Important Deadlines

Each Ruleset has a different set of mandatory adoption requirements aligned around a different date range, based on RFC feedback, pilots, and estimated difficulty and complexity.

FedRAMP expects most cloud service offerings will track the various deadlines as they prioritize development and enhancement to update their procedures and assurance profiles.

Critical Overall Dates

All providers must be aware of the following critical overall dates for adjustments to the FedRAMP Rev5 and 20x processes:

| Date | Milestone |
| --- | --- |
| July 4, 2026 | The Consolidated Rules for 2026 are in effect for widespread adoption. Providers are expected to begin adjusting to these rules as quickly as possible. |
| July 4, 2026 | For FedRAMP 20x, all new applications for FedRAMP Certification MUST follow all applicable Consolidated Rules for 2026. |
| January 1, 2027 | For FedRAMP Rev5, all new applications for FedRAMP Certification MUST follow all applicable Consolidated Rules for 2026. |
| January 1, 2027 | For FedRAMP 20x, all active FedRAMP Certified cloud service offerings MUST follow all applicable Consolidated Rules for 2026 or corrective action will be requested by FedRAMP. |
| June 11, 2027 | No new applications for FedRAMP Rev5 Certification will be accepted. |
| February 1, 2028 | All grace periods for the Consolidated Rules for 2026 expire and all cloud service offerings that are not fully following the Consolidated Rules for 2026 will lose their FedRAMP Certification. |

Understanding Ruleset Effective Dates

Each FedRAMP ruleset includes effective dates for both FedRAMP 20x and FedRAMP Rev5. Understanding these dates is critical to informed planning. These dates can be loaded programmatically from the underlying semi-structured machine-readable source for the Consolidated Rules.

| Critical Milestone | Explanation |
| --- | --- |
| Optional Adoption | Cloud service offerings may begin intentionally and responsibly adopting the FedRAMP ruleset after this date; the entire ruleset should be adopted as quickly as possible once adoption begins. |
| Obtain | Cloud service offerings must be following the rules in the FedRAMP ruleset in order to obtain a new FedRAMP Certification after this date. |
| Maintain | Cloud service offerings with active FedRAMP Certifications must be following the rules in the FedRAMP ruleset by this date in order to maintain their FedRAMP Certification; corrective action during the grace period will be requested by FedRAMP after this date. |
| Grace Ends | Cloud service offerings with active FedRAMP Certifications that are not following the rules in the FedRAMP ruleset by this date will lose their FedRAMP Certification until they follow the rules. |

Some grace periods have fixed end dates while others coincide with the next completed FedRAMP independent assessment.

There will be no extensions past the ending of the default grace period.

The default grace period is a hard deadline that applies regardless of notification, corrective action, or progress. If FedRAMP determines that a cloud service offering is not following the rules, FedRAMP will revoke the offering's FedRAMP Certification with public notice.

FedRAMP will take no other punitive action, and cloud service offerings that lose their FedRAMP Certification in this way can regain it by demonstrating they are following the rules.

Expiration

All FedRAMP Practices outlined in the FedRAMP Consolidated Rules for 2026 will expire no later than December 31, 2028.

Cloud service providers will need to update to future releases of the Consolidated Rules for 2027 or 2028 prior to this deadline. It is imperative that providers continuously keep track of changing FedRAMP Practices and incorporate changes as they are available to avoid losing FedRAMP Certification in the future.