FedRAMP Certification¶
This ruleset explains how cloud service offerings obtain and maintain FedRAMP Certification across certification classes and paths.
Subsets
- General Provider Responsibilities
- Applying for FedRAMP Certification
- Applying for FedRAMP Certification with an Agency Sponsor
- Changing Certification Class
- Rev5-Specific Provider Responsibilities
Effective Date(s) & Overall Applicability for Rev5
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2027-01-01
- Maintain: 2027-01-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01
General Provider Responsibilities¶
These rules apply to cloud service providers obtaining and maintaining any FedRAMP Certification.
Path: ProgramAgency
Class: Class C
Audience: Providers
FedRAMP Certification Profile¶
FRC-CSO-FCP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST identify a target FedRAMP Certification Profile and apply all relevant FedRAMP Practices to the cloud service offering.
Note: Information resources (including third-party information resources) MAY vary by security category as appropriate to the type of information handled by or impacted by the information resource.
Terms: Certification Profile, Cloud Service Offering, FedRAMP Practices, Handle, Information Resource, Security Category, Third-Party Information Resource
FedRAMP Certification Package¶
FRC-CSO-PKG
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Related JSON Schema: FedRAMP Certification Overview Package (FRC-CSO-PKG)
Providers seeking a Class B Certification MUST supply a complete FedRAMP Certification Package to FedRAMP for initial certification; the FedRAMP Certification Package MUST include at least the following information:
- A Certification Package Overview
- A Security Decision Record
- A real or example Ongoing Certification Report following CCM-OCR-AVL (Report Availability)
Terms: Certification Package, FedRAMP Certification Report, Initial Certification, Ongoing Certification, Ongoing Certification Report (OCR), Security Decision Record (SDR)
FedRAMP JSON Schemas¶
FRC-CSO-JSN
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST supply machine-readable information in JSON documents that are valid against the corresponding JSON schema when a rule contains a FedRAMP JSON schema, UNLESS otherwise specified in the rule.
Note: FedRAMP JSON schemas are designed to be lightweight and flexible to establish a minimum set of structured information while allowing providers to improve on the format and structure of the information as needed to meet their needs and the needs of their customers.
Terms: Machine-Readable
Maintain Responsibility and Accountability¶
FRC-CSO-MRA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST maintain responsibility and accountability for the accuracy and completeness of all information in the FedRAMP Certification Package, especially when they engage a third party (such as an independent assessor, advisory service, or external tools) to supply information on their behalf.
Terms: Certification Package
Pick One Program Certification Type¶
FRC-CSO-POP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST NOT seek both FedRAMP Rev5 Program Certification and FedRAMP 20x Program Certification for the same cloud service offering; pick one type.
Note: This rule does not prevent a provider from seeking and maintaining a FedRAMP Rev5 Agency Certification and a FedRAMP 20x Program Certification for the same cloud service offering, however, doing so is strongly discouraged due to the increased complexity and risk of confusion for all parties.
Terms: Cloud Service Offering
Applying for FedRAMP Certification¶
These rules apply to cloud service providers who have met all other relevant rules and are ready to apply for any FedRAMP Certification.
Path: ProgramAgency
Class: Class C
Audience: Providers
Marketplace Listing First¶
FRC-APP-MLF
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST be listed in the FedRAMP Marketplace before applying for FedRAMP Certification, including:
- FedRAMP Marketplace: MKT-CSO-MLR (Marketplace Listing Requirements),
- FedRAMP Marketplace: MKT-CSO-PML (Provider Marketplace Listing Requests)
- FedRAMP Marketplace: MKT-IIP-AGU (Agency Use Cases)
- FedRAMP Marketplace: MKT-IIP-DCP (Demonstrating Continuous Progress)
Applying for FedRAMP Certification¶
FRC-APP-AFC
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
This FRR includes a notification requirement!
- Notify FedRAMP via form: [For CSPs] FedRAMP Certification Application Form.
Providers MUST complete the FedRAMP Certification Application Form in full to request an initial assessment by FedRAMP.
Fresh FedRAMP Certification Package¶
FRC-APP-FCP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST supply a fresh initial FedRAMP Certification Package that shows the current status of the cloud service offering as verified and validated by the provider within the previous 7 days.
Terms: Certification Package, Cloud Service Offering, Validation, Verification
Fresh Independent Assessment¶
FRC-APP-FIA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers seeking Class C Certification MUST supply a fresh initial FedRAMP independent assessment that was completed by a FedRAMP Recognized independent assessment service within the previous 3 months.
Timeframe: 3 months
No Third-Party Applicants¶
FRC-APP-NTP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST NOT use a third party to apply for a FedRAMP Certification on their behalf; this includes independent assessment services.
Notes:
- FedRAMP previously allowed independent assessment services to submit applications on behalf of providers, but this caused confusion about who was responsible for the application and the information in it. Providers should apply directly to ensure clear accountability.
- Providers may use third parties to help them prepare their application and assessment materials for submission.
Updating Stale Assessments¶
FRC-APP-USA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MAY freshen a stale initial independent verification and validation assessment by having a FedRAMP Recognized independent assessment service review any changes between the original assessment and the current status of the cloud service offering in place of a full re-assessment, UNLESS the stale assessment is more than 9 months old.
Terms: Cloud Service Offering, FedRAMP Recognized, Validation, Verification
Applying for FedRAMP Certification with an Agency Sponsor¶
These rules apply to cloud service providers with an Agency Sponsor who have met all other relevant rules and are ready to apply for any FedRAMP Certification.
Path: Agency
Class: Class C
Audience: Providers
Agency Authorization to Operate¶
FRC-APS-ATO
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers seeking a FedRAMP Rev5 Agency Certification MUST have completed the Authorization to Operate (ATO) process with their agency sponsor for the cloud service offering, concluding with a formal signed ATO letter that the agency has sent over official government channels to FedRAMP.
Terms: Cloud Service Offering
Changing Certification Class¶
These rules apply to cloud service providers when changing their FedRAMP Certification Class.
Path: Agency
Class: Class C
Audience: Providers
Upgrading Certification Class¶
FRC-CCL-UCC
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST apply for a new FedRAMP Certification to upgrade their Certification Class; all applicable requirements MUST be met in advance.
Notes:
- Upgrade paths include moving from A to B, C, or D; B to C or D; and C to D.
- The preferred path is to incrementally update the implementation and assurance commitments within the current Certification Class until the provider has met all requirements for the target Certification Class, then apply for the new Certification Class.
Terms: Certification Class
Downgrading Certification Class¶
FRC-CCL-DCC
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST apply for a new FedRAMP Certification to downgrade their Certification Class.
Notes:
- Downgrade paths include moving from D to C, B, or A; C to B or A; or B to A.
- FRC-CCL-DNP (Downgrade Notification Period) applies - please DO NOT downgrade Certification Class with providing advance notification to all necessary parties!
Downgrade Notification Period¶
FRC-CCL-DNP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD notify all necessary parties at least 120 days in advance of an intended downgrade or cancellation of FedRAMP Certification.
Note: Downgrading or canceling FedRAMP Certification will have severe negative consequences for the provider and their agency customers and should only be done after careful consideration and planning... but if it must be done, notify all necessary parties as soon as possible.
Terms: All Necessary Parties
Rev5-Specific Provider Responsibilities¶
These rules apply to providers for FedRAMP Rev5 Certifications.
Path: ProgramAgency
Class: Class C
Audience: Providers
FedRAMP Rev5 Baselines¶
FRC-CSF-BSL
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers seeking FedRAMP Rev5 Class C Certification MUST include at least the following NIST SP 800-53 Rev. 5 controls in their Security Decision Record:
Rev5 Control List
- Access Control (AC)
AC-01(Policy and Procedures)AC-02(Account Management)AC-02 (01)(Automated System Account Management)AC-02 (02)(Automated Temporary and Emergency Account Management)AC-02 (03)(Disable Accounts)AC-02 (04)(Automated Audit Actions)AC-02 (05)(Inactivity Logout)AC-02 (07)(Privileged User Accounts)AC-02 (09)(Restrictions on Use of Shared and Group Accounts)AC-02 (12)(Account Monitoring for Atypical Usage)AC-02 (13)(Disable Accounts for High-risk Individuals)AC-03(Access Enforcement)AC-04(Information Flow Enforcement)AC-04 (21)(Physical or Logical Separation of Information Flows)AC-05(Separation of Duties)AC-06(Least Privilege)AC-06 (01)(Authorize Access to Security Functions)AC-06 (02)(Non-privileged Access for Nonsecurity Functions)AC-06 (05)(Privileged Accounts)AC-06 (07)(Review of User Privileges)AC-06 (09)(Log Use of Privileged Functions)AC-06 (10)(Prohibit Non-privileged Users from Executing Privileged Functions)AC-07(Unsuccessful Logon Attempts)AC-08(System Use Notification)AC-11(Device Lock)AC-11 (01)(Pattern-hiding Displays)AC-12(Session Termination)AC-14(Permitted Actions Without Identification or Authentication)AC-17(Remote Access)AC-17 (01)(Monitoring and Control)AC-17 (02)(Protection of Confidentiality and Integrity Using Encryption)AC-17 (03)(Managed Access Control Points)AC-17 (04)(Privileged Commands and Access)AC-18(Wireless Access)AC-18 (01)(Authentication and Encryption)AC-18 (03)(Disable Wireless Networking)AC-19(Access Control for Mobile Devices)AC-19 (05)(Full Device or Container-based Encryption)AC-20(Use of External Systems)AC-20 (01)(Limits on Authorized Use)AC-20 (02)(Portable Storage Devices — Restricted Use)AC-21(Information Sharing)AC-22(Publicly Accessible Content)
- Awareness and Training (AT)
AT-01(Policy and Procedures)AT-02(Literacy Training and Awareness)AT-02 (02)(Insider Threat)AT-02 (03)(Social Engineering and Mining)AT-03(Role-based Training)AT-04(Training Records)
- Audit and Accountability (AU)
AU-01(Policy and Procedures)AU-02(Event Logging)AU-03(Content of Audit Records)AU-03 (01)(Additional Audit Information)AU-04(Audit Log Storage Capacity)AU-05(Response to Audit Logging Process Failures)AU-06(Audit Record Review, Analysis, and Reporting)AU-06 (01)(Automated Process Integration)AU-06 (03)(Correlate Audit Record Repositories)AU-07(Audit Record Reduction and Report Generation)AU-07 (01)(Automatic Processing)AU-08(Time Stamps)AU-09(Protection of Audit Information)AU-09 (04)(Access by Subset of Privileged Users)AU-11(Audit Record Retention)AU-12(Audit Record Generation)
- Assessment, Authorization, and Monitoring (CA)
CA-01(Policy and Procedures)CA-02(Control Assessments)CA-02 (01)(Independent Assessors)CA-02 (03)(Leveraging Results from External Organizations)CA-03(Information Exchange)CA-06(Authorization)CA-07(Continuous Monitoring)CA-07 (01)(Independent Assessment)CA-07 (04)(Risk Monitoring)CA-08(Penetration Testing)CA-08 (01)(Independent Penetration Testing Agent or Team)CA-08 (02)(Red Team Exercises)CA-09(Internal System Connections)
- Configuration Management (CM)
CM-01(Policy and Procedures)CM-02(Baseline Configuration)CM-02 (02)(Automation Support for Accuracy and Currency)CM-02 (03)(Retention of Previous Configurations)CM-02 (07)(Configure Systems and Components for High-risk Areas)CM-03(Configuration Change Control)CM-03 (02)(Testing, Validation, and Documentation of Changes)CM-03 (04)(Security and Privacy Representatives)CM-04(Impact Analyses)CM-04 (02)(Verification of Controls)CM-05(Access Restrictions for Change)CM-05 (01)(Automated Access Enforcement and Audit Records)CM-05 (05)(Privilege Limitation for Production and Operation)CM-06(Configuration Settings)CM-06 (01)(Automated Management, Application, and Verification)CM-07(Least Functionality)CM-07 (01)(Periodic Review)CM-07 (02)(Prevent Program Execution)CM-07 (05)(Authorized Software — Allow-by-exception)CM-08(System Component Inventory)CM-08 (01)(Updates During Installation and Removal)CM-08 (03)(Automated Unauthorized Component Detection)CM-09(Configuration Management Plan)CM-10(Software Usage Restrictions)CM-11(User-installed Software)CM-12(Information Location)CM-12 (01)(Automated Tools to Support Information Location)
- Contingency Planning (CP)
CP-01(Policy and Procedures)CP-02(Contingency Plan)CP-02 (01)(Coordinate with Related Plans)CP-02 (03)(Resume Mission and Business Functions)CP-02 (08)(Identify Critical Assets)CP-03(Contingency Training)CP-04(Contingency Plan Testing)CP-04 (01)(Coordinate with Related Plans)CP-06(Alternate Storage Site)CP-06 (01)(Separation from Primary Site)CP-06 (03)(Accessibility)CP-07(Alternate Processing Site)CP-07 (01)(Separation from Primary Site)CP-07 (02)(Accessibility)CP-07 (03)(Priority of Service)CP-08(Telecommunications Services)CP-08 (01)(Priority of Service Provisions)CP-08 (02)(Single Points of Failure)CP-09(System Backup)CP-09 (01)(Testing for Reliability and Integrity)CP-09 (08)(Cryptographic Protection)CP-10(System Recovery and Reconstitution)CP-10 (02)(Transaction Recovery)
- Identification and Authentication (IA)
IA-01(Policy and Procedures)IA-02(Identification and Authentication (Organizational Users))IA-02 (01)(Multi-factor Authentication to Privileged Accounts)IA-02 (02)(Multi-factor Authentication to Non-privileged Accounts)IA-02 (05)(Individual Authentication with Group Authentication)IA-02 (06)(Access to Accounts —separate Device)IA-02 (08)(Access to Accounts — Replay Resistant)IA-02 (12)(Acceptance of PIV Credentials)IA-03(Device Identification and Authentication)IA-04(Identifier Management)IA-04 (04)(Identify User Status)IA-05(Authenticator Management)IA-05 (01)(Password-based Authentication)IA-05 (02)(Public Key-based Authentication)IA-05 (06)(Protection of Authenticators)IA-05 (07)(No Embedded Unencrypted Static Authenticators)IA-06(Authentication Feedback)IA-07(Cryptographic Module Authentication)IA-08(Identification and Authentication (Non-organizational Users))IA-08 (01)(Acceptance of PIV Credentials from Other Agencies)IA-08 (02)(Acceptance of External Authenticators)IA-08 (04)(Use of Defined Profiles)IA-11(Re-authentication)IA-12(Identity Proofing)IA-12 (02)(Identity Evidence)IA-12 (03)(Identity Evidence Validation and Verification)IA-12 (05)(Address Confirmation)
- Incident Response (IR)
IR-01(Policy and Procedures)IR-02(Incident Response Training)IR-03(Incident Response Testing)IR-03 (02)(Coordination with Related Plans)IR-04(Incident Handling)IR-04 (01)(Automated Incident Handling Processes)IR-05(Incident Monitoring)IR-06(Incident Reporting)IR-06 (01)(Automated Reporting)IR-06 (03)(Supply Chain Coordination)IR-07(Incident Response Assistance)IR-07 (01)(Automation Support for Availability of Information and Support)IR-08(Incident Response Plan)IR-09(Information Spillage Response)IR-09 (02)(Training)IR-09 (03)(Post-spill Operations)IR-09 (04)(Exposure to Unauthorized Personnel)
- Maintenance (MA)
MA-01(Policy and Procedures)MA-02(Controlled Maintenance)MA-03(Maintenance Tools)MA-03 (01)(Inspect Tools)MA-03 (02)(Inspect Media)MA-03 (03)(Prevent Unauthorized Removal)MA-04(Nonlocal Maintenance)MA-05(Maintenance Personnel)MA-05 (01)(Individuals Without Appropriate Access)MA-06(Timely Maintenance)
- Media Protection (MP)
MP-01(Policy and Procedures)MP-02(Media Access)MP-03(Media Marking)MP-04(Media Storage)MP-05(Media Transport)MP-06(Media Sanitization)MP-07(Media Use)
- Physical and Environmental Protection (PE)
PE-01(Policy and Procedures)PE-02(Physical Access Authorizations)PE-03(Physical Access Control)PE-04(Access Control for Transmission)PE-05(Access Control for Output Devices)PE-06(Monitoring Physical Access)PE-06 (01)(Intrusion Alarms and Surveillance Equipment)PE-08(Visitor Access Records)PE-09(Power Equipment and Cabling)PE-10(Emergency Shutoff)PE-11(Emergency Power)PE-12(Emergency Lighting)PE-13(Fire Protection)PE-13 (01)(Detection Systems — Automatic Activation and Notification)PE-13 (02)(Suppression Systems — Automatic Activation and Notification)PE-14(Environmental Controls)PE-15(Water Damage Protection)PE-16(Delivery and Removal)PE-17(Alternate Work Site)
- Planning (PL)
PL-01(Policy and Procedures)PL-02(System Security and Privacy Plans)PL-04(Rules of Behavior)PL-04 (01)(Social Media and External Site/Application Usage Restrictions)PL-08(Security and Privacy Architectures)PL-10(Baseline Selection)PL-11(Baseline Tailoring)
- Personnel Security (PS)
PS-01(Policy and Procedures)PS-02(Position Risk Designation)PS-03(Personnel Screening)PS-03 (03)(Information Requiring Special Protective Measures)PS-04(Personnel Termination)PS-05(Personnel Transfer)PS-06(Access Agreements)PS-07(External Personnel Security)PS-08(Personnel Sanctions)PS-09(Position Descriptions)
- Risk Assessment (RA)
RA-01(Policy and Procedures)RA-02(Security Categorization)RA-03(Risk Assessment)RA-03 (01)(Supply Chain Risk Assessment)RA-05(Vulnerability Monitoring and Scanning)RA-05 (02)(Update Vulnerabilities to Be Scanned)RA-05 (03)(Breadth and Depth of Coverage)RA-05 (05)(Privileged Access)RA-05 (11)(Public Disclosure Program)RA-07(Risk Response)RA-09(Criticality Analysis)
- System and Services Acquisition (SA)
SA-01(Policy and Procedures)SA-02(Allocation of Resources)SA-03(System Development Life Cycle)SA-04(Acquisition Process)SA-04 (01)(Functional Properties of Controls)SA-04 (02)(Design and Implementation Information for Controls)SA-04 (09)(Functions, Ports, Protocols, and Services in Use)SA-04 (10)(Use of Approved PIV Products)SA-05(System Documentation)SA-08(Security and Privacy Engineering Principles)SA-09(External System Services)SA-09 (01)(Risk Assessments and Organizational Approvals)SA-09 (02)(Identification of Functions, Ports, Protocols, and Services)SA-09 (05)(Processing, Storage, and Service Location)SA-10(Developer Configuration Management)SA-11(Developer Testing and Evaluation)SA-11 (01)(Static Code Analysis)SA-11 (02)(Threat Modeling and Vulnerability Analyses)SA-15(Development Process, Standards, and Tools)SA-15 (03)(Criticality Analysis)SA-22(Unsupported System Components)
- System and Communications Protection (SC)
SC-01(Policy and Procedures)SC-02(Separation of System and User Functionality)SC-04(Information in Shared System Resources)SC-05(Denial-of-service Protection)SC-07(Boundary Protection)SC-07 (03)(Access Points)SC-07 (04)(External Telecommunications Services)SC-07 (05)(Deny by Default — Allow by Exception)SC-07 (07)(Split Tunneling for Remote Devices)SC-07 (08)(Route Traffic to Authenticated Proxy Servers)SC-07 (12)(Host-based Protection)SC-07 (18)(Fail Secure)SC-08(Transmission Confidentiality and Integrity)SC-08 (01)(Cryptographic Protection)SC-10(Network Disconnect)SC-12(Cryptographic Key Establishment and Management)SC-13(Cryptographic Protection)SC-15(Collaborative Computing Devices and Applications)SC-17(Public Key Infrastructure Certificates)SC-18(Mobile Code)SC-20(Secure Name/Address Resolution Service (Authoritative Source))SC-21(Secure Name/Address Resolution Service (Recursive or Caching Resolver))SC-22(Architecture and Provisioning for Name/Address Resolution Service)SC-23(Session Authenticity)SC-28(Protection of Information at Rest)SC-28 (01)(Cryptographic Protection)SC-39(Process Isolation)SC-45(System Time Synchronization)SC-45 (01)(Synchronization with Authoritative Time Source)
- System and Information Integrity (SI)
SI-01(Policy and Procedures)SI-02(Flaw Remediation)SI-02 (02)(Automated Flaw Remediation Status)SI-02 (03)(Time to Remediate Flaws and Benchmarks for Corrective Actions)SI-03(Malicious Code Protection)SI-04(System Monitoring)SI-04 (01)(System-wide Intrusion Detection System)SI-04 (02)(Automated Tools and Mechanisms for Real-time Analysis)SI-04 (04)(Inbound and Outbound Communications Traffic)SI-04 (05)(System-generated Alerts)SI-04 (16)(Correlate Monitoring Information)SI-04 (18)(Analyze Traffic and Covert Exfiltration)SI-04 (23)(Host-based Devices)SI-05(Security Alerts, Advisories, and Directives)SI-06(Security and Privacy Function Verification)SI-07(Software, Firmware, and Information Integrity)SI-07 (01)(Integrity Checks)SI-07 (07)(Integration of Detection and Response)SI-08(Spam Protection)SI-08 (02)(Automatic Updates)SI-10(Information Input Validation)SI-11(Error Handling)SI-12(Information Management and Retention)SI-16(Memory Protection)
- Supply Chain Risk Management (SR)
SR-01(Policy and Procedures)SR-02(Supply Chain Risk Management Plan)SR-02 (01)(Establish SCRM Team)SR-03(Supply Chain Controls and Processes)SR-05(Acquisition Strategies, Tools, and Methods)SR-06(Supplier Assessments and Reviews)SR-08(Notification Agreements)SR-10(Inspection of Systems or Components)SR-11(Component Authenticity)SR-11 (01)(Anti-counterfeit Training)SR-11 (02)(Configuration Control for Component Service and Repair)SR-12(Component Disposal)
Reference: NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
Assign Control Parameters¶
FRC-CSF-ACP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST assign all organization-defined control parameters, following FedRAMP Rev5 Controls Guidance, and ensure that all control parameter assignments are documented in the Security Decision Record (SDR).
Follow FedRAMP Rev5 Controls Guidance¶
FRC-CSF-FFG
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST follow FedRAMP Rev5 Controls Guidance for the implementation and documentation of all applicable controls.
FedRAMP Ready Conversion¶
FRC-CSF-RDY
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers with FedRAMP Rev5 Ready status MUST convert to a FedRAMP Certification by whichever of the follow dates is later: the expiration of their annual assessment or November 17, 2026 (the legacy FedRAMP Ready status will be entirely removed on December 31, 2027).
Notes:
- The simplest conversion in most cases would be to a FedRAMP 20x Class A Certification.
- Cloud services that do not wish to convert or do not meet conversion criteria will be renamed Legacy FedRAMP Ready and otherwise retired from FedRAMP Ready.