
FedRAMP Compliance 2026: What NTC-0004 and NTC-0005 Mean for Your Cloud Security Strategy

FedRAMP compliance is undergoing its most significant restructuring through Change Request 26 (CR26), which introduces two critical notices: NTC-0004 and NTC-0005. These changes fundamentally alter how cloud service providers obtain and maintain federal authorization. NTC-0004 replaces the existing authorization terminology with a unified “FedRAMP Certified” designation and introduces certification classes A through D. Meanwhile, NTC-0005 modifies marketplace listing requirements and assessment protocols. This article explains what these changes mean for your organization and how to build an effective compliance roadmap before the June 2026 implementation deadline.

Understanding FedRAMP CR26: NTC-0004 and NTC-0005 Overview

On February 25, 2026, FedRAMP published two interconnected notices that establish the framework for its 2026 Consolidated Rules. Both notices represent the initial outcomes from public comment periods that closed on February 19, 2026, addressing separate but complementary aspects of the program’s evolution.

| Change | Notice | Who it impacts | Practical effect |
| --- | --- | --- | --- |
| “FedRAMP Certified” becomes the official label | NTC-0004 | CSPs / agencies / procurement | Standardize wording across proposals + websites. |
| Certification Classes A–D replace “levels” | NTC-0004 | CSPs / agencies | Clearer baseline labeling; less DoD IL confusion. |
| No Marketplace pricing publication | NTC-0005 | CSPs / 3PAOs / advisors | Removes a major listing friction point. |
| 3PAO recognition requires 2 assessments every 2 years | NTC-0005 | 3PAOs | Forces market clarity; filters out “paper-only” assessors. |
| Program Certification must pick Rev5 or 20x | NTC-0005 | CSPs | Prevents duplicative FedRAMP effort; requires strategy choice. |

What NTC-0004 and NTC-0005 Change in FedRAMP Program

NTC-0004 addresses authorization designations through RFC-0020. The notice establishes “FedRAMP Certification” or “FedRAMP Certified” as the single official label for all FedRAMP authorizations, aligning with the statutory definition in the FedRAMP Authorization Act that defines a FedRAMP authorization as a certification by FedRAMP. Any cloud service with a FedRAMP Certification meets the requirement for statutory or regulatory purposes, including adequacy for use by an agency to authorize operation within a federal information system.

The notice rules out separate designations such as “FedRAMP Validated” for distinguishing between the 20x and Rev 5 paths. Instead, Marketplace filters will differentiate these authorization paths. FedRAMP will adopt Certification Classes A through D rather than “levels” to avoid confusion with DoD and DON Impact Levels, emphasizing that baselines reflect the scope and depth of assessment materials provided, not overall security quality.

NTC-0005 tackles marketplace participation rules through RFC-0021, which received 41 comments during its public comment period. FedRAMP will not request, store, or publish pricing information for cloud services, independent assessors, or advisory services on the Marketplace. The MKT-GEN-SPI Service Pricing Information requirement will be struck entirely, along with modifications to MKT-ADV-WEB and MKT-RIA-WEB Website Requirements.

Advisory attestation requirements will become optional under MKT-ADV-ATT, removing the mandate for advisory services to maintain positive attestations from cloud service providers for listing eligibility. Separately, independent assessors must complete at least 2 assessments every 2 years to maintain recognition, with the clock starting from either the recognition date or publishing date, whichever is most recent.

CR26 Publication Timeline and Validity Period

FedRAMP will publish the Consolidated Rules for 2026 by the end of June 2026. These rules remain valid until December 31, 2028, providing a 30-month operational window for the new framework. The publication consolidates program rules, marketplace requirements, and updated terminology into a unified ruleset.

CR26 will include a JSON schema for required web information for independent assessors and advisory services, updating MKT-ADV-WEB and MKT-RIA-WEB Website Requirements to incorporate validation guidance. All final rules will align with the most recent naming conventions in FedRAMP Machine Readable Documentation.

Why FedRAMP is Restructuring Authorization Designations Now

FedRAMP frames these changes as part of a major program shift following the FedRAMP Authorization Act and OMB Memorandum M-24-15. According to FedRAMP, M-24-15 rescinded and replaced the previous FedRAMP policy memo, effectively creating what the program describes as a “new program with the same name” with different authorities and responsibilities.

Public comments revealed persistent misconceptions about FedRAMP assessment baselines. Many commenters incorrectly assumed that a FedRAMP assessment baseline labeled with a FIPS 199 security category represented de facto risk acceptance for agency use at that category. FedRAMP clarifies that assessment baselines identify the depth and complexity of information provided by the cloud service provider, not the overall security of a system. The outcome produces reusable materials to simplify agency risk review processes, categorized by the amount of information available rather than predetermined security adequacy.

NTC-0004 Changes: FedRAMP Certification Terminology and Class Structure

NTC-0004 introduces five fundamental changes to FedRAMP compliance terminology and baseline structure that directly affect procurement language, marketplace positioning, and authorization documentation across all cloud service providers.

Single Official Label: FedRAMP Certification Replaces Mixed Terminology

The FedRAMP Authorization Act defines a FedRAMP authorization as “a certification that a cloud computing product or service has completed a FedRAMP authorization process.” Correspondingly, NTC-0004 establishes “FedRAMP Certification” or “FedRAMP Certified” as the exclusive official designation for all authorizations. This terminology applies uniformly regardless of authorization path, baseline level, or sponsoring entity.

The change eliminates inconsistent usage of terms like “authorized,” “approved,” or path-specific branding across documentation, websites, and procurement materials. Cloud service providers must update all external collateral to reflect this standardized label.

No Separate Validated Designation for 20x vs Rev 5

FedRAMP explicitly states it will not create separate labels such as “FedRAMP Validated” to distinguish 20x authorizations from Rev 5 authorizations. The program abandons any designation hierarchy that might imply one path holds greater validity than another.

Marketplace filters will differentiate between 20x and Rev 5 paths for agencies requiring specific baseline information during procurement. This filter-driven approach maintains technical differentiation without introducing confusing label variations that complicate vendor messaging and agency understanding.

Certification Classes A-D Replace Impact Levels

FedRAMP will adopt the term “FedRAMP Certification Class” followed by A, B, C, or D instead of continuing “levels” terminology. This shift addresses confusion with DoD and DON Impact Levels, which use similar numerical or categorical designations but serve different purposes within defense authorization frameworks.

The Classes emphasize that baselines reflect the scope and depth of assessment materials a cloud service provider must produce, not a judgment about overall security quality or inherent system protection. FedRAMP notes that public comments revealed persistent misunderstanding about this distinction, with stakeholders incorrectly treating baseline labels as security ratings.

Planned Class Mapping: Rev 5 Baseline Alignment

FedRAMP provides specific mapping for Rev 5 baselines under the new Class structure:

  • Class A: New pilot baseline
  • Class B: Current Li-SaaS plus Low baseline requirements
  • Class C: Current Moderate baseline requirements
  • Class D: Current High baseline requirements

The 20x requirements will be formalized in CR26 and aligned with corresponding Rev 5 Classes to maintain consistency across authorization paths. This mapping preserves existing assessment scopes while reorganizing their categorical labels.

Key Clarification: Baselines vs Agency Risk Acceptance

FedRAMP reiterates that a FedRAMP Certification does not guarantee a service meets all requirements for appropriateness at any given FIPS 199 security category. FedRAMP lacks authority to make such determinations on behalf of agency authorizing officials.

Agencies must authorize cloud service operation within their information systems following the Risk Management Framework, using the FedRAMP Certification Package as foundational material for their authorization decisions. OMB Memorandum M-24-15 and modern FedRAMP policies explicitly encourage agencies to use FedRAMP materials at different security categories than the Certification baseline itself, recognizing that agency-specific risk tolerance and system architecture drive final authorization decisions.

NTC-0005 Changes: Marketplace Rules and Assessment Requirements

RFC-0021 received 41 comments during its public review period, prompting FedRAMP to adjust marketplace participation rules while preserving core program objectives. These modifications remove friction points for industry participation while establishing clearer performance expectations for assessment providers.

Pricing Information Removal from Marketplace Listings

FedRAMP will strike the MKT-GEN-SPI Service Pricing Information requirement entirely. The program will not request, store, or publish pricing information for cloud services, independent assessors, or advisory services on the Marketplace. Correspondingly, MKT-ADV-WEB Website Requirements and MKT-RIA-WEB Website Requirements will be modified to remove pricing disclosure obligations. Public comments revealed strong industry resistance to centralized pricing publication despite agency preference for this information. FedRAMP acknowledges this gives the program a documented explanation for why pricing data remains unavailable through official channels.

Advisory Services Attestation Requirements Become Optional

MKT-ADV-ATT Attestation Requirements will be rewritten as optional rather than mandatory. Advisory services no longer need to maintain positive attestations from cloud service providers to qualify for Marketplace listing. This change reduces entry barriers for advisory firms while FedRAMP determines whether quality demonstration mechanisms warrant future implementation. The program explicitly states that advisory service listings will not require quality demonstration at launch.

3PAO Recognition: 2 Assessments Every 2 Years Requirement

Independent assessors must complete at least 2 assessments (initial or annual) every 2 years to maintain FedRAMP recognition under modified MKT-RIA-ATT Attestation Requirements. The two-year clock begins at either the FedRAMP recognition date or the most recent publishing date, whichever is later. This provides all current and future recognized assessors a full two-year window before the requirement applies indefinitely. A six-month grace period continues under the updated rule, with an added pathway to prevent recognition loss when assessors demonstrate intent to perform required assessments but face timelines outside their control. FedRAMP clarifies this requirement targets companies seeking recognition without actually providing assessment services, not active assessors facing circumstantial delays.

Ongoing Demand Rule Applies Only to Services Without Agency ATO

MKT-GEN-DOD Demonstration of Ongoing Demand will apply exclusively to cloud services lacking an agency authorization to operate. FedRAMP emphasizes that this requirement exists to justify government resource allocation for Program Certification processes through aggregate demand data, not to serve as an oversight mechanism that penalizes providers experiencing demand challenges.

Program Certification Must Pick Rev 5 or 20x Path

MKT-GEN-PKO Pick One: 20x or Rev5 applies specifically to Program Certification, the FedRAMP-sponsored path outlined in RFC-0023. Cloud services holding a 20x Certification may pursue agency-sponsored authorization to obtain and maintain a separate Rev 5 Certification, though these would require independent maintenance following distinct processes. FedRAMP notes this dual-path approach creates operational complexity and potential confusion but lacks grounds to prohibit it for agency-sponsored authorizations.

Continuous Progress Measured Against CSP-Stated Goals

MKT-PRE-DCP Demonstrating Continuous Progress will clarify that providers measure continuous progress against goals they include in Ongoing Authorization Reports. FedRAMP positions this as a customer-facing marketing and transparency opportunity, allowing businesses to showcase their security improvement trajectory in ways potential customers can review.

Impact on Cloud Security Strategy by Organization Type

CR26’s dual notices create distinct operational impacts across the FedRAMP ecosystem, requiring organizations to reassess their compliance strategies based on their role in the authorization process.

CSP Strategy Adjustments: Marketing and Certification Path Planning

Cloud service providers must immediately audit all external collateral to replace mixed authorization terminology with “FedRAMP Certified” across websites, sales materials, and procurement responses. Marketplace discoverability shifts to filter-driven navigation between 20x and Rev 5 paths rather than label-based differentiation. Providers pursuing Program Certification face a mandatory path selection between Rev 5 and 20x, with FedRAMP explicitly prohibiting dual-track maintenance to avoid duplicative review resource consumption.

Ongoing Authorization Reports become customer-facing performance signals under the continuous progress requirement. Providers must articulate defensible, measurable goals that demonstrate security posture evolution rather than static compliance maintenance. This transparency mechanism functions as both a marketplace differentiator and an accountability framework.

3PAO and Independent Assessor Pipeline Requirements

Assessment organizations face a clearly stated performance threshold: at least 2 assessments every 2 years to maintain FedRAMP recognition. The clock starts from either recognition date or most recent publishing date, with a 6-month grace period plus an intent-demonstration pathway when delays occur outside assessor control. This requirement filters organizations that sought recognition without actually providing assessment services.

Assessors must implement JSON schema-compliant website disclosures under updated MKT-RIA-WEB Website Requirements in CR26, adding structured data validation to marketplace participation.

Advisory Service Firms: Reduced Listing Barriers

Advisory firms gain marketplace access without maintaining positive CSP attestations. MKT-ADV-ATT shifts from mandatory to optional, eliminating the demonstration-of-quality requirement at program launch. Firms still face JSON schema compliance for website requirements but avoid the relationship-dependent attestation burden that previously complicated new entrant participation.

Agency and Procurement Team Considerations

Federal buyers navigate simplified terminology without “validated versus authorized” distinctions across procurement documentation. Marketplace filters replace designation hierarchies for differentiating 20x from Rev 5 authorizations during vendor evaluation. Certification Class labels (A-D) reduce confusion with DoD Impact Levels in joint authorization scenarios.

Risk Management Framework Implementation Under New Labels

Agencies continue authorizing cloud service operation following RMF procedures using FedRAMP Certification Packages as foundational materials. The Class structure clarifies that baselines indicate assessment scope rather than predetermined risk acceptance, reinforcing that agency authorizing officials maintain final determination authority for system appropriateness at specific FIPS 199 categories.

Building Your CR26 Compliance Roadmap

Organizations must translate CR26 requirements into actionable compliance steps before the June 2026 implementation deadline. Six operational areas require immediate attention to maintain marketplace eligibility and program participation.

Update Security Documentation and Collateral to FedRAMP Certified

Audit all customer-facing materials, proposal templates, website content, and security documentation for legacy terminology. Replace references to “FedRAMP authorized,” “FedRAMP approved,” or path-specific branding with “FedRAMP Certified” to align with statutory language. Prepare explanatory materials for procurement teams addressing how Certification Classes A through D map to existing baseline structures, particularly for customers familiar with Low, Moderate, and High designations.

Assess and Choose Your Certification Path Strategy

Providers pursuing Program Certification must select either Rev 5 or 20x as their primary path, since FedRAMP prohibits dual-track maintenance for FedRAMP-sponsored authorizations. Evaluate this decision against customer base requirements, existing assessment investments, and long-term federal market positioning. Document the rationale for your chosen path to address customer questions during the transition period.

Prepare Marketplace Metadata and JSON Schema Requirements

CR26 will provide a JSON schema for required web information covering independent assessors and advisory services. Prepare technical infrastructure to support schema-compliant data publication and validation processes. Review current Marketplace listings to identify gaps between existing metadata and anticipated structured data requirements.

Operationalize Continuous Progress Reporting

Draft Ongoing Authorization Report goals that are defensible, measurable, and customer-readable. FedRAMP explicitly positions continuous progress as a marketplace-facing transparency signal rather than internal compliance documentation. Establish baseline metrics and improvement targets that demonstrate security posture evolution over time.

Implement Package Quality Gates to Avoid Submission Penalties

FedRAMP clarifies that the one-month penalty under MKT-FRX-TAT Target Authorization Time applies to repeatedly insufficient submissions, not minor issues easily corrected. Establish internal package quality assurance processes to verify submission completeness before FedRAMP review, preventing situations where the program must repeatedly request additional information.

Timeline: What to Complete Before June 2026

Prioritize terminology updates and path selection decisions for immediate execution. JSON schema preparation and continuous progress framework development require coordination with technical and security teams. Complete all marketplace preparation activities before CR26 publication to enable rapid adaptation once final validation requirements become available.

Practical impact by audience

If you’re a Cloud Service Provider (CSP)

What to update now

  • Update your collateral: shift language toward “FedRAMP Certified” rather than mixing “authorized/validated” terminology.
  • Plan for Marketplace discoverability being filter-driven (20x vs Rev 5) rather than label-driven.
  • If pursuing Program Certification, expect you must pick 20x or Rev 5 (as clarified), and treat dual-path maintenance as a deliberate complexity tradeoff.
  • Re-check how you’ll articulate “continuous progress” in Ongoing Authorization Reports, because FedRAMP is explicitly positioning this as customer-visible performance and transparency.

If you’re a 3PAO / independent assessor

  • Prepare for a clearly stated performance expectation: at least 2 assessments every 2 years to maintain recognition, plus rules around the clock start, grace period, and an “intent” pathway.
  • Expect more structured website disclosures via JSON schema and validation rules in CR26.

If you’re an advisory firm

  • Marketplace listing friction decreases: pricing info won’t be collected, and positive attestations won’t be mandatory (at least as described in the initial outcome).
  • Still plan to meet machine-readable listing requirements (JSON schema).

If you’re an agency / procurement team

  • Standard terminology: “FedRAMP Certified” becomes the umbrella label.
  • You’ll rely on Marketplace filters (not extra labels) to distinguish authorization paths.
  • FedRAMP reiterates the baseline is about assessment scope/material depth—not a blanket risk acceptance at a FIPS 199 category—so procurement language should avoid treating baselines as automatic “agency risk decisions.”

Timeline you should plan around

  • Feb 19, 2026: RFC-0020 and RFC-0021 closed
  • Feb 25, 2026: NTC-0004 and NTC-0005 published
  • End of June 2026: FedRAMP plans to publish CR26
  • Through Dec 31, 2028: CR26 validity window

Readiness checklist (what to do before CR26 drops)

  1. Update your vocabulary now: Replace inconsistent language (“authorized/validated”) with FedRAMP Certified (and prepare to map to Classes A–D).
  2. Prepare Marketplace metadata: If you support assessors or advisors, anticipate JSON-schema-driven listing requirements and validation.
  3. Assess path strategy: If you’re going for Program Certification, decide whether you’re committing to 20x or Rev 5 under FedRAMP sponsorship, and document why.
  4. Operationalize “continuous progress”: Draft Ongoing Authorization Report goals that are defensible, measurable, and customer-readable (because FedRAMP is treating this as a marketplace-facing signal).
  5. Avoid submission penalties via quality gates: Implement internal package QA so you’re never in “repeatedly insufficient submission” territory (where FedRAMP is clearly targeting the 1-month penalty).

Conclusion

CR26 represents the most significant restructuring in FedRAMP history. Organizations must adapt their compliance strategies before the June 2026 deadline to maintain marketplace eligibility and federal market access.

Specifically, cloud service providers need to standardize all collateral with “FedRAMP Certified” terminology, select their certification path, and establish measurable continuous progress goals. Independent assessors face clear performance thresholds, while advisory services benefit from reduced listing barriers. Federal agencies gain simplified procurement language through Certification Classes A-D.

As a result, organizations that proactively implement these changes will position themselves competitively in the evolving federal cloud marketplace. The consolidated rules provide a stable 30-month framework through December 2028, making immediate action critical for long-term program success.

FAQs

What is the new official term for a FedRAMP authorization?

FedRAMP’s planned single official label is FedRAMP Certification (or FedRAMP Certified).

Will FedRAMP create separate labels for 20x vs Rev 5 (like “validated”)?

No. FedRAMP plans no separate designations like “FedRAMP Validated”; differentiation will be via Marketplace filters.

What are FedRAMP Certification Classes (A–D)?

FedRAMP plans to label baselines as Certification Classes A–D instead of “levels,” emphasizing scope/depth of assessment materials, not “security quality.”

Will FedRAMP publish pricing for CSPs, assessors, or advisory services in the Marketplace?

No. FedRAMP plans to not request, store, or publish pricing information in the Marketplace.

Are advisory services required to maintain positive attestations to be listed?

FedRAMP plans to make advisory attestations optional, not required for listing.

How does an independent assessor maintain FedRAMP recognition (per the initial outcome)?

FedRAMP plans to require an assessor to complete at least 2 assessments every 2 years, with additional clock/grace-period details and an “intent” pathway.

When will CR26 be published, and how long will it be valid?

FedRAMP says end of June 2026, valid until December 31, 2028.