Updating to 2026 Rules¶
If you're new to FedRAMP, you can likely skip this section entirely!
If you are already FedRAMP Certified or have already invested effort in the legacy FedRAMP Certification process, then you will need to understand all of the changes FedRAMP has made over the past year and adjust to the FedRAMP Consolidated Rules for 2026 as quickly as possible.
Cloud service providers that do not adjust to the updated rules will lose their FedRAMP Certification!
Changes in the Law and Policy¶
At the end of 2022, a new FedRAMP was created by Congress in the FedRAMP Authorization Act. This law superseded previous FedRAMP guidance and updated existing laws (including the Federal Information Security Modernization Act or FISMA) by applying a patch to the United States Code.
On July 25, 2024, the Office of Management and Budget released updated guidance, as directed by the FedRAMP Authorization Act, that turned FedRAMP on its head by rescinding and replacing the entire program. This guidance, OMB Memorandum M-24-15, directed sweeping changes to FedRAMP's priorities, processes, authority, and responsibility.
New Strategic Goals and Responsibilities¶
M-24-15 established new strategic goals and responsibilities for FedRAMP:
- Lead an information security program grounded in technical expertise and risk management. FedRAMP is a security program that should, in consultation with industry and security experts across the Federal Government, focus Federal agencies and CSPs on the most impactful security features that protect Federal agencies from the most salient threats.
- Rapidly increase the size of the FedRAMP Marketplace by evolving and offering additional FedRAMP authorization paths. FedRAMP has the challenging task of defining core security expectations for FedRAMP authorizations that will support the statutory presumption of their adequacy and lead to their reuse [...] by agencies with a wide variety of risk postures.
- Streamline processes through automation. It is essential that FedRAMP establish an automated process for the intake, use, and reuse of security assessments and reviews.
- Leverage shared infrastructure between the Federal Government and private sector. FedRAMP should not incentivize or require commercial cloud providers to create separate, dedicated offerings for Federal use, whether through its application of Federal security frameworks or other program operations.
The Origin of FedRAMP 20x¶
In early 2025, the GSA Administrator and the OMB Federal CIO emphasized the criticality and urgency of rapidly shifting the posture of FedRAMP to meet these new goals and responsibilities. FedRAMP responded by beginning an aggressive modernization process called FedRAMP 20x.
The underlying principle of FedRAMP 20x was that FedRAMP would evolve rapidly, indefinitely - with an updated set of rules that would incorporate emerging threats, technologies, and methodologies on a yearly basis. The Consolidated Rules for 2026 is the first major milestone for FedRAMP 20x, but it will continue every year.
These changes will not just apply to FedRAMP 20x Certifications - the core security and usability improvements must be extended across all FedRAMP Certifications. As long as FedRAMP Rev5 is retained as a legacy Certification Type, it will continue to be updated to ensure that it provides security signals that are balanced with the value of FedRAMP 20x Certifications.
The Consolidated Rules for 2026 Apply to All¶
Every single cloud service provider will need to adjust their processes, tools, capabilities, and methodologies to modernize their approach to Governance, Risk, and Compliance (GRC) in order to retain their FedRAMP Certification.
Definitions¶
Please ensure you are familiar with all FedRAMP Definitions or at least how to reference them when a FedRAMP Practice uses a specific term that is defined by FedRAMP.