A New Federal Market Opportunity: How Your SOC 2 Type II Opens the Door to FedRAMP Certification

If you’ve heard “FedRAMP” and immediately thought “that’s a year-long, million-dollar project we’re not ready for” — this post is for you. A lot has changed. The program's new Class A certification tier was built specifically for companies that have already done the hard work of achieving SOC 2 Type II. Here’s what your SOC 2 actually gets you, and why the path to the federal marketplace may be shorter than you think. 

FedRAMP Class A Certification FAQ

Q: I keep hearing about “FedRAMP 20x.” What is it, and why does it matter? 

FedRAMP, the Federal Risk and Authorization Management Program, is the government’s standardized framework for authorizing cloud services used by federal agencies. If you want to sell your cloud product to the federal government, FedRAMP is almost always part of the conversation.

For years under the traditional Rev 5 certification path, the FedRAMP process meant assembling a massive documentation package, finding a federal agency willing to sponsor your authorization, and investing 12–18 months and hundreds of thousands of dollars before you ever set foot on the FedRAMP Marketplace.

FedRAMP 20x, introduced in 2025, is a ground-up redesign built for companies looking to break into the federal market while investing to improve their security posture. It’s a cloud-native framework that focuses on continuous, automated validation of security posture rather than point-in-time documentation reviews. Instead of writing lengthy narratives about how you meet each security control, 20x is centered on demonstrating your security in near real-time through Key Security Indicators (KSIs), which are measurable, machine-readable signals that show your controls are actually working.

The practical difference is that 20x is faster, more flexible, and far more accessible for commercially-mature cloud companies that have already invested in security and compliance. The FedRAMP PMO formally opens 20x submissions in August 2026, meaning the window to get ahead of the market is right now.

Q: What is FedRAMP Class A, and why does it matter? 

Within the new 20x framework, FedRAMP certifications are organized into four classes, spanning from A through D, with each representing a different depth of assessment and ongoing reporting commitment. Class A is the entry point, and it was specifically designed to create a faster, more accessible path to the federal marketplace by leveraging frameworks that organizations already have.

Here’s what makes 20x Class A different from everything that came before it:

• It builds directly on existing commercial compliance programs. Class A is designed to leverage SOC 2 Type II reports as well as GovRAMP or FedRAMP Rev 5 reports as a foundational starting point. If you already have a SOC 2 Type II, you’ve done much of the heavy lifting. 

• It gets you on the FedRAMP Marketplace. A Class A certification is a full FedRAMP Certification, not a provisional status or a “ready” designation. It means you’re listed, searchable, and certified. 
• It’s a commercial opportunity, not just a compliance checkbox. Being on the Marketplace means you can reference your FedRAMP Certification when responding to federal RFPs, as part of product marketing and go-to-market efforts, and even as part of private sector procurement reviews. It’s a differentiator that opens doors. 

Despite being classified as a full FedRAMP Certification, Class A is designed to be a stepping stone. Once you’ve established federal market presence and are actively working with agencies, you’ll be expected to progress to a Class B, C, or D certification in the future. But Class A gets you in, and that first step has historically been the hardest one to accomplish. 

Q: What is the FedRAMP Marketplace, and why should I care about it? 

The FedRAMP Marketplace is the official, publicly searchable database of FedRAMP-certified cloud services. Federal agencies are required to use it as their primary reference when evaluating cloud vendors. There are currently over 500 certified offerings listed. 

For your business, being on the Marketplace matters in a few concrete ways: 

• It’s a significant differentiator. It starts conversations with agencies who search the Marketplace when building vendor shortlists. If you’re not listed, you often don’t make it into the conversation regardless of how good your product is. 

• It signals trust at scale. Listing on the Marketplace tells every potential federal customer, and many commercial enterprise customers, that an independent, government-recognized process has validated your security posture. 

Being “FedRAMP Certified” is a recognized trust mark you can use in sales materials, on your website, and in responses to security questionnaires from customers. 

Q: We already have a SOC 2 Type II. Does that mean we’re close to Class A Certification? 

Already having a SOC 2 Type II Report means you’re closer to achieving Class A certification than you might think. 

SOC 2 Type II is one of the primary qualifying frameworks for Class A certification. FedRAMP specifically identified SOC 2 Type II as a foundational baseline because of its widespread adoption among commercial SaaS companies. 

That said, a SOC 2 alone doesn’t get you across the finish line. Depending on your existing SOC 2 coverage, there are approximately 35-55 additional FedRAMP-specific requirements that must be addressed as part of your Class A submission. While some of these additional requirements may be fully addressed and reusable from your SOC 2 report, there will be areas that your SOC 2 report won’t fully address, including government specific incident response procedures and reporting requirements. 

The good news is that many of these additional requirements are relatively low-lift items for organizations that already run a mature security program. You’re not starting from scratch but rather filling targeted gaps on top of a solid foundation. For most companies with a SOC 2, the question isn’t whether you can do it. It’s whether you know exactly what’s missing and how to close those gaps efficiently. 

Q: Do we need a federal agency to sponsor our FedRAMP authorization? 

Federal agency sponsorship is no longer required for FedRAMP authorization, and this is one of the most significant changes in the new 20x framework. 

Under the traditional FedRAMP model, finding an agency sponsor was one of the biggest obstacles to authorization, causing notable delays. Agencies were cautious about committing to an unproven vendor, and many companies spent months (or years) trying to secure a sponsor before they could even begin the authorization process. 

Class A certification is issued directly by the FedRAMP PMO through what’s called a Program Certification. You submit your package, the PMO reviews it, and — if it meets requirements — you receive your certification. No agency sponsor is required. 

This removes what was historically the longest, most uncertain part of the entire process, now lowering the barrier to entry for many organizations. You’re no longer dependent on finding a federal champion before you can get started. 

Q: How does Schellman help organizations pursue a Class A certification? 

A third-party assessment is not technically required to submit a Class A package to the FedRAMP PMO. But here’s the practical reality: the submission requirements are new, the gap between SOC 2 and Class A has nuance and complexity, and packages that are incomplete or misaligned get rejected, setting your timeline back significantly. 

Working with an Independent Assessor like Schellman means you have a team that is fully engrained in the FedRAMP requirements, understands exactly where SOC 2 leaves off and Class A begins, and can help you move from gap identification to submission without the false starts and rework. 

Schellman is the #1 ranked FedRAMP Independent Assessor (formerly referred to as 3PAO) on the FedRAMP Marketplace. Beyond our FedRAMP capabilities, we’re a leading provider of SOC compliance and attestation services, offering a one-stop-shop for consolidated compliance efforts. We’ve purpose-built a Class A service offering structured around where you are in your compliance journey: 

You can start at Tier 0 or 1 if you’re still evaluating whether Class A makes sense for your business — or jump directly to Tier 2 if you’ve already decided to move forward. And if you’re not sure where to start, we can help you decide the best path forward based on your current standing. 

Ready To Explore What Class A Could Mean for Your Business? 

If your organization has a SOC 2 Type II and any interest in the federal market, Class A is worth serious consideration. The barriers that made FedRAMP feel out of reach, including the agency sponsor requirement, the 12+ month timelines, the six-figure investment costs, have been fundamentally restructured. 

The Marketplace submissions window opens in August 2026. Organizations that move now will be positioned to be among the first Class A-certified cloud services listed. 

Get in touch with Schellman’s Federal Practice team to start the conversation.