Elevate

FedRAMP Certification Requirements: What the CR26 Rulebook Demands

The FedRAMP certification requirements a cloud service provider had to meet a year ago are not the ones the program enforces today. The Consolidated Rules for 2026 (CR26) launched officially on June 24, 2026 and become mandatory on January 1, 2027, and they replaced the old control-count model with a rulebook, a set of Key Security Indicators, and two very different evidence paths depending on how your service is built. This guide lays out the current FedRAMP certification requirements for cloud service providers (CSPs): what governs certification now, what a FedRAMP 20x service must demonstrate, what a Rev5 service must document, and what applies to every provider regardless of type.

The single most important shift to internalize: FedRAMP certification requirements are no longer one long checklist applied uniformly. They branch by certification type, so the first real requirement is knowing which set applies to you. For the terminology behind the rename from authorization to certification, see the FedRAMP Authorized vs Ready guide.

The Rulebook Replaced the Checklist

Under the legacy program, requirements meant a fixed number of NIST 800-53 controls tied to your impact level, documented in a large System Security Plan and tested once. CR26 reframes requirements as a machine-readable rulebook: a structured set of FedRAMP Requirements covering everything from certification data sharing to minimum assessment scope to continuous monitoring, expressed so that both humans and systems can read them.

This matters for how you plan. Requirements are now versioned, addressable, and consistent across providers, which removes much of the interpretive guesswork that used to sit between a CSP and its assessor. It also means a requirement can be satisfied by evidence a machine produces, not only by prose a human writes. The rulebook still traces back to recognized security fundamentals, so the FedRAMP controls to NIST 800-53 mapping guide remains the bridge between the control language your team already knows and the requirement language CR26 uses.

Because the requirements branch by type, the rest of this guide follows that branch: the 20x model first, the Rev5 model second, then the requirements common to both. Before that, one clarification that saves confusion later. The rulebook did not throw away the security concepts underneath the old controls; it reorganized how you prove them. A firewall rule, an access policy, or a logging configuration that satisfied a NIST control still satisfies the corresponding requirement. What changed is the unit of proof, from a narrative that describes the control to, on the 20x side, evidence that a system emits. Teams that already run a mature control environment are closer to meeting the new requirements than the unfamiliar vocabulary suggests.

FedRAMP 20x Requirements: Key Security Indicators

FedRAMP 20x is the cloud-native certification type, served by the sponsorless Program path at Class A, B, or C. Its defining requirement is not a control count but a set of Key Security Indicators (KSIs): outcome-focused statements of security capability that a provider demonstrates through automated, machine-readable evidence rather than narrative description.

CR26 defines 46 Key Security Indicators organized into 10 families. The families are the map of what a 20x service must show:

KSI familyWhat it covers
Cloud Native ArchitectureSecure-by-design architecture and isolation
Service ConfigurationHardened, correctly configured services
Identity and Access ManagementAuthentication, authorization, and access control
Monitoring, Logging, and AuditingVisibility into system and security activity
Change ManagementControlled, tracked changes to the environment
Policy and InventoryDocumented policy and a current asset inventory
Recovery PlanningBackup, recovery, and resilience
Incident ResponseDetection, response, and communication
Supply Chain RiskManagement of third-party and dependency risk
Cybersecurity EducationTraining tied to roles and risk

The table is the shape of the 20x requirement set, and the strategic reading is that the model rewards providers whose security is already instrumented. A KSI is satisfied by showing, through data your systems generate, that the capability is real and persistent, not by asserting it in a document. For a team already running strong automation, this converts existing telemetry into certification evidence. For a team that treats security as periodic paperwork, it exposes the gap. The FedRAMP compliance checklist sequences the work of getting from today’s posture to a KSI-ready one.

The practical requirement hidden inside the KSI model is traceability. Each indicator has to connect to a live source of evidence, and that evidence has to be current, not a screenshot from last quarter. A requirement stated as a capability means the assessor is looking for proof the capability operates continuously, so the underlying requirement is really an instrumentation requirement: log it, monitor it, and be able to produce the record on demand. Providers that map each KSI family to the specific system that already generates its evidence turn the assessment into a data-collection exercise rather than a writing project. Providers that discover, mid-assessment, that a family has no evidence source behind it face the most expensive kind of gap, the kind that requires building a capability rather than documenting one.

FedRAMP Rev5 Requirements: The Documented Package

FedRAMP Rev5 is the certification type for services that operate their own infrastructure or specialized compute, served by the Agency path and the only route to Class D. Its requirements are the modernized descendant of the traditional model, built on NIST SP 800-53 Rev 5 controls and a documented evidence package.

A Rev5 provider must produce a System Security Plan that defines the authorization boundary and documents how each applicable control is implemented, a Security Assessment Plan and Security Assessment Report from an independent assessor, and a Plan of Action and Milestones tracking findings to remediation. The requirements around that package have not softened: reviewers judge submissions on clarity, completeness, conciseness, and consistency, and the most common failure remains a mismatch between the boundary diagram, the data-flow diagram, and the control narrative. One deadline shapes any Rev5 requirements plan: FedRAMP stops accepting applications for new Rev5 Certifications on June 11, 2027, so a service that requires Rev5 has a fixed window to meet these requirements in.

The Rev5 path is documentation-intensive by nature, which makes control mapping the highest-leverage early requirement. Getting the boundary and the control implementations right on paper, before an assessor tests them, is what separates a Rev5 timeline measured in months from one measured in years.

Two Rev5 requirements catch teams off guard because they are easy to underestimate. The first is control inheritance documentation: building on infrastructure that already holds a FedRAMP Certification lets you inherit a share of the control responsibility, but only if the shared responsibility matrix assigns every control to the provider, to you, or to both, with no control left in the gap where each party assumes the other owns it. The second is the “not applicable” trap: marking a control as not applicable when the offering actually invokes it is a fast way to stall a review, because the assessor will find the use case the paperwork denied. Both are documentation discipline problems, and both are cheaper to solve during the SSP build than during assessment.

Requirements Every Provider Must Meet

Some FedRAMP certification requirements apply regardless of type or class. These are the CR26 rulesets that govern how any certified provider operates.

  • Minimum Assessment Scope. You must define your assessment boundary narrowly enough to be defensible but complete enough to cover everything that touches federal data. Scope discipline is itself a requirement, not just good practice.
  • Independent verification and validation. Assessment must be performed by a FedRAMP Recognized Assessor, the CR26 term for the role formerly called a 3PAO, and that assessor must be independent of the firm that advised you. The two roles cannot be held by the same organization.
  • Certification Package Overview. Every certification includes a clear, standardized overview of the offering, so agencies can understand what they are relying on.
  • Certification Data Sharing. You must store and share your FedRAMP Certification Data through a FedRAMP-compatible Trust Center that follows the data sharing rules.
  • Collaborative Continuous Monitoring. After certification, you must share ongoing certification data with all agency customers, produce a regular Ongoing Certification Report, host a synchronous Quarterly Review, and undergo Persistent FedRAMP Assessments focused on your KSIs. The full cadence is in the FedRAMP continuous monitoring evidence guide.
  • FedRAMP communication. You must maintain reliable channels so FedRAMP can reach the security and compliance staff responsible for the offering.

These common requirements carry a planning lesson. The monitoring, data-sharing, and communication obligations are recurring, which means the true cost of meeting FedRAMP certification requirements is not the one-time push to certification but the standing operational capacity to keep the certification valid. Providers that budget only to the certification date meet the requirements once and then breach them.

Class also shapes how heavily these requirements land, though not which ones apply. The Class you target, A through D, reflects how much security information you share and how much ongoing reporting you commit to, so a higher Class raises the depth and cadence of the common requirements rather than adding new categories. The decision is a commitment level, not a difficulty rating, and it should follow the sensitivity of the data your agency customers will run on the service. Choosing a Class higher than your customers need inflates your recurring obligations for no commercial return; choosing one too low can disqualify you from the contracts you were pursuing.

How the Requirements Come Together

The way to read the full requirement set is as three layers stacked on one decision. The decision is your certification type, which follows your architecture. On top of it sits either the KSI layer for 20x or the documented-package layer for Rev5. Underneath both sits the common layer of scope, independent assessment, data sharing, and continuous monitoring that every certified provider carries.

Getting this sequence right is the difference between an efficient path and an expensive one. A provider that picks the wrong type meets the wrong requirements, discovers it at assessment, and pays to redo the work in the correct model. A provider that maps its architecture to the right type first meets one coherent set of requirements once. Elevate’s FedRAMP consulting and advisory services exist to get that mapping right before the requirements work begins.

Conclusion

FedRAMP certification requirements under CR26 are more rational than the model they replaced, but only for providers who read them correctly. The requirements branch by certification type: 46 Key Security Indicators across 10 families for cloud-native 20x services, a documented NIST 800-53 Rev 5 package for Rev5 services, and a common layer of scoping, independent assessment, data sharing, and continuous monitoring for everyone. The single most expensive mistake is meeting the wrong branch, and the single best defense is mapping your architecture to its type before you write a line of evidence.

The dates make the sequence urgent for some providers: mandatory CR26 adoption on January 1, 2027, and the close of new Rev5 applications on June 11, 2027. To confirm which requirement set applies to your service and build the plan to meet it, book a readiness call with an Elevate advisor.

Key Takeaways

FedRAMP certification requirements under CR26 branch by certification type, so the first requirement is knowing which set applies to your service.

Requirements are a rulebook, not a control count. CR26 expresses FedRAMP certification requirements as a machine-readable set of rulesets covering scope, assessment, data sharing, and monitoring, versioned and consistent across providers.

20x runs on 46 Key Security Indicators. Cloud-native services demonstrate 46 KSIs across 10 families through automated, machine-readable evidence rather than narrative documentation.

Rev5 keeps the documented package. Services on the Agency path produce a System Security Plan, Security Assessment Plan and Report, and Plan of Action and Milestones against NIST 800-53 Rev 5, with new Rev5 applications closing June 11, 2027.

Some requirements apply to everyone. Minimum assessment scope, independent verification by a FedRAMP Recognized Assessor, a Trust Center for certification data, and Collaborative Continuous Monitoring apply regardless of type or class.

The requirements are recurring, not one-time. Continuous monitoring, data sharing, and communication obligations mean the real cost is standing operational capacity, not just the push to certification.

FAQs

Q1. What are the FedRAMP certification requirements under CR26?

They branch by certification type. FedRAMP 20x services demonstrate 46 Key Security Indicators across 10 families through automated, machine-readable evidence. FedRAMP Rev5 services produce a documented package against NIST SP 800-53 Rev 5, including a System Security Plan, a Security Assessment Plan and Report from an independent assessor, and a Plan of Action and Milestones. Both types must also meet common requirements: a defined minimum assessment scope, independent verification, certification data sharing through a Trust Center, and Collaborative Continuous Monitoring after certification.

Q2. What are Key Security Indicators in FedRAMP?

Key Security Indicators (KSIs) are the requirement model for FedRAMP 20x. Rather than listing controls to document, they state security capabilities a provider must demonstrate, and the provider proves them with automated, machine-readable evidence from its own systems. CR26 defines 46 KSIs organized into 10 families covering areas such as cloud-native architecture, identity and access management, monitoring and logging, incident response, and supply chain risk.

Q3. Do FedRAMP certification requirements still use NIST 800-53?

Yes, on the Rev5 path. FedRAMP Rev5 requirements are built on NIST SP 800-53 Rev 5 controls, documented in a System Security Plan and tested by an independent assessor. FedRAMP 20x shifts to Key Security Indicators as its primary requirement model, though the KSIs still trace back to recognized security fundamentals. Mapping your existing controls to the requirement model you will use is a strong early step regardless of type.

Q4. Who verifies that FedRAMP certification requirements are met?

A FedRAMP Recognized Assessor, the CR26 term for the independent assessor formerly called a 3PAO, performs the verification and validation. A core requirement is independence: the assessor cannot be the same organization that advised the provider on building its controls, which is why advisory and assessment must stay in separate hands throughout the process.

Q5. How long do FedRAMP certification requirements apply after certification?

Continuously. Several requirements are ongoing rather than one-time: Collaborative Continuous Monitoring, a regular Ongoing Certification Report, a synchronous Quarterly Review with agency customers, persistent vulnerability response, and Persistent FedRAMP Assessments focused on the provider’s Key Security Indicators. Meeting FedRAMP certification requirements is therefore a standing operational commitment, not a one-time milestone.