<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:media="http://search.yahoo.com/mrss/">
<channel>
  <title>FedRAMP Notices</title>
  <link>https://fedramp.gov/notices</link>
  <description>The latest formal notices from FedRAMP.</description>
  <language>en-us</language>
  <lastBuildDate>Wed, 25 Mar 2026 21:50:00 GMT</lastBuildDate>
  <managingEditor>pete@fedramp.gov (Pete Waterman - FedRAMP Director)</managingEditor>
  <webMaster>pete@fedramp.gov (Pete Waterman - FedRAMP Director)</webMaster>
  <ttl>60</ttl>
  <image>
    <url>https://fedramp.gov/fedramp-logo-inverse.svg</url>
    <title>FedRAMP Notices</title>
    <link>https://fedramp.gov/notices</link>
  </image>
  <atom:link href="https://fedramp.gov/notices/rss" rel="self" type="application/rss+xml" />
  
    <item>
      <title>Initial Outcome from RFC-0024 Rev5 Machine-Readable Packages</title>
      <link>https://fedramp.gov/notices/0009</link>
      <description>RFC-0024 Rev5 Machine-Readable Packages was closed on March 11, 2026. This notice explains the initial outcome from public comment and the next steps for FedRAMP.</description>
      <content:encoded><![CDATA[<p><a href="https://fedramp.gov/rfcs/0024">RFC-0024 FedRAMP Rev5 Machine-Readable Packages</a> was closed on March 11, 2026. This notice explains the initial outcome from public comment and identifies next steps for FedRAMP related to this proposal. The official outcome from this RFC will be included in the FedRAMP Consolidated Rules for 2026 (CR26) that will be published by the end of June 2026; those rules will be valid until December 31, 2028.</p>
<p>We are especially grateful for the considerable thoughtful public comment on this RFC and will work hard to chart a course that aligns the expectations of the government with those that provide commercial services for its use.</p>
<h2>Overview</h2>
<p>FedRAMP 20x was designed to open the federal market to thousands of new cloud services that invest in automation capabilities to demonstrate continuously validated security metrics. FedRAMP has nearly completed the first two pilot phases for FedRAMP 20x and is nearing release of formal FedRAMP 20x requirements and wide-scale adoption of this new certification type. Every single FedRAMP 20x certification package will include machine-readable authorization data across the entire scope of the authorization package, from initial security materials to ongoing authorization reports including data on significant changes and vulnerabilities. FedRAMP anticipates an explosion in adoption of automation capabilities government-wide as agencies suddenly have access to the exact automation data they have requested for many years.</p>
<p>Cloud service providers with traditional FedRAMP Rev5 certifications will face considerable competition from those with FedRAMP 20x certifications. The difference in initial and ongoing authorization experience for agencies will be stark and difficult to overcome if FedRAMP Rev5 requirements remain focused around manual documentation. FedRAMP cannot simply abandon the 500+ cloud services that have invested in FedRAMP Rev5 certifications by allowing them to stagnate while new services with FedRAMP 20x certifications provide superior continuous assurance and higher quality integrations.</p>
<p>FedRAMP acknowledges that a significant majority of public comments on RFC-0024 expressed deep concerns about the complexity of adopting a modern approach to managing legacy security materials after years of investment in a manual process. FedRAMP must chart a course that ensures adequate information is available to agencies even as the expectations of agencies grow and change, but commenters have nearly universally requested additional time to prepare for adopting a modern approach. Therefore, FedRAMP will update both the expected requirements and timelines to enable gradual adoption over a much longer period of time while still ensuring that all Rev5 providers have modernized their approach within two years.</p>
<p>In the Consolidated Rules for 2026, FedRAMP will outline explicit requirements for machine-readable packages for Rev5, generally aligned with those proposed in RFC-0024. This will include providing detailed instructions of exactly what should be in machine-readable formats and options for the general structure of those formats, along with integration into FedRAMP compatible trust centers to ensure agencies can eventually consume this information via API. This data and these mechanisms will be provided by industry in alignment with FedRAMP’s mandate to set policies that enable industry innovation to provide the solutions.</p>
<p>Members of the community may discuss this initial outcome and ask clarifying questions as needed in the <a href="https://github.com/FedRAMP/community/discussions/137">General discussion / Q&#x26;A on Rev improvements and changes in 2026</a> thread in the FedRAMP Community and attend <a href="https://fedramp.gov/events">FedRAMP Rev5 Community Updates</a> for live Q&#x26;A.</p>
<h2><strong>Initial Outcome</strong></h2>
<blockquote>
<p><strong><em>Detailed information, requirements, and timelines for all items below will be provided in the Consolidated Rules for 2026.</em></strong></p>
</blockquote>
<p>All of the proposed requirements in RFC-0024 will be modified in the Consolidated Rules for 2026, though many will carry forward in the same spirit.</p>
<p>Broadly, the following changes will be made, based on public comment, to the rules and approach initially proposed in RFC-0024:</p>
<ol>
<li>
<p><strong>Comprehensive machine-readable authorization data will only be required for FedRAMP Rev5 Class D (High) certifications.</strong></p>
<p>a. Rev5 Class D (High) certified providers will be required to create and maintain per-service authorization materials as proposed.</p>
<p>b. Rev5 Class D (High) certified providers will be required to integrate significant changes into their authorization materials twice per year (once during annual assessment, once halfway between annual assessments) instead of within 30 days of a significant change.</p>
<p>c. This will cover all authorization materials for both initial and ongoing authorization.</p>
</li>
<li>
<p><strong>Some machine-readable authorization data will be required for FedRAMP Rev5 Class A (Pilot), Class B (Low), and Class C (Moderate) certifications; the bulk of authorization data will be required in a semi-structured text format similar to the current approach.</strong></p>
<p>a. DOCX and XLSX will be retired as an acceptable format in favor of simple text-based equivalents.</p>
<p>b. This will cover all authorization materials for both initial and ongoing authorization. Detailed information, requirements, and timelines will be provided in the Consolidated Rules for 2026.</p>
</li>
<li>
<p><strong>The following Rev5 Balance Improvement Releases will be folded into the default FedRAMP Rev5 certification requirements (replacing existing requirements as appropriate), including the requirement to produce related materials in a machine-readable format:</strong></p>
<p>a. Minimum Assessment Scope replaces the traditional authorization boundary approach and eliminates the need for excessively complex authorization boundary diagrams</p>
<p>b. Significant Change Notifications replaces the traditional significant change request process</p>
<p>c. Collaborative Continuous Monitoring replaces part of the traditional monthly continuous monitoring approach</p>
<p>d. Vulnerability Detection and Response replaces the traditional vulnerability scanning and POA&#x26;M approach</p>
<p>e. Authorization Data Sharing replaces the traditional Secure Repository approach for centralizing authorization materials</p>
<p>f. Each of the above Balance Improvement Releases will have minor adjustments made as they are finalized for the Consolidated Rules for 2026.</p>
</li>
<li>
<p><strong>FedRAMP will not require diagrams or illustrations after the transition to the Minimum Assessment Scope.</strong></p>
<p>a. There is no expectation in the Minimum Assessment Scope of a traditional Authorization Boundary Diagram that contains every single service and flow in a single diagram. Instead, providers have flexibility to present the structure of their information resources across multiple levels of abstraction and grouping in a way that factors for continuous change within the environment and makes the most sense for their particular service.</p>
</li>
<li>
<p><strong>FedRAMP Rev5 Class C (Moderate) and Class D (High) certifications will strongly encourage the use of machine-generated deterministic telemetry in their authorization data where feasible, with a focus on the Minimum Assessment Scope, Significant Change Notifications, and Vulnerability Detection and Response processes.</strong></p>
<p>a. Providers will be encouraged to go beyond traditional Rev5 processes and “minimum control requirements” to find ways to demonstrate their security commitments instead of simply writing narrative text about them. This process will include flexibility for providers based on their own unique environment and the best customer experience.</p>
</li>
<li>
<p><strong>All providers will still be required to ensure basic human-readable materials are available as requested by all necessary parties, and will be required to generate these materials from the relevant machine-readable materials during production.</strong></p>
<p>a. FedRAMP will encourage flexibility in human-readable materials to ensure cloud service providers are considering the best customer experience for conveying data about their unique environment. As long as the underlying machine-readable information is consistent, providers will not be penalized for providing an optimal customer experience in their human-readable materials.</p>
<p>b. This will cover all authorization materials for both initial and ongoing authorization.</p>
</li>
</ol>
<h2><strong>Partnering with Industry</strong></h2>
<p>FedRAMP will not produce, manage, or operate services or software to help cloud service providers produce machine-readable materials. Government programs are not adept at providing this type of service in general due to restrictions and regulations, and attempting to do so would ensure a poor experience for cloud service providers and agencies. Furthermore, building and maintaining such services would require an increase in budget of 3-5x or more for FedRAMP and take several years, neither of which is an option.</p>
<p>Innovative solutions for maintaining and producing security materials must be provided by industry; this is the only way to ensure a wide-ranging set of options and alternatives that can compete to provide better capabilities and improve the customer experience for all stakeholders. To enable and encourage innovative solutions from industry, FedRAMP will establish informal partnerships with non-profit organizations that seek to support open source or other public domain capabilities for enabling the adoption of automation-related capabilities.</p>
<p>The <a href="https://oscalfoundation.org/">OSCAL Foundation</a> is one such established industry partner that provides capabilities, education, and a community to help cloud service providers modernize their approach to managing security materials, including free general membership. Other organizations that are interested in establishing informal partnerships with FedRAMP should reach out to <a href="mailto:pete@fedramp.gov">pete@fedramp.gov</a> to discuss opportunities.</p>
<p>At a minimum, FedRAMP will expect informal partner organizations to produce, maintain, and share templates and other materials that align with FedRAMP requirements and to help providers with transitioning from legacy manual materials. FedRAMP will establish the general requirements and ensure the templates and other materials are adequate for use, but FedRAMP will not dictate the underlying structure or approach. Approved organizations, templates, and other materials will be hosted by the organization and linked to in FedRAMP’s official documentation.</p>
<h2><strong>Initial Expected Timelines</strong></h2>
<p>The dates and milestones below may change in the final release of the Consolidated Rules for 2026; however, none of the dates below will move forward in time.</p>
<h3><strong>Dates and Milestones for FedRAMP Certified Services</strong></h3>
<p>The following timelines are expected to be published as part of the FedRAMP Consolidated Rules for 2026 related to this notice; these timelines will apply to <strong>cloud services that have an active FedRAMP Certification</strong> on the date of each milestone:</p>
<table>
<thead>
<tr><th>Anticipated Deadline</th><th>Milestone</th></tr>
</thead>
<tbody>
<tr><td>2027-01-01</td><td>Mandatory adoption of the <strong>Significant Change Notifications</strong> process for all Rev5 cloud services.</td></tr>
<tr><td>2027-01-01</td><td>Mandatory adoption of the <strong>Minimum Assessment Scope</strong> before or during the next annual assessment for a cloud service.</td></tr>
<tr><td>2027-04-02</td><td>Mandatory adoption of the <strong>Collaborative Continuous Monitoring</strong> process for all Rev5 cloud services.</td></tr>
<tr><td>2027-06-01</td><td>Mandatory adoption of the <strong>Vulnerability Detection and Response</strong> process for all Rev5 cloud services.</td></tr>
<tr><td>2027-08-01</td><td>Mandatory adoption of the <strong>Authorization Data Sharing</strong> process for all Rev5 cloud services. The <a href="http://Connect.gov">Connect.gov</a> portal will be retired.</td></tr>
<tr><td>2027-11-01</td><td>Rev5 Class A (Pilot), Class B (Low), and Class C (Moderate) certified cloud services must provide semi-structured text based authorization data before or during their next annual assessment.</td></tr>
<tr><td>2027-11-01</td><td>Rev5 Class D (High) certified cloud services must provide comprehensive machine-readable authorization data before or during their next annual assessment.</td></tr>
</tbody>
</table>
<p>Progressive corrective action for failure to meet the requirements in these milestones will be applied quarterly.</p>
<h3><strong>Dates and Milestones for New FedRAMP Certifications</strong></h3>
<p>The following timelines are expected to be published as part of the FedRAMP Consolidated Rules for 2026 related to this notice; these timelines will apply to <strong>new submissions for FedRAMP Certification</strong> after the date of each milestone:</p>
<table>
<thead>
<tr><th>Anticipated Deadline</th><th>Milestone</th></tr>
</thead>
<tbody>
<tr><td>2027-01-01</td><td>Rev5 Class A (Pilot), Class B (Low), and Class C (Moderate) submissions for FedRAMP Certification must provide semi-structured text based authorization data and adopt the following Rev5 Balance Improvement Releases:
<ul>
<li>Minimum Assessment Scope</li>
<li>Significant Change Notifications</li>
<li>Collaborative Continuous Monitoring</li>
<li>Vulnerability Detection and Response</li>
<li>Authorization Data Sharing</li>
</ul>
<p>(this will apply to changes in the security categorization of a service)</p>
<p>A grace period will be applied to any cloud service that was In Process with an Agency prior to 2026-10-01.</p></td></tr>
<tr><td>2027-05-01</td><td>Rev5 Class D (High) submissions for FedRAMP Certification must provide comprehensive machine-readable authorization data and adopt the following Rev5 Balance Improvement Releases:
<ul>
<li>Minimum Assessment Scope</li>
<li>Significant Change Notifications</li>
<li>Collaborative Continuous Monitoring</li>
<li>Vulnerability Detection and Response</li>
<li>Authorization Data Sharing</li>
</ul>
<p>(this will apply to changes in the security categorization of a service)</p>
<p>A grace period will be applied to any cloud service that was In Process with an Agency prior to 2026-10-01.</p></td></tr>
</tbody>
</table>
]]></content:encoded>
      <pubDate>Wed, 25 Mar 2026 21:50:00 GMT</pubDate>
      <guid>https://fedramp.gov/notices/0009</guid>
      <media:content url="https://fedramp.gov/notices/thumbnail/0009.jpg" medium="image" type="image/jpeg" />
      <media:thumbnail url="https://fedramp.gov/notices/thumbnail/0009.jpg" />
    </item>
    <item>
      <title>Initial Outcome from RFC-0023 Rev5 Program Certifications</title>
      <link>https://fedramp.gov/notices/0008</link>
      <description>RFC-0023 Rev5 Program Certifications was closed on February 26, 2026. This notice explains the initial outcome from public comment and the next steps for FedRAMP.</description>
      <content:encoded><![CDATA[<p><a href="https://www.fedramp.gov/rfcs/0023/">RFC-0023 Rev5 Program Certifications</a> proposed a short-term option to help cloud service providers that had already heavily invested in the FedRAMP Rev5 agency authorization path but either lost their agency sponsor or have struggled to obtain an agency sponsor during the last year due to unexpected government-wide staffing and budget changes.</p>
<p>A full traditional Rev5 security assessment review is expensive and time consuming for the government and requires careful balancing and planning for an agency. FedRAMP relies on the distribution of assessment review across the government to scale the program because it has never been funded or staffed to tackle assessment review on behalf of the entire government. This situation has not changed, and FedRAMP has no intention of removing sponsorship or taking on the full traditional Rev5 assessment review for everyone; FedRAMP is simply not capable of doing so without multiple years of increased targeted appropriations and planning.</p>
<p>To address this problem in the long term, FedRAMP has been building a new approach that reduces the initial review burden so that it can directly handle the initial assessment review on behalf of all agencies for a base level of demand, then scale with resources and personnel as additional funding is unlocked as a result of its success. This approach is well-known as <a href="https://www.fedramp.gov/20x">FedRAMP 20x</a> and FedRAMP has been applying lessons learned in the 20x approach to Rev5 via mostly optional Balance Improvement Releases.</p>
<p>Rev5 Program Certification, with initial assessment review <em>and</em> ongoing certification via continuous monitoring being performed directly by FedRAMP, can only be available to a limited number of cloud service providers that adopt the Balance Improvement Releases necessary to lower the burden for FedRAMP. Any cloud service provider that is unable to adopt these requirements will need to pursue the agency sponsor path to locate a government agency that has the funding and resources to perform the more burdensome traditional review and continuous monitoring.</p>
<h2><strong>A Quick Recap</strong></h2>
<p>Many of the details in this Initial Outcome will be confusing for stakeholders who have not kept up with recent RFCs and their initial outcomes posted by FedRAMP over the past few months. The information below is a quick recap of relevant information, though stakeholders are strongly encouraged to read the full set of RFCs and their outcomes for context.</p>
<ol>
<li>
<p><strong>FedRAMP Consolidated Rules for 2026 will be published by the end of June 2026.</strong> These will integrate many changes, apply to all cloud service providers by December 31, 2026, and will be valid until December 31, 2028.</p>
</li>
<li>
<p><strong>FedRAMP Certification will be the new label for a FedRAMP authorization.</strong> This is to avoid the frequent confusion between a FedRAMP authorization (done by FedRAMP) and an authorization to operate (done by agencies).</p>
</li>
<li>
<p><strong>FedRAMP will transition labels for requirements and baselines from impact levels to Certification Classes.</strong> Class A Certifications will be time-limited for initial testing and piloting while Class B, C, and D Certifications will initially map to historical FR Low/Li-SaaS, FR Moderate, and FR High requirements.</p>
</li>
<li>
<p><strong>FedRAMP Certifications of various types and classes will be available via the current Agency Authorization or new Program Certification paths.</strong> The Agency Authorization path is the traditional “agency sponsor” path for initial review that allows an agency to invest the resources up front by sponsoring a FedRAMP Certification for a cloud service it wants to use. The Program Certification path allows FedRAMP to review the product initially and does not require an agency sponsor, but has considerable restrictions on availability.</p>
</li>
</ol>
<p>All types of FedRAMP Certifications as well as all current and historical FedRAMP authorizations regardless of name or title <strong>are not government-wide authorizations to operate</strong> that allow any agency to use the product without meeting statutory and policy requirements for an authorization to operate. Many public commenters continue to misunderstand this fundamental fact of the law: an agency will <strong><em>always</em></strong> be required to perform a review of the security materials in a FedRAMP package to determine the risk of using it and current policy requires them to follow the NIST Risk Management Framework to implement an authorization to operate.</p>
<p>FedRAMP’s goal is to make this process dead simple for agencies so that they can make such determinations and perform an ATO within days or weeks.</p>
<h2><strong>Initial Outcome for FedRAMP Ready</strong></h2>
<p>The full details for implementing next steps for FedRAMP Ready will be published in the Consolidated Rules for 2026; however, FedRAMP will immediately begin publicizing the pending retirement of FedRAMP Ready as planned.</p>
<p>The high level initial outcomes from RFC-0023 for FedRAMP Ready are:</p>
<ol>
<li>
<p><strong>FedRAMP will retire FedRAMP Ready on July 28, 2026 as proposed in RFC-0023.</strong> No FedRAMP Ready submissions will be accepted after this date.</p>
<p>a. Rev5 Class A Certifications will be available at this time and these requirements will not vary considerably from those for FedRAMP Ready so that cloud services working towards FedRAMP Ready can shift easily into the new profile.</p>
</li>
<li>
<p>Instead of simply retiring FedRAMP Ready as proposed in RFC-0023, FedRAMP will provide an alternative path for cloud service providers to convert their FedRAMP Ready or FedRAMP Ready assessment into a Class A FedRAMP Certification.</p>
<p>b. Cloud services that do not wish to or do not meet the requirements for conversion will be renamed “Legacy FedRAMP Ready” and otherwise retired as proposed in RFC-0023.</p>
</li>
</ol>
<h2><strong>Initial Outcome for Implementing Program Certification</strong></h2>
<p>FedRAMP will establish a tightly scoped Rev5 Program Certification with strict application criteria and limited commitments; the full criteria, requirements, and expectations will be published as part of the FedRAMP Consolidated Rules for 2026 by the end of June 2026.</p>
<p>This Rev5 Program Certification option will be deployed in stages, as follows:</p>
<ol>
<li>
<p><strong>Stage 1:</strong> Rev5 Class A Certifications will be available to cloud services that are FedRAMP Ready. Rev5 Class A Certifications will replace FedRAMP Ready. Providers will need to meet a few requirements to convert from FedRAMP Ready but it will be light touch initially.</p>
</li>
<li>
<p><strong>Stage 2:</strong> Rev5 Class B and Class C Certifications will be available through Program Certification to cloud services that are willing to adopt the required Balance Improvement Releases <strong>and met at least one of the following criteria between 1/1/2025 and 3/1/2026</strong>:</p>
<p>a. FedRAMP Ready on the FR Marketplace</p>
<p>b. In Process on the FR Marketplace</p>
<p>c. Completed a FedRAMP Ready assessment with a Readiness Assessment Report (RAR)</p>
<p>d. Completed a full FedRAMP assessment with a Security Assessment Plan and Security Assessment Report (SAP/SAR)</p>
</li>
</ol>
<p>Additional instructions and requirements will align with those proposed in RFC-0023 and will be shared publicly prior to opening the pipeline for Program Certifications. This opportunity for qualifying cloud services will be available until Rev5 is retired.</p>
<blockquote>
<p><em>Please do not reach out to FedRAMP about additional information or next steps until the formal criteria, path, and requirements are published! All relevant details will be shared with the public at the same time to ensure fairness.</em></p>
</blockquote>
<p>During Stage 1 and 2, FedRAMP will evaluate the impact to the program and establish requirements and timelines for additional stages based on real-world metrics.</p>
<p>In Stage 3, tentatively, FedRAMP hopes to open Rev5 Class A Certifications to any cloud service provider using an external security framework that is 80%+ compatible with FedRAMP Rev5 requirements, and then to open Rev5 Class B and C Certifications to specific types of GRC automation tools and services with proven agency demand.</p>
<h2><strong>Additional Initial Outcome Specifics</strong></h2>
<p>Additional specific outcomes from RFC-0023 that will be implemented in the Consolidated Rules for 2026 follow:</p>
<ol>
<li>
<p>FedRAMP will <strong>not</strong> implement the proposed “trusted assessor” definition or related requirements proposed in RFC-0023.</p>
<p>a. Thanks to astute public comment, FedRAMP is particularly concerned that this requirement might lead to cloud service providers establishing a contract with a “trusted assessor” that loses that status prior to completing the assessment, creating an issue that is beyond the control of the cloud service provider while unfairly punishing them.</p>
<p>b. <strong>LPC-GEN-ATA Assessment By Trusted Assessor</strong> will <strong>not</strong> be implemented.</p>
</li>
<li>
<p><strong>LPC-GEN-MBA Mandatory Balance Improvement Release Adoption</strong> will <strong>not</strong> be implemented.</p>
</li>
<li>
<p><strong>LPC-GEN-LMR Legacy Machine-Readable Package Requirements</strong> will <strong>not</strong> be implemented specifically for Rev5 Program Certifications.</p>
</li>
<li>
<p><strong>LPC-GEN-LVL Level Limited</strong> will be updated to Class Limited and clarify that FedRAMP will only provide sponsorless Class A, B, or C FedRAMP Certifications. Class D FedRAMP Certifications will continue to require an agency sponsor.</p>
<p>a. Cloud service providers that are unable to secure an agency sponsor for a Class D FedRAMP Certification are welcome to apply for a Class C FedRAMP Certification from FedRAMP directly and make any additional control implementations available in an addendum to their authorization package for agencies to encourage adoption in agency information systems with a High security objective.</p>
</li>
<li>
<p><strong>LPC-TIM-EOL End of Life for Legacy Program Certification</strong> will be updated to align the end of life for legacy program certification with the end of life for new Rev5 authorizations overall (<a href="https://www.fedramp.gov/20x/#phased-delivery-of-fedramp-20x">this is currently planned to be in 20x Phase 5, FY27 Q3 to FY Q4</a>).</p>
<p>a. This change will ensure a sponsorless option is available during the entire remaining lifecycle of the FedRAMP Rev5 Certification path.</p>
</li>
<li>
<p><strong>LPC-FRX-GRC Prioritization of Some GRC Tools</strong> will be reworked along with an entirely different pipeline process; in general, GRC tools that can be used by agencies to ingest machine-readable authorization data from other cloud services will continue to be prioritized.</p>
</li>
<li>
<p><strong>LPC-GEN-IBR Implement Balance Releases</strong> will be implemented without any significant change in response to public comment.</p>
<p>a. Program Certification for Rev5 is available only <em>because of</em> the Balance Improvement Release process. If a cloud service provider is unable to implement the requirements in these Balance Improvement Releases then FedRAMP would not be able to provide sufficient resources to maintain their Program Certification.</p>
<p>b. Cloud service providers that are not able to implement Balance Improvement Releases can still obtain a FedRAMP Certification through a sponsoring agency.</p>
</li>
<li>
<p><strong>LPC-GEN-IRI Included Required Information</strong> will be implemented without any significant change in response to public comment beyond striking the loss of “trusted assessor” status, as that no longer applies.</p>
</li>
<li>
<p>All of the final rules will be updated to match the most recent naming conventions in FedRAMP Machine Readable Documentation, so many of the names will change.</p>
</li>
</ol>
]]></content:encoded>
      <pubDate>Fri, 06 Mar 2026 18:40:00 GMT</pubDate>
      <guid>https://fedramp.gov/notices/0008</guid>
      <media:content url="https://fedramp.gov/notices/thumbnail/0008.jpg" medium="image" type="image/jpeg" />
      <media:thumbnail url="https://fedramp.gov/notices/thumbnail/0008.jpg" />
    </item>
    <item>
      <title>Initial Outcome from RFC-0022 Leveraging External Frameworks</title>
      <link>https://fedramp.gov/notices/0007</link>
      <description>RFC-0022 Leveraging External Frameworks was closed on February 26, 2026. This notice explains the initial outcome from public comment and the next steps for FedRAMP.</description>
      <content:encoded><![CDATA[<p>FedRAMP will publish the FedRAMP Consolidated Rules for 2026 (CR26) by the end of June, 2026; these rules will be valid until December 31, 2028.</p>
<p>These Consolidated Rules will formalize the initial requirements for Class A FedRAMP Certification based on the proposed requirements from RFC-0022 and the initial outcome from public comment shared below. This initial outcome, as written, may only make sense if you have reviewed the original RFC, other concurrent RFCs, and the initial outcome notices from the other concurrent RFCs; if you have not done so you may wish to wait for the FedRAMP Consolidated Rules for 2026 where all of this will be published together in context.</p>
<h2>Explanation of Outcome</h2>
<p>As explained in RFC-0022, Class A FedRAMP Certifications will exist to meet the specific mandate from M-24-15 to establish a path for leveraging external security frameworks and provide procedures for pilot uses of temporary FedRAMP Certifications. This path addresses gaps in the FedRAMP process that have caused agencies to perform their own pilot authorizations without following the FedRAMP process and promoting government-wide reuse. Agencies should not be required to invest considerable resources up front for sponsoring a cloud service prior to use, and cloud services should not need to invest significant resources in federal-specific processes to be used by agencies.</p>
<p>These updates after public comment clarify the intent of this process, maintain compliance with the underlying mandate from M-24-15, and explain how this path will integrate into other changes as part of the FedRAMP Consolidated Rules for 2026.</p>
<p>Class A FedRAMP Certifications will only be available through Program Certification (directly by the FedRAMP PMO without an agency sponsor) and will be available for both Rev5 and 20x <strong>with different requirements</strong>. The expected requirements for Rev5 Class A FedRAMP Certifications will be described in the initial outcome from RFC-0023.</p>
<p>In response to public comment, cloud service providers who receive a Class A FedRAMP Certification will be given 2 years (instead of 1 year) to obtain a Class B, C, or D FedRAMP Certification and will have some flexibility around that deadline based on scheduling with an independent assessor. This change will apply to all cloud services in the Preparation phase.</p>
<p>This initial outcome also explains that external frameworks will be adopted incrementally over time, depending on demand, throughput, and relevance. The most frequently leveraged external framework by agencies today for pilot authorizations is SOC 2 Type II and that is where FedRAMP will start for 20x Class A FedRAMP Certifications. FedRAMP is aware of the limitations of this external security framework and will establish some initial guardrails, but Class A FedRAMP Certifications are intended to be transitory and replaced by a Class B, C, or D FedRAMP Certification that will require addressing all relevant FedRAMP rules. FedRAMP is not providing a bridge from external frameworks to other classes of FedRAMP Certification. No reciprocity is intended or will be granted in this process. Any provider seeking long term or non-pilot use by an agency will need to pursue a different class of FedRAMP Certification.</p>
<p>Otherwise, most of the updates outlined in the initial outcome are minor changes and clarifications based on public comment.</p>
<h2>Initial Outcome Details</h2>
<p>The following changes from the rules proposed in RFC-0022 are planned in the FedRAMP Consolidated Rules for 2026 based on public comment:</p>
<ol>
<li>
<p>Class A FedRAMP Certifications will be the label for cloud services in the Preparation phase that have met initial requirements for negligible or low risk pilot use by agencies.</p>
<p>a. This will replace the “FedRAMP Validated Level 1” label initially proposed.</p>
<p>b. Cloud service providers MUST meet the requirements to be listed on the FedRAMP Marketplace in the Preparation phase to apply for a Class A FedRAMP Certification, including being a cloud service within the scope of FedRAMP (intended for direct or indirect use by multiple federal agencies).</p>
</li>
<li>
<p>FedRAMP will provide the materials and process necessary for cloud service providers to request Class A FedRAMP Certifications prior to opening a pipeline.</p>
</li>
<li>
<p>FedRAMP will provide the materials and process necessary for agency adoption of Class A FedRAMP Certifications prior to opening a pipeline.</p>
</li>
<li>
<p><strong>MKT-LEF-MAP Mapping to Key Security Indicators:</strong> The primary path for Class A FedRAMP Certifications maintained by FedRAMP will be designed for FedRAMP 20x and reflect the requirements proposed in RFC-0022.</p>
<p>a. This Certification Class is designed for industry companies that have not invested in the Rev5 path, using initial assessment of security posture via Key Security Indicators and other 20x requirements.</p>
<p>b. Paths for Rev5 FedRAMP Certification are already available for providers who have invested in the Rev5 path, and an alternative path for Rev5 Class A FedRAMP Certifications will be established based on the outcome from RFC-0023 Rev5 Program Certification.</p>
</li>
<li>
<p><strong>MKT-LEF-ASF Approved Security Frameworks:</strong> The list of initial approved security frameworks will be limited initially with specific instructions to ensure gradual and responsible implementation; implementation for specific frameworks will be staggered over time based on the level of effort and the depth of the review pipeline.</p>
<p>a. SOC 2 Type II, as the most widely used external security framework with the least applicability to the Rev5 process, will be leveraged as the initial test case for Class A FedRAMP Certifications of this type. FedRAMP is aware of concerns about the quality and reliability of SOC 2 Type II audits and current trends with these audits as stated in public comment; however, the purpose of this path is to incentivize the investment in a different FedRAMP Certification that requires stricter implementation and assessment before any agency would use the service beyond a negligible or low risk pilot.</p>
</li>
<li>
<p><strong>MKT-LEF-DFV Deadline for FedRAMP Validation</strong> will be removed, and separate instructions will be provided to agencies to encourage them to establish conditional agreements during any Authorization to Operate for a pilot or test that the cloud service will invest in a different class of FedRAMP Certification appropriate to the agency use case if the agency wishes to continue use past the pilot.</p>
</li>
<li>
<p><strong>MKT-PRE-DLA Deadline for Authorization</strong>, initially proposed in RFC-0021, will be updated to require a cloud service offering to demonstrate that it has scheduled an Independent Verification &#x26; Validation (20x) or Independent Assessment (Rev5) for a Class B, C, or D Certification within <strong>2 years</strong> of initial listing in the Preparation phase.</p>
<p>a. This updated requirement will apply to Class A FedRAMP Certified offerings as they will remain in the Preparation phase.</p>
<p>b. This eases the pressure on cloud services that initiate a Preparation phase listing while providing flexibility in the event they are ready for an assessment but are unable to schedule such before the deadline.</p>
<p>c. This update was not included in <a href="https://www.fedramp.gov/notices/0005/">NTC-0005 Initial Outcome from RFC-0021</a> because it is a result of public comment in this RFC.</p>
</li>
<li>
<p><strong>MKT-LEF-NLR Negligible or Low Risk Use Cases</strong> will be removed and <strong>MKT-LEF-LIO Low Impact Only</strong> will be updated to clarify that agencies SHOULD deploy compensating controls if a Class A FedRAMP Certification is used for an agency ATO with higher security objectives or for non-pilot use cases.</p>
</li>
<li>
<p><strong>MKT-LEF-ROQ Require Ongoing FedRAMP Qualification</strong> will be removed and this general principle will be addressed separately in agency guidance (agencies are required by M-24-15 to obtain and maintain FedRAMP Certifications for services they use, so FedRAMP does not need to emphasize this for Class A FedRAMP Certifications).</p>
</li>
<li>
<p>The proposed updates to the Minimum Assessment Scope are no longer necessary after updates to the Minimum Assessment Scope in v0.9.0; <a href="https://www.fedramp.gov/docs/20x/minimum-assessment-scope/#information-flows-and-security-objectives">MAS-CSO-TPR</a> requires addressing the potential impact to federal customer data from third-party information resources regardless of the FedRAMP Certification status of those resources.</p>
</li>
<li>
<p>All of the final rules will be updated to match the most recent naming conventions in FedRAMP Machine Readable Documentation, so many of the names will change.</p>
</li>
</ol>
]]></content:encoded>
      <pubDate>Tue, 03 Mar 2026 22:05:00 GMT</pubDate>
      <guid>https://fedramp.gov/notices/0007</guid>
      <media:content url="https://fedramp.gov/notices/thumbnail/0007.jpg" medium="image" type="image/jpeg" />
      <media:thumbnail url="https://fedramp.gov/notices/thumbnail/0007.jpg" />
    </item>
    <item>
      <title>Emergency Directive 26-03 Mitigate Vulnerabilities in Cisco-SD WAN Systems</title>
      <link>https://fedramp.gov/notices/0006</link>
      <description>This is a real emergency and action is required in response to CISA Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco-SD WAN Systems. This is NOT a test.</description>
      <content:encoded><![CDATA[<p>The following email is being sent by FedRAMP to all cloud service providers in the FedRAMP Marketplace on the evening of February 25, 2026.</p>
<h2><strong>Subject Line:</strong> Emergency: FedRAMP Response to CISA ED 26-03</h2>
<p>This is a real emergency and <strong>action is required</strong> in response to <a href="https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems">CISA Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco-SD WAN Systems</a>. This is NOT a test.</p>
<p>FedRAMP has been tasked with ensuring all federal agencies have the information they need from cloud services to respond to this Emergency Directive. This will avoid massive duplicative work for agencies and all cloud services.</p>
<p>Providers MUST complete all required actions and report status to FedRAMP (Step 7) by <strong>5:00 PM ET February 27, 2026</strong> regardless of impact level (this timeline has been set by CISA, not FedRAMP).</p>
<p><strong>PLEASE URGENTLY TAKE THE FOLLOWING REQUIRED ACTIONS IN ORDER!</strong></p>
<ol>
<li>
<p>Providers MUST review <a href="https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems">Emergency Directive 26-03</a> to understand affected systems.</p>
</li>
<li>
<p>Providers MUST identify all in-scope affected systems (Cisco SD-WAN) within the FedRAMP-authorized boundary for their cloud service offering(s).</p>
<p><em>If no in-scope systems are identified, <strong>skip to step 7.</strong></em></p>
</li>
<li>
<p>Providers SHOULD collect logs from affected systems as outlined in the <strong>Collect</strong> section of the <a href="https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems">Emergency Directive</a> to assist with hunt activities.</p>
</li>
<li>
<p>Providers MUST apply <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v">Cisco-provided updates</a> to all of the CVEs identified in the Emergency Directive by <strong>5:00 PM ET February 27, 2026</strong>.</p>
</li>
<li>
<p>Providers SHOULD perform hunt and hardening activities as recommended by <a href="https://www.cisa.gov/news-events/directives/supplemental-direction-ed-26-03-hunt-and-hardening-guidance-cisco-sd-wan-systems">Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems</a>.</p>
</li>
<li>
<p>Providers MUST upload supplemental information to the Incident Response folder in the FedRAMP repository and notify all agency customer Authorizing Official (or ISSO) POCs with notification of the completed action(s).</p>
<ul>
<li>
<p><strong>File Format</strong></p>
<p>Files should be compatible with modern spreadsheet applications. Acceptable file formats are Comma Separated Values (csv) or Microsoft Excel (xlsx).</p>
</li>
<li>
<p><strong>Filename</strong></p>
<p>ED-26-03-Response-[FRID]</p>
<p>Note: Please replace the [FRID] placeholder with your corresponding information.</p>
</li>
<li>
<p><strong>Recommended content</strong></p>
<ul>
<li>List of the type(s) of affected systems.</li>
<li>Summary of actions taken and results, including the collection of artifacts, patching, and hunting actions.</li>
<li>Additional information you wish to provide to customers.</li>
</ul>
</li>
</ul>
</li>
<li>
<p>Complete FedRAMP’s Emergency Directive 26-03 Response Form by <strong>5:00 PM ET February 27, 2026</strong> (the URL for this form was emailed to cloud service providers directly).</p>
</li>
</ol>
<p><strong>Corrective Action</strong></p>
<p>Corrective actions based on the Security Inbox process DO NOT apply to this notification due to previously announced testing timelines.</p>
<p>Corrective actions MAY apply based on Incident Response or Continuous Monitoring deficiencies relating to this Emergency Directive Response.</p>
<p><strong>Additional Background</strong></p>
<p>If any indication of compromise or anomalous behavior is found or there is any suspected impact to federal systems, please make sure to follow the <a href="https://www.fedramp.gov/docs/rev5/playbook/csp/continuous-monitoring/incident-communication/">FedRAMP Incident Communication Procedures</a>, which includes reporting to CISA US-CERT and agency customers.</p>
<p>If you have any questions, please reach out to <a href="mailto:info@fedramp.gov">info@fedramp.gov</a> and <a href="mailto:CyberDirectives@cisa.dhs.gov">CyberDirectives@cisa.dhs.gov</a>.</p>
]]></content:encoded>
      <pubDate>Wed, 25 Feb 2026 22:55:00 GMT</pubDate>
      <guid>https://fedramp.gov/notices/0006</guid>
      <media:content url="https://fedramp.gov/notices/thumbnail/0006.jpg" medium="image" type="image/jpeg" />
      <media:thumbnail url="https://fedramp.gov/notices/thumbnail/0006.jpg" />
    </item>
    <item>
      <title>Initial Outcome from RFC-0021 Expanding the FedRAMP Marketplace</title>
      <link>https://fedramp.gov/notices/0005</link>
      <description>RFC-0021 Expanding the FedRAMP Marketplace was closed on February 19, 2026. This notice explains the initial outcome from public comment and the next steps for FedRAMP.</description>
      <content:encoded><![CDATA[<p><a href="https://www.fedramp.gov/rfcs/0020/">RFC-0021 Expanding the FedRAMP Marketplace</a> was closed on February 19, 2026. This notice explains the initial outcome from public comment and the next steps for FedRAMP. FedRAMP will publish the FedRAMP Consolidated Rules for 2026 (CR26) by the end of June, 2026; these rules will be valid until December 31, 2028.</p>
<h2><strong>Initial Outcome</strong></h2>
<p>The following changes from the rules proposed in RFC-0021 are planned in the FedRAMP Consolidated Rules for 2026 based on public comment:</p>
<ol>
<li>
<p>FedRAMP <strong>will not</strong> request, store, or publish pricing information for cloud services, independent assessors, or advisory services on the FedRAMP Marketplace.</p>
<p>a. <strong>MKT-GEN-SPI Service Pricing Information</strong> will be struck.</p>
<p>b. <strong>MKT-ADV-WEB Website Requirements</strong> and <strong>MKT-RIA-WEB Website Requirements</strong> will be modified appropriately.</p>
<p>c. Agencies and other FedRAMP stakeholders have regularly requested that FedRAMP provide this information in a centralized place; however, public comment has made it clear that many stakeholders do not want to participate. This gives FedRAMP a clear public explanation for why this information will not be available in the FedRAMP Marketplace.</p>
</li>
<li>
<p><strong>MKT-ADV-ATT Attestation Requirements</strong> will be rewritten as an optional rule; FedRAMP <strong>will not</strong> require advisory services to maintain positive attestations from cloud service providers to be listed on the FedRAMP Marketplace.</p>
</li>
<li>
<p><strong>MKT-RIA-ATT Attestation Requirements</strong> will be modified to require an independent assessor to complete at least 2 assessments (initial or annual) every 2 years to maintain recognition.</p>
<p>a. <strong>MKT-RIA-ATT Attestation Requirements</strong> will begin the 2 year clock at either the date of FedRAMP recognition OR the date of publishing, whichever is most recent. This provides all current and future FedRAMP-recognized independent assessors 2 years to meet this requirement before it applies indefinitely.</p>
<p>b. <strong>MKT-RIA-ATT Attestation Requirements</strong> will continue to include the grace period of 6 months but will add a path to prevent loss of recognition if the independent assessor demonstrates intent to perform the required assessments with the timelines being outside of their control.</p>
<p>c. Some commenters inadvertently reinforced this requirement by explaining they had paid considerable cost to obtain an A2LA Accreditation with the sole intent of providing advisory services; however, A2LA Accreditation and the related FedRAMP recognition process do not assess a company’s knowledge of FedRAMP or their ability to provide advisory services because it is intended only for independent assessors. This problem is exactly the confusion FedRAMP intends to address with this requirement.</p>
</li>
<li>
<p><strong>MKT-GEN-DOD Demonstration of Ongoing Demand</strong> will be updated to only apply to cloud services without an agency authorization to operate and the overall application will be clarified.</p>
<p>a. Providers that are not following the Authorization Data Sharing standard will be exempt from sharing agency package request information as FedRAMP manages that process for USDA Connect.</p>
<p>b. FedRAMP will add a note clarifying that this is to help FedRAMP justify the use of government resources to support Program Certification and similar processes overall by providing aggregate numbers and is not intended as an oversight mechanism to punish providers who are struggling with demand.</p>
</li>
<li>
<p><strong>MKT-GEN-PKO Pick One: 20x or Rev5</strong> will be updated to be more explicitly clear that Program Certification is the path outlined in RFC-0023 where FedRAMP is the sponsor for initial and ongoing authorization and that the requirement to pick one path applies to Program Certification only.</p>
<p>a. Cloud services with a 20x Certification are welcome to pursue an agency sponsored authorization to also obtain and maintain a FedRAMP Certification for Rev5. These Certifications would need to be maintained separately, following separate Rev5 and 20x processes. This would be very complicated for a company and likely result in significant confusion but FedRAMP does not have a reason to prevent this today.</p>
<p>b. FedRAMP itself will not provide a Program Certification for both paths due to the issues mentioned above, however; it would certainly be a waste of time, resources, and effort for FedRAMP to perform duplicative work itself.</p>
</li>
<li>
<p><strong>MKT-PRE-DCP Demonstrating Continuous Progress</strong> will be updated to clarify that continuous progress will be measured by the cloud service provider against goals it must include in the Ongoing Authorization Reports.</p>
<p>a. This is an opportunity for a business to showcase its goals and progress in a way that any potential customer can review and should be seen as a marketing and future customer experience opportunity.</p>
</li>
<li>
<p><strong>MKT-FRX-TAT Target Authorization Time</strong> will be updated to clarify that FedRAMP won’t throw someone under a 1 month penalty bus if there is a minor issue with a submission that is easy to correct.</p>
<p>a. This penalty is for situations when a package is demonstrably insufficient or FedRAMP has to repeatedly ask for additional information such that it is impossible to make a decision in a timely manner without wasting time and resources.</p>
<p>b. The note incorrectly mentioned a 3 month waiting period; the penalty is intended only to be 1 month.</p>
</li>
<li>
<p>FedRAMP will provide a JSON schema for the required web information for independent assessors and advisory services in the FedRAMP Consolidated Rules for 2026.</p>
<p>a. <strong>MKT-ADV-WEB Website Requirements</strong> and <strong>MKT-RIA-WEB Website Requirements</strong> will be updated to include this JSON schema and information about validation.</p>
</li>
<li>
<p>All of the final rules will be updated to match the most recent naming conventions in FedRAMP Machine Readable Documentation, so many of the names will change.</p>
</li>
</ol>
<h2><strong>Explanation</strong></h2>
<p>RFC-0021 received 41 comments in total, with a wide variety of focus for the comment content (appropriate to the various themes within RFC-0021). Comments were generally targeted at very specific areas and many aspects of the RFC received little attention. FedRAMP is making adjustments in specific areas that take into account concerns raised by the community where feedback did not conflict with the underlying goal or purpose of a proposed rule.</p>
<p>The adjustments are outlined in detail in the Initial Outcome section and summarized as follows:</p>
<ol>
<li>
<p>Pricing information will not be required because pretty much all industry commenters raised concerns, even though pretty much all agency commenters were strongly appreciative of the proposed change.</p>
</li>
<li>
<p>Advisory services and independent assessors will not need to maintain public attestations from customers. At least initially, advisory service listings will not require demonstration of quality.</p>
</li>
<li>
<p>FedRAMP-recognized independent assessors will be expected to perform at least 2 assessments every 2 years, instead of 3, along with many other changes and clarifications. This requirement is directly targeted at withdrawing recognition from companies that are causing confusion by seeking FedRAMP-recognition as an independent assessor when they do not actually intend to provide assessment services; it is not intended to punish active assessment services for circumstances outside their control.</p>
</li>
<li>
<p>The limit on Program Certification to either Rev5 or 20x will remain in place because FedRAMP itself cannot waste resources on duplicative reviews and continuous monitoring. It’s possible there was some confusion here from commenters because this limit only applied to Program Certification where FedRAMP itself is the primary “sponsor” of a service (FedRAMP 20x is entirely sponsored by FedRAMP, and this rule applies to that and the proposed Rev5 Program Certification sponsored by FedRAMP in RFC-0023).</p>
</li>
<li>
<p>As FedRAMP delivers the Consolidated Rules for 2026, it will clarify that FedRAMP may defer corrective action if early notification with a well documented and achievable corrective action plan is supplied in advance of the corrective action being triggered. Corrective action is not intended to punish services acting in good faith on a technicality; it is for services that are simply failing to meet requirements.</p>
</li>
<li>
<p>Various other requirements and recommendations will be clarified, templates will be provided as appropriate, and everything will be implemented within the full context of the FedRAMP Consolidated Rules for 2026.</p>
</li>
</ol>
<p>Thank you for participating in the FedRAMP public comment process!</p>
]]></content:encoded>
      <pubDate>Wed, 25 Feb 2026 17:05:00 GMT</pubDate>
      <guid>https://fedramp.gov/notices/0005</guid>
      <media:content url="https://fedramp.gov/notices/thumbnail/0005.jpg" medium="image" type="image/jpeg" />
      <media:thumbnail url="https://fedramp.gov/notices/thumbnail/0005.jpg" />
    </item>
    <item>
      <title>Initial Outcome from RFC-0020 FedRAMP Authorization Designations</title>
      <link>https://fedramp.gov/notices/0004</link>
      <description>RFC-0020 FedRAMP Authorization Designations was closed on February 19, 2026. This notice explains the initial outcome from public comment and the next steps for FedRAMP.</description>
      <content:encoded><![CDATA[<p><a href="https://www.fedramp.gov/rfcs/0020/">RFC-0020 FedRAMP Authorization Designations</a> was closed on February 19, 2026. This notice explains the initial outcome from public comment and the next steps for FedRAMP. FedRAMP will publish the FedRAMP Consolidated Rules for 2026 (CR26) by the end of June, 2026; these rules will be valid until December 31, 2028.</p>
<h2><strong>Initial Outcome</strong></h2>
<p>The following changes from the initial proposed designations in RFC-0020 are planned in the FedRAMP Consolidated Rules for 2026 based on public comment:</p>
<ol>
<li>
<p>The single official label for all FedRAMP authorizations will be <strong>FedRAMP Certification</strong> or <strong>FedRAMP Certified</strong>.</p>
<p>a. This aligns with the definition of a FedRAMP authorization in the <a href="https://www.fedramp.gov/docs/authority/law/definitions/#b-additional-definitions">FedRAMP Authorization Act</a> which states that a FedRAMP authorization is a certification by FedRAMP.</p>
<p>b. Any cloud service with a FedRAMP Certification is FedRAMP authorized for the purposes of meeting statutory or regulatory requirements, including adequacy for use by an agency to authorize the operation of that cloud service within a federal information system.</p>
<p>c. There will not be separate designations (such as “FedRAMP Validated”) for 20x and Rev5; FedRAMP concurs with many commenters that this will ultimately create additional confusion for procurement and other discussions. FedRAMP will provide filters in the marketplace to differentiate these paths instead.</p>
</li>
<li>
<p>FedRAMP will not create additional certification baselines that factor for corrective actions or the implementation of recommendations in the FedRAMP Consolidated Rules for 2026.</p>
<p>a. Proposing new levels for this caused significant confusion as many commenters believed the requirements for the existing baselines would also change. FedRAMP is not intending to change requirements as part of this process, only to provide labels for the existing requirements that better align to FedRAMP’s responsibility and authority.</p>
<p>b. FedRAMP will separately share information about optional processes and corrective actions with agencies, using the FedRAMP Marketplace.</p>
</li>
<li>
<p>FedRAMP will not use the term “levels” or numbers for the new baseline labels to avoid confusion with the DOD/DOW Impact Level/IL system.</p>
<p>a. The new labels for each baseline will align to a FedRAMP Certification Class (A, B, C, or D).</p>
<p>b. This better reflects that the baseline defines the scope of the assessment and certification by FedRAMP, not the total quality or security of the cloud service.</p>
</li>
<li>
<p>FedRAMP will continue with 4 baselines of assessment in the Consolidated Rules for 2026, with each requiring a different amount (and sometimes type or frequency) of information for FedRAMP Certification as they currently do. There will only be minor changes to the baselines themselves.</p>
<p>a. The labels for these baselines will change, with a transition period where the old and new labels will be linked. FedRAMP will provide full details and expectations in the Consolidated Rules for 2026.</p>
<p>b. Rev5: Class A will be a new pilot baseline, Class B will include the current LI-SaaS and Low baselines, Class C will include the current Moderate baseline, and Class D will include the current High baseline.</p>
<p>c. 20x: These requirements will be formalized within the FedRAMP Consolidated Rules for 2026 and will align with Rev5 Classes.</p>
</li>
</ol>
<h2><strong>Explanation</strong></h2>
<p>A fundamental lifecycle change for FedRAMP occurred when the <a href="https://www.fedramp.gov/docs/authority/law/">FedRAMP Authorization Act</a> was passed and <a href="https://www.fedramp.gov/docs/authority/m-24-15/">OMB Memorandum M-24-15</a> was released. FedRAMP was not simply established in law or updated by these changes in statute and policy; instead, a very different program was established in its place with the same name.</p>
<p>As FedRAMP continues to align with these massively changed authorities and responsibilities there will be changes that fundamentally alter historical approaches to FedRAMP that are no longer relevant or applicable due to the rescission of the original FedRAMP. We acknowledge that for many stakeholders these changes continue to be confusing or frustrating at times but FedRAMP MUST operate in a different way to meet these new requirements; making changes now will reduce confusion in the future as FedRAMP grows.</p>
<p>The FedRAMP Authorization Act defines a FedRAMP authorization as simply <em>“a certification that a cloud computing product or service has completed a FedRAMP authorization process.”</em> The outcome of this process is a “FedRAMP authorization package” which is defined by the Act as <em>“the essential information that can be used by an agency to determine whether to authorize the operation of an information system.”</em> This naturally leads to the labels FedRAMP Certification for “FedRAMP authorization” and FedRAMP Certification Package for “FedRAMP authorization package.”</p>
<p>As explained in RFC-0020, a FedRAMP Certification is not a guarantee that a cloud service has met all requirements to be appropriate for use by an agency at a given FIPS 199 security category. FedRAMP does not have the authority to make this determination on behalf of an agency authorizing official. Agencies may use a FedRAMP Certification Package to authorize the inclusion of a cloud service in an agency information system at any security category they deem appropriate following the Risk Management Framework. OMB Memorandum M-24-15 and modern FedRAMP policies in general encourage agencies to use FedRAMP materials as the base for such decisions, and explicitly encourage the appropriate use of a FedRAMP Certification at different security categories (“impact levels”) than the FedRAMP Certification itself.</p>
<p>Many commenters inadvertently reinforced the critical misconception that a FedRAMP assessment baseline labeled with a FIPS 199 security category was a de facto acceptance of risk for agency use at that security category. This is incorrect; the FedRAMP assessment baseline identifies the depth and complexity of the information provided by the cloud service provider, not the overall security of a system. The outcome of the FedRAMP assessment and authorization process is a package of reusable materials to massively simplify the process for agencies to review and accept risks themselves, categorized by the amount of information available. This is the government-wide statutory and policy responsibility of FedRAMP today, providing the process for agencies to consistently manage the risk of using cloud services.</p>
<p>For all of these reasons, as proposed in RFC-0020, FedRAMP must establish proper labels that demonstrate the purpose and intent of the new FedRAMP. These labels do not change the requirements, purpose, or use of a FedRAMP authorization but over time will reduce the continuous confusion (clearly indicated in public comment) about the purpose and use of a FedRAMP Certification.</p>
]]></content:encoded>
      <pubDate>Wed, 25 Feb 2026 17:01:00 GMT</pubDate>
      <guid>https://fedramp.gov/notices/0004</guid>
      <media:content url="https://fedramp.gov/notices/thumbnail/0004.jpg" medium="image" type="image/jpeg" />
      <media:thumbnail url="https://fedramp.gov/notices/thumbnail/0004.jpg" />
    </item>
    <item>
      <title>Notification of Planned FY26 Q2 FedRAMP Security Inbox Test</title>
      <link>https://fedramp.gov/notices/0003</link>
      <description>FedRAMP will be performing a planned quarterly Emergency Test of the FedRAMP Security Inbox for all cloud service providers between March 2 and March 13, 2026.</description>
      <content:encoded><![CDATA[<p>FedRAMP recently published a mandatory balance improvement release for all cloud service providers called the <a href="https://www.fedramp.gov/docs/rev5/balance/fedramp-security-inbox/">FedRAMP Security Inbox</a>. These requirements are mandatory and went into effect on January 5, 2026. The requirements in this policy are designed to ensure that FedRAMP can directly contact the security teams of FedRAMP authorized cloud services during an emergency.</p>
<p>This policy also requires FedRAMP to perform quarterly tests to ensure all cloud service providers are complying with these requirements. FedRAMP is required to share public notice at least 10 business days in advance of such a test to ensure that cloud service providers are not surprised. This message serves as the required public notice (NTC-0003). The public record of this notice is available at <a href="https://fedramp.gov/notices/0003">https://fedramp.gov/notices/0003</a>.</p>
<h2>FY26 Q2 Emergency Test</h2>
<p>FedRAMP will trigger the FY26 Q2 Emergency Test during normal business hours (8am-5pm Eastern Time) between March 2 and March 13, 2026.</p>
<p>This Emergency Test email will come from <a href="mailto:fedramp_security@gsa.gov">fedramp_security@gsa.gov</a> and will clearly specify the actions that cloud service providers are expected to take in reaction to receiving this message.</p>
<p>The actions FedRAMP will expect cloud services to take for the FY26 Q2 Emergency Test follow:</p>
<p>The email will contain the FedRAMP ID, a unique code for each cloud service offering, and a link to a Google Form. The unique code ensures that the form is submitted in response to the email received from FedRAMP for the correct cloud service offering.</p>
<p>Providers will be required to submit the following information in the Google Form for each cloud service offering:</p>
<ul>
<li>The FedRAMP ID of the cloud service offering</li>
<li>The unique three-word code received in the FedRAMP Emergency Test email</li>
<li>The name, title, and email of a preferred contact for follow up from FedRAMP if needed</li>
<li>Are you aware of the <a href="https://www.fedramp.gov/docs/rev5/balance/secure-configuration-guide/">FedRAMP Secure Configuration Guide rules</a> that are mandatory for all cloud service providers as of March 1, 2026?</li>
<li>Have you met the requirements and recommendations in the <a href="https://www.fedramp.gov/docs/rev5/balance/secure-configuration-guide/">FedRAMP Secure Configuration Guide</a> rules?</li>
<li>Where can FedRAMP or federal agencies find your Secure Configuration Guide?</li>
</ul>
<p>Response times will be tracked and reviewed by FedRAMP; individual response times may be published as a security metric.</p>
<p>FedRAMP Security Team</p>
<h2>A Special Email Test</h2>
<p>To help cloud service providers ensure they are prepared, FedRAMP will be sending an individual informational notice, with a copy of this message, to the FedRAMP Security Inbox email address on file. If you are a cloud service provider and do not receive an informational notification by Monday, February 23, please contact info@fedramp.gov immediately to begin troubleshooting any possible problems with your FedRAMP Security Inbox.</p>
]]></content:encoded>
      <pubDate>Wed, 18 Feb 2026 17:03:00 GMT</pubDate>
      <guid>https://fedramp.gov/notices/0003</guid>
      <media:content url="https://fedramp.gov/notices/thumbnail/0003.jpg" medium="image" type="image/jpeg" />
      <media:thumbnail url="https://fedramp.gov/notices/thumbnail/0003.jpg" />
    </item>
    <item>
      <title>Outcome from RFC-0019 Reporting Assessment Costs</title>
      <link>https://fedramp.gov/notices/0002</link>
      <description>RFC-0019 Reporting Assessment Costs was closed on February 12, 2026. After reviewing public comments, FedRAMP will not finalize or implement the proposed cost reporting requirements at this time.</description>
      <content:encoded><![CDATA[<p>The proposed rules from <a href="https://www.fedramp.gov/rfcs/0019/">RFC-0019 Reporting Assessment Costs</a> <strong>will not be finalized or implemented by FedRAMP.</strong></p>
<p>Cloud service providers and FedRAMP-recognized independent assessment services will not be required to report information to FedRAMP regarding the expenses incurred for any assessment at this time. This determination may be reconsidered in the future; however, a new public comment period would be required.</p>
<h2>Explanation</h2>
<p>On January 13, 2026, FedRAMP proposed reporting requirements to gather assessment costs in <a href="https://www.fedramp.gov/rfcs/0019/">RFC-0019</a> to help address the statutory responsibility in <a href="https://www.fedramp.gov/docs/authority/law/gsa/#a-roles-and-responsibilities">44 USC § 3609 (a) (10) (A)</a> to <em>"regularly review, in consultation with the FedRAMP Board … the costs associated with independent assessment services…"</em></p>
<p>RFC-0019 generated more public comments than many previous FedRAMP RFCs, with 30 distinct commenters supplying 48 comments on the proposed requirements. FedRAMP appreciates the many carefully considered comments that addressed the underlying potential impact to industry and the associated concerns for companies. This notice summarizes and explains the outcome from RFC-0019 Reporting Assessment Costs.</p>
<p>The primary theme FedRAMP identified in public comments was that collecting this information would impose a burden on cloud service providers that was not relevant to the assessment and authorization of cloud computing services. Assessment costs are paid by cloud service providers as part of a commercial agreement with an assessment organization that does not involve the government; therefore, FedRAMP would be collecting proprietary business information. Some commenters even indicated that companies might choose to deliberately obfuscate or falsify their assessment cost reporting to protect themselves.</p>
<p>A critical secondary theme was that the cost paid by any particular cloud service provider for an assessment would only be relevant to the experience of that specific provider due to the wide variance in scope and complexity across providers. Commenters indicated that these costs could not <strong>and should not</strong> be compared across providers.</p>
<p>Overall, public comments have made it clear that implementing the proposed requirements would create a significant problem for some companies that might choose to reject them, would likely create significant problems for FedRAMP in oversight and management of the information, and might cause a slew of other issues due to the perception that, effectively, this is none of FedRAMP’s business and that the cost of services between private-sector entities should be left to private-sector entities to negotiate.</p>
<p>FedRAMP concurs with the public that requiring businesses to report on the costs of assessment services for FedRAMP-related assessment is unreasonable. As a result, FedRAMP will not implement these requirements and will only be able to rely on limited publicly available information to review the cost of assessment services.</p>
]]></content:encoded>
      <pubDate>Wed, 18 Feb 2026 17:01:00 GMT</pubDate>
      <guid>https://fedramp.gov/notices/0002</guid>
      <media:content url="https://fedramp.gov/notices/thumbnail/0002.jpg" medium="image" type="image/jpeg" />
      <media:thumbnail url="https://fedramp.gov/notices/thumbnail/0002.jpg" />
    </item>
    <item>
      <title>Introducing FedRAMP Public Notices</title>
      <link>https://fedramp.gov/notices/0001</link>
      <description>Introducing FedRAMP Public Notices, a simple service to keep stakeholders in the loop on updates and announcements from FedRAMP.</description>
      <content:encoded><![CDATA[<p>FedRAMP Public Notices is a new addition to FedRAMP's communications channels that establishes a single place for simple and clear notifications about program updates, policy changes, and operational guidance.</p>
<p>This system should make it easier for folks to stay informed or catch up on important updates where action may be necessary. FedRAMP's other communication channels include:</p>
<ul>
<li>The <a href="https://fedramp.gov/blog">FedRAMP Blog</a> provides big picture updates in large information dumps.</li>
<li>Our <a href="https://public.govdelivery.com/accounts/USGSA/subscriber/new">email subscriber list</a> regularly communicates smaller updates over email, but these are not archived and may be easy to miss.</li>
<li>FedRAMP's <a href="https://www.linkedin.com/showcase/gsa-fedramp/about/">social media on LinkedIn</a> actively communicates about smaller updates as well, but these are also easy to miss.</li>
<li>The <a href="https://github.com/FedRAMP/community/discussions">FedRAMP Community discussions</a> on GitHub are a great place for discussing FedRAMP, but they include far more than just general notices.</li>
</ul>
<h2>Key Features of FedRAMP Public Notices</h2>
<ul>
<li><strong>Easy to Catch Up:</strong> All historical notices are available in one place with summaries that make it easy to catch up on occasional visits.</li>
<li><strong>Easy to Follow:</strong> An RSS feed allows simple integration into the communication platform of your choice so updates aren't missed.</li>
<li><strong>Targeted Content:</strong> Notices are focused on just the key facts you need to know - we won't use notices to send general reminders or provide social updates that are more appropriate via other channels.</li>
</ul>
<h2>What's Next</h2>
<p>Set up your system of choice to <a href="https://fedramp.gov/notices/rss.xml">monitor the RSS feed</a> for new notices and stand by for key updates!</p>
]]></content:encoded>
      <pubDate>Wed, 18 Feb 2026 17:00:00 GMT</pubDate>
      <guid>https://fedramp.gov/notices/0001</guid>
      <media:content url="https://fedramp.gov/notices/thumbnail/0001.jpg" medium="image" type="image/jpeg" />
      <media:thumbnail url="https://fedramp.gov/notices/thumbnail/0001.jpg" />
    </item>
</channel>
</rss>