
Focus on FedRAMP® Blog

Discover what’s happening in the FedRAMP world.

Realizing the FedRAMP Authorization Act


January 13, 2026

FedRAMP is releasing the final set of proposed changes to complete the program’s modernization under the FedRAMP Authorization Act and OMB Memorandum M-24-15. These six Requests for Comment (RFCs) represent the culmination of nearly a year of planning, testing, and community input, marking a significant milestone in realigning FedRAMP with its new statutory mandate.

A Year of Transformation

The past year reshaped FedRAMP. Long-standing precedents were adjusted or retired to meet new expectations under the law. These proposed changes are designed to be the last major updates for the foreseeable future. Everything from here will be focused on implementation details and continuous incremental improvement. Your voices informed the re-creation of FedRAMP by Congress and OMB and the wide-scale testing of a new approach for FedRAMP. Your voices will also help us complete this transformation responsibly and effectively. As a result, all of these changes address long-standing issues with the traditional FedRAMP process that were identified by the FedRAMP community throughout the years.

Six RFCs, One Coordinated Release

FedRAMP is simultaneously releasing six related RFCs to finalize this transformation, with staggered comment closing dates to ease the burden of commenting. That’s a lot of proposed updates to release at the same time, and it’s likely to feel overwhelming at first, but all of these changes have been coming for a long time and are so closely related that stringing them out one at a time would just be a series of small, continuous shocks to the FedRAMP ecosystem.

RFC | Topic | Reading Time | Closing Date | Description
RFC 0019 | Reporting Assessment Costs | ~6 min | Feb 12, 2026 | This RFC proposes new requirements for cloud service providers to report the costs associated with independent assessments to comply with the FedRAMP Authorization Act.
RFC 0020 | FedRAMP Authorization Designations | ~8 min | Feb 19, 2026 | This RFC proposes new formal designations for FedRAMP authorizations and a number-based level system for FedRAMP authorizations to clearly separate them from agency Authorizations to Operate.
RFC 0021 | Expanding the FedRAMP Marketplace | ~7 min | Feb 19, 2026 | This RFC proposes expanding the FedRAMP Marketplace by allowing cloud services in the Preparation phase to be listed, adding listings for advisory services, and requiring all parties to share basic pricing information.
RFC 0022 | Leveraging External Frameworks | ~9 min | Feb 26, 2026 | This RFC proposes a new FedRAMP authorization step that leverages existing external security assessments to allow agencies to quickly pilot the use of cloud services for low-risk applications.
RFC 0023 | Rev5 Program Certifications (No Sponsor Required) | ~7 min | Feb 19, 2026 | This RFC proposes a limited-time sponsorless Rev5 Certification path for cloud service providers who adopt specific Balance Improvement Releases to support providers who lost agency sponsorship unexpectedly last year; it also includes a plan to phase out the FedRAMP Ready status entirely.
RFC 0024 | Rev5 Machine-Readable Packages | ~5 min | Mar 11, 2026 | This RFC proposes modifications to the FedRAMP Rev5 process to require cloud service providers to produce machine-readable authorization data alongside timelines for implementation.

FedRAMP will host Q&A related to this RFC in our upcoming Community Update meetings and plans to host at least one related Community Special Event next month. Bookmark our new FedRAMP Events page to stay up-to-date on this future event, and view our past events and podcasts!

Pro-Tips for Commenting

  • RFCs are not official guidance and rarely become official guidance without considerable change driven by public comment. These proposed updates are designed to be adjusted and improved based on feedback.
  • Participation in the FedRAMP RFC process is open to any member of the public and individuals are strongly encouraged to participate. All comments are considered equally, whether they come from a giant company or a single individual.
  • Anyone may comment multiple times on any RFC; there is no limit on comments. It’s even okay to come back later and add an additional thought!
  • Avoid asking questions in formal comments - FedRAMP is not able to respond to questions in comments! If you want us to know something isn’t clear, you should explain what you’d like to see clarified instead of asking about it because questions are confusing in public comment. If you have a question about an RFC in general, there is a casual discussion post where FedRAMP may be able to respond as long as we are not inappropriately influencing comments.
  • It’s not a marathon: read through all of the RFCs and consider the entire flow prior to commenting - many aspects may be initially confusing until the whole context is reviewed.

Note: If you attended or watched FedRAMP’s Rev5 Community Update on January 7, we previewed these RFCs with slightly different names and numbers. One larger RFC was split into two smaller ones, shifting the numbering.