Initial Outcome from RFC-0022 Leveraging External Frameworks
NTC-0007 published at Tue, 03 Mar 2026 22:05:00 GMT
FedRAMP will publish the FedRAMP Consolidated Rules for 2026 (CR26) by the end of June, 2026; these rules will be valid until December 31, 2028.
These Consolidated Rules will formalize the initial requirements for Class A FedRAMP Certification based on the proposed requirements from RFC-0022 and the initial outcome from public comment shared below. This initial outcome, as written, may only make sense if you have reviewed the original RFC, other concurrent RFCs, and the initial outcome notices from the other concurrent RFCs; if you have not done so you may wish to wait for the FedRAMP Consolidated Rules for 2026 where all of this will be published together in context.
Explanation of Outcome
As explained in RFC-0022, Class A FedRAMP Certifications will exist to meet the specific mandate from M-24-15 to establish a path for leveraging external security frameworks and provide procedures for pilot uses of temporary FedRAMP Certifications. This path addresses gaps in the FedRAMP process that have caused agencies to perform their own pilot authorizations without following the FedRAMP process or promoting government-wide reuse. Agencies should not be required to invest considerable resources up front for sponsoring a cloud service prior to use, and cloud services should not need to invest significant resources in federal-specific processes to be used by agencies.
These updates after public comment clarify the intent of this process, maintain compliance with the underlying mandate from M-24-15, and explain how this path will integrate into other changes as part of the FedRAMP Consolidated Rules for 2026.
Class A FedRAMP Certifications will only be available through Program Certification (directly by the FedRAMP PMO without an agency sponsor) and will be available for both Rev5 and 20x with different requirements. The expected requirements for Rev5 Class A FedRAMP Certifications will be described in the initial outcome from RFC-0023.
In response to public comment, cloud service providers who receive a Class A FedRAMP Certification will be given 2 years (instead of 1 year) to obtain a Class B, C, or D FedRAMP Certification and will have some flexibility around that deadline based on scheduling with an independent assessor. This change will apply to all cloud services in the Preparation phase.
This initial outcome also explains that external frameworks will be adopted incrementally over time, depending on demand, throughput, and relevance. The external framework most frequently leveraged by agencies today for pilot authorizations is SOC 2 Type II, and that is where FedRAMP will start for 20x Class A FedRAMP Certifications. FedRAMP is aware of the limitations of this external security framework and will establish some initial guardrails, but Class A FedRAMP Certifications are intended to be transitory and replaced by a Class B, C, or D FedRAMP Certification that will require addressing all relevant FedRAMP rules. FedRAMP is not providing a bridge from external frameworks to other classes of FedRAMP Certification. No reciprocity is intended or will be granted in this process. Any provider seeking long-term or non-pilot use by an agency will need to pursue a different class of FedRAMP Certification.
Otherwise, most of the updates outlined in the initial outcome are minor changes and clarifications based on public comment.
Initial Outcome Details
The following changes from the rules proposed in RFC-0022 are planned in the FedRAMP Consolidated Rules for 2026 based on public comment:
Class A FedRAMP Certifications will be the label for cloud services in the Preparation phase that have met initial requirements for negligible or low risk pilot use by agencies.
This will replace the “FedRAMP Validated Level 1” label initially proposed.
Cloud service providers MUST meet the requirements to be listed on the FedRAMP Marketplace in the Preparation phase to apply for a Class A FedRAMP Certification, including being a cloud service within the scope of FedRAMP (intended for direct or indirect use by multiple federal agencies).
FedRAMP will provide the materials and process necessary for cloud service providers to request Class A FedRAMP Certifications prior to opening a pipeline.
FedRAMP will provide the materials and process necessary for agency adoption of Class A FedRAMP Certifications prior to opening a pipeline.
MKT-LEF-MAP Mapping to Key Security Indicators: The primary path for Class A FedRAMP Certifications maintained by FedRAMP will be designed for FedRAMP 20x and reflect the requirements proposed in RFC-0022.
This Certification Class is designed for industry companies that have not invested in the Rev5 path, using initial assessment of security posture via Key Security Indicators and other 20x requirements.
Paths for Rev5 FedRAMP Certification are already available for providers who have invested in the Rev5 path, and an alternative path for Rev5 Class A FedRAMP Certifications will be established based on the outcome from RFC-0023 Rev5 Program Certification.
MKT-LEF-ASF Approved Security Frameworks: The list of approved security frameworks will be limited initially, with specific instructions to ensure gradual and responsible implementation; implementation for specific frameworks will be staggered over time based on the level of effort and the depth of the review pipeline.
- SOC 2 Type II, as the most widely used external security framework with the least applicability to the Rev5 process, will be leveraged as the initial test case for Class A FedRAMP Certifications of this type. FedRAMP is aware of concerns about the quality and reliability of SOC 2 Type II audits and current trends with these audits, as stated in public comment; however, the purpose of this path is to incentivize the investment in a different FedRAMP Certification that requires stricter implementation and assessment before any agency would use the service beyond a negligible or low risk pilot.
MKT-LEF-DFV Deadline for FedRAMP Validation will be removed, and separate instructions will be provided to agencies to encourage them to establish conditional agreements during any Authorization to Operate for a pilot or test that the cloud service will invest in a different class of FedRAMP Certification appropriate to the agency use case if the agency wishes to continue use past the pilot.
MKT-PRE-DLA Deadline for Authorization, initially proposed in RFC-0021, will be updated to require a cloud service offering to demonstrate that it has scheduled an Independent Verification & Validation (20x) or Independent Assessment (Rev5) for a Class B, C, or D Certification within 2 years of initial listing in the Preparation phase.
This updated requirement will apply to Class A FedRAMP Certified offerings as they will remain in the Preparation phase.
This eases the pressure on cloud services that initiate a Preparation phase listing while providing flexibility in the event they are ready for an assessment but are unable to schedule one before the deadline.
This update was not included in NTC-0005 Initial Outcome from RFC-0021 because it is a result of public comment in this RFC.
MKT-LEF-NLR Negligible or Low Risk Use Cases will be removed and MKT-LEF-LIO Low Impact Only will be updated to clarify that agencies SHOULD deploy compensating controls if a Class A FedRAMP Certification is used for an agency ATO with higher security objectives or for non-pilot use cases.
MKT-LEF-ROQ Require Ongoing FedRAMP Qualification will be removed and this general principle will be addressed separately in agency guidance (agencies are required by M-24-15 to obtain and maintain FedRAMP Certifications for services they use, so FedRAMP does not need to emphasize this for Class A FedRAMP Certifications).
The proposed updates to the Minimum Assessment Scope are no longer necessary after updates to the Minimum Assessment Scope in v0.9.0; MAS-CSO-TPR requires addressing the potential impact to federal customer data from third-party information resources regardless of the FedRAMP Certification status of those resources.
All of the final rules will be updated to match the most recent naming conventions in FedRAMP Machine Readable Documentation, so many of the names will change.