On April 1st, 2026, the FedRAMP Program Management Office held another one of its community-facing sessions, and if you weren’t there, you missed a genuinely important update. What follows is an honest, structured recap of everything discussed: from the structural overhaul of how certifications are named and classified, to hard deadlines for machine-readable packages, to clear guidance on who should choose 20x versus Rev5, and why “moderate equivalency” is a term FedRAMP simply refuses to own.
This post covers the official slide content as well as the extended Q&A session, which was characteristically candid and illuminating.
Not sure where your organization stands after reading this? Book a Readiness Call with our team and we’ll help you map your current setup to the right certification path before enforcement kicks in.
Consolidated Rules 2026 (CR26): The Anchor of Everything
The single most important structural development discussed was Consolidated Rules 2026 (CR26). Think of CR26 as FedRAMP’s attempt to replace years of scattered narrative-based guidance, what insiders sometimes call “ghost requirements,” with a single, predictable, machine-readable rule set.
CR26 Key Facts
- Rules are expected to be finalized by end of June 2026
- They will remain valid through December 2028 with only minor changes during that period
- Implementation starts immediately upon release; enforcement begins January 2027
- All RFCs and BIRs released over recent months are being consolidated into CR26
The PMO was emphatic about this: CR26 is not incremental polish. It is a full philosophical shift. Gone are pages of flowing narrative where a 3PAO or CSP might read ten things and interpret twelve. Every rule will be direct, plain-language, and explicit. Providers must do X. Assessors must do Y. No more interpersonal dynamics around ambiguous guidance.
One major feature coming into CR26 is LLM integration: FedRAMP plans to structure its rule files hosted at github.com/fedramp/docs so they are cleanly ingestible by AI agents and language models, making it easier for the community to query and navigate the ruleset programmatically. This is a meaningful step toward genuine machine-readability at the regulatory layer itself.
The Biggest Naming Change in FedRAMP History
Slide NTC-0004 delivered the news that has been quietly anticipated since RFC-0020: FedRAMP Authorization is being renamed FedRAMP Certification. This is not cosmetic. It reflects a structural rethinking of what it means to be compliant.
Authorization Becomes Certification
| Usage | Old Label | New Label |
| --- | --- | --- |
| Noun | FedRAMP authorization | FedRAMP Certification |
| Adjective | FedRAMP authorized | FedRAMP Certified |
The second major change on this slide: FedRAMP will no longer use FIPS 199 Security Categorizations for certifications. FIPS 199 terms like Low, Moderate, and High have caused persistent confusion among agencies for over a decade. RFC-0020 initially proposed a transition to numbered levels, but based on community feedback, FedRAMP pivoted to lettered classes to avoid confusion.
Two Certification Types
| Type | Designed For |
| --- | --- |
| FedRAMP 20x | Cloud-native services |
| FedRAMP Rev5 | All other services |
Four Certification Classes
| Class | What FedRAMP Used to Call It | Notes |
| --- | --- | --- |
| Class A | Pilot, Ready | FedRAMP Ready being retired July 28, 2026; replaced with Rev5 Class A (Pilot), specifics pending |
| Class B | Li-SaaS, Low | |
| Class C | Moderate | |
| Class D | High | High Class D must go through the Agency path, not the Program path |
Certification Profiles: Paths, Types, and What Is Available
A certification profile is a combination of a Type (20x or Rev5), a Path (Agency or Program), and a Class (A through D). Not all combinations are available:
| Type | Path | Available Classes |
| --- | --- | --- |
| 20x | Agency | NOT AVAILABLE |
| 20x | Program | A, B, C |
| Rev5 | Agency | B, C, D |
| Rev5 | Program | A, B, C (LIMITED) |
The key takeaway: Class D (High impact) always goes through the Agency path under Rev5. There is no 20x path for Class D, and the 20x Agency path does not exist at all.
FedRAMP 20x vs. Rev5: Which Path Is Right for You?
This was the hottest Q&A topic of the session. The PMO was direct: these are entirely different certification types, and work done toward one does not transfer to the other. If you are deciding between the two, here is the decision framework laid out during the session.
20x Is Right for You If
- Your offering is well-scoped and cloud-native
- You do not have significant technical debt or a large legacy infrastructure
- You are deploying on containers or using infrastructure as code
- You have a solid continuous monitoring and PRC program
- You are not a massive organization with multiple data centers
- A motivated team can build a solid 20x package in a few weeks
Rev5 Is Right for You If
- You are a large enterprise with complex infrastructure
- You operate multiple data centers
- You are pursuing Class D (High) certification
- You have an existing Rev5 pipeline already underway
Still unsure which path fits your current architecture and timeline? Book a Readiness Call and we will walk through your environment with you.
One pointed Q&A clarification: a CSP asked whether achieving “FedRAMP Rev5 Moderate Equivalency,” a DoD-specific term, gives them a head start toward 20x. The answer was an unambiguous no. The PMO stated clearly: FedRAMP does not have a concept of “moderate equivalency.” It is a DoD/DISA construct. FedRAMP cannot make any commitments based on that status, and CSPs should not assume any crossover.
GovCloud and Commercial as Two Separate Offerings
A nuanced question came up about CSPs that maintain a separate stack for GovCloud under Rev5 and a commercial offering under 20x. The PMO confirmed: these are treated as two distinct Cloud Service Offerings. AWS GovCloud vs. AWS commercial was cited as the canonical example. Each is assessed independently, and this structure is perfectly acceptable.
Machine-Readable Packages: The 2027 Deadline Is Real
NTC-0009, the outcome of RFC-0024, delivered perhaps the most operationally urgent news for providers and assessors: the transition to machine-readable packages is coming with mandatory enforcement dates.
Key Timeline
| When | What Happens |
| --- | --- |
| Now through June 2026 | CR26 finalized. Active betas continue. Begin preparing machine-readable data structures. |
| July 28, 2026 | FedRAMP Ready (Class A) designation retired. Replaced by Rev5 Class A (Pilot), specifics pending. |
| January 2027 | CR26 enforcement begins. All current Rev5 BIRs become mandatory. |
| November 2027 | Rev5 Class D (High) services must deliver comprehensive machine-readable packages. Other Rev5 services face partial and semi-structured text requirements. Full details to be provided in CR26. |
The Chicken and Egg Problem Is Being Solved
The PMO addressed the industry argument head-on. Many CSPs cite agency unpreparedness as a reason not to produce machine-readable data. FedRAMP’s counter: agencies cannot justify purchasing tools to consume machine-readable data if that data does not exist in the first place. The mandate breaks the deadlock. CSPs will be required to produce it, which creates the incentive for agencies to build intake capability.
The DoD CIO’s office was named as an example of an agency already buying processing tools but lacking actual data from industry to use them. The PMO noted that FedRAMP will define the required documents and fields, but will allow considerable flexibility in how those documents are delivered to FedRAMP and to agencies.
3PAOs supporting Rev5 Class D assessments were advised to read the detailed notice carefully and begin preparing now. FedRAMP will not produce reference implementation validators, but it will define what documents with what fields are required. How those get to FedRAMP and agencies is up to the industry to figure out.
3PAOs: Ghost Requirements Are Going Away
One of the most practically useful discussions in the Q&A concerned 3PAO findings and their relationship to documented FedRAMP requirements. The PMO acknowledged that 3PAOs have historically issued findings for things like dependent services at different impact levels, not because it was a documented requirement, but because past experience made it feel safer to flag it.
CR26 is specifically designed to eliminate this dynamic. The PMO’s guidance: if a CSP receives a 3PAO finding that it believes is not grounded in a documented FedRAMP requirement, it should ask the 3PAO to cite the requirement in writing. In many cases, the PMO acknowledged, they will not be able to, because the requirement was effectively a ghost.
What Is Changing for 3PAOs
The PMO also noted a noticeable shift already underway among 3PAOs. With clearer guidance arriving, assessors are less anxious about not flagging edge cases, because the days of being second-guessed by an agency review for not issuing a finding are ending. The interpersonal dynamics that grew around ambiguous guidance are being dismantled systematically through explicit, plain-language rules.
Agency Compliance Is Not Optional
A significant point came up during the Q&A around agencies and their willingness to follow FedRAMP processes. The PMO was direct: federal law dictates the rules, and agencies are mandated to follow them.
As a concrete example, the PMO cited an OIG report released just two weeks before the meeting that included a corrective action plan for an agency IT division that had refused to follow FedRAMP processes, arguing it was a waste of time. The Inspector General disagreed. The division was found non-compliant and required to correct course.
The takeaway for CSPs and 3PAOs: if an agency contractor tells you something is not required or will not happen, that is not the same as it actually not being required. FedRAMP is working through CIO and CISO councils to push alignment down through agency structures, but in the meantime, the law is the law.
Active RFCs and What You Should Comment On
Rev5 Active RFCs
RFC-0025: Retrospective on the Public Comment Process
This is a meta-RFC seeking feedback on the RFC process itself. If you have opinions about how RFCs are released, timed, or structured, this is your formal channel.
RFC-0026: Clarifying CA-7 Continuous Monitoring Expectations
This RFC defines the expectations for CSPs and agencies in the post-JAB world. It also includes the first-ever proposed direct corrective action for failure to meet a specific control, which is notable and signals how seriously FedRAMP is taking this issue.
RFC-0027 through RFC-0030: FedRAMP Rev5 Security Controls Baseline Update
Four RFCs, each covering five control families. Updates are based on BIR changes and real issues encountered during Rev5 reviews. Importantly, updates to controls driven by NIST changes will not be part of this public RFC process at FedRAMP. Those follow the NIST public comment process instead.
The CA-7 Situation Deserves Special Attention
After the JAB was rescinded a year and a half ago, many CSPs continued behaving as if the JAB-style single-owner continuous monitoring model was still in effect. The PMO disclosed that multiple large CSPs, used by many agencies, have recently told those agencies they do not share continuous monitoring data because they are “JAB authorized.”
The JAB authorization model is gone. If you have agency customers, those agencies are entitled to access your continuous monitoring information. This is not optional. Failure to provide it is now subject to direct corrective action under RFC-0026. CSPs managing a large number of agencies in their collaborative continuous monitoring process should also look at SCN options to manage the operational burden.
How to Submit Feedback
FedRAMP maintains two separate discussion threads for each RFC on their GitHub community page at fedramp.gov/community. Use the informal Q&A post for questions, as the PMO can respond freely there. Use the official public comment post only for formal written comments. If you post a question in the formal comment thread, FedRAMP cannot respond to it. Every new comment triggers a real-time notification to the relevant team member, so feedback does get read.
Active Betas: Get In Before It Becomes Mandatory
Notice 9 (NTC-0009) confirmed that the final versions of the current beta standards will be mandatory under CR26. The final versions will differ from the current betas, so participating now means you can shape the outcome and avoid surprises when enforcement begins.
Collaborative Continuous Monitoring RFC
Designed to lower the burden for both agencies and CSPs in the post-JAB era. The PMO described it as a solid win for everyone. If you are currently managing a complex multi-agency continuous monitoring arrangement, this is directly relevant to your operations.
Vulnerability Detection and Response (VDR) Update
If your vulnerability program currently consists of scanning once a month and scoring CVEs, it will no longer meet the standard. The VDR update requires effective, continuous detection and response programs. If you already have a mature security monitoring program, the new standard may actually serve you better than the old one. If you do not, start building one now.
Authorization Data Standard
The connect.gov portal, which FedRAMP manages today, will be retired when CR26 launches. CSPs that rely on it need a migration plan. FedRAMP will define what data needs to exist and what fields it must contain. How CSPs make that data available to FedRAMP and to agencies is up to the industry to align on. Getting into the beta is the fastest way to ensure your approach is on the right track before it becomes required.
Final Takeaway: The Clock Is Ticking
The April 1, 2026 session made one thing unmistakably clear: FedRAMP’s transformation from a document-and-narrative compliance model to a machine-readable, rules-based certification ecosystem is happening on a firm schedule. CR26 is the vehicle. The deadlines are real. The community was told plainly and without hedging to start preparing now.
Whether you are a CSP deciding between 20x and Rev5, a 3PAO recalibrating your assessment approach, or an agency trying to understand what machine-readable packages mean for your procurement tools, the time to engage is before enforcement begins in January 2027, not after.
Keep an eye on the FedRAMP GitHub community page. Comment on the RFCs. Sign up for the betas. And if you were on the fence about which certification type to pursue, use the framework above to make the call and do not confuse DoD’s moderate equivalency with anything FedRAMP controls.
If you want an expert set of eyes on your current compliance posture before CR26 enforcement begins, Book a Readiness Call and let’s map out your path forward together.
Frequently Asked Questions (FAQ)
What is FedRAMP CR26?
CR26, or Consolidated Rules 2026, is the new unified rule set that FedRAMP is releasing to replace years of scattered narrative-based guidance. It consolidates all existing RFCs and BIRs into a single, explicit, plain-language framework. CR26 is expected to be finalized by the end of June 2026, with enforcement beginning in January 2027 and validity running through December 2028.
What is the difference between FedRAMP 20x and Rev5?
FedRAMP 20x is designed for well-scoped, cloud-native services that do not carry significant technical debt or large legacy infrastructure. Rev5 is designed for larger, more complex providers, including those operating multiple data centers or pursuing Class D (High) certification. The two paths are entirely separate: work done toward one certification does not count toward the other.
What are the new FedRAMP certification classes?
FedRAMP is replacing FIPS 199 impact levels (Low, Moderate, High) with four lettered classes. Class A replaces Pilot and Ready designations. Class B replaces Li-SaaS and Low. Class C replaces Moderate. Class D replaces High. These classes apply under both the 20x and Rev5 certification types, though not every combination of type, path, and class is available.
When is FedRAMP Ready being retired?
FedRAMP Ready is being retired on July 28, 2026. It will be replaced by a Rev5 Class A (Pilot) designation, with specifics still pending as of the April 2026 session.
What are the machine-readable package deadlines?
All current Rev5 BIRs become mandatory in January 2027. Rev5 Class D (High) services must transition to comprehensive machine-readable packages by November 2027. Other Rev5 services will face partial requirements and a transition to semi-structured text formats. Full details will be provided in CR26.
Does “FedRAMP moderate equivalency” count toward a FedRAMP certification?
No. Moderate equivalency is a Department of Defense and DISA-specific construct. FedRAMP does not recognize it as a status and will not make any commitments based on it. CSPs with a moderate equivalency designation should not assume it provides any head start or crossover value toward a FedRAMP 20x or Rev5 certification.
What changed with continuous monitoring after the JAB was rescinded?
The Joint Authorization Board (JAB) was rescinded approximately a year and a half before this session. Under the new model, CSPs must share continuous monitoring data with all agency customers, not just a single authorizing body. RFC-0026 formalizes this expectation and introduces direct corrective action for CSPs that fail to provide agency customers with access to their continuous monitoring information.
How can I submit feedback on FedRAMP RFCs?
FedRAMP maintains two discussion threads per RFC on their GitHub community page at fedramp.gov/community. Use the informal Q&A thread for questions, since the FedRAMP team can engage and respond there. Use the formal public comment thread only for written comments, as questions posted there cannot receive a direct response from the PMO.
What is the VDR update and why does it matter?
The Vulnerability Detection and Response (VDR) update raises the bar for vulnerability management programs. Monthly scanning and CVE scoring alone will no longer be sufficient. CSPs will need effective, continuous detection and response capabilities. If you already have a mature security monitoring program, the update will likely align well with your existing practices. If you do not, this is the time to build one.
How do I know if I should choose 20x or Rev5?
The simplest framework: if your service is cloud-native, well-scoped, and does not carry significant technical debt or large infrastructure complexity, 20x is likely the right path. If you are a large enterprise with multiple data centers, legacy infrastructure, or you are pursuing a High (Class D) certification, Rev5 is the path. When in doubt, Book a Readiness Call and we can walk through your specific environment and requirements together.
Notes from the FedRAMP Community Meeting · April 1, 2026 · fedramp.gov/community
These are field notes from an attendee. For official guidance, always refer to FedRAMP’s GitHub repository and official publications.