Case Study

Secureframe Navigates FedRAMP 20x Pilot and Future of Federal Compliance with Coalfire

February 20, 2026

As more cloud providers compete for federal buyers, the ability to produce credible, continuously updated security evidence has become a baseline expectation.

Secureframe — an AI-powered compliance automation platform — helps thousands of companies generate exactly that kind of evidence across security frameworks. As one of the first companies to get CMMC Level 2 certified, Secureframe has continued to build on momentum in federal compliance and innovation to support Defense Industrial Base organizations pursuing CMMC. To deepen trust with federal customers, Secureframe pursued FedRAMP authorization through the 20x program, starting with 20x Low and now with Moderate.

Challenge

Secureframe pursued FedRAMP 20x authorization when the program was still in pilot phase. The timing offered a strategic advantage. Early movers could establish credibility in the federal market. But it posed obvious challenges, too:

  • Intentionally vague requirements: The 20x pilot was designed to test what an automation-first compliance model should look like rather than prescribe exactly how to achieve it. Secureframe believed in the mission of 20x and was eager to support it, but volunteering this early could backfire if they weren’t prepared.
  • Interpreting Key Security Indicators: Unlike traditional FedRAMP, which relies on extensive documentation and narrative evidence, 20x uses Key Security Indicators—measurable signals that require organizations to demonstrate their security posture through actual automation and continuous monitoring. The KSIs were less prescriptive than traditional controls, so Secureframe needed to figure out what implementation approaches would satisfy each indicator and what evidence would hold up under assessment.
  • Building custom automation infrastructure: Phase Two (Moderate authorization) demanded significant engineering investment beyond existing tooling, such as custom automation and validation systems that could continuously demonstrate security posture, not snapshots.
  • Finding the right 3PAO partner: Secureframe needed an assessor who could help navigate these unknowns while maintaining rigorous independent assessment standards.

Solution

Secureframe selected Coalfire Systems as their 3PAO for both FedRAMP 20x Low authorization and the Moderate pilot. Coalfire brought deep experience in federal assessments and a track record with many of Secureframe's own customers, which established trust from the start. More importantly, Coalfire was willing to do what the pilot required: iterate through ambiguity without losing assessment rigor.

The work started with translation. Coalfire helped translate abstract KSI requirements into clear guidance. As experts in both advisory services and assessments, Coalfire could interpret what FedRAMP expected to see in practice — not just what the requirements said on paper, but what evidence would hold up under assessment, even as the standards were being shaped.

For the Moderate authorization, the relationship changed significantly. FedRAMP 20x explicitly permits assessors to advise cloud service providers on techniques and procedures that improve security posture, as long as it doesn't compromise assessment objectivity. This meant Coalfire could answer Secureframe's questions about how to implement specific requirements, offer perspective on different approaches, and help them build stronger validation capabilities.

“Having a partner who can navigate this uncharted territory with us while maintaining the rigor of an independent assessment was crucial. Coalfire brought deep 3PAO experience and was a highly trusted audit partner who had worked with many of our customers. Without that partnership approach, the entire process could have broken down. We're very pleased with the services they delivered.”
- Cavan Leung, Senior Compliance Manager, Secureframe

Impact

  • Secureframe achieved FedRAMP 20x Low authorization and advanced to the Moderate pilot. The authorization validated their platform's security capabilities and built trust with federal customers looking for FedRAMP-authorized solutions.
  • The engagement validated and strengthened Secureframe's security program. Phase One confirmed the platform's existing automation capabilities, while Phase Two's more rigorous requirements drove further investment in custom automation and continuous validation infrastructure that demonstrated a reliably strong security posture rather than point-in-time snapshots.
  • The experience also positioned Secureframe to better serve its customers. Having navigated FedRAMP 20x themselves, Secureframe built a compliance automation platform that reflects firsthand knowledge of what federal authorization requires and how to build evidence that holds up under rigorous assessment.

Conclusion

As an early participant in the 20x pilot, Secureframe established credibility as a leader in federal compliance innovation and demonstrated their commitment to government customers in a tangible way. Coalfire Systems guided them through the uncertainty, helping translate abstract requirements into working security programs.

If your organization is pursuing FedRAMP authorization, we can help you understand what's required and how to build it. Reach out to learn more about our FedRAMP 20x services.