Public Preview of the Consolidated Rules for 2026
May 4, 2026
It’s Monday, May 4, 2026. If you’re from the future, things have certainly changed by the time you read this. But for those following along in real time, we have some pretty exciting stuff to share today!
FedRAMP Cybersecurity Service Positions are OPEN!
Thousands of technology companies and hundreds of agencies need engineers who deeply understand FedRAMP. The best way to build that level of understanding is here with us. The FedRAMP Cybersecurity Service (FRCS) will immerse you in all things FedRAMP, giving you hands-on experience in performing FedRAMP Certifications, working with key FedRAMP stakeholders, improving policy and guidance, helping agencies adopt cloud services, and training the next FRCS cohort.
After 2 years of service with FedRAMP, you’ll head to the private sector as an unparalleled expert in a rapidly expanding market of FedRAMP Certified cloud services… or continue your work as a civil servant at a partner agency (or even at FedRAMP).
Positions are now posted on USAJOBS for the initial cohort of 4 GS-15 Lead Cloud Security Engineers. Applications will close after 400 applicants or after one week, whichever comes first. We might be able to extend the window, but the applicant cap is a hard one. If you’re interested in spending some time with us and have the right experience at a lead level, get on over there and apply early. If you don’t have quite that much experience, that’s okay. We’ll be hiring for GS-14 Senior Cloud Security Engineers next, followed by GS-13 Cloud Security Engineers. These positions are going to be stacked up over the coming weeks.
You can learn more about the full plan, benefits, the government hiring experience, and more over at https://fedramp.gov/join. If you’ve already reviewed that information and are ready to apply, head over to the USAJOBS job posting and get your application in early: https://www.usajobs.gov/job/867607100.
Public Preview of the Consolidated Rules for 2026
Over the past year, we’ve been throwing a lot of rocks into the FedRAMP pond, watching and often feeling the ripples and disruption in the ecosystem. It’s been an absolute barrage of changes to the rules, an entirely new FedRAMP Certification path, changes to all the key terminology, and two large-scale public pilots. Coupled with a complete shift towards maximizing public engagement and transparency, it’s been a bit overwhelming at times for all of us.
One thing is about to change: FedRAMP will finalize the Consolidated Rules for 2026 by the end of June, giving the community a clear set of standardized guidance and expectations through the end of 2028. The Consolidated Rules will have explicit rules and timelines for changes to existing Rev5 FedRAMP Certifications, so cloud service providers can plan and execute with confidence without worrying about FedRAMP driving a bus through their plans with a new RFC a few months later. They will also explain the rules and timelines for general availability of FedRAMP 20x, allowing folks to build against a set of expectations that will remain steady after the pace of the Phase 1 and Phase 2 pilots. Also effective immediately, we have updated the FedRAMP Marketplace impact levels to classes as outlined in the previously released FedRAMP notice, NTC-004.
The Consolidated Rules are built on FedRAMP’s new rule system that supplies direct statements in clear plain language. Instead of trying to decode multiple paragraphs of narrative text about the theory of paint, you get something more like: “You MUST paint the exterior of your house.” If we don’t specify a type or color, then that choice is up to you.
Another major adjustment for Rev5 is the transition away from FedRAMP-provided templates. Instead, FedRAMP will provide machine-readable structured requirements for all artifacts, along with human-readable summaries of these requirements, that can be used by providers to ensure whatever materials they produce are complete. This is the first big step encouraging providers to maintain security decision records and related artifacts using systems designed to integrate information from external sources of truth (instead of traditional manually edited spreadsheets and word processing documents).
It’s not all rules though. It turns out some information is just best conveyed via narrative, like the information you’re reading right now. Interspersed in the rules you’ll also find theory, exposition, explanation, and other support. Instead of confusing conversations where folks bring in RFCs while others reference NTCs and someone else talks about what they heard Pete say on a podcast… all of this content will be mostly fixed in time for a steady period so we’re all talking about the same stuff.
One thing will not change: Our commitment to working in public and inviting stakeholders to see what we’re doing and tell us what they think about it. In fact, we’re going to take this to the next level by publishing a Public Preview of our work in progress so you can all follow along as we finalize narratives, tweak rules, and expand this content. Most of you should probably ignore this because the Public Preview will be changing at a bonkers pace as we crash through editing and tuning and finalizing… but we know some of you will love to see this happening in public and benefit from it.
We also want to hear from you. We want to know what you think by giving you a chance to flag stable content that’s unclear or confusing, see if you have any cool ideas about making something better at a reasonable effort, and discuss things with you. To facilitate this, we’ve enabled comments for every single page on the Public Preview website, leveraging a comments system powered by GitHub Discussions. You’ll need to sign into your GitHub account and authorize the Giscus app to leave a comment, but we’re confident folks can climb over that bar and can’t wait to hear from you. These won’t be considered formal public comment, just an opportunity for targeted feedback open to the public.
Monitor the Consolidated Rules for 2026 Public Preview here: https://fedramp.gov/preview/2026
Review the underlying machine-readable structured rules in JSON here: https://github.com/FedRAMP/rules
Download all content as enhanced markdown for use with AI agents here: https://github.com/FedRAMP/2026-markdown
What’s Next
Our work to finalize the Consolidated Rules for 2026 will finish sometime between now and the end of June. They will take effect at the beginning of July, with an optional transition period in many cases extending through to January 1, 2027. They are then in effect and supported by FedRAMP until December 31, 2028, when they’ll be replaced by the next set of Consolidated Rules finalized in 2028.
Implementation, availability, and enforcement will all vary throughout that period. Some rules will not become mandatory for FedRAMP Certification until late in 2027 to give folks time to make the necessary changes. Others become mandatory on the very first day of 2027. Some will take effect earlier, as we specify dates for retiring FedRAMP Ready or opening up the FedRAMP 20x pipelines.
Let’s throw one last big rock in the pond then let things settle for a bit, eh?