Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

We say this just about every time the subject comes up (which is often, given our industry and role in it), but valid information security is not a state of being. It is a moving target and a process. Achieving certification for a certain level of security is a snapshot of a moment in time, but before the hands on the clock swing around again, that snapshot is out of date. Security frameworks like FedRAMP deal with this reality in a few different ways.

By now, you likely know the basics of FedRAMP, especially if you’ve read our robust coverage of the program. But, like all good cybersecurity frameworks, it evolves and changes over time, and our knowledge needs to be updated. One recent development is the 20x pilot program, which entered phase one in March of 2025. What is this pilot program, what does it do, and who is it for? Read on to learn more about 20xP1 and what it means for you.

If your business has to adhere to compliance rules for a framework like FedRAMP, CMMC, or ISO 27001, keeping track of all of the proof of implementation and artifacts is a full-time job. From individual security controls to overall framework compliance to ISMS implementation to stakeholder assignments, it can very easily be a cluttered, disconnected mess. Being able to see it all at a glance can feel like an unattainable dream.

ISO 27001 is one of the most complex security frameworks commonly in use around the world. That complexity comes from the way it is designed: not as a checklist to follow, but rather as a series of guidelines to achieve. The difference between those two things is stark, even if it doesn’t sound like it. The way ISO 27001 works is that you develop an ISMS, or Information Security Management System.

Part of the process of achieving certification with CMMC is undergoing an audit to validate your security posture across all of the relevant security controls. This can’t be done internally; part of maintaining a valid security framework is using third-party assessors to do the validation, to ensure an unbiased and equitable evaluation, no matter who the client is.