Initial Outcome of Rev5 Baseline RFCs (RFC-0026 through RFC-0030)
NTC-0013 published at Tue, 16 Jun 2026 13:30:00 GMT // Markdown Version
FedRAMP released a series of proposed Rev5 guidance updates in late April, including RFC-0026 through RFC-0030. These proposed guidance updates were part of a broader set of changes being made to FedRAMP throughout the past year as a result of FedRAMP 20x - a wide-scale rearchitecture of FedRAMP required by the FedRAMP Authorization Act and OMB Memorandum M-24-15.
In general, the changes FedRAMP proposed to Rev5 are intended to ensure that cloud service providers holding legacy FedRAMP Rev5 Certifications are expected to provide a level of automated assurance comparable to that of FedRAMP 20x Certifications. This Public Notice explains the initial outcomes from these specific RFCs within the context of related RFCs and their outcomes; it is intended to summarize a subset of outcomes without reviewing the entirety of these changes.
FedRAMP is currently finalizing the Consolidated Rules for 2026, and has made that work available in advance of completion as a Public Preview. The Consolidated Rules for 2026 will be finalized before the end of June 2026, and will incorporate the changes outlined in this and other outcomes from previous RFCs.
The Future of FedRAMP Rev5
FedRAMP has been clear since the announcement of FedRAMP 20x that an initial outcome from FedRAMP 20x will be the complete replacement of the FedRAMP Rev5 process. The current end date for new FedRAMP Rev5 Certifications is targeted at June 11, 2027; the current end date for existing FedRAMP Rev5 Certifications has not been finalized but is likely to be no later than 2029.
After considerable discussion with the community and in alignment with priorities set by the White House, FedRAMP will accelerate the transition for FedRAMP Rev5 by continuing to bring the responsibility, accountability, and flexibility of FedRAMP 20x to FedRAMP Rev5 in the near term. These mandated initial changes will make it easier for cloud service providers to transition to FedRAMP 20x over time by shifting their approach to align with the assurance expectations of FedRAMP 20x.
- FedRAMP is removing the vast majority of FedRAMP-assigned control parameter values for all FedRAMP Rev5 baselines in the Consolidated Rules for 2026; the problems this addresses are described below.
- FedRAMP is removing nearly all FedRAMP-specific control guidance that established additional rules and requirements from the FedRAMP Rev5 baselines in the Consolidated Rules for 2026.
Additional information on these decisions is shared below.
Removing FedRAMP-assigned Control Parameter Values
The FedRAMP Rev5 controls, built from NIST SP 800-53 Rev 5, have a significant number of organization-defined control parameter values. The process for assigning control parameter values is described in NIST SP 800-53B as follows:
“Controls and control enhancements containing embedded parameters (i.e., assignment and controls and control enhancements to support specific organizational requirements. After the application of scoping considerations and the selection of compensating controls, organizations review the controls and control enhancements for assignment or selection operations and determine the appropriate organization-defined values for the identified parameters. The parameter values may be driven by mission or business requirements, or the values may be prescribed by laws, executive orders, directives, regulations, policies, standards, guidelines, or industry best practices.”
Historically, FedRAMP defined the vast majority of the organization-defined control parameter values in the FedRAMP Rev5 baselines, relying on the further NIST guidance that organizations who work together frequently may develop a mutually agreeable set of control parameter values. These assigned values were set, in general, based on older standards agreed to by the Department of War and the Department of Homeland Security prior to any adoption of commercial cloud services.
FedRAMP 20x is built on the foundational idea that cloud service providers should be incentivized to make their commercial cloud service offerings available to the federal government instead of building gov-specific versions. FedRAMP-assigned values have the opposite effect by forcing a different approach that often does not align with commercial cloud service goals for many different reasons.
FedRAMP-assigned values have another critical negative impact: establishing a “minimum bar” for control parameters also effectively establishes a ceiling. Almost no cloud service providers try to exceed the FedRAMP-assigned values in their System Security Plan. If a FedRAMP-assigned value says something must be done at least every 30 days, then it becomes the goal for all providers to ensure they do this only every 30 days, even when their commercial offering might actually take this action daily in a modern high-speed security environment.
Outcome: FedRAMP is removing the vast majority of FedRAMP-assigned control parameter values for all FedRAMP Rev5 baselines in the Consolidated Rules for 2026, to address both of these problems.
Cloud service providers will be expected to follow NIST rules to assign their own actual organization-defined control parameter values based on the actions taken by the cloud service, and identify these assignments within their System Security Plan (or future Security Decision Record) for review by FedRAMP and agencies. FedRAMP believes this will lead to more secure control implementations and more accurate control documentation.
Removing Outdated FedRAMP Control Guidance
FedRAMP also historically issued additional FedRAMP-specific control guidance that established additional rules and requirements for the implementation of government-specific demands on controls, similar to FedRAMP-assigned control parameters. Most of this control guidance was rooted in the historical FedRAMP JAB authorization process, also based on default historical implementations established by the Department of War and the Department of Homeland Security for their own information systems.
These additional requirements created the same problems as FedRAMP-assigned control parameter values, encouraging cloud service providers and assessors to focus on a typically older government-specific approach that is often inappropriate for a commercial cloud service and in some cases results in degraded security in a modern environment.
FedRAMP is now separately establishing explicit FedRAMP Rules for obtaining and maintaining a FedRAMP Certification. The Consolidated Rules for 2026 are designed to outline all the applicable rules that are uniquely necessary for a cloud service to assure government customers that their information will be properly secured. These rules are sufficient for both FedRAMP 20x and Rev5 type Certifications and replace control guidance in most situations.
Outcome: FedRAMP is removing nearly all FedRAMP-specific control guidance that established additional rules and requirements from the FedRAMP Rev5 baselines in the Consolidated Rules for 2026.
FedRAMP-specific requirements are instead implemented within the FedRAMP Rules. This change eliminates a significant number of hidden requirements that in most situations did not improve the security of a cloud service offering.
Control guidance will primarily be limited to tips and helpful information for otherwise confusing situations moving forward.
Completing the Transition from Legacy Templates
FedRAMP has historically required specific document and spreadsheet-based templates with rich formatting that required considerable manual effort to maintain. As cloud service providers transition to the Consolidated Rules for 2026 they will notice a new construct for FedRAMP materials - the Certification Package rules primarily list the minimum mandatory information and provide a simple JSON schema for sharing that information in a semi-structured machine-readable format.
Cloud service providers will be allowed to innovate on the details of how they present this information within the machine-readable format, and the considerable flexibility in the production of human-readable materials means cloud service providers may now focus on providing the optimum customer experience for both commercial and government customers for sharing information about their specific cloud service offering and its environment.
The new FedRAMP Certification Package will comprise the following primary documents:
- The Certification Package Overview replaces most of the traditional System Security Plan and consolidates information about the cloud service offering and its boundary.
- The Security Decision Record replaces the control implementation aspects of the System Security Plan and Security Assessment Report by consolidating information about each FedRAMP Practice, including rules, Rev5 Controls, and Key Security Indicators.
- The Secure Configuration Guide replaces the Control Implementation Summary / Customer Responsibility Matrix and consolidates information about the customer responsibilities in a way that allows the cloud service provider flexibility to ensure the service is safely adopted without following a control template. FedRAMP will separately work with agencies to create standardized baselines that clearly separate the responsibilities so they can engage in the RMF process correctly.
Pending Replacement of FedRAMP Rev5
FedRAMP would like to remind all cloud service providers that FedRAMP 20x is intended to replace FedRAMP Rev5. No date has been set for the complete replacement of existing FedRAMP Rev5 Certifications but the Office of Management and Budget may do so at any time. Cloud service providers that adopt all of these changes to FedRAMP Rev5 will be much better positioned to transition to FedRAMP 20x as needed.
FedRAMP will stop accepting new FedRAMP Rev5 Certification requests on June 11, 2027. Providers may wish to consider carefully whether or not to invest in a Certification Type that is being actively replaced.
Mandatory Adoption
In general, all cloud service offerings that have current FedRAMP Rev5 Certifications will need to adopt this new approach during their first FedRAMP independent assessment that is completed after January 1, 2027. Start planning now!
For new cloud service offerings seeking to obtain a FedRAMP Rev5 Certification, all of these requirements must be met for any application after January 1, 2027.
FedRAMP is currently targeting the end of June for the formal release of the FedRAMP Consolidated Rules for 2026, but providers can review all of the rules being finalized in the Public Preview.
General Comment Themes
Due to the sweeping nature of this public notice and the rollup of many different RFCs that typically had very specific targeted feedback and commentary, FedRAMP is not supplying a breakdown of general comment themes and responding to them in this initial outcome.