An official website of the United States government

Initial Outcome from RFC-0020 FedRAMP Authorization Designations

NTC-0004 published at Wed, 25 Feb 2026 17:01:00 GMT


RFC-0020 FedRAMP Authorization Designations was closed on February 19, 2026. This notice explains the initial outcome from public comment and the next steps for FedRAMP. FedRAMP will publish the FedRAMP Consolidated Rules for 2026 (CR26) by the end of June 2026; these rules will be valid until December 31, 2028.

Initial Outcome

The following changes from the initial proposed designations in RFC-0020 are planned in the FedRAMP Consolidated Rules for 2026 based on public comment:

  1. The single official label for all FedRAMP authorizations will be FedRAMP Certification or FedRAMP Certified.

    a. This aligns with the definition of a FedRAMP authorization in the FedRAMP Authorization Act which states that a FedRAMP authorization is a certification by FedRAMP.

    b. Any cloud service with a FedRAMP Certification is FedRAMP authorized for the purposes of meeting statutory or regulatory requirements, including adequacy for use by an agency to authorize the operation of that cloud service within a federal information system.

    c. There will not be separate designations (such as “FedRAMP Validated”) for 20x and Rev5; FedRAMP concurs with many commenters that this will ultimately create additional confusion for procurement and other discussions. FedRAMP will provide filters in the marketplace to differentiate these paths instead.

  2. FedRAMP will not create additional certification baselines that factor for corrective actions or the implementation of recommendations in the FedRAMP Consolidated Rules for 2026.

    a. Proposing new levels for this caused significant confusion as many commenters believed the requirements for the existing baselines would also change. FedRAMP is not intending to change requirements as part of this process, only to provide labels for the existing requirements that better align to FedRAMP’s responsibility and authority.

    b. FedRAMP will separately share information about optional processes and corrective actions with agencies, using the FedRAMP Marketplace.

  3. FedRAMP will not use the term “levels” or numbers for the new baseline labels to avoid confusion with the DOD/DOW Impact Level/IL system.

    a. The new labels for each baseline will align to a FedRAMP Certification Class (A, B, C, or D).

    b. This better reflects that the baseline defines the scope of the assessment and certification by FedRAMP, not the total quality or security of the cloud service.

  4. FedRAMP will continue with 4 baselines of assessment in the Consolidated Rules for 2026, with each requiring a different amount (and sometimes type or frequency) of information for FedRAMP Certification as they currently do. There will only be minor changes to the baselines themselves.

    a. The labels for these baselines will change, with a transition period where the old and new labels will be linked. FedRAMP will provide full details and expectations in the Consolidated Rules for 2026.

    b. Rev5: Class A will be a new pilot baseline, Class B will include the current LI-SaaS and Low baselines, Class C will include the current Moderate baseline, and Class D will include the current High baseline.

    c. 20x: These requirements will be formalized within the FedRAMP Consolidated Rules for 2026 and will align with Rev5 Classes.

Explanation

A fundamental lifecycle change for FedRAMP occurred when the FedRAMP Authorization Act was passed and OMB Memorandum M-24-15 was released. FedRAMP was not simply established in law or updated by these changes in statute and policy; instead, a very different program was established in its place with the same name.

As FedRAMP continues to align with these massively changed authorities and responsibilities, there will be changes that fundamentally alter historical approaches to FedRAMP that are no longer relevant or applicable due to the rescission of the original FedRAMP. We acknowledge that for many stakeholders these changes continue to be confusing or frustrating at times, but FedRAMP MUST operate in a different way to meet these new requirements; making changes now will reduce confusion in the future as FedRAMP grows.

The FedRAMP Authorization Act defines a FedRAMP authorization as simply “a certification that a cloud computing product or service has completed a FedRAMP authorization process.” The outcome of this process is a “FedRAMP authorization package” which is defined by the Act as “the essential information that can be used by an agency to determine whether to authorize the operation of an information system.” This naturally leads to the labels FedRAMP Certification for “FedRAMP authorization” and FedRAMP Certification Package for “FedRAMP authorization package.”

As explained in RFC-0020, a FedRAMP Certification is not a guarantee that a cloud service has met all requirements to be appropriate for use by an agency at a given FIPS 199 security category. FedRAMP does not have the authority to make this determination on behalf of an agency authorizing official. Agencies may use a FedRAMP Certification Package to authorize the inclusion of a cloud service in an agency information system at any security category they deem appropriate following the Risk Management Framework. OMB Memorandum M-24-15 and modern FedRAMP policies in general encourage agencies to use FedRAMP materials as the base for such decisions, and explicitly encourage the appropriate use of a FedRAMP Certification at different security categories (“impact levels”) than the FedRAMP Certification itself.

Many commenters inadvertently reinforced the critical misconception that a FedRAMP assessment baseline labeled with a FIPS 199 security category was a de facto acceptance of risk for agency use at that security category. This is incorrect: the FedRAMP assessment baseline identifies the depth and complexity of the information provided by the cloud service provider, not the overall security of a system. The outcome of the FedRAMP assessment and authorization process is a package of reusable materials to massively simplify the process for agencies to review and accept risks themselves, categorized by the amount of information available. This is the government-wide statutory and policy responsibility of FedRAMP today: providing the process for agencies to consistently manage the risk of using cloud services.

For all of these reasons, as proposed in RFC-0020, FedRAMP must establish proper labels that demonstrate the purpose and intent of the new FedRAMP. These labels do not change the requirements, purpose, or use of a FedRAMP authorization, but over time they will reduce the continuous confusion (clearly indicated in public comment) about the purpose and use of a FedRAMP Certification.