The Federal Risk and Authorization Management Program has outlined a new program certification framework for cloud service providers while preparing to retire the FedRAMP Ready designation as part of upcoming rule changes scheduled for release in 2026.
The Potomac Officers Club's 2026 Digital Transformation Summit on April 22 will explore federal IT modernization efforts and advancements in AI, cybersecurity and user experience. Register now!
Why Is FedRAMP Creating a Program Certification Path?
The program said Saturday the proposal stems from challenges faced by cloud providers that invested in the FedRAMP Rev5 agency authorization process but lost or could not secure an agency sponsor due to government staffing and budget constraints. Traditionally, a full Rev5 security assessment requires extensive review.
FedRAMP has relied on government agencies to conduct these reviews since the program lacks the staffing and funding to evaluate every assessment directly. The new approach, called FedRAMP 20x, aims to reduce the initial review workload so FedRAMP can handle certain assessments itself while expanding capacity if additional funding becomes available.
How Will the New Certification Framework Work?
Under the updated structure, FedRAMP authorizations will be renamed FedRAMP certifications, and the program will shift from impact levels to certification classes. Certifications will be available through two pathways: agency authorization and program certification. The agency authorization path requires an agency sponsor to support the review process, while the program certification path allows FedRAMP to review a cloud product without a sponsor, though availability will be more limited.
The changes will be published by June, preceding the retirement of the FedRAMP Ready designation on July 28. They will be applicable to all cloud service providers from Dec. 31, 2026, through Dec. 31, 2028. Providers currently pursuing FedRAMP Ready will be able to convert their existing progress toward obtaining a Class A FedRAMP Certification.
What Are the Stages for Program Certification Implementation?
The rollout will occur in designated stages, beginning with the availability of Class A certifications for current FedRAMP Ready providers. Stage 2 will expand to Class B and C certifications for providers that met specific criteria between January 2025 and March 2026, such as being “In Process” or having completed a full security assessment. A tentative third stage aims to open certifications to providers using external security frameworks that are highly compatible with Rev5 requirements.
