Approaching FedRAMP Rev5 Assessments
Independent assessment services will encounter very different expectations for FedRAMP Rev5 Program Certifications versus legacy agency-sponsored Agency Certifications. FedRAMP expects different materials to be presented in a different way than agencies do, and assessors should navigate this carefully.
FedRAMP will stop accepting applications for sponsored Agency Certifications on June 11, 2027.
FedRAMP Rev5 is a legacy process that FedRAMP is actively replacing, and FedRAMP 20x is only available via Program Certification. In most cases, agencies should encourage cloud service providers to pursue FedRAMP 20x Program Certification instead of beginning a new agency-sponsored Rev5 effort.
Assessors supporting agency-sponsored Rev5 assessments will need to follow a hybrid of the legacy process for agencies combined with a more modern process for FedRAMP.
Your interaction and focus will shift depending on whether the assessment is sponsored or sponsor-less. For a sponsored assessment, you are performing your duties with a clear agency partner as the primary consumer of your assessment materials. For a sponsor-less assessment, you are conducting the assessment with the understanding that your work will be scrutinized by FedRAMP for government-wide applicability, requiring a thorough and well-documented certification package.
| Path | Sponsored Assessment | Program (Sponsor-less) Assessment |
|---|---|---|
| Primary Audience | The specific sponsoring federal agency. | FedRAMP and its review team. |
| Key Stakeholder Interaction | You will likely participate in a kick-off meeting with the agency and cloud provider to align on scope, schedule, and the agency’s specific risk acceptance process. | Your engagement is primarily with the cloud provider, but your deliverables must be robust enough to withstand a formal FedRAMP review for government-wide reuse. |
| End Goal | Your assessment deliverables support the sponsoring agency in making a risk-based decision to grant an Authority to Operate (ATO). | Your assessment deliverables support an initial ATO and a subsequent FedRAMP review to grant a "FedRAMP Certified" designation on the Marketplace. |
The Legacy Agency Sponsored Assessment
It is important that assessment services and cloud service providers work carefully with agency sponsors to provide an assessment that meets their needs. Agencies may rely on the independent assessment service to make an authorization recommendation and require a legacy Security Assessment Plan and Security Assessment Report.
The simplest approach for assessors performing a legacy agency-sponsored assessment is to complete all of the traditional activities and submit all legacy materials to the agency. Information about the legacy approach is available on the Legacy FedRAMP Documentation Reference.
A modern assessment is also required!
Assessors will also need to follow the Independent Verification and Validation rules and ensure the cloud service provider supplies the correct Certification Package Overview and Security Decision Record while meeting all other applicable FedRAMP rules depending on the date of the assessment.
Initial Assessment for Rev5 Program Certification
Assessment for Rev5 Program Certification should follow the Independent Verification and Validation rules and ensure the cloud service provider supplies the correct Certification Package Overview and Security Decision Record while meeting all other applicable FedRAMP rules depending on the date of the assessment.
The legacy Security Assessment Plan, Security Assessment Report, etc. are not necessary.
Annual Assessment for Rev5 Program Certification
Annual assessment for Rev5 Program Certification should follow the Independent Verification and Validation rules and ensure the cloud service provider supplies the correct Certification Package Overview and Security Decision Record while meeting all other applicable FedRAMP rules depending on the date of the assessment.
The legacy Security Assessment Plan, Security Assessment Report, etc. are not necessary.