FedRAMP controls form the security backbone of every cloud service operating within the federal government. With CR26 — FedRAMP’s Consolidated Rules for 2026 — the program is undergoing its most significant structural overhaul since it was codified into law in December 2022. New certification terminology, updated baseline classes, machine-readable package requirements, and formalized continuous monitoring obligations are all taking effect on a published schedule, with enforcement beginning in January 2027.
This guide breaks down how FedRAMP controls work, what the new certification class structure means for your organization, and what technical leaders need to act on before CR26 enforcement begins.
Understanding FedRAMP Controls and Their Purpose

Image Source: ComplianceForge
FedRAMP controls are not optional additions to a cloud security program. For any cloud service provider handling federal information, they define the minimum security posture required to operate. Understanding what they are, where they come from, and why they are mandatory is the starting point for any serious FedRAMP effort.
What Are FedRAMP Security Controls
FedRAMP security controls are specialized safeguards designed for cloud computing environments that process, store, or transmit federal information. They establish a standardized way to assess security, authorize — now formally called certify — cloud systems, and monitor them continuously after authorization is granted.
Unlike generic security frameworks, FedRAMP controls are written specifically for cloud service models and deployment scenarios. They account for the multi-tenant architecture, shared responsibility boundaries, and dynamic infrastructure that define modern cloud environments. The General Services Administration (GSA) houses the FedRAMP Program Management Office (PMO), which manages, updates, and enforces these controls across all certified cloud service offerings.
NIST SP 800-53 as the foundation
FedRAMP builds directly on NIST Special Publication 800-53, the federal government’s primary catalog of security and privacy controls. The relationship is additive: FedRAMP adopts the NIST 800-53 control catalog as its baseline, then layers cloud-specific parameters, requirements, and implementation guidance on top.
This makes FedRAMP effectively FISMA applied to cloud environments. Both frameworks follow NIST 800-53 guidance, but FedRAMP adds controls that address cloud-specific risks — particularly around continuous monitoring, incident response, and supply chain integrity — that the broader NIST catalog treats more generically.
NIST SP 800-53 organizes controls into families ranging from Access Control to System and Information Integrity. FedRAMP adapts those families for cloud service models, turning broad security principles into concrete, auditable requirements that 3PAOs assess against defined criteria.
Why controls are mandatory for Federal Cloud Use
Every executive agency is required to use FedRAMP-certified cloud services for deployments that involve federal data. This is not a recommendation. An Office of Management and Budget memorandum establishes that cloud services handling federal information must hold FedRAMP certification, and the FedRAMP Authorization Act codified the program into law in December 2022.
The mandatory nature of FedRAMP controls serves four core purposes: ensuring that cloud services protect federal information consistently, creating a standard approach to security assessment and continuous monitoring, eliminating redundant agency-by-agency security reviews, and enabling modern cloud adoption without compromising federal data security.
FedRAMP’s CR26 reinforces this mandate with an important addition: agencies themselves are required to follow FedRAMP processes. An OIG report issued in early 2026 resulted in a corrective action plan for an agency division that had refused to follow FedRAMP requirements. Federal law applies to agencies as well as providers.
FedRAMP Certification Classes: The New Baseline Structure

Image Source: Secureframe
One of the most consequential changes in CR26 is the replacement of FIPS 199 impact level terminology — Low, Moderate, High — with a new Certification Class structure. This is not a cosmetic rebrand. It reflects a deliberate decision by FedRAMP to reduce procurement confusion and separate the concept of assessment scope from agency-level risk determinations.
From Low/Moderate/High to Classes A, B, C, and D
FedRAMP is retiring the Low, Moderate, and High labels for certification baselines and replacing them with four lettered Certification Classes: A, B, C, and D. The change is anchored in NTC-0004, published February 25, 2026, and will be formalized in CR26 by end of June 2026.
The reason for the shift is practical. FIPS 199 impact level labels — particularly Moderate and High — have caused persistent confusion with DoD and DON Impact Levels, which use similar terminology but refer to entirely different frameworks. The new lettered classes eliminate that overlap and make clear that a FedRAMP Certification Class describes the scope and depth of the assessment package, not a universal judgment about how secure a system is.
Alongside the class structure, FedRAMP is standardizing its official designation. “FedRAMP Authorization” and “FedRAMP Authorized” are being replaced with “FedRAMP Certification” and “FedRAMP Certified” as the single official label across all certification types. CSPs should update proposals, websites, and collateral accordingly.
What Each Certification Class Requires
The four Certification Classes map to the existing baseline structure as follows:
Class A replaces the Pilot and Ready designations. FedRAMP Ready is being retired on July 28, 2026, replaced by Rev5 Class A (Pilot). Class A is the entry-level certification path, designed for providers beginning the authorization process or operating within tightly scoped, lower-risk environments.
Class B replaces the Li-SaaS and Low baselines. It applies to cloud services handling public or non-sensitive government data where a security breach would produce limited operational impact. Class B requires approximately 125 to 156 controls across 17 control families.
Class C replaces the Moderate baseline. It applies to systems handling Controlled Unclassified Information (CUI) and non-public federal data where a breach could cause serious but not catastrophic harm. Class C requires approximately 323 to 325 controls and represents the most common certification tier — roughly 80 percent of FedRAMP-certified services operate at this level.
Class D replaces the High baseline. It applies to systems handling mission-critical federal information — law enforcement, emergency services, national security, critical infrastructure — where a breach could produce severe or catastrophic consequences. Class D requires approximately 410 to 421 controls and is the most demanding certification tier in the program. Critically, Class D must always go through the Agency authorization path. There is no Program path for Class D, and no 20x path exists for Class D under any circumstances.
How the Old Impact Levels Map to the New Classes
For organizations mid-flight in their FedRAMP journey, the mapping is direct:
| Old Terminology | New Class | Certification Path Available |
|---|---|---|
| Ready / Pilot | Class A | Rev5 Agency or Program |
| Li-SaaS / Low | Class B | Rev5 Agency or Program; 20x Program |
| Moderate | Class C | Rev5 Agency or Program; 20x Program |
| High | Class D | Rev5 Agency only |
One clarification the PMO has been emphatic about: work completed toward Rev5 does not transfer to FedRAMP 20x, and vice versa. These are entirely separate certification types. Similarly, DoD Moderate Equivalency — a DISA-specific construct — has no crossover value toward any FedRAMP certification class. FedRAMP does not recognize it and will make no commitments based on it.
FedRAMP High vs. Moderate Controls: Key Differences
The decision between pursuing what was formerly called FedRAMP Moderate — now Class C — and FedRAMP High — now Class D — is one of the most consequential a cloud service provider makes. The difference is not just a larger control count. It reflects fundamentally different security postures, operational obligations, and market positions.
Control Count Comparison: Class C vs. Class D

At the baseline level, Class C (Moderate) requires approximately 323 to 325 controls. Class D (High) requires approximately 410 to 421 controls. That gap of roughly 90 to 100 additional controls represents meaningfully more implementation work, but the more significant difference lies in how those controls are implemented, not just how many there are.
Many control identifiers appear in both baselines. What changes at Class D is the parameter values — stricter thresholds, tighter timeframes, more prescriptive implementation requirements — applied to controls that Class C also requires but at lower intensity. A control like Audit and Accountability (AU) exists at both levels, but Class D demands more granular logging, more frequent review, and faster response to anomalies.
Data Sensitivity and Risk Impact Thresholds
The data handled by Class C and Class D systems differs in both type and consequence.
Class C systems handle CUI and non-public federal data. The risk calculus is that a breach at this level could cause serious harm — disrupted operations, compromised personal data, financial loss — but the damage is recoverable. This covers the majority of federal cloud workloads: HR systems, benefits administration, procurement platforms, and similar operational systems.
Class D systems handle information where a breach could produce severe or catastrophic consequences. This means national security data, law enforcement records, emergency response systems, healthcare data in life-critical settings, and critical infrastructure controls. The standard is not “serious harm” — it is whether a breach could endanger lives, compromise national security, or cause irreversible systemic damage.
This distinction matters because it determines not just which controls you implement, but how you scope your authorization boundary, how you classify data flows, and how you structure your shared responsibility model with agency customers.
Implementation Rigor and Audit Frequency Differences
Beyond control count and data type, Class D certification imposes stricter operational requirements across several dimensions.
Incident response testing at Class C requires annual exercises. Class D requires testing every six months. This doubled cadence reflects the higher stakes of the systems involved and the reduced tolerance for untested response procedures.
Continuous monitoring obligations are more intensive at Class D. Monthly deliverables — vulnerability scans, POA&M updates, inventory changes — are required at both levels, but Class D systems face tighter remediation windows and more frequent agency-level review of monitoring artifacts.
Audit logging at Class D must be system-wide and continuous, with more detailed event capture and faster anomaly detection requirements than Class C mandates. Identity management controls are more prescriptive, requiring stronger authentication mechanisms and more granular access controls throughout the system.
The authorization path itself also differs. Class C can go through either the Agency path or the Program path under Rev5, and is available under FedRAMP 20x for cloud-native services. Class D has no Program path and no 20x path — it must go through a federal agency as the authorizing sponsor under Rev5. This means the agency relationship is not optional at Class D; it is structurally built into the certification process.
Structure of the FedRAMP Controls List
Understanding how FedRAMP organizes its controls helps compliance teams plan implementation, assign ownership, and track progress systematically. The structure has not changed with CR26 — the 20 control families remain intact — but the way those controls are documented and delivered is evolving toward machine-readable formats.
Overview of 20 FedRAMP Control Families
FedRAMP organizes its security controls into 20 distinct families, each addressing a specific security domain. The families are:
Access Control, Awareness and Training, Audit and Accountability, Assessment, Authorization, and Monitoring, Configuration Management, Contingency Planning, Identification and Authentication, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Planning, Program Management, Personnel Security, PII Processing and Transparency, Risk Assessment, System and Services Acquisition, System and Communications Protection, System and Information Integrity, and Supply Chain Risk Management.
Each family contains individual controls and control enhancements. The number of controls required from each family increases as you move from Class B to Class C to Class D. Supply Chain Risk Management and System and Information Integrity, in particular, carry significantly heavier requirements at Class D given the mission-critical nature of the systems involved.
RFC-0027 through RFC-0030, currently active as part of the CR26 process, are updating the Rev5 security controls baseline — five control families per RFC. These updates incorporate BIR changes and findings from actual Rev5 reviews. Organizations currently building SSPs should monitor these RFCs, as the final CR26 versions will reflect these updates and become mandatory in January 2027.
Control Types: Technical, Operational, Management
FedRAMP controls fall into three implementation categories regardless of which certification class applies.
Technical controls are embedded directly in systems and infrastructure. They include encryption at rest and in transit, access enforcement mechanisms, audit log generation, and automated configuration management. These controls are increasingly expected to produce machine-readable evidence as FedRAMP moves toward automated validation.
Operational controls depend on human processes to implement and maintain. Vulnerability scanning, system monitoring, incident response execution, and media sanitization fall into this category. The VDR (Vulnerability Detection and Response) update being finalized under CR26 significantly raises the bar here — monthly scanning and CVE scoring alone will no longer satisfy the standard. Continuous detection and response capability is the new expectation.
Management controls operate at the policy and organizational level. Risk assessments, security planning, POA&M management, and organizational oversight define this category. CR26’s shift toward explicit, plain-language rules directly affects management controls — the era of interpretive ambiguity around these requirements is ending.
FedRAMP Controls Checklist by Certification Class
The control counts by certification class under the updated framework:
| Certification Class | Replaces | Approximate Control Count |
|---|---|---|
| Class A | Pilot / Ready | Scoped per offering |
| Class B | Li-SaaS / Low | 125 – 156 controls |
| Class C | Moderate | 323 – 325 controls |
| Class D | High | 410 – 421 controls |
Every control must be documented in the System Security Plan and supported by evidence. As CR26 moves toward machine-readable packages, that evidence is increasingly expected to be structured data rather than narrative text — particularly for Class D services by November 2027.
How FedRAMP Controls Map to Certification
The path from implementing FedRAMP controls to receiving a FedRAMP Certification runs through a defined set of documentation, assessment, and authorization artifacts. CR26 updates the terminology and the evidence format expectations, but the core process structure remains intact.
System Security Plan (SSP) Documentation
The SSP is the primary artifact of FedRAMP certification. It documents the cloud service offering’s security architecture, authorization boundary, data flows, cryptographic modules, and the implementation of every required control. FedRAMP provides SSP templates for each baseline class, with Appendix A mapping each control to its implementation details.
Defining the authorization boundary before implementing controls is the most consequential scoping decision a CSP makes. The boundary determines what gets certified, which controls apply, and how interconnected systems — identity providers, SIEMs, logging platforms — factor into the package. Modern agency environments are rarely a single tool: Salesforce connects to an IDP, the IDP connects to a SIEM, and the agency information system encompasses all of those interactions.
CR26 is accelerating the shift away from monolithic Word-based SSPs toward service-scoped, machine-readable evidence packages. The connect.gov portal that FedRAMP currently uses will be retired when CR26 launches. CSPs relying on it need a migration plan in place before enforcement begins.
3PAO Assessment and Security Assessment Report
A Third Party Assessment Organization assesses the cloud system independently and produces a Security Assessment Report documenting findings. The SAR captures the CSO’s security posture at a specific point in time and includes the Risk Exposure Table, Security Requirements Traceability Matrix workbook, vulnerability scan results, penetration test reports, and the initial Plan of Action and Milestones.
CR26 is directly addressing a long-standing issue with 3PAO assessments: ghost requirements. These are findings issued by assessors for things that felt safer to flag based on past experience, not because a documented FedRAMP requirement existed. CR26 is eliminating this dynamic by replacing narrative guidance with explicit, plain-language rules. The PMO’s guidance is direct: if a CSP receives a 3PAO finding it believes is not grounded in a documented requirement, it should ask the 3PAO to cite the requirement in writing. In many cases they will not be able to.
Remediation timelines from the SAR remain structured by risk severity: critical and high findings within 30 days, moderate within 90 days, low within 180 days.
FedRAMP Controls Mapping to NIST SP 800-53
FedRAMP’s relationship to NIST SP 800-53 is additive. FedRAMP adopts the NIST control catalog and adds cloud-specific parameters, implementation requirements, and monitoring obligations. This means NIST 800-53 compliance is necessary but not sufficient for FedRAMP certification — the cloud-specific additions are where the meaningful compliance work lives.
RFC-0027 through RFC-0030 are currently updating the Rev5 security controls baseline as part of CR26. Updates driven by NIST changes follow the NIST public comment process separately from FedRAMP’s RFC process. Organizations should track both channels to stay current on controls that may change before CR26 enforcement begins.
Maintaining FedRAMP Compliance Over Time

Image Source: Ignyte Assurance Platform
Receiving a FedRAMP Certification is the beginning of a continuous obligation, not its conclusion. The ongoing requirements have become more demanding and more explicitly enforced since the JAB was rescinded, and CR26 formalizes several obligations that were previously ambiguous.
Continuous Monitoring in the Post-JAB Era
The Joint Authorization Board was rescinded approximately eighteen months before this writing. Its elimination changed the continuous monitoring model in a way that many CSPs have been slow to fully absorb.
Under the JAB model, a CSP maintained a single continuous monitoring relationship with one authorizing body. Under the current model, CSPs must share continuous monitoring data with every agency customer that holds an ATO for their service. This is not optional. RFC-0026, currently in the active comment period, formalizes this expectation and introduces direct corrective action for CSPs that fail to provide agencies with access to their continuous monitoring information.
The PMO disclosed in April 2026 that multiple large CSPs — serving many agencies — had told those agencies they did not share ConMon data because they were “JAB authorized.” The JAB authorization model is gone. If you are in this category, RFC-0026 is a direct and immediate action item.
Monthly ConMon deliverables remain required across all certification classes: vulnerability scans, POA&M updates, inventory changes, and executive summaries. Remediation timelines are enforced — 30 days for high findings, 90 days for moderate, 180 days for low. CSPs managing large numbers of agency relationships should review the Collaborative Continuous Monitoring RFC, which is designed to reduce the operational burden of multi-agency ConMon.
Incident Reporting: What CSPs Must Report
FedRAMP updated its incident reporting definition under CR26, and the change has practical implications for how CSPs triage internal events.
The previous definition scoped incidents narrowly to events that had already affected federal customer data. This created ambiguity about how to handle the period between when something went wrong and when its impact on federal data was confirmed.
Under the updated framework, any event that goes wrong at the CSP level is technically an incident. The first step is an internal evaluation: did this event likely affect, or did it actually affect, federal customer data? If yes, it becomes a federally reportable incident and triggers the formal reporting process — notification to agency customers, CISA, and FedRAMP within one hour of confirmation. If no, it does not require a report to FedRAMP.
The practical implication is that CSPs are not required to report every internal outage or failure. The obligation is scoped to events with federal data impact. What is required of every CSP is a documented internal triage process that makes that determination quickly and consistently every time something goes wrong.
Automation and Machine-Readable Packages
FedRAMP’s trajectory under CR26 is clear: compliance evidence is moving from manual documents to machine-readable, structured data. The timeline is firm.
By January 2027, CR26 enforcement begins and all current Rev5 BIRs become mandatory. By November 2027, Rev5 Class D services must deliver comprehensive machine-readable packages. Other Rev5 classes will face partial requirements and a transition to semi-structured text formats in the same timeframe.
OSCAL — the Open Security Controls Assessment Language — is the data format at the center of this transition. But the PMO has been explicit that OSCAL is a format, not an automation strategy. Real scalability in evidence production comes from engineering workflows that generate compliance artifacts as a byproduct of normal operations — change management systems that automatically identify impacted controls, inventory tools that produce machine-readable deltas, and monitoring pipelines that feed structured data into FedRAMP-required reports.
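One way to make monthly ConMon artifacts a byproduct of existing data, as an added example (not the PMO's code or any FedRAMP tooling): an inventory tool emits a structured delta against last month's snapshot, flags records missing required fields, and derives POA&M due dates from the 30/90/180-day remediation windows stated earlier. The record fields, asset names, and findings are constructed for illustration, and the output is plain JSON rather than OSCAL.

```python
import json
from datetime import date, timedelta

# Remediation windows by severity, as stated earlier in the article
# (critical/high 30 days, moderate 90, low 180).
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}

# Assumed inventory record shape (illustration only, not a FedRAMP schema).
REQUIRED_FIELDS = ("asset_id", "hostname", "ip", "software_version", "in_boundary")
TRACKED_FIELDS = ("ip", "software_version", "in_boundary")

# Reporting date for the constructed sample run.
AS_OF = date(2026, 5, 15)


def validate_inventory(records):
    """Flag records that lack a required field; structured packages need complete rows."""
    issues = []
    for rec in records:
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            issues.append({"asset_id": rec.get("asset_id"), "missing": missing})
    return issues


def inventory_delta(previous, current):
    """Machine-readable delta between two monthly inventory snapshots."""
    prev = {r["asset_id"]: r for r in previous}
    curr = {r["asset_id"]: r for r in current}
    added = [curr[a] for a in sorted(curr.keys() - prev.keys())]
    removed = [prev[a] for a in sorted(prev.keys() - curr.keys())]
    changed = []
    for aid in sorted(prev.keys() & curr.keys()):
        diffs = {
            f: {"from": prev[aid].get(f), "to": curr[aid].get(f)}
            for f in TRACKED_FIELDS
            if prev[aid].get(f) != curr[aid].get(f)
        }
        if diffs:
            changed.append({"asset_id": aid, "changes": diffs})
    return {"added": added, "removed": removed, "changed": changed}


def poam_schedule(findings, as_of):
    """Derive due dates from discovery date and severity; mark open items past due."""
    rows = []
    for f in findings:
        severity = f["severity"].lower()
        due = f["discovered"] + timedelta(days=REMEDIATION_DAYS[severity])
        rows.append({
            "finding_id": f["finding_id"],
            "severity": severity,
            "discovered": f["discovered"].isoformat(),
            "due": due.isoformat(),
            "overdue": (as_of > due) and not f.get("closed", False),
        })
    return rows


def build_monthly_package(previous, current, findings, as_of):
    """Assemble the monthly deliverables from the three data sources."""
    return {
        "as_of": as_of.isoformat(),
        "inventory_delta": inventory_delta(previous, current),
        "inventory_issues": validate_inventory(current),
        "poam": poam_schedule(findings, as_of),
    }


# Constructed sample snapshots and findings (not real systems or findings).
PREV_INVENTORY = [
    {"asset_id": "web-01", "hostname": "web-01.internal", "ip": "10.0.1.10",
     "software_version": "2.4.57", "in_boundary": True},
    {"asset_id": "db-01", "hostname": "db-01.internal", "ip": "10.0.2.20",
     "software_version": "15.4", "in_boundary": True},
    {"asset_id": "bastion-01", "hostname": "bastion-01.internal", "ip": "10.0.0.5",
     "software_version": "9.3", "in_boundary": True},
]
CURR_INVENTORY = [
    {"asset_id": "web-01", "hostname": "web-01.internal", "ip": "10.0.1.10",
     "software_version": "2.4.58", "in_boundary": True},  # patched this month
    {"asset_id": "db-01", "hostname": "db-01.internal", "ip": "10.0.2.20",
     "software_version": "15.4", "in_boundary": True},
    {"asset_id": "web-02", "ip": "10.0.1.11",  # new asset, hostname not recorded
     "software_version": "2.4.58", "in_boundary": True},
]
FINDINGS = [
    {"finding_id": "F-101", "severity": "High", "discovered": date(2026, 4, 1)},
    {"finding_id": "F-102", "severity": "Moderate", "discovered": date(2026, 4, 1)},
    {"finding_id": "F-103", "severity": "Low", "discovered": date(2025, 12, 1)},
    {"finding_id": "F-104", "severity": "Critical", "discovered": date(2026, 4, 20),
     "closed": True},
]

if __name__ == "__main__":
    package = build_monthly_package(PREV_INVENTORY, CURR_INVENTORY, FINDINGS, AS_OF)
    print(json.dumps(package, indent=2))
```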
The connect.gov portal will be retired when CR26 launches. CSPs currently using it for package submission need a migration plan before that date. FedRAMP will define the required documents and fields; how those reach FedRAMP and agency customers is for the industry to align on. Getting into the current betas is the fastest way to ensure your approach is on track before it becomes mandatory.
CR26 and What Changes in January 2027
CR26 is FedRAMP’s attempt to replace years of scattered narrative-based guidance — what practitioners sometimes call ghost requirements — with a single, predictable, machine-readable rule set. For technical leaders planning compliance roadmaps, the CR26 timeline is the most important planning input available.
What CR26 Means for Your Control Baseline
CR26 consolidates all existing RFCs and Balance Improvement Releases into one unified rule set. The goal is explicit, plain-language rules that eliminate interpretive ambiguity: providers must do X, assessors must do Y, with no room for the interpersonal dynamics that grew up around vague guidance.
One significant feature coming in CR26 is LLM integration. FedRAMP is structuring its rule files at github.com/fedramp/docs to be cleanly ingestible by AI agents and language models, enabling the community to query and navigate the ruleset programmatically. This is a meaningful step toward genuine machine-readability at the regulatory layer.
For control baselines specifically, CR26 will formalize the Certification Class structure, update the Rev5 security controls baseline with the RFC-0027 through RFC-0030 changes, and establish the machine-readable package requirements that take effect by November 2027.
BIR Updates — RFC-0027 Through RFC-0030
Four active RFCs are updating the Rev5 security controls baseline as part of the CR26 process. RFC-0027, RFC-0028, RFC-0029, and RFC-0030 each cover five control families, incorporating BIR changes and findings from actual Rev5 assessments.
These are not minor clarifications. They reflect real issues encountered during reviews and adjustments driven by the BIRs accumulated over the past year. Organizations building SSPs now should treat the current RFC versions as indicative but not final — the CR26 versions will differ from current betas, and final versions will become mandatory in January 2027.
Participating in the comment periods for these RFCs is the most direct way to influence the final rules and avoid surprises at enforcement. FedRAMP maintains two discussion threads per RFC on their GitHub community page: an informal Q&A thread where the PMO can respond freely, and a formal public comment thread for written submissions. Questions posted to the formal thread cannot receive a direct response.
Planning Timeline Before Enforcement Begins
The CR26 schedule as of April 2026:
Now through June 2026: CR26 is finalized. Active betas continue. This is the window to begin preparing machine-readable data structures, fix certification terminology across collateral, and decide your authorization path if you have not already.
July 28, 2026: FedRAMP Ready (Class A) designation retired. Replaced by Rev5 Class A (Pilot), specifics pending.
January 2027: CR26 enforcement begins. All current Rev5 BIRs become mandatory. This is a hard date.
November 2027: Rev5 Class D services must deliver comprehensive machine-readable packages. Other Rev5 classes face partial requirements and semi-structured text transitions.
Through December 2028: CR26 rules remain valid. This multi-year stability window is intentional — FedRAMP designed it to give organizations a realistic planning and implementation runway.
The PMO has been candid about who should move now versus who should wait. If your organization is risk-sensitive and lacks dedicated GRC engineering resources, waiting for CR26 to be fully formalized before committing to implementation is a legitimate strategy. If you have the internal capacity, engaging with the betas and working groups now means you help shape the final rules rather than react to them.
Either way, the timeline is public and the enforcement date is fixed. Planning against January 2027 is not optional — it is the minimum responsible starting point.
Key Takeaways
FedRAMP controls are undergoing their most significant structural change since the program was codified into law — and the enforcement clock is running.
- CR26 is the anchor of everything happening in 2026. Consolidated Rules 2026 replaces years of scattered narrative guidance with a single, explicit, machine-readable rule set. Finalized by end of June 2026, enforced from January 2027, valid through December 2028. This is your planning window.
- Low, Moderate, and High are being retired. FedRAMP is replacing FIPS 199 impact level labels with Certification Classes A through D. Class B replaces Low, Class C replaces Moderate, Class D replaces High. The change eliminates confusion with DoD Impact Level terminology. Update your proposals, websites, and collateral to reflect “FedRAMP Certified” as the single official designation.
- Class D (High) has no 20x path and no Program path. If you are pursuing High certification, the Agency authorization path under Rev5 is your only option. Work completed toward Rev5 does not transfer to 20x, and DoD Moderate Equivalency has no crossover value toward any FedRAMP certification class.
- The JAB is gone and ConMon obligations changed with it. CSPs must now share continuous monitoring data with every agency customer holding an ATO — not a single authorizing body. RFC-0026 formalizes this and introduces direct corrective action for CSPs that are not complying. If you have been operating under the assumption that JAB authorization exempts you from sharing ConMon data, that assumption is wrong and enforceable.
- Incident reporting is scoped to federal data impact, not every internal failure. Any internal event is technically an incident, but the federally reportable threshold is whether it affected or was likely to affect federal customer data. What is required of every CSP is a documented triage process that makes that determination quickly and consistently.
- Machine-readable packages are mandatory, not aspirational. Class D services must deliver comprehensive machine-readable packages by November 2027. Other classes face partial requirements in the same timeframe. OSCAL is the format — but format alone is not a strategy. Evidence needs to be generated as a byproduct of normal engineering operations, not assembled manually before submission.
- Ghost requirements are ending. CR26 is replacing interpretive ambiguity with explicit, plain-language rules. If a 3PAO issues a finding your team believes is not grounded in a documented FedRAMP requirement, ask them to cite it in writing. In many cases they will not be able to.
- The planning window is real but it is not infinite. January 2027 is a hard enforcement date. Organizations with internal GRC engineering capacity should be in the betas and working groups now. Organizations without that capacity should treat CR26 finalization in June 2026 as their starting gun, not January 2027.
FAQs
Q1. What are FedRAMP controls and why are they important? FedRAMP controls are security and privacy requirements that cloud service providers must implement to operate with US federal agencies. Based on NIST SP 800-53, these controls include technical, operational, and management measures designed to protect federal information in cloud environments and enable standardized security assessments across government.
Q2. What are the new FedRAMP Certification Classes and how do they replace impact levels? FedRAMP is replacing Low, Moderate, and High impact level labels with four Certification Classes — A, B, C, and D — under CR26. Class A replaces the Pilot and Ready designations. Class B replaces Li-SaaS and Low. Class C replaces Moderate. Class D replaces High. The change eliminates confusion with DoD Impact Level terminology and clarifies that certification classes describe assessment scope, not a universal security quality judgment.
Q3. How many controls are required for FedRAMP High (Class D) certification? FedRAMP Class D certification — formerly FedRAMP High — requires approximately 410 to 421 controls. This is the most rigorous baseline, designed for cloud systems managing mission-critical federal information where a breach could have severe or catastrophic consequences. Class D must go through the Agency authorization path under Rev5 and has no FedRAMP 20x equivalent.
Q4. What is the difference between FedRAMP High and Moderate controls? The difference between Class D (High) and Class C (Moderate) extends beyond the roughly 90 additional controls required at Class D. Class D systems handle mission-critical data where breaches could be catastrophic rather than serious. Class D imposes stricter parameter values on shared controls, requires incident response testing every six months instead of annually, demands more intensive continuous monitoring, and requires the Agency authorization path rather than Program sponsorship.
Q5. What changes with FedRAMP CR26 in January 2027? CR26 enforcement begins January 2027, making all current Rev5 BIRs mandatory and formalizing the Certification Class structure (A through D), the new “FedRAMP Certified” terminology, and updated continuous monitoring obligations. CR26 also initiates the transition to machine-readable compliance packages, with Class D services required to deliver comprehensive machine-readable packages by November 2027.
Q6. What incidents are CSPs required to report to FedRAMP? CSPs must report incidents that affected or were likely to affect federal customer data. Not every internal outage or failure requires a report — the obligation is scoped to events with federal data impact. CSPs must notify agency customers, CISA, and FedRAMP within one hour of confirming a reportable incident. Every CSP should have a documented internal triage process to make that determination quickly and consistently.
Q7. How does continuous monitoring work after the JAB was rescinded? With the Joint Authorization Board eliminated, CSPs must now share continuous monitoring data with every agency customer holding an ATO for their service — not a single authorizing body. RFC-0026 formalizes this obligation and introduces direct corrective action for CSPs that fail to provide agencies with ConMon data access. Monthly deliverables and strict remediation timelines remain in effect across all certification classes.
Q8. What are the machine-readable package deadlines under CR26? Rev5 Class D services must deliver comprehensive machine-readable packages by November 2027. Other Rev5 classes face partial requirements and a transition to semi-structured text formats in the same timeframe. CR26 enforcement begins January 2027, at which point all current Rev5 BIRs become mandatory. The connect.gov portal used for current submissions will be retired when CR26 launches.
Q9. Should my organization choose FedRAMP 20x or Rev5? The decision depends on your architecture and scale. FedRAMP 20x is designed for well-scoped, cloud-native services without significant technical debt or complex legacy infrastructure — a capable team can build a solid 20x package in a matter of weeks. Rev5 is designed for larger enterprises with complex infrastructure, multiple data centers, or those pursuing Class D certification. The two paths are entirely separate: work completed toward one does not transfer to the other.