Initial Outcome from RFC-0021 Expanding the FedRAMP Marketplace

NTC-0005 published at Wed, 25 Feb 2026 17:05:00 GMT // Markdown Version

RFC-0021 Expanding the FedRAMP Marketplace was closed on February 19, 2026. This notice explains the initial outcome from public comment and the next steps for FedRAMP. FedRAMP will publish the FedRAMP Consolidated Rules for 2026 (CR26) by the end of June, 2026; these rules will be valid until December 31, 2028.

Initial Outcome

The following changes from the rules proposed in RFC-0021 are planned in the FedRAMP Consolidated Rules for 2026 based on public comment:

1. FedRAMP will not request, store, or publish pricing information for cloud services, independent assessors, or advisory services on the FedRAMP Marketplace.

   a. MKT-GEN-SPI Service Pricing Information will be struck.

   b. MKT-ADV-WEB Website Requirements and MKT-RIA-WEB Website Requirements will be modified appropriately.

   c. Agencies and other FedRAMP stakeholders have regularly requested that FedRAMP provide this information in a centralized place, however public comment has made it clear that many stakeholders do not want to participate. This gives FedRAMP a clear public explanation for why this information will not be available in the FedRAMP Marketplace.

2. MKT-ADV-ATT Attestation Requirements will be rewritten as an optional rule; FedRAMP will not require advisory services to maintain positive attestations from cloud service providers to be listed on the FedRAMP Marketplace.

3. MKT-RIA-ATT Attestation Requirements will be modified to require an independent assessor to complete at least 2 assessments (initial or annual) every 2 years to maintain recognition.

   a. MKT-RIA-ATT Attestation Requirements will begin the 2 year clock at either the date of FedRAMP recognition OR the date of publishing, whichever is most recent. This provides all current and future FedRAMP-recognized independent assessors 2 years to meet this requirement before it applies indefinitely.

   b. MKT-RIA-ATT Attestation Requirements will continue to include the grace period of 6 months but will add a path to prevent loss of recognition if the independent assessor demonstrates intent to perform the required assessments with the timelines being outside of their control.

   c. Some commenters inadvertently reinforced this requirement by explaining they had paid considerable cost to obtain an A2LA Accreditation with the sole intent of providing advisory services, however A2LA Accreditation and the related FedRAMP recognition process do not assess a company’s knowledge of FedRAMP or their ability to provide advisory services because it is intended only for independent assessors. This problem is exactly the confusion FedRAMP intends to address with this requirement.

4. MKT-GEN-DOD Demonstration of Ongoing Demand will be updated to only apply to cloud services without an agency authorization to operate and the overall application will be clarified.

   a. Providers that are not following the Authorization Data Sharing standard will be exempt from sharing agency package request information as FedRAMP manages that process for USDA Connect.

   b. FedRAMP will add a note clarifying that this is to help FedRAMP justify the use of government resources to support Program Certification and similar processes overall by providing aggregate numbers and is not intended as an oversight mechanism to punish providers who are struggling with demand.

5. MKT-GEN-PKO Pick One: 20x or Rev5 will be updated to be more explicitly clear that Program Certification is the path outlined in RFC-0023 where FedRAMP is the sponsor for initial and ongoing authorization and that the requirement to pick one path applies to Program Certification only.

   a. Cloud services with a 20x Certification are welcome to pursue an agency sponsored authorization to also obtain and maintain a FedRAMP Certification for Rev5. These Certifications would need to be maintained separately, following separate Rev5 and 20x processes. This would be very complicated for a company and likely result in significant confusion but FedRAMP does not have a reason to prevent this today.

   b. FedRAMP itself will not provide a Program Certification for both paths due to the issues mentioned above, however; it would certainly be a waste of time, resources, and effort for FedRAMP to perform duplicative work itself.

6. MKT-PRE-DCP Demonstrating Continuous Progress will be updated to clarify that continuous progress will be measured by the cloud service provider against goals it must include in the Ongoing Authorization Reports.

   a. This is an opportunity for a business to showcase its goals and progress in a way that any potential customer can review and should be seen as a marketing and future customer experience opportunity.

7. MKT-FRX-TAT Target Authorization Time will be updated to clarify that FedRAMP won’t throw someone under a 1 month penalty bus if there is a minor issue with a submission that is easy to correct.

   a. This penalty is for situations when a package is demonstrably insufficient or FedRAMP has to repeatedly ask for additional information such that it is impossible to make a decision in a timely manner without wasting time and resources.

   b. The note incorrectly mentioned a 3 month waiting period; the penalty is intended only to be 1 month.

8. FedRAMP will provide a JSON schema for the required web information for independent assessors and advisory services in the FedRAMP Consolidated Rules for 2026.

   a. MKT-ADV-WEB Website Requirements and MKT-RIA-WEB Website Requirements will be updated to include this JSON schema and information about validation.

9. All of the final rules will be updated to match the most recent naming conventions in FedRAMP Machine Readable Documentation, so many of the names will change.

Explanation

RFC-0021 received 41 comments in total, with a wide variety of focus for the comment content (appropriate to the various themes within RFC-0021). Comments were generally targeted at very specific areas and many aspects of the RFC received little attention. FedRAMP is making adjustments in specific areas that take into account concerns raised by the community where feedback did not conflict with the underlying goal or purpose of a proposed rule.

The adjustments are outlined in detail in the Initial Outcome section and summarized as follows:

1. Pricing information will not be required because pretty much all industry commenters raised concerns, even though pretty much all agency commenters were strongly appreciative of the proposed change.

2. Advisory services and independent assessors will not need to maintain public attestations from customers. At least initially, advisory service listings will not require demonstration of quality.

3. FedRAMP-recognized independent assessors will be expected to perform at least 2 assessments every 2 years, instead of 3, along with many other changes and clarifications. This requirement is directly targeted at withdrawing recognition from companies that are causing confusion by seeking FedRAMP-recognition as an independent assessor when they do not actually intend to actually provide assessment services; it is not intended to punish active assessment services for circumstances outside their control.

4. The limit on Program Certification to either Rev5 or 20x will remain in place because FedRAMP itself can not waste resources on duplicative reviews and continuous monitoring. It’s possible there was some confusion here from commenters because this limit only applied to Program Certification where FedRAMP itself is the primary “sponsor” of a service (FedRAMP 20x is entirely sponsored by FedRAMP, and this rule applies to that and the proposed Rev5 Program Certification sponsored by FedRAMP in RFC-0023).

5. As FedRAMP delivers the Consolidated Rules for 2026, it will clarify that FedRAMP may defer corrective action if early notification with a well documented and achievable corrective action plan is supplied in advance of the corrective action being triggered. Corrective action is not intended to punish services acting in good faith on a technicality; it is for services that are simply failing to meet requirements.

6. Various other requirements and recommendations will be clarified, templates will be provided as appropriate, and everything will be implemented within the full context of the FedRAMP Consolidated Rules for 2026.

Thank you for participating in the FedRAMP public comment process!