The New FedRAMP Era is Here: Top 10 Updates Every CSP Needs to Know

FedRAMP | Federal Assessments

Published: Jun 25, 2026

On June 24, 2026, FedRAMP published the Consolidated Rules for 2026, featuring a sweeping overhaul of the policies, requirements, and terminology that govern how cloud service providers (CSPs) obtain and maintain FedRAMP Certification. The rules are effective July 4, 2026, for 20x CSPs and replace a patchwork of legacy guidance documents, memoranda, and program policies with a single machine-readable, structured ruleset. For existing Rev5 CSPs, most requirements become mandatory on January 1, 2027, with optional early adoption available immediately.

10 Key FedRAMP Updates CSPs Need to Know

For CSPs currently on or building toward the FedRAMP Marketplace, this is not a minor update, but rather a ground-up restructuring of the program. The following 10 considerations represent the changes with the greatest practical impact on CSP GRC and engineering teams.

1. "Authorization" Is Out, "Certification" Is In

FedRAMP has formally retired the term "FedRAMP Authorized" in favor of "FedRAMP Certified." This is not a cosmetic change. The Consolidated Rules define "FedRAMP Certified" as the program term that satisfies the statutory concept of FedRAMP authorization under 44 USC § 3608. Legacy terms like "FedRAMP Authorized" and "FedRAMP Authorization" are listed as alternate synonyms pointing to the new terminology, but the program has moved on.

More consequentially, the rules introduce a formal Certification Path structure: Program Path or Agency Path. All FedRAMP 20x certifications follow the Program Path exclusively, meaning FedRAMP itself serves as the certifying body directly, eliminating the agency sponsor requirement that has historically been one of the most significant barriers to market entry. The Agency Path remains available but is explicitly defined as a legacy path, available only for Rev5, and still requires both agency and FedRAMP review and approval.

For CSPs that previously struggled to find a willing agency sponsor, this structural change opens a direct route to federal market access through 20x.

2. New Certification Classification System Replaces Low, Moderate, and High Baselines

The familiar Low, Moderate, and High impact level baselines are no longer the organizing framework for FedRAMP Certification. In their place, the Consolidated Rules introduce a Certification Class system with four categories: Class A, Class B, Class C, and Class D. Each class represents a spectrum from minimal assurance to significant assurance.

A Certification Profile is now defined as the combination of three elements: Certification Type (Rev5 or 20x), Certification Path (Program or Agency), and Certification Class (A, B, C, or D). CSPs must identify a target profile and apply all relevant FedRAMP Practices accordingly.

While the Consolidated Rules text does not publish an explicit Low/Moderate/High to Class B/C/D equivalency table, the class structure aligns with those legacy impact levels in terms of assurance expectations. Class A represents a lightweight entry point tied to commercial compliance reuse. Class D represents the highest assurance tier. CSPs upgrading or downgrading Certification Class must apply for a new FedRAMP Certification — the class cannot be adjusted in place.

Additionally, FedRAMP Ready status is being retired. CSPs currently holding FedRAMP Rev5 Ready status must convert to a full FedRAMP Certification before the later of their next annual assessment expiration or November 17, 2026.

3. A New Commercial Compliance Reuse Path Exists

The Consolidated Rules introduce FedRAMP Class A Certification as a new path that allows CSPs to leverage an existing commercial compliance certification to obtain FedRAMP Certification. This is the most significant market expansion mechanism in the new rules.

To qualify, a CSP must have completed an assessment from one of the following approved alternative security frameworks within the past 12 months:

  • FedRAMP Rev5 (including FedRAMP Ready) at any historical Impact Level
  • SOC 2 Type II
  • GovRAMP at any Impact Level

Class A certification requires engagement with a set of mandatory FedRAMP rules beyond the alternative framework materials. CSPs pursuing Class A must still apply directly through FedRAMP.

One important constraint to note is that agencies are advised not to authorize a Class A certified offering for more than 12 months unless that CSP is actively pursuing a Class B, C, or D certification. Class A is designed as an on-ramp, not a permanent destination.

4. The SSP Is Dead: It's Now a Security Decision Record and Certification Package Overview

The System Security Plan (SSP), the foundational documentation artifact of FedRAMP Rev5, is being replaced by two new artifacts that together cover what the SSP historically contained.

The Security Decision Record (SDR) is a persistently maintained, machine-readable record of every security decision made by the CSP across the lifecycle of their cloud service offering. It must be provided in both human-readable and JSON formats, and must include documentation for every applicable FedRAMP rule, every applicable Key Security Indicator, and every Rev5 control. This is not a one-time document. It is a living record expected to stay current.

The Certification Package Overview replaces the base SSP document specifically. It provides a concise, structured summary of the offering and is also required in both human-readable and JSON formats. The FedRAMP Consolidated Rules are explicit: this overview "replaces the historically required base System Security Plan for FedRAMP Rev5."

Rev5 CSPs must obtain SDR compliance by January 1, 2027, with a maintenance deadline of August 1, 2027. The Certification Package Overview must be obtained by January 1, 2027, with a grace period tied to the next assessment.

5. Machine-Readable JSON Is Now Required Program-Wide

The Consolidated Rules introduce a structural requirement that affects nearly every artifact a CSP produces: dual-format delivery in both human-readable and JSON formats. This applies to the Security Decision Record, the Certification Package Overview, Significant Change Notifications, vulnerability reports, public service listings, and certification data generally.

FedRAMP has published JSON schemas for relevant artifacts, and CSPs must supply machine-readable information in JSON documents that are valid against those schemas. Automation is also required to ensure consistency between human-readable and machine-readable versions when both are provided.

For GRC and engineering teams, this is not a documentation update; it is a tooling requirement. Teams producing these artifacts manually will need to build or adopt structured data pipelines. The era of Word and PDF-only FedRAMP compliance packages is ending.
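An added illustration of what such a pipeline looks like in miniature (example code, not from the article or from FedRAMP): one source record is validated against a schema, rendered to both JSON and a human-readable form, and the two renderings are checked against each other so they cannot drift. The field names and the schema are assumptions for this example; only the type, path and class vocabularies come from the article, and FedRAMP's published JSON schemas remain authoritative.

```python
import json
import re

# Assumed field names for a Certification Package Overview; the type, path and
# class vocabularies are the ones described in the article. Not FedRAMP's schema.
OVERVIEW_SCHEMA = {
    "certification_type": {"Rev5", "20x"},
    "certification_path": {"Program", "Agency"},
    "certification_class": {"A", "B", "C", "D"},
    "next_ocr_target_date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}

def validate(overview):
    """Return a list of schema violations (empty list means valid)."""
    problems = [f"missing field: {k}" for k in OVERVIEW_SCHEMA if k not in overview]
    for key, rule in OVERVIEW_SCHEMA.items():
        value = overview.get(key)
        if value is not None:
            ok = rule.match(value) if hasattr(rule, "match") else value in rule
            if not ok:
                problems.append(f"invalid value for {key}: {value!r}")
    # Cross-field rule from the article: 20x certifications use the Program Path only.
    if overview.get("certification_type") == "20x" and overview.get("certification_path") != "Program":
        problems.append("20x certifications must use the Program Path")
    return problems

def render_json(overview):
    return json.dumps(overview, indent=2, sort_keys=True)

def render_markdown(overview):
    rows = [f"- **{k}**: {overview[k]}" for k in sorted(overview)]
    return "\n".join(["# Certification Package Overview", ""] + rows)

def parse_markdown(text):
    pat = re.compile(r"^- \*\*([a-z_]+)\*\*: (.+)$")
    return {m.group(1): m.group(2) for m in map(pat.match, text.splitlines()) if m}

def drift(markdown_text, json_text):
    """Fields whose values differ between the two renderings; empty means consistent."""
    human, machine = parse_markdown(markdown_text), json.loads(json_text)
    return sorted(k for k in set(human) | set(machine)
                  if str(human.get(k)) != str(machine.get(k)))

SAMPLE_OVERVIEW = {  # constructed sample record, not a real offering
    "certification_type": "20x",
    "certification_path": "Program",
    "certification_class": "C",
    "next_ocr_target_date": "2027-04-01",
}
```

Running `drift(render_markdown(r), render_json(r))` in CI after any hand edit to the human-readable copy is the consistency automation the rules call for.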

6. Trust Centers Are Now Required — USDA Connect Is Being Phased Out

All FedRAMP Certified CSPs must use a FedRAMP-compatible trust center to store and share their FedRAMP Certification Data with all necessary parties. USDA Connect, the legacy secure folder platform used for package sharing, is being phased out. This means CSPs currently using it must migrate and notify all necessary parties of the transition.

Trust centers must meet specific technical requirements under the Consolidated Rules, including uninterrupted data availability, documented programmatic API access, an inventory of federal agency users with access, and access logging retained for at least six months. CSPs using a trust center rather than USDA Connect must notify FedRAMP within five business days of denying any agency access request.

The practical implication is that CSPs need to select, configure, and validate a compliant trust center platform — and integrate it into their ongoing certification data workflows. This is not optional and is not something that can be addressed at the next annual assessment cycle. Rev5 CSPs have until August 1, 2027 to fully comply, with a grace period extending to February 1, 2028.

7. Quarterly Reviews and Ongoing Certification Reports Replace Monthly ConMon

The traditional FedRAMP continuous monitoring model, centered on monthly POA&M submissions and annual assessments, is being replaced with a structured collaborative monitoring framework built around two recurring obligations.

First, CSPs must publish an Ongoing Certification Report (OCR) to all necessary parties every three months. The OCR must cover all activity since the previous report, be provided in a consistent human-readable format, and include an asynchronous feedback mechanism. CSPs must also publish an anonymized summary of feedback and questions received. A public target date for the next OCR must be maintained in the CSP's FedRAMP Certification Data at all times.

Second, CSPs must host a Quarterly Review, involving a synchronous meeting open to agency customers that is scheduled within 10 business days of each OCR release.

Rev5 CSPs must obtain compliance with these requirements by January 1, 2027, with a maintenance deadline of April 2, 2027, and a grace period through October 1, 2027.

8. A New Vulnerability Management Process Replaces the 30/90/180-Day POA&M Model

The legacy FedRAMP vulnerability remediation model — built around flat 30, 90, and 180-day remediation windows tied to CVSS severity — is replaced under the Consolidated Rules with a risk-contextual framework driven by Potential Agency Impact N-ratings (PAIN) and certification class.

CSPs must now evaluate every detected vulnerability across three dimensions: whether it is likely exploitable, whether it is internet-reachable, and what its potential impact would be on agency customers. The resulting PAIN rating, on a scale of 1 to 5, combined with the CSP's Certification Class, determines the applicable remediation timeframe. A Class D CSP with a PAIN-5, internet-reachable, likely exploitable vulnerability must act within 12 hours. The same vulnerability at Class B carries an 8-day window. Non-exploitable vulnerabilities at lower PAIN ratings can extend to 192 days, but at that point they must be formally categorized as accepted vulnerabilities.

The model also assumes automation: CSPs must treat vulnerability detection and response failures as vulnerabilities themselves, and automation is strongly expected for both detection and reporting. Monthly reporting to all necessary parties is still required. Vulnerability reports must distinguish between active vulnerabilities and accepted vulnerabilities, and must include sufficient detail to support agency risk-based decision-making without irresponsibly disclosing exploitation-enabling specifics.

Important timing note: Unlike most other Consolidated Rules requirements, the Vulnerability Detection and Response (VDR) and Vulnerability Evaluation and Reporting (VER) rulesets are mandated by CISA Binding Operational Directive (BOD) 26-04 and carry an earlier mandatory compliance date of December 7, 2026, with a grace period through March 7, 2027. FedRAMP has indicated that CSPs failing to comply with VDR and VER requirements by the grace period deadline risk having their FedRAMP Certification revoked. This is the most urgent near-term deadline in the entire Consolidated Rules package.
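An added example (not from the article or from FedRAMP) of the reporting logic this section describes: findings are triaged on class, PAIN rating, exploitability and reachability, split into active and accepted vulnerabilities, given due dates, and flagged when overdue, when accepted without a rationale, or when open past the 192-day ceiling. Only the remediation windows the article quotes are encoded; every other cell of the table must come from the published VDR/VER rulesets, and the sample findings are constructed.

```python
from datetime import datetime, timedelta

# Windows quoted in the summary above, keyed by (class, PAIN, exploitable, reachable).
# Only the combinations the article states are filled in; every other cell must come
# from the published VDR/VER rulesets (assumption: not reproduced here).
REMEDIATION_WINDOWS = {
    ("D", 5, True, True): timedelta(hours=12),
    ("B", 5, True, True): timedelta(days=8),
}
LONGEST_WINDOW = timedelta(days=192)  # beyond this a finding must be formally accepted

def remediation_window(cls, pain, exploitable, reachable):
    """Window for a triaged finding, or None when the table has no entry."""
    return REMEDIATION_WINDOWS.get((cls, pain, exploitable, reachable))

def build_monthly_report(findings, cls, now_iso):
    """Split findings into active vs. accepted, attach due dates and flag problems.
    Findings carry id, detected (ISO), pain (1-5), exploitable, reachable, accepted,
    rationale and summary; only `summary` (no exploitation-enabling detail) is copied."""
    now = datetime.fromisoformat(now_iso)
    report = {"class": cls, "generated": now_iso, "active": [], "accepted": [], "errors": []}
    for f in findings:
        entry = {"id": f["id"], "pain": f["pain"], "summary": f["summary"]}
        detected = datetime.fromisoformat(f["detected"])
        if f["accepted"]:
            if not f["rationale"]:
                report["errors"].append(f"{f['id']}: accepted without a rationale")
            entry["rationale"] = f["rationale"]
            report["accepted"].append(entry)
            continue
        if now - detected > LONGEST_WINDOW:
            report["errors"].append(f"{f['id']}: open beyond 192 days without acceptance")
        window = remediation_window(cls, f["pain"], f["exploitable"], f["reachable"])
        if window is None:
            report["errors"].append(f"{f['id']}: no window in table for this triage")
        else:
            entry["due"] = (detected + window).isoformat()
            entry["overdue"] = now > detected + window
        report["active"].append(entry)
    return report

# Constructed sample findings (not real vulnerabilities).
SAMPLE_FINDINGS = [
    {"id": "F-1", "detected": "2027-01-10T08:00:00", "pain": 5, "exploitable": True,
     "reachable": True, "accepted": False, "rationale": None,
     "summary": "Outdated TLS library on public load balancer"},
    {"id": "F-2", "detected": "2026-06-01T00:00:00", "pain": 1, "exploitable": False,
     "reachable": False, "accepted": True, "rationale": "Internal only; compensating control",
     "summary": "Legacy cipher suite enabled on internal batch host"},
]
```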

9. Significant Change Notifications Are Formalized into Three Tiers

The Consolidated Rules replace ad hoc Significant Change Request (SCR) practices with a structured three-tier Significant Change Notification (SCN) framework that categorizes changes as routine, adaptive, or transformative — each with distinct notification obligations.

Routine changes, meaning recurring operational changes that do not materially affect security, are explicitly exempted from formal notification requirements. Adaptive changes require notification to all necessary parties within 10 business days of completion. Transformative changes carry the most rigorous obligations: initial plan notification at least 30 business days in advance, final plan notification at least 10 business days before execution, post-completion notification within 5 business days, post-validation notification within 5 business days, and updated documentation published within 30 business days of completion.

All Significant Change Notifications must be provided in both human-readable and JSON formats. CSPs must maintain 12 months of historical notifications in their FedRAMP Certification Data. Auditable records of change evaluation activities must be maintained and available to FedRAMP upon request. Emergency changes during active incidents may proceed without advance notification, but must be followed up with full documentation after the fact.

Rev5 CSPs must obtain compliance by January 1, 2027, with a grace period through June 1, 2027.
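The three-tier notification calendar above, as an added example (not from the article or from FedRAMP): each tier's obligations are encoded as business-day offsets from the change's start, completion and validation dates, and the schedule is returned as a JSON-serializable dict. The business-day rule (Monday to Friday, no holiday calendar) and the emergency handling are assumptions for this example; the offsets are the ones stated in the article.

```python
from datetime import date, timedelta

# Notification obligations per tier, in business days relative to their anchor
# (negative = before execution starts, positive = after completion/validation).
# Values are the ones stated in the Consolidated Rules summary above.
SCN_OBLIGATIONS = {
    "routine": {},  # recurring operational changes: exempt from formal notification
    "adaptive": {"completion_notice": 10},
    "transformative": {
        "initial_plan": -30,
        "final_plan": -10,
        "completion_notice": 5,
        "validation_notice": 5,
        "documentation_update": 30,
    },
}
ANCHOR = {  # which milestone each deadline is measured from
    "initial_plan": "start", "final_plan": "start",
    "completion_notice": "completed", "documentation_update": "completed",
    "validation_notice": "validated",
}

def add_business_days(start, n):
    """Move |n| Mon-Fri business days forward (n > 0) or backward (n < 0)."""
    step, remaining, d = (1 if n >= 0 else -1), abs(n), start
    while remaining:
        d += timedelta(days=step)
        if d.weekday() < 5:
            remaining -= 1
    return d

def scn_schedule(tier, start, completed, validated=None, emergency=False):
    """Return {notification: ISO deadline} for a change; dates are ISO strings.
    An emergency change skips the advance notices but keeps every after-the-fact one."""
    milestones = {"start": start, "completed": completed, "validated": validated}
    deadlines = {}
    for name, offset in SCN_OBLIGATIONS[tier].items():
        anchor = milestones[ANCHOR[name]]
        if anchor is None or (emergency and offset < 0):
            continue  # validation not done yet, or advance notice waived
        deadlines[name] = add_business_days(date.fromisoformat(anchor), offset).isoformat()
    return deadlines

if __name__ == "__main__":
    import json
    print(json.dumps(scn_schedule("transformative", "2027-03-01", "2027-03-05", "2027-03-10"), indent=2))
```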

10. FIPS 140-2 Cryptographic Module Requirements Shift to Risk-Based

The Consolidated Rules replace the historically rigid FIPS 140-2 validated module requirement with a risk-based framework that separates documentation obligations from configuration defaults.

CSPs are now required to document the cryptographic modules used in each service where cryptographic protections are applied to specifically federal customer data — including whether those modules hold active validations under the NIST Cryptographic Module Validation Program (CMVP). The obligation to actually use CMVP-validated modules varies by Certification Class. Class D CSPs must use CMVP-validated cryptographic modules or update streams when protecting federal customer data. Class C CSPs should use them. Class B and Class A CSPs may use them. This class-tiered structure means the cryptographic requirement is now explicitly risk-differentiated rather than uniform across the program.

The purpose language in the rules is explicit: these rules "allow risk-based decisions for some services while still encouraging validated cryptographic modules whenever they are technically feasible and reasonable." For CSPs whose architectures include components where FIPS-validated modules are not practically available, this provides a documented path to compliance that acknowledges real-world constraints — provided the rationale is clearly documented.

Rev5 CSPs must obtain compliance by January 1, 2027, with a grace period through June 1, 2027.

What These FedRAMP Updates Mean for Your Organization

The FedRAMP Consolidated Rules represent the most significant restructuring of the program since its inception in 2011. The changes are not limited to documentation formats or terminology — they affect how CSPs structure their compliance programs, what technology they use to manage and share certification data, how they monitor and report vulnerabilities, and how they communicate with agencies and FedRAMP.

For existing Rev5 CSPs, the core compliance deadlines cluster around January 1, 2027, with several grace periods extending into mid-2027 and beyond. Optional early adoption is available as of July 4, 2026. For CSPs pursuing 20x, the rules are effective immediately.

Schellman's Federal team has conducted a detailed analysis of the Consolidated Rules against both the FedRAMP 20x and Rev5 requirements. If you have questions about what these changes mean for your specific certification profile or assessment timeline, contact us today.

This analysis is based on the final FedRAMP Consolidated Rules v2026.06.24.01, effective July 4, 2026.

About Matt Hungate

Matt Hungate is a Principal with Schellman based in Richmond, VA. Matt specializes in Federal Assessments at Schellman, including compliance with standards such as FedRAMP, NIST, ITAR, and CJIS. Prior to joining Schellman in 2019, Matt worked as a Cybersecurity Consultant for a large advisory firm where he specialized in strategy and assessment services for NIST 800-53 and FedRAMP. Matt also led and supported various other projects, including the development of an enterprise-wide cybersecurity strategy and cloud transition plan for a large federal agency. Matt has experience serving clients in both the private and public sectors, and his credentials include the CISSP, CISA, and CPA.