
Articles
Notes on FedRAMP 20x, compliance automation, and what it actually takes to ship a federal authorization.
- FedRAMP says your MFA probably doesn't count. Here's why.
  FedRAMP requires phishing-resistant MFA — FIDO2 keys or PIV cards, not TOTP or push. Why your existing MFA likely fails the requirement, how to read any KSI for yourself, and what to do this month.
- FedRAMP just got a new authorization track. Here's what it looks like.
  FedRAMP 20x replaces narrative System Security Plans with machine-readable FRMR JSON organized around 64 Key Security Indicators. What's different, what's not, and what to do this year.
- So your CEO just said we need FedRAMP. Start here.
  What FedRAMP Class C (Moderate) actually costs and takes in 2026, what's changing with FedRAMP 20x and CR26, and three things to do this week.
More in this series coming soon: Part 4 (cost & time math), Part 5 (the 2028 horizon).