The April 8th, 2026 FedRAMP 20x Community Working Group session wrapped up with a Q&A-heavy format that covered some of the most practical, ground-level questions the community has been sitting on. No major announcements, but the clarity delivered on four critical topics makes this one worth a full breakdown.
Here is everything discussed, structured for the teams that need to act on it.
1. Will FedRAMP Force Rev5 CSPs to Migrate to 20x?
This question keeps coming up, and the PMO answered it directly: no. There is no current intent to remove a Rev5 authorization and mandate a move to FedRAMP 20x.
The only scenario where 20x improvements cross over into Rev5 is when a security change introduced in 20x is significant enough that not applying it to Rev5 would leave Rev5 effectively broken or inadequate. In those cases, FedRAMP pushes a Balance Improvement Release (BIR) across to Rev5. Several of those are already in motion and will become mandatory in January 2027 under CR26.
What This Means for Your Organization
If you hold a Rev5 authorization today, your path is stable. You are not being forced onto a new track. What you do need to prepare for is the mandatory adoption of applicable BIRs under CR26 enforcement starting January 2027. That is the actual action item here, not a migration to 20x.
If you are still deciding between 20x and Rev5, this clarification reinforces that the choice is yours to make based on your architecture and readiness, not something FedRAMP will impose on you later. Not sure which path fits your current environment? Book a Readiness Call and we will help you assess.
2. How Federal Agencies Actually Use Cloud-Hosted SaaS Like Salesforce or Databricks
One of the most useful exchanges in the session was a walkthrough of how federal agencies approach cloud-hosted SaaS within the Risk Management Framework. This is foundational context that CSPs often miss because they see the process from their own side, not the agency side.
Here is the structured process the PMO walked through:
Step 1: Identify the Operational Need
Agencies do not start by shopping for tools. They start by identifying a specific operational need, for example, tracking employee office assignments or managing case workflows. The tool comes later.
Step 2: Apply the Risk Management Framework
The agency runs through the RMF steps, including Prepare, Categorize, and (later) Assess. At this stage it evaluates what type of data is involved, how sensitive it is, and what protection requirements apply. Is it PII? Sensitive PII? How critical is availability? In RMF terms this is the FIPS 199 categorization: an impact level for confidentiality, integrity, and availability that drives the control baseline everything downstream has to satisfy.
Step 3: Define the Agency Information System
Based on the use case and data classification, the agency formally defines its information system. This is not the tool. This is the combination of data, processes, protection requirements, and components that together constitute the system.
Step 4: Select the Cloud Service
Only at this stage does the agency go shopping. If Salesforce meets the requirements, it becomes a component within the agency information system, not the system itself.
Step 5: Build the System Security Plan
The agency creates an SSP that maps every identified control to how it is implemented within the chosen cloud service. For well-established platforms with a FedRAMP authorization package, many controls are inherited from the provider's package rather than re-verified; the agency documents that it reviewed the provider's evidence and accepted the inherited control, and focuses its own effort on the customer-responsibility controls (configuration, user access, data handling) that the provider cannot implement on its behalf.
Step 6: Account for Interconnected Systems
Modern agency environments are rarely a single tool. Salesforce connects to an identity provider (IdP). The IdP connects to a SIEM. Each of those may be a separate cloud service with its own authorization. The agency information system encompasses all of those interactions, not just the primary application, so each interconnection and the data that crosses it is part of the authorization boundary the agency has to document.
Why This Matters for CSPs
Understanding this process helps CSPs frame their FedRAMP packages more effectively. Agencies are not evaluating your product in isolation. They are evaluating how your product fits into a broader system security architecture. The clearer your documentation makes that fit, the easier the agency review becomes.
3. Incident Reporting: What CSPs Are Actually Required to Report
The definition of “incident” has been a source of confusion and the PMO used this session to clarify exactly where the line sits.
The Old Definition
Previously, FedRAMP defined an incident narrowly as something that affected federal customer data. This created ambiguity about what happened before that determination was made.
The New Process
Under the updated framework, any event that goes wrong at the cloud service provider level is technically an incident. However, the first step is an internal evaluation: did this incident likely affect or did it actually affect federal customer data?
If the answer is yes, it becomes a federally reportable incident and triggers the formal reporting process. If the answer is no, it does not need to be reported to FedRAMP.
The Practical Takeaway
CSPs are not required to report every internal incident, outage, or failure to FedRAMP. The reporting obligation is scoped specifically to events that affected, or likely affected, federal customer data. What is required of every CSP is a clear internal triage process so that evaluation happens quickly and consistently every time something goes wrong. Record the determination and the evidence behind it in each case: an initial "no federal data impact" can become a "yes" as the investigation develops, and when that happens the reporting clock is measured from the moment the impact was determined, not from when the ticket was first opened.
4. Planning and Budgeting Under an Evolving Framework
The PMO acknowledged directly what many CSPs have expressed privately: planning is hard when requirements keep moving. The entire architecture of CR26 is designed to solve this problem.
What FedRAMP Is Doing Differently
Rather than developing rules behind closed doors and dropping them suddenly, FedRAMP is building and publishing in public with the community involved throughout. CR26 will consolidate all current RFCs and BIRs into a single, stable rule set valid from enforcement in January 2027 through the end of 2028. A phased implementation plan is published at fedramp.gov/20x so organizations can plan against a real timeline.
Who Should Wait vs. Who Should Move Now
The PMO was candid about this. If your organization is risk-sensitive, does not have internal GRC engineering resources that can be redirected, and does not have the operational flexibility to absorb changes mid-cycle, it may make more sense to wait for CR26 to be fully formalized before committing to a plan. That is not a failure. That is appropriate risk management.
On the other hand, if your team has the capacity and the agility, getting into the betas and working groups now means you help shape the final rules rather than react to them. The CSPs that participated in the 20x pilots were generally those with lean, capable internal teams who could move without heavy process overhead.
The Window You Have
CR26 enforcement begins January 2027. The rules are valid through December 2028. That gives most organizations a realistic planning and implementation window if they start now. The phased implementation plan at fedramp.gov/20x gives you the milestones to plan against.
If you want to map your current compliance posture to that timeline before enforcement arrives, Book a Readiness Call with our team and we will build that roadmap with you.
5. Where to Stay Engaged
The PMO closed the session by reiterating the channels where they are actively present and responsive.
fedramp.gov for notices, RFCs, and official documentation. The 20x implementation plan lives at fedramp.gov/20x.
GitHub discussion forums for asynchronous questions. The FedRAMP team actively monitors and responds to threads there. If you have a question that does not need a real-time answer, this is the most reliable channel.
Monthly CWG sessions for real-time Q&A. The next Rev5 session is scheduled for May.
Frequently Asked Questions (FAQ)
Will FedRAMP ever force Rev5 CSPs to move to FedRAMP 20x?
No. There is no current intent to revoke a Rev5 authorization and require migration to 20x. The only crossover that happens is when a security improvement from 20x is significant enough to be applied to Rev5 via a Balance Improvement Release. Those BIRs become mandatory under CR26 in January 2027, but that is an update to Rev5, not a forced migration away from it.
What is the difference between a FedRAMP 20x authorization and a Rev5 authorization?
FedRAMP 20x is designed for cloud-native, well-scoped services without significant technical debt or complex legacy infrastructure. Rev5 is designed for larger, more complex providers, including those operating multiple data centers or pursuing Class D (High) authorizations. The two paths are entirely separate and work completed toward one does not transfer to the other.
What does a federal agency actually do before selecting a cloud service like Salesforce?
Agencies follow the Risk Management Framework before selecting any tool. They start by identifying an operational need, classify the data involved, define protection requirements, and only then shop for a cloud service that meets those requirements. The cloud service becomes one component within a broader agency information system, not the system itself.
What incidents are CSPs required to report to FedRAMP?
CSPs are required to report incidents that affected or were likely to affect federal customer data. Not every internal incident, outage, or failure requires a report. The obligation is specifically scoped to events with a federal data impact. CSPs should have a documented internal triage process to make that determination quickly and consistently.
When does CR26 take effect and how long is it valid?
CR26 enforcement begins in January 2027. The rule set is designed to be valid through December 2028, giving organizations a multi-year stable planning window. A phased implementation plan is published at fedramp.gov/20x.
Should my organization wait for CR26 to be finalized before making compliance plans?
It depends on your internal capacity. If your organization is risk-sensitive and lacks dedicated GRC engineering resources, waiting for full formalization before committing to a plan is a legitimate and reasonable approach. If you have the internal agility, engaging with betas and working groups now gives you influence over the final rules and more preparation time.
Where can CSPs ask questions about FedRAMP 20x between sessions?
FedRAMP actively monitors and responds to questions in their GitHub discussion forums. You can also find notices, RFCs, and the phased implementation plan at fedramp.gov and fedramp.gov/20x. Monthly CWG sessions also include live Q&A.
Key Takeaways
Rev5 is not going away and the PMO has stated it has no current intent to force migration to 20x or to revoke Rev5 authorizations. BIRs from 20x will apply to Rev5 only when necessary to maintain its integrity, and those become mandatory in January 2027 under CR26.
Agencies build information systems before they select cloud tools. Understanding the RMF process from the agency side helps CSPs write better packages. Your product is a component within a larger system, not the system itself. Document accordingly.
Incident reporting is scoped to federal customer data impact. Not every internal failure needs to go to FedRAMP. What every CSP does need is a fast, documented triage process to determine federal data impact consistently and without delay.
CR26 gives you a real planning window. Enforcement starts January 2027 and the rules hold through December 2028. If you have internal GRC capacity, start now. If you do not, waiting for formalization is a legitimate strategy. Either way, the timeline is public and predictable.
The FedRAMP PMO is reachable and responsive. GitHub discussion forums, monthly CWG sessions, and fedramp.gov are all active channels. Questions posted to GitHub get real responses from the team. Use them.
The choice between 20x and Rev5 is yours to make. FedRAMP will not impose a path on you. Choose based on your architecture, your scale, and your readiness. If you need help mapping that decision to your specific environment, Book a Readiness Call with our team.
Notes from the FedRAMP 20x CWG Meeting · April 8, 2026 · fedramp.gov/20x These are field notes from an attendee. For official guidance, always refer to FedRAMP’s GitHub repository and official publications.