Initial Outcome from RFC-0024 Rev5 Machine-Readable Packages
NTC-0009 published at Wed, 25 Mar 2026 21:50:00 GMT // Markdown Version
RFC-0024 FedRAMP Rev5 Machine-Readable Packages was closed on March 11, 2026. This notice explains the initial outcome from public comment and identifies next steps for FedRAMP related to this proposal. The official outcome from this RFC will be included in the FedRAMP Consolidated Rules for 2026 (CR26) that will be published by the end of June 2026; those rules will be valid until December 31, 2028.
We are especially grateful for the considerable thoughtful public comment on this RFC and will work hard to chart a course that aligns the expectations of the government with those that provide commercial services for its use.
Overview
FedRAMP 20x was designed to open the federal market to thousands of new cloud services that invest in automation capabilities to demonstrate continuously validated security metrics. FedRAMP has nearly completed the first two pilot phases for FedRAMP 20x and is nearing release of formal FedRAMP 20x requirements and wide-scale adoption of this new certification type. Every single FedRAMP 20x certification package will include machine-readable authorization data across the entire scope of the authorization package, from initial security materials to ongoing authorization reports including data on significant changes and vulnerabilities. FedRAMP anticipates an explosion in adoption of automation capabilities government-wide as agencies suddenly have access to the exact automation data they have requested for many years.
Cloud service providers with traditional FedRAMP Rev5 certifications will face considerable competition from those with FedRAMP 20x certifications. The difference in initial and ongoing authorization experience for agencies will be stark and difficult to overcome if FedRAMP Rev5 requirements remain focused around manual documentation. FedRAMP cannot simply abandon the 500+ cloud services that have invested in FedRAMP Rev5 certifications by allowing them to stagnate while new services with FedRAMP 20x certifications provide superior continuous assurance and higher quality integrations.
FedRAMP acknowledges that a significant majority of public comments on RFC-0024 expressed deep concern about the complexity of adopting a modern approach to managing legacy security materials after years of investment in manual processes. FedRAMP must chart a course that ensures adequate information remains available to agencies even as their expectations grow and change, but commenters nearly universally requested additional time to prepare for a modern approach. Therefore, FedRAMP will revise both the expected requirements and the timelines to allow gradual adoption over a much longer period, while still ensuring that all Rev5 providers have modernized their approach within two years.
In the Consolidated Rules for 2026, FedRAMP will outline explicit requirements for machine-readable packages for Rev5, generally aligned with those proposed in RFC-0024. This will include providing detailed instructions of exactly what should be in machine-readable formats and options for the general structure of those formats, along with integration into FedRAMP compatible trust centers to ensure agencies can eventually consume this information via API. This data and these mechanisms will be provided by industry in alignment with FedRAMP’s mandate to set policies that enable industry innovation to provide the solutions.
Members of the community may discuss this initial outcome and ask clarifying questions as needed in the General discussion / Q&A on Rev improvements and changes in 2026 thread in the FedRAMP Community and attend FedRAMP Rev5 Community Updates for live Q&A.
Initial Outcome
Detailed information, requirements, and timelines for all items below will be provided in the Consolidated Rules for 2026.
All of the proposed requirements in RFC-0024 will be modified in the Consolidated Rules for 2026, though many will carry forward in the same spirit.
Broadly, the following changes will be made, based on public comment, to the rules and approach initially proposed in RFC-0024:
1. Comprehensive machine-readable authorization data will only be required for FedRAMP Rev5 Class D (High) certifications.
   a. Rev5 Class D (High) certified providers will be required to create and maintain per-service authorization materials as proposed.
   b. Rev5 Class D (High) certified providers will be required to integrate significant changes into their authorization materials twice per year (once during the annual assessment and once halfway between annual assessments) instead of within 30 days of each significant change.
   c. This will cover all authorization materials for both initial and ongoing authorization.
2. Some machine-readable authorization data will be required for FedRAMP Rev5 Class A (Pilot), Class B (Low), and Class C (Moderate) certifications; the bulk of authorization data will be required in a semi-structured text format similar to the current approach.
   a. DOCX and XLSX will be retired as acceptable formats in favor of simple text-based equivalents.
   b. This will cover all authorization materials for both initial and ongoing authorization.
3. The following Rev5 Balance Improvement Releases will be folded into the default FedRAMP Rev5 certification requirements (replacing existing requirements as appropriate), including the requirement to produce related materials in a machine-readable format:
   a. Minimum Assessment Scope replaces the traditional authorization boundary approach and eliminates the need for excessively complex authorization boundary diagrams.
   b. Significant Change Notifications replaces the traditional significant change request process.
   c. Collaborative Continuous Monitoring replaces part of the traditional monthly continuous monitoring approach.
   d. Vulnerability Detection and Response replaces the traditional vulnerability scanning and POA&M approach.
   e. Authorization Data Sharing replaces the traditional Secure Repository approach for centralizing authorization materials.
   f. Each of the above Balance Improvement Releases will have minor adjustments made as it is finalized for the Consolidated Rules for 2026.
4. FedRAMP will not require diagrams or illustrations after the transition to the Minimum Assessment Scope.
   a. The Minimum Assessment Scope carries no expectation of a traditional Authorization Boundary Diagram that captures every service and flow in a single picture. Instead, providers have the flexibility to present the structure of their information resources across multiple levels of abstraction and grouping, in a way that accounts for continuous change within the environment and makes the most sense for their particular service.
5. FedRAMP Rev5 Class C (Moderate) and Class D (High) certifications will strongly encourage the use of machine-generated, deterministic telemetry in authorization data where feasible, with a focus on the Minimum Assessment Scope, Significant Change Notifications, and Vulnerability Detection and Response processes.
   a. Providers will be encouraged to go beyond traditional Rev5 processes and "minimum control requirements" and find ways to demonstrate their security commitments rather than simply writing narrative text about them. This process will include flexibility for providers based on their own unique environment and the best customer experience.
6. All providers will still be required to ensure that basic human-readable materials are available on request to all necessary parties, and will be required to generate those materials from the relevant machine-readable materials when producing them.
   a. FedRAMP will encourage flexibility in human-readable materials so that cloud service providers consider the best customer experience for conveying data about their unique environment. As long as the underlying machine-readable information is consistent, providers will not be penalized for providing an optimal customer experience in their human-readable materials.
   b. This will cover all authorization materials for both initial and ongoing authorization.
Partnering with Industry
FedRAMP will not produce, manage, or operate services or software to help cloud service providers produce machine-readable materials. Government programs are generally not well suited to providing this type of service because of restrictions and regulations, and attempting to do so would guarantee a poor experience for cloud service providers and agencies alike. Furthermore, building and maintaining such services would require a 3-5x or greater increase in FedRAMP's budget and take several years, neither of which is an option.
Innovative solutions for maintaining and producing security materials must be provided by industry; this is the only way to ensure a wide-ranging set of options and alternatives that can compete to provide better capabilities and improve the customer experience for all stakeholders. To enable and encourage innovative solutions from industry, FedRAMP will establish informal partnerships with non-profit organizations that seek to support open source or other public domain capabilities for enabling the adoption of automation-related capabilities.
The OSCAL Foundation is one such established industry partner that provides capabilities, education, and a community to help cloud service providers modernize their approach to managing security materials, including free general membership. Other organizations that are interested in establishing informal partnerships with FedRAMP should reach out to pete@fedramp.gov to discuss opportunities.
At a minimum, FedRAMP will expect informal partner organizations to produce, maintain, and share templates and other materials that align with FedRAMP requirements and to help providers with transitioning from legacy manual materials. FedRAMP will establish the general requirements and ensure the templates and other materials are adequate for use, but FedRAMP will not dictate the underlying structure or approach. Approved organizations, templates, and other materials will be hosted by the organization and linked to in FedRAMP’s official documentation.
Initial Expected Timelines
The dates and milestones below may change in the final release of the Consolidated Rules for 2026; however, none of the dates below will be moved earlier.
Dates and Milestones for FedRAMP Certified Services
The following timelines are expected to be published as part of the FedRAMP Consolidated Rules for 2026 related to this notice; these timelines will apply to cloud services that have an active FedRAMP Certification on the date of each milestone:
| Anticipated Deadline | Milestone |
|---|---|
| 2027-01-01 | Mandatory adoption of the Significant Change Notifications process for all Rev5 cloud services. |
| 2027-01-01 | Mandatory adoption of the Minimum Assessment Scope before or during the next annual assessment for a cloud service. |
| 2027-04-02 | Mandatory adoption of the Collaborative Continuous Monitoring process for all Rev5 cloud services. |
| 2027-06-01 | Mandatory adoption of the Vulnerability Detection and Response process for all Rev5 cloud services. |
| 2027-08-01 | Mandatory adoption of the Authorization Data Sharing process for all Rev5 cloud services. The Connect.gov portal will be retired. |
| 2027-11-01 | Rev5 Class A (Pilot), Class B (Low), and Class C (Moderate) certified cloud services must provide semi-structured text based authorization data before or during their next annual assessment. |
| 2027-11-01 | Rev5 Class D (High) certified cloud services must provide comprehensive machine-readable authorization data before or during their next annual assessment. |
Progressive corrective action for failure to meet the requirements in these milestones will be applied quarterly.
Dates and Milestones for New FedRAMP Certifications
The following timelines are expected to be published as part of the FedRAMP Consolidated Rules for 2026 related to this notice; these timelines will apply to new submissions for FedRAMP Certification after the date of each milestone:
| Anticipated Deadline | Milestone |
|---|---|
| 2027-01-01 | Rev5 Class A (Pilot), Class B (Low), and Class C (Moderate) submissions for FedRAMP Certification must provide semi-structured text based authorization data and adopt the following Rev5 Balance Improvement Releases: Minimum Assessment Scope; Significant Change Notifications; Collaborative Continuous Monitoring; Vulnerability Detection and Response; Authorization Data Sharing. (This will apply to changes in the security categorization of a service.) A grace period will be applied to any cloud service that was In Process with an Agency prior to 2026-10-01. |
| 2027-05-01 | Rev5 Class D (High) submissions for FedRAMP Certification must provide comprehensive machine-readable authorization data and adopt the following Rev5 Balance Improvement Releases: Minimum Assessment Scope; Significant Change Notifications; Collaborative Continuous Monitoring; Vulnerability Detection and Response; Authorization Data Sharing. (This will apply to changes in the security categorization of a service.) A grace period will be applied to any cloud service that was In Process with an Agency prior to 2026-10-01. |