U.S. flag

An official website of the United States government

Focus on FedRAMP® Blog

Discover what’s happening in the FedRAMP world.

Continuing Our Commitment to Public Engagement

Continuing Our Commitment to Public Engagement

May 28, 2026

Over the past year, we’ve been sharing our work early, taking in feedback, testing new approaches, and aligning the program with the vision and mission in the FedRAMP Authorization Act and OMB Memorandum M-24-15. As we move towards clearer, faster, more reusable, and more automated processes, we will continue to meet federal requirements while engaging with the public to develop new rules and processes.

A lot of this work has shown up through FedRAMP 20x, our public request for comment (RFC) process, updated guidance, open and transparent community discussions, and now the Public Preview of the Consolidated Rules for 2026 (CR26).

But another important part of this work deserves more attention: the Federal Secure Cloud Advisory Committee (FSCAC).

FSCAC’s focus for 2026

The FSCAC is more than a forum for consultation. It is a statutory federal advisory committee established under the FedRAMP Authorization Act and in accordance with the Federal Advisory Committee Act. The FSCAC brings together industry and government security practitioners to provide balanced, deliberate conversations on how FedRAMP can improve.

Every two years, its role is defined in the FSCAC charter. The committee advises the FedRAMP Director, the FedRAMP Board, and federal agencies on technical, financial, programmatic, and operational matters related to the secure adoption of cloud computing products and services.

That may sound formal, but the intent behind it is simple: FedRAMP works best when agencies, cloud providers, independent assessors, technical experts, and the public can help identify what is working, what is not working, and what needs to change. The FSCAC gives that conversation a formal, public forum for that level of engagement.

The charter directs FSCAC to examine existing FedRAMP operations and recommend efficiency improvements. This includes streamlining the certification process, increasing agency reuse, reducing marketplace entry and adoption costs, supporting more FedRAMP certified small business cloud offerings, and collecting feedback on agency implementation.

FedRAMP has made substantial progress on many of these priorities over the past year. One recurring challenge, however, remains agency adoption and reuse. For the remainder of 2026, FedRAMP will use the FSCAC as a forum to help identify practical ways to improve how agencies adopt and reuse FedRAMP cloud security packages.

Looking for support

FSCAC is now accepting applications for five open or upcoming committee seats. Applications are due by 5:00 p.m. ET on Friday, June 12, 2026.

Current and upcoming vacancies include:

  • Two Agency Chief Information Security Officer seats
  • Two large cloud service provider seats
  • One small business cloud service provider seat

The FSCAC is most effective when it includes people who understand the real-world impact of FedRAMP from different perspectives: agencies trying to reuse certifications, cloud providers trying to navigate the certification process, independent assessors evaluating security outcomes, and tech experts helping the government modernize securely.

If that sounds like you, or someone you know, please consider applying or sharing this opportunity. Learn more and apply through the FSCAC page.

Join the next meeting

If you have been following FedRAMP updates through our website or attending our community update sessions, much of the next meeting may sound familiar. That is intentional. The goal of the June FSCAC meeting is to provide committee members with a comprehensive update on the major changes underway across FedRAMP and to create space for public input on the work ahead.

If you have questions or comments you would like included in the public record, you may submit them in advance using this form. Your comments will be shared with committee members before the meeting and will be posted on the FSCAC website.

The next FSCAC meeting is scheduled for Monday, June 8, 2026, from 1:00 p.m. to 3:00 p.m. ET. The meeting is open to the public, but registration is required. Register here to receive the meeting link.

CR26 progress

Work on the Consolidated Rules for 2026 (CR26) continues to move quickly.

On May 4, FedRAMP launched the public preview of CR26 as a major step toward bringing scattered guidance, templates, RFC outcomes, and program updates into a clearer and more consistent set of structured rules with supporting narrative content. The goal is not to repackage the old process. The goal is to make FedRAMP easier to understand, implement, validate, reuse, and maintain over time.

Since the preview launched, FedRAMP has continued updating the CR26 site based on internal review, public feedback, and recent RFC outcomes. Updates include expanded guidance for federal agencies and cloud providers, a step-by-step getting-started path for providers, clearer support guidance, improved explanations of certification classes, updated rule-linking logic, new generated reference pages, updates to Incident Communications Procedures based on RFC-0031, and support for defining activity workflows in the FRMR rules. To keep apprised of updates you can follow the CR26 preview changelog.

This work is part of our broader commitment to public engagement. FedRAMP is continuing to publish Public Notices for important updates that may not require a full blog post but still matter to the community. For example, Notice 0011 shares the initial outcome from RFC-0025, our retrospective on the public comment process, and explains how FedRAMP will improve future RFCs with clearer summaries of comment themes, fewer simultaneous open RFCs, a restored public comment form option, and continued use of the FedRAMP Community on GitHub as our primary engagement forum.

The CR26 public preview remains under active development and should not be treated as final implementation guidance until the final version is published. We encourage agencies, cloud providers, independent assessors, and other stakeholders to keep reviewing the preview and providing feedback.

FedRAMP expects CR26 to provide a more stable set of standardized guidance and expectations through the end of 2028. That stability matters: cloud providers need to plan, federal agencies need to reuse, independent assessors need clear validation criteria, and FedRAMP needs to keep improving without surprising the community with disconnected changes.

CR26 is how we start bringing all that work together!

More hiring ahead

We are building the FedRAMP Cybersecurity Service to bring more cloud security engineering expertise directly into the program. The GS-15 Lead Cloud Security Engineer positions are currently in HR review, and FedRAMP will begin reviewing candidates and setting up interviews for those positions soon. Once that review is complete, FedRAMP will post the GS-14 Senior Cloud Security Engineer positions, followed by additional hiring activity for the next wave.

If you are interested in helping scale FedRAMP, please keep an eye on the Join FedRAMP page.

FedRAMP has moved quickly over the past year, and there is still a lot more to do. FSCAC, CR26, public comments, public meetings, and hiring are all part of the same shared goal: building a FedRAMP that is more transparent, collaborative, automated, and valuable for the federal cloud community.