud Service Offerings handling moderate-impact government data, including Controlled Unclassified Information (CUI) | Cloud Service Offerings handling high-impact data that could cause severe adverse effects on Federal Government Agency operations. |
| Number of Rules | 30 | 191 | 191 | Not Yet Available1 |
| Previous Impact Level Designation | Pilot/FedRAMP Ready | LI-SaaS/Low | Moderate | High |
1 While FedRAMP has not provided rules for 20X Class D, Rev5 rulesets can be found on the FedRAMP website.
FedRAMP Certified
Replacing FedRAMP Authorized, FedRAMP Certified is now the designation for Cloud Service Offerings that have successfully completed the certification process, and are continuing with Ongoing Certification requirements
Key Security Indicators
Key Security Indicators, or KSIs, do NOT replace NIST SP 800-53 controls. Instead, KSIs provide actionable, technical evidence that a control (or set of controls) is met. This allows Cloud Service Providers to more easily, and effectively, prove their security instead of filling out endless documentation
Deeper Dive
If you are ready to dive deeper into the world of FedRAMP 20X, these definitions and more can be found on FedRAMP's website https://fedramp.gov. Always check the FedRAMP website for the latest information regarding 20X.
About Oculus Security
Oculus Security, LLC was founded in 2025 by Patrick Clark. After spending years in Government, Cloud, and Defense Tech, Patrick wanted to take the principles he had learned and use them to help other companies achieve their compliance goals faster and cheaper.
Ready to get started?
Let's discuss your compliance goals and how we can help you navigate FedRAMP.
Get in touch