FedRAMP 20x is the first major update to the program in more than a decade. The goal isn’t to reinvent the wheel, but to modernize how compliance is demonstrated and maintained. Instead of relying on static paperwork and point-in-time evidence, 20x is shifting toward continuous validation and risk-based prioritization. 

Right now, there are three areas generating the most attention: 

Each one changes the way organizations prove and maintain compliance. Here’s what’s different, what it looks like in practice, and what the impact will be. 

In the past, proving compliance meant submittingartifacts: screenshots, policies, and narrative descriptions. Under 20x, compliance will hinge on machine-readable metrics — Key Security Indicators — that provide real-time validation instead of static evidence. 

Previously, to show that multi-factor authentication (MFA) was in place, you might have uploaded a screenshot of your identity provider settings and a copy of your access policy. With KSIs, you’ll need to demonstrate through automated data feeds how many active accounts exist, how many have MFA enabled, and where exceptions remain. 


This doesn’t eliminate the need for policies or oversight, but it fundamentally changes how compliance is proven. Organizations must ensure their tools generate data at the right level of detail, and their GRC platforms can ingest and analyze that data in real time. Continuous monitoring becomes the baseline expectation. 

2. Risk-Based Vulnerability Management (POA&Ms) 

 
Remediation timelines are no longer one-size-fits-all. Critical vulnerabilities will carry shorter deadlines, while other findings may be assigned more flexible windows depending on context and exploitability. 


A scanner flags 200 vulnerabilities. Under the old model, “highs” had to be closed in 30 days and “moderates” in 90 — regardless of where they sat or whether they were realistically exploitable. With 20x: 

An internet-facing flaw with a known exploit must be closed quickly. 

A high-severity issue buried behind two layers of authentication may have a longer remediation window. 


The total workload isn’t reduced. Every vulnerability still has to be addressed. What changes is that timelines are now tied to actual risk rather than scanner ratings alone. That allows teams to move faster on what matters most, while still relying on patch management and configuration management cycles to handle the full volume of issues. The challenge is proving — with evidence — that you are prioritizing effectively. 

For actionable insights from industry experts on integrating AI into your cyber risk management and governance strategy, download the Cyber Leadership Playbook. 

Get the Cyber Leadership Playbook 

3. Significant Change Notifications (SCNs)


SCNs are being reworked to bring more structure and predictability to how system changes are reported and reviewed. The goal is to reduce ambiguity while maintaining oversight. 


Today, adding a new system component or changing your authorization boundary often triggers lengthy back-and-forths with an agency sponsor. Under 20x, the SCN process will be standardized, with clearer definitions of what counts as “significant” and more consistent handling of reviews. 


This doesn’t remove scrutiny. Agencies will still want to understand how changes affect your security posture. But a more structured SCN process means fewer delays, less confusion, and a smoother path for organizations making necessary updates to their environments. 

These three changes point to a bigger truth: FedRAMP 20x raises the operational bar. Organizations will need platforms that can: 

Normalize it into evidence that maps to KSIs 

Provide analytics to show compliance in real time 

Support structured processes like SCNs without derailing operations 

Not every GRC platform can handle that scale, and not every stack is ready to feed data at the depth required. That’s why early preparation — and the right partners — matter. The same urgency applies to defense contractors navigating the newly finalized CMMC rule; 

It’s tempting to wait until 20x is fully rolled out before making changes. But by then, the gap between prepared and unprepared organizations will be wide. Preparing now means: 

Reviewing your vulnerability management process

who already have FedRAMP authorization and experience navigating these requirements. 

FedRAMP 20x doesn’t change the mission: protecting federal data in the cloud. What it changes is the method. By tying compliance to KSIs, risk-based remediation, and structured change management, the program is demanding evidence that security is real, continuous, and measurable. Organizations that start adapting now — with the right tools and partners — will be the ones ready to succeed in this new FedRAMP era. 

FedRAMP 20x is raising the bar for cloud compliance. Find out how Diligent helps organizations stay ahead with real-time evidence, structured workflows, and FedRAMP-ready solutions 

FedRAMP 20x: What’s actually changing and why it matters 

Sal Newberry has served as the clerk for a seven-member municipal council for 10 years. While she enjoys the variety of responsibilities her role entails, she places particular importance on one task: taking minutes at council meetings. She knows that clear, accurate meeting minutes are essential not only for the council’s internal recordkeeping but also for maintaining transparency with the public. Over time, however, the pace and complexity of meetings have increased. In addition to minute-taking, Newberry must enforce Robert’s Rules of Order and manage technical aspects like livestreaming, which can divert her attention from capturing key details.

To keep up with these demands, Newberry sees the value in using a meeting minutes template. A well-structured template allows her to input essential information before the meeting begins, helping her stay organized and focused during fast-paced discussions. It also enables her to deliver finalized minutes to board members, leadership and the community more quickly and efficiently. For clerks like Newberry, a meeting minutes template isn’t just a convenience — it’s a vital tool for accuracy, speed and professionalism.

Why a meeting minutes template for municipal clerks is helpful

Meeting minutes are a legal and official record of meetings. Minutes can be called into court proceedings as legal evidence, so it’s important that they are true and accurate.

Taking meeting minutes manually is time-consuming. Meeting discussions can go fast, so it’s possible for you to miss important points while writing down notes.

With a template, you can prefill routine details — such as the meeting date, location, and attendees — before the meeting begins, allowing them to focus on capturing key decisions and discussions in real time. This not only improves the accuracy of the minutes but also speeds up the entire documentation process, making it easier to share records with board members and the public promptly.

 offer a templated live minutes feature where much of the information is automatically filled in from the agenda before the meeting starts. This helps to streamline the rest of the process so clerks can focus on the proceedings and capture decisions as they happen. 

Information to include in council meeting minutes

 yourselves or use a template, they should include the following items at a minimum: 

Names of any members present, including elected officials and staff.

Names of board members who arrive late or leave early.

A description of each action item, motion, proposal or resolution.

The identity of anyone making and seconding a motion, along with the name of each person voting for or against each proposal.

Notes about complying with specific legal procedures

Using a standardized template aligned with your agenda and local policies ensures consistency across all meeting records, whether for full council sessions or committee gatherings. It simplifies the process for you by providing a repeatable structure that can be adapted as needed, reducing the time spent formatting and organizing notes.

With a reliable template in place, you can focus more on capturing the substance of discussions and decisions, confident that the framework supports legal compliance and public transparency. Over time, this consistency also helps build trust with stakeholders who rely on clear, accessible records of government proceedings.

A template for minutes for a local government or council meeting

If you’ve never used a template for minutes before, your current minutes can help you structure a template. Your state or local government may also have policies on how minutes are to be recorded and what should be included.

Since minutes follow the order of the agenda, the agenda will also give you an indication of how to format and order council meeting minutes. Templates also should allow for some flexibility to change between full board meetings and committee or council meetings.

The Georgia Municipal Association recommends the following order for 

Bids, contracts, expenditures and agreements

Rather than starting from scratch each time, a meeting minutes template allows you to work smarter by organizing recurring elements in a consistent format. This not only reduces the risk of missing key details but also ensures that all required information is captured efficiently and accurately.

Here's an example of a council meeting minutes template available on Diligent Community:

Templates can be tailored to reflect the structure of council meetings, making it easier to follow the agenda and record actions in real time. By eliminating repetitive formatting tasks, you can focus on the substance of the meeting and produce minutes that are both thorough and timely.

Once you experience the time-saving benefits of using a meeting minutes template, the next logical step is to enhance that efficiency with technology. Digital tools not only support the use of templates but also automate and streamline the entire agenda, board pack creation and minute-taking process — helping you stay focused, organized and accurate during even the most fast-paced meetings.

Diligent Community is designed to streamline the minute-taking process for clerks. With automated tools, you can focus on recording accurate meeting minutes rather than getting bogged down with formatting and data entry.

The software has other features that save time, enhance and make minute-taking more effective:

 The software allows you to prefill essential details in a template, such as date, time, location, attendees, standing headings and items reducing the amount of manual data entry required

 During meetings, you can add notes directly to the corresponding sections of the minutes template, which enhances accuracy and efficiency. 

 After reviewing for accuracy, you can publish the meeting minutes to elected officials, stakeholders and the public with just one click, mirroring the publishing process for agendas. 

 Quickly and easily add minutes to your next meeting agenda for official adoption.

 All meeting agendas and minutes are stored securely online, allowing for easy access and searches. This feature helps ensure that important records are never lost and can be retrieved quickly. 

 The transparency website allows the public to access council meeting agendas and minutes easily, promoting transparency. 

“Resolute Bay has worked with Diligent to add the required language capability to the Diligent Community product so meeting minutes can now be accessed by citizens via the public site in their native tongue.” Ian Dudla, Chief Administration Officer, Municipality of Resolute Bay

Diligent Community also offers artificial intelligence (AI) support for minute-taking. AI Meeting Minutes feature allows you to generate relevant, high-quality meeting minutes based on your public meeting livestream transcripts.

Articulate key takeaways and track decisions and actions.

Enhance accuracy and efficiency in creating meeting minutes, even during fast-paced discussions.

Ensure that all actions and motions are accurately captured and documented.

Suggest updates to text based on past meeting records, easily added to minutes with a single click.

Diligent Community not only supports you and other municipal clerks in maintaining accurate records but also enhances overall meeting productivity, making the entire process faster and more organized. 

 today to see how we can help support the work of your local government.

Why every municipal clerk needs a meeting minutes template 

This article originally appeared in our September 11, 2025 edition of the Diligent Minute Newsletter. For more insights like these, delivered straight to your inbox, subscribe

Governance leaders feel more confident about AI these days, if the findings from our latest 

We asked GCs their key areas of risk right now, and only 8% mentioned technological disruption. This calm was a little surprising to me, given the current frenzy to integrate AI and see results as soon as possible.

AI risk perceptions among governance leaders

recent episode of the Corporate Director Podcast

 particularly timely. We talked to Beena Ammanath, Global Head of the Deloitte AI Institute and a faculty member for Diligent’s AI Ethics and Board Oversight Program. Ammanath’s literally written the book — 

 — on navigating tech disruption, and I always find her take on things very thoughtful, nuanced and reassuring, as you’ll see in these expert tips for AI strategy and adoption. 

Sticking with our GC theme, the paralegals who support them have typically followed an established career path. Early on, they spend a lot of time looking up statutes and contracts and reviewing documents. The information they learn along the way equips them for more senior roles.

But now AI has automated the whole process, transforming the team’s workload and profession’s overall pipeline and career trajectory. It leaves paralegals understandably worried — especially when they hear promises that AI will take away the boring parts of their work and make their jobs easier.

“Leaders have a responsibility to go beyond the clichés,” Ammanath said. “What happens to the workday when organizations make the job easier? If AI is going to create new jobs, what are those roles?”

“I think leaders have a huge responsibility to proactively think about that,” Ammanath said, citing the need to create organizational structures for new career paths and provide both targeted upskilling and general AI training to build fluency across the workforce.

Then there’s the matter of the human/machine relationship. “How can leaders thrive and succeed in this era of AI where humans and machines are working so closely together?” Ammanath asked. “To work in the best possible way, where can we get the maximum benefit with the minimum side effects?”

We’ve all seen cautionary tales about students outsourcing the entirety of their coursework to ChatGPT. This should go without saying but: Don’t do that in your organization.

In the podcast, my cohost Meghan Day and I talked about studies of what people’s brain waves look like when they use AI at different levels. The heaviest AI use showed the lowest brain function — almost like people were asleep. More optimal EKG activity happened when AI users started a task with their brains and then added ChatGPT.

“Personally, I’ve been most successful embracing AI in my job in areas where I already know what good looks like,” Day said. “And AI is able to speed my work along.”

AI also promises big potential for board members. You can train different agents to have different personalities and perspectives so they can frame problems in new ways for you, for example. But you’ll still need to oversee them and evaluate their output with your own human expertise to ensure accuracy and nuance.

3. Make continuous education — and hands-on use — a cultural norm

Navigating AI’s risks and rewards requires knowledge of AI itself.

This doesn’t mean dropping everything to become an AI expert (although those nine-figure job offers make it tempting). It means having a basic understanding of core AI principles, like machine learning, deep learning and computer vision — and what these principles look like in action.

“As corporate directors, it's important to focus the time and energy to not only learn about AI, but start using AI tools in your job,” Ammanath said.

AI is changing the way we work and the way we lead. For practical strategies and insights from Beena Ammanath,

listen to the full conversation on the Corporate Director Podcast: AI leadership strategies for a changing world.

This article originally appeared in our August 28 edition of the Diligent Minute Newsletter. For more insights like these, delivered straight to your inbox, subscribe 

My colleague Josh Black, Vice President of Editorial at Diligent, doesn’t use words like “eventful” and “unconventional” lightly. So, when I saw them front and center in the editor’s forward of this year’s Proxy Season Review, which Diligent Market Intelligence prepares in association with Olshan Frome Wolosky and Campaign Management, I paid even more attention than usual.

“It is difficult to recall a more eventful or unconventional proxy season since the first year of the pandemic,” Black declared. 

Relentless market volatility is only part of it

. Activists have beena dopting new tactics and advancing stronger director candidates to achieve their desired objectives, especially in the U.S. “It feels very much like an inflection point,” Black added.

Proxy season 2025: Evolving shareholder engagement strategies

In this year’s review, his team examines this inflection point, connecting the dots between what we’ve seen in this year’s proxy season and what these trends mean for boards and advisors right now. Here are a few key takeaways, starting with shareholder engagement.

You’ve probably observed a noted decline in proactive communications by institutional investors lately. Regulatory developments, like revised guidance on Schedule 13D/G eligibility, are a big part of this.“ Norms have unmistakably evolved,” Campaign Management CEO and Founder Michael Fein pointed out in his analysis. “Institutional investors paused outreach, reassessed compliance exposure, and pulled back from dialogue just as several proxy campaigns were gathering momentum.”

Shareholders still care deeply about board structure, accountability, and transparency — critical contributors to strong corporate performance in uncertain times.

In the first half of the year, 33 governance-focused proposals passed with majority support. Board composition has been a common target, with director shuffles at Phillips 66 and Penn Entertainment far from isolated anomalies. We’ve also seen a significant increase in withhold campaigns for driving director changes and other demands.

2. Make real-time data and shareholder sentiment a board priority

Amid this perfect storm of new tactics, heightened scrutiny and radio silence from institutional investors, it’s harder than ever to anticipate vote dynamics and activist positioning.

Is a withhold campaign targeted pressure for governance enhancements, or a prelude to a full-blown proxy fight? Your company’s future depends on answering questions like these quickly and well. And this means moving beyond historical data, guesswork and ad hoc interpretation to real-time intelligence.

Now is the time to invest in systems and processes that deliver accurate, actionable data on investor sentiment, proxy trends, and governance benchmarks.

It’s time to look beyond business as usual for shareholder engagement as well. This means rethinking how your organization interacts with institutional investors. What new touchpoints can you leverage to fill in communication gaps? How can you proactively share your governance story — especially future-focused strategies and positive milestones — in a way that responds to current trends and sentiment?

Think about harnessing all of the data collected in the steps above, like 

 and proposal outcomes, to shape your narrative. “The 2025 proxy season made clear that activists will not sit on the sidelines waiting for more ideal economic conditions,” Andrew Freedman, Chair of Olshan Frome Wolosky’s Shareholder Activism Practice Group, warned in this year’s review. And here’s what he recommends: “Stay prepared to respond to well-crafted demands and sharp strategies, underscored by an unwavering focus on performance and accountability.”

Keep reading for more on the 2025 proxy season

Dive into our full analysis — AI, ESG, 2025’s wildest campaigns and much more — in the full report: The Proxy Season Review 2025.

Want regular access to original research in the field of GRC? Bookmark our 

 for the latest surveys, podcasts and reports.

Diligent

Blog

FedRAMP 20x: What’s actually changing and why it matters

Why every municipal clerk needs a meeting minutes template

Your Data Matters