Initial Outcome from RFC-0023 Rev5 Program Certifications

NTC-0008 published at Fri, 06 Mar 2026 18:40:00 GMT


RFC-0023 Rev5 Program Certifications proposed a short-term option to help cloud service providers that had already heavily invested in the FedRAMP Rev5 agency authorization path but either lost their agency sponsor or have struggled to obtain an agency sponsor during the last year due to unexpected government-wide staffing and budget changes.

A full traditional Rev5 security assessment review is expensive and time-consuming for the government and requires careful balancing and planning for an agency. FedRAMP relies on the distribution of assessment review across the government to scale the program because it has never been funded or staffed to tackle assessment review on behalf of the entire government. This situation has not changed, and FedRAMP has no intention of removing sponsorship or taking on the full traditional Rev5 assessment review for everyone; FedRAMP is simply not capable of doing so without multiple years of increased targeted appropriations and planning.

To address this problem in the long term, FedRAMP has been building a new approach that reduces the initial review burden so that it can directly handle the initial assessment review on behalf of all agencies for a base level of demand, then scale with resources and personnel as additional funding is unlocked as a result of its success. This approach is well known as FedRAMP 20x, and FedRAMP has been applying lessons learned in the 20x approach to Rev5 via mostly optional Balance Improvement Releases.

Rev5 Program Certification, with initial assessment review and ongoing certification via continuous monitoring being performed directly by FedRAMP, can only be available to a limited number of cloud service providers that adopt the Balance Improvement Releases necessary to lower the burden for FedRAMP. Any cloud service provider that is unable to adopt these requirements will need to pursue the agency sponsor path to locate a government agency that has the funding and resources to perform the more burdensome traditional review and continuous monitoring.

A Quick Recap

Many of the details in this Initial Outcome will be confusing for stakeholders who have not kept up with recent RFCs and their initial outcomes posted by FedRAMP over the past few months. The information below is a quick recap of relevant information, though stakeholders are strongly encouraged to read the full set of RFCs and their outcomes for context.

  1. FedRAMP Consolidated Rules for 2026 will be published by the end of June 2026. These will integrate many changes, apply to all cloud service providers by December 31, 2026, and will be valid until December 31, 2028.

  2. FedRAMP Certification will be the new label for a FedRAMP authorization. This is to avoid the frequent confusion between a FedRAMP authorization (done by FedRAMP) and an authorization to operate (done by agencies).

  3. FedRAMP will transition labels for requirements and baselines from impact levels to Certification Classes. Class A Certifications will be time-limited for initial testing and piloting while Class B, C, and D Certifications will initially map to historical FR Low/Li-SaaS, FR Moderate, and FR High requirements.

  4. FedRAMP Certifications of various types and classes will be available via the current Agency Authorization or new Program Certification paths. The Agency Authorization path is the traditional “agency sponsor” path for initial review that allows an agency to invest the resources up front by sponsoring a FedRAMP Certification for a cloud service it wants to use. The Program Certification path allows FedRAMP to review the product initially and does not require an agency sponsor, but has considerable restrictions on availability.

All types of FedRAMP Certifications as well as all current and historical FedRAMP authorizations regardless of name or title are not government-wide authorizations to operate that allow any agency to use the product without meeting statutory and policy requirements for an authorization to operate. Many public commenters continue to misunderstand this fundamental fact of the law: an agency will always be required to perform a review of the security materials in a FedRAMP package to determine the risk of using it and current policy requires them to follow the NIST Risk Management Framework to implement an authorization to operate.

FedRAMP’s goal is to make this process dead simple for agencies so that they can make such determinations and perform an ATO within days or weeks.

Initial Outcome for FedRAMP Ready

The full details for implementing next steps for FedRAMP Ready will be published in the Consolidated Rules for 2026; however, FedRAMP will immediately begin publicizing the pending retirement of FedRAMP Ready as planned.

The high-level initial outcomes from RFC-0023 for FedRAMP Ready are:

  1. FedRAMP will retire FedRAMP Ready on July 28, 2026 as proposed in RFC-0023. No FedRAMP Ready submissions will be accepted after this date.

    a. Rev5 Class A Certifications will be available at this time and these requirements will not vary considerably from those for FedRAMP Ready so that cloud services working towards FedRAMP Ready can shift easily into the new profile.

  2. Instead of simply retiring FedRAMP Ready as proposed in RFC-0023, FedRAMP will provide an alternative path for cloud service providers to convert their FedRAMP Ready or FedRAMP Ready assessment into a Class A FedRAMP Certification.

    b. Cloud services that do not wish to or do not meet the requirements for conversion will be renamed “Legacy FedRAMP Ready” and otherwise retired as proposed in RFC-0023.

Initial Outcome for Implementing Program Certification

FedRAMP will establish a tightly scoped Rev5 Program Certification with strict application criteria and limited commitments; the full criteria, requirements, and expectations will be published as part of the FedRAMP Consolidated Rules for 2026 by the end of June 2026.

This Rev5 Program Certification option will be deployed in stages, as follows:

  1. Stage 1: Rev5 Class A Certifications will be available to cloud services that are FedRAMP Ready. Rev5 Class A Certifications will replace FedRAMP Ready. Providers will need to meet a few requirements to convert from FedRAMP Ready but it will be light touch initially.

  2. Stage 2: Rev5 Class B and Class C Certifications will be available through Program Certification to cloud services that are willing to adopt the required Balance Improvement Releases and met at least one of the following criteria between 1/1/2025 and 3/1/2026:

    a. FedRAMP Ready on the FR Marketplace

    b. In Process on the FR Marketplace

    c. Completed a FedRAMP Ready assessment with a Readiness Assessment Report (RAR)

    d. Completed a full FedRAMP assessment with a Security Assessment Plan and Security Assessment Report (SAP/SAR)

Additional instructions and requirements will align with those proposed in RFC-0023 and will be shared publicly prior to opening the pipeline for Program Certifications. This opportunity for qualifying cloud services will be available until Rev5 is retired.

Please do not reach out to FedRAMP about additional information or next steps until the formal criteria, path, and requirements are published! All relevant details will be shared with the public at the same time to ensure fairness.

During Stage 1 and 2, FedRAMP will evaluate the impact to the program and establish requirements and timelines for additional stages based on real-world metrics.

In Stage 3, tentatively, FedRAMP hopes to open Rev5 Class A Certifications to any cloud service provider using an external security framework that is 80%+ compatible with FedRAMP Rev5 requirements, and then to open Rev5 Class B and C Certifications to specific types of GRC automation tools and services with proven agency demand.

Additional Initial Outcome Specifics

Additional specific outcomes from RFC-0023 that will be implemented in the Consolidated Rules for 2026 follow:

  1. FedRAMP will not implement the proposed “trusted assessor” definition or related requirements proposed in RFC-0023.

    a. Thanks to astute public comment, FedRAMP is particularly concerned that this requirement might lead to cloud service providers establishing a contract with a “trusted assessor” that loses that status prior to completing the assessment, creating an issue that is beyond the control of the cloud service provider while unfairly punishing them.

    b. LPC-GEN-ATA Assessment By Trusted Assessor will not be implemented.

  2. LPC-GEN-MBA Mandatory Balance Improvement Release Adoption will not be implemented.

  3. LPC-GEN-LMR Legacy Machine-Readable Package Requirements will not be implemented specifically for Rev5 Program Certifications.

  4. LPC-GEN-LVL Level Limited will be updated to Class Limited and clarify that FedRAMP will only provide sponsorless Class A, B, or C FedRAMP Certifications. Class D FedRAMP Certifications will continue to require an agency sponsor.

    a. Cloud service providers that are unable to secure an agency sponsor for a Class D FedRAMP Certification are welcome to apply for a Class C FedRAMP Certification from FedRAMP directly and make any additional control implementations available in an addendum to their authorization package for agencies to encourage adoption in agency information systems with a High security objective.

  5. LPC-TIM-EOL End of Life for Legacy Program Certification will be updated to align the end of life for legacy program certification with the end of life for new Rev5 authorizations overall (this is currently planned to be in 20x Phase 5, FY27 Q3 to FY Q4).

    a. This change will ensure a sponsorless option is available during the entire remaining lifecycle of the FedRAMP Rev5 Certification path.

  6. LPC-FRX-GRC Prioritization of Some GRC Tools will be reworked along with an entirely different pipeline process; in general, GRC tools that can be used by agencies to ingest machine-readable authorization data from other cloud services will continue to be prioritized.

  7. LPC-GEN-IBR Implement Balance Releases will be implemented without any significant change in response to public comment.

    a. Program Certification for Rev5 is available only because of the Balance Improvement Release process. If a cloud service provider is unable to implement the requirements in these Balance Improvement Releases then FedRAMP would not be able to provide sufficient resources to maintain their Program Certification.

    b. Cloud service providers that are not able to implement Balance Improvement Releases can still obtain a FedRAMP Certification through a sponsoring agency.

  8. LPC-GEN-IRI Included Required Information will be implemented without any significant change in response to public comment beyond striking the loss of “trusted assessor” status, as that no longer applies.

  9. All of the final rules will be updated to match the most recent naming conventions in FedRAMP Machine Readable Documentation, so many of the names will change.