FedRAMP | News | Federal Assessments
By: Schellman, June 25th, 2026
Schellman, the nation's No. 1 FedRAMP Independent Assessor, breaks down the most significant restructuring of the federal cloud security program since its 2011 inception.
By: Matt Hungate, June 25th, 2026
On June 24, 2026, FedRAMP published the Consolidated Rules for 2026, featuring a sweeping overhaul of the policies, requirements, and terminology that govern how cloud service providers (CSPs) obtain and maintain FedRAMP Certification. The rules are effective July 4, 2026, for 20x CSPs and replace a patchwork of legacy guidance documents, memoranda, and program policies with a single machine-readable, structured ruleset. For existing Rev5 CSPs, most requirements become mandatory on January 1, 2027, with optional early adoption available immediately.
Artificial Intelligence | ISO 42001
By: Matthew Gierl, June 17th, 2026
ISO/IEC 42001:2023 is the first international standard for an Artificial Intelligence Management System (AIMS). Structured similarly to other ISO management system standards, like ISO 27001, with mandatory clauses 4 through 10 and an Annex A control set, it shares the same Plan-Do-Check-Act logic familiar to any management system practitioner.
By: Matt Hungate, June 4th, 2026
This article was drafted based on a LinkedIn Live discussion between Schellman’s Matt Hungate (Managing Principal, Federal Practice) and Jacob Karp (VP of Strategic Sales). View their full conversation here.
Compliance and Certification | Privacy Assessments
By: Emily Heintz, May 28th, 2026
The California Consumer Privacy Act (CCPA) has fundamentally reshaped how organizations approach data protection, but the recent cybersecurity audit regulation has added a new layer of complexity to compliance obligations. For many companies, this represents both a challenge and an opportunity to build a unified compliance strategy that addresses multiple regulations, standards, and frameworks simultaneously.
Artificial Intelligence | ISO 42001
By: Danny Manimbo, May 19th, 2026
This article was drafted based on a LinkedIn Live discussion between Danny Manimbo (Managing Principal, Schellman) and Christian Hyatt (CEO & Co-Founder, risk3sixty). Watch their full session here. The regulatory landscape for AI is shifting rapidly amid evolving federal policies, an explosion of state-level legislation, and the emergence of industry-specific compliance requirements. Many organizations know they need AI governance but may face uncertainty about how to navigate the evolving landscape.
By: Matt Hungate, May 18th, 2026
Schellman is the industry’s #1 FedRAMP Third Party Assessment Organization (3PAO) and has become the first to assess over 200 cloud service offerings on the FedRAMP Marketplace. In over a decade of this work, we’ve accumulated a significant amount of firsthand experience and hard-earned insights into what it actually takes to achieve and maintain federal authorization.
Healthcare Assessments | HITRUST
By: Michael Seegel, May 14th, 2026
On May 7, 2026, HITRUST announced the release of CSF version 11.8.0. The HITRUST Common Security Framework (CSF) has become a cornerstone compliance standard for organizations across healthcare, financial services, and other regulated industries. By consolidating requirements from multiple frameworks like HIPAA, HITECH, and ISO 27001, HITRUST CSF provides a unified, risk-based approach to security and compliance that many organizations have built their entire control environments around.