The honest answer to the FedRAMP certification timeline question has two halves that most guides blur together: the program milestones, which are fixed dates FedRAMP publishes, and the phase durations, which are estimates that depend entirely on your service. Under the Consolidated Rules for 2026 (CR26), the fixed dates changed and the duration math changed with them, so timelines built on the old JAB and Rev5-only model now mislead. This guide separates the two cleanly: the CR26 dates you can plan against with certainty, and the phase durations you should treat as ranges, not promises.
If you are choosing between paths, the FedRAMP certification timeline is one of the strongest deciding factors, because FedRAMP 20x and Rev5 move at very different speeds under CR26. For the terminology and path structure behind the dates below, see the FedRAMP ATO and certification path guide.
The Fixed Dates: CR26 Program Milestones
These are the dates FedRAMP has published. They are the same for everyone, and they are the backbone any FedRAMP certification timeline hangs from. Every date below is from the official CR26 rules.
| Date | Milestone | Why it matters to your timeline |
|---|---|---|
| July 4, 2026 | Optional early adoption; all new 20x applications must follow CR26 | You can begin transitioning now |
| July 6, 2026 | Initial Implementation Marketplace listings open | The journey now starts with a listing, not an application |
| July 28, 2026 | FedRAMP Ready goes Legacy | No new Ready submissions; the on-ramp is 20x Class A |
| August 3, 2026 | 20x Class A pipeline opens | First applications for market-entry certification |
| August 10, 2026 | Ready Conversion and Lost Sponsor pipelines open | Limited sponsorless Rev5 Class B and C applications |
| August 31, 2026 | 20x Class B and C pipeline opens | Full 20x class lineup available |
| January 1, 2027 | Mandatory adoption; all new Rev5 applications must follow CR26 | Legacy processes end for new work |
| June 11, 2027 | End of new Rev5 Certifications | Rev5 closes to new applicants |
| February 1, 2028 | All CR26 grace periods expire | Offerings not following CR26 lose certification |
Read this table as the boundary conditions on your plan, not the plan itself. The August 31, 2026 opening of the 20x Class B and C pipeline was confirmed directly by FedRAMP at its July 2026 community working group, and it is the date most new cloud-native providers will actually build toward. The June 11, 2027 Rev5 cutoff is the one that forces decisions: a service that requires Rev5 has to start before it, and starting late compresses everything that follows against a hard wall.
The Three Deadline Types You Have to Track
CR26 does not use one deadline per rule. It uses three, and confusing them is a common way to misread the FedRAMP certification timeline. Every ruleset in CR26 carries its own set.
The Obtain date is when a rule becomes mandatory for a new certification: to obtain a certification after that date, you must follow the rule. The Maintain date is when an already-certified provider must be following the rule to keep its certification, after which FedRAMP can request corrective action. The Grace Ends date is the hard backstop: a certified offering not following the rule by then loses its certification until it complies, with no extensions past the default grace period.
The practical consequence is that “the deadline” depends on which side of it you sit. A provider seeking a new certification plans against Obtain dates. A provider already certified plans against Maintain and Grace Ends dates. The overall grace backstop for CR26 adoption is February 1, 2028, after which any offering not fully following the rules loses its certification. These dates load programmatically from the machine-readable ruleset, so a compliance team can track them as data rather than reading them out of a document.
The Certification Journey, Phase by Phase
The sequence of the FedRAMP certification timeline changed under CR26. The steps below run in order, and each one depends on the previous being done well.
Phase one is the Marketplace listing. Under CR26 the journey now begins with an Initial Implementation Phase listing, which FedRAMP describes as always the first step toward certification. You do not need a complete package or a full Trust Center to list; you need to show you are working toward certification, and you commit to beginning an assessment within two years. For the listing rules themselves, see the FedRAMP Marketplace listing guide.
Phase two is building the certification package. This is where the two types diverge most. On 20x, you instrument your systems and produce machine-readable evidence against the Key Security Indicators. On Rev5, you document control implementations against NIST 800-53 Rev 5. In both cases the evidence lives in the new JSON schemas: a public Certification Package Overview with your metadata, and a Security Decision Record with your implementation detail. For exactly what each type must produce, see the FedRAMP certification requirements guide.
Phase three is the independent assessment. A FedRAMP Recognized Assessor, the CR26 term for the role formerly called a 3PAO, validates your evidence. This assessor must be independent of any firm that advised you, which is a scheduling fact as much as a compliance one: the assessor’s availability is a real variable in your timeline.
Phase four is submission and review. You submit your application, FedRAMP runs its review, and, on the Agency path, your sponsoring agency grants an agency-specific ATO before FedRAMP issues the Certification. On the sponsorless Program path, you submit directly to FedRAMP.
Phase five is continuous monitoring, which never ends and keeps the FedRAMP certification timeline open indefinitely. Certification starts the recurring obligations of Collaborative Continuous Monitoring rather than closing the project. The timeline does not stop at the certificate; it changes shape.
FedRAMP Certification Timeline: How Long Each Phase Takes
Here is where honesty matters most. FedRAMP does not publish official per-phase durations, and any guide that quotes a precise month count is presenting an estimate as a fact. What follows are ranges that depend on your certification type, your Class, and your operational maturity, offered as planning estimates and nothing more.
The single official signal comes from FedRAMP itself: at its July 2026 community working group, FedRAMP indicated that a provider pursuing 20x should be able to qualify for a Class B Certification within a few months. That is the closest thing to an authoritative duration, and it applies to the automation-driven 20x path for a prepared provider, not to every service.
Beyond that, the durations follow logic rather than published numbers. The listing phase can be fast for a prepared team, because it does not require a complete package. The package-building phase is the largest variable: a cloud-native provider that already runs strong automation converts existing telemetry into 20x evidence quickly, while a provider building controls and documentation from a blank start spends far longer. The assessment phase depends on assessor availability and how ready your evidence is when testing begins. The review phase depends on FedRAMP’s queue and, on the Agency path, on your sponsoring agency’s responsiveness, which is historically the least predictable element of any FedRAMP timeline. Treat these as inputs to a range, and build your plan around the fixed dates above rather than around any single duration estimate.
20x vs Rev5: The Timeline Decision
For a provider choosing a path, the FedRAMP certification timeline difference between 20x and Rev5 is one of the clearest deciding factors.
| Timeline factor | FedRAMP 20x | FedRAMP Rev5 |
|---|---|---|
| Sponsor search | None; sponsorless Program path | Agency sponsor required, historically the longest delay |
| Evidence model | Automated, machine-readable, faster to produce if already instrumented | Documentation-intensive, slower to assemble |
| FedRAMP-stated speed | Class B achievable within a few months for a prepared provider | No comparable published estimate |
| Hard deadline | None specific to 20x | New Rev5 applications end June 11, 2027 |
| Best-fit timeline profile | Fastest path for cloud-native services | Necessary for self-hosted or Class D, but slower and closing |
The strategic reading is that 20x is the faster path by design, and the sponsor search is the reason. Under the legacy model, finding an agency sponsor was the single most unpredictable stretch of the entire FedRAMP certification timeline, and it still is for Rev5. The 20x Program path removes that variable entirely, which is why a cloud-native provider can often move faster on 20x than a comparable service could ever move on the old sponsored model. If your architecture points to Rev5, the June 11, 2027 cutoff means the timeline conversation and the deadline conversation are the same conversation. Elevate’s FedRAMP consulting and advisory services scope this decision against your specific service, and the Rev5 authorization and transition strategy service covers the transition planning the cutoff forces.
Where CSPs Lose Months
Most FedRAMP certification timeline overruns are not caused by the process taking a fixed long time. They are caused by avoidable delays, and the same few appear again and again.
The sponsor search is the largest on the Rev5 path. Budget real calendar time for finding, formalizing, and keeping an agency partner engaged, because their responsiveness sets your pace and it is outside your control.
A failed assessment is the most expensive delay in time as well as money. Remediating findings and re-testing adds months during which the service earns no federal revenue, which is why preparation and a first-time pass are a schedule strategy, not just a quality one.
Scope creep extends every downstream phase. A boundary that pulls in components not handling federal data means more to implement, document, assess, and monitor, and each addition stretches the timeline.
Evidence that is not ready when the assessor arrives turns a scheduled assessment into a waiting game. On 20x especially, if a Key Security Indicator has no live evidence source behind it, that gap becomes build time in the middle of your assessment window.
Conclusion
A realistic FedRAMP certification timeline is built from two different materials: the fixed CR26 program dates, which you plan against with certainty, and the phase durations, which you plan against as ranges shaped by your type, Class, and maturity. The most common mistake is treating a competitor’s confident month count as a fact; the second most common is ignoring the fixed dates that actually constrain the plan, especially the June 11, 2027 Rev5 cutoff and the February 1, 2028 grace backstop.
The fastest realistic path for most new, cloud-native providers is 20x, precisely because it removes the sponsor search that made the old timeline unpredictable. To build a FedRAMP certification timeline against your actual architecture and the CR26 dates that apply to you, book a readiness call with an Elevate advisor.
Key Takeaways
A FedRAMP certification timeline under CR26 has two parts: fixed program dates you can trust, and phase durations you should treat as estimates.
The program dates are fixed and public. The 20x Class B and C pipeline opened August 31, 2026, new Rev5 applications end June 11, 2027, and all CR26 grace periods expire February 1, 2028.
Three deadline types apply per rule. Obtain dates govern new certifications, Maintain dates govern keeping one, and Grace Ends dates are the hard backstop with no extensions.
The journey now starts with a listing. An Initial Implementation Marketplace listing is the first step, followed by package building, independent assessment, submission and review, and continuous monitoring.
Durations are estimates, not facts. FedRAMP publishes no official per-phase durations; its one stated signal is that a prepared provider can qualify for 20x Class B within a few months.
20x is the faster path by design. It removes the agency sponsor search that is historically the least predictable delay, while Rev5 remains necessary for self-hosted or Class D services and closes to new applicants June 11, 2027.
FAQs
Q1. How long does FedRAMP certification take under CR26?
There is no single official duration, because FedRAMP does not publish per-phase timelines and the total depends on your certification type, Class, and existing security maturity. The one authoritative signal is that FedRAMP has indicated a prepared provider pursuing 20x can qualify for a Class B Certification within a few months. Rev5 has no comparable published estimate and is generally slower because it is documentation-intensive and requires an agency sponsor. Plan against the fixed CR26 program dates, and treat any specific month count you see elsewhere as an estimate, not a fact.
Q2. What are the key FedRAMP certification dates in 2026 and 2027?
The 20x Class A pipeline opened August 3, 2026 and the Class B and C pipeline opened August 31, 2026. The temporary Rev5 Ready Conversion and Lost Sponsor pipelines opened August 10, 2026. Mandatory CR26 adoption took effect January 1, 2027. FedRAMP stops accepting new Rev5 Certification applications on June 11, 2027. All CR26 grace periods expire February 1, 2028, after which offerings not following the rules lose their certification.
Q3. Is FedRAMP 20x faster than Rev5?
Generally yes, and the main reason is the agency sponsor. The 20x Program path is sponsorless, which removes the single most unpredictable delay in the traditional timeline. FedRAMP has indicated a prepared provider can reach 20x Class B within a few months, and the automated evidence model is faster to produce for a cloud-native service already running strong automation. Rev5 remains necessary for self-hosted services and for Class D, but it is documentation-intensive, requires a sponsor, and closes to new applicants June 11, 2027.
Q4. What are Obtain, Maintain, and Grace Ends dates?
They are the three deadline types CR26 attaches to each ruleset. The Obtain date is when a rule becomes mandatory to obtain a new certification. The Maintain date is when an already-certified provider must follow the rule to keep its certification, after which FedRAMP may request corrective action. The Grace Ends date is the hard backstop: a certified offering not following the rule by then loses its certification until it complies, with no extensions. Which date applies to you depends on whether you are seeking a certification or maintaining one.
Q5. Where do FedRAMP timelines usually slip?
Four places. The agency sponsor search on the Rev5 path, historically the least predictable stretch. A failed first assessment, which adds months of remediation and re-testing. Scope creep, where a broad authorization boundary stretches every downstream phase. And evidence that is not ready when the assessor arrives, which on 20x means a Key Security Indicator without a live evidence source becomes build time inside the assessment window. All four are avoidable with preparation, which is why readiness work is a schedule strategy.