RFC-0020 FedRAMP Authorization Designations

Summary

This RFC proposes changes to directly tackle the confusion between “FedRAMP authorization” and an agency “authorization to operate” to align with terminology and usage in statute, OMB policy, and NIST materials. The proposed general changes in this RFC include:

  • FedRAMP authorizations will be given specific formal labels to clearly identify them.
  • FedRAMP security categories will transition from FIPS 199-style categories (Low, Moderate, High) to a number-based level system.

This RFC is aligned with other concurrent RFCs that have additional detail on specific topics but have been published separately to encourage topic-specific comments:

  • RFC-0021: Expanding the FedRAMP Marketplace
  • RFC-0022: Leveraging External Frameworks
  • RFC-0023: Sponsorless Rev5 Certifications

Motivation

A FedRAMP authorization indicates that FedRAMP has packaged essential security information from a cloud service provider that can be used by an agency to make a determination whether or not to use that service; it is not a decision by an Authorizing Official that the service has been granted an Authorization to Operate (ATO). The use of “authorization” in a government IT context should be limited to the use outlined in OMB Circular A-130 around Authorization to Operate and the NIST Risk Management Framework’s Authorization Step.

The FedRAMP Board has found that the use of the words “authorized” / “authorization” for a FedRAMP authorization has created significant confusion about the separation of responsibilities for authorizing the use of information systems in government and recommended that FedRAMP establish separate designations for FedRAMP authorizations.

Cloud service providers frequently misunderstand FedRAMP “authorization” to be a government-wide ATO that allows any agency to immediately use their service. Federal employees often mistakenly believe that they can use any FedRAMP “authorized” cloud service without agency oversight. Agency security officials may take inappropriate risks when adopting a FedRAMP “authorized” cloud service in the mistaken belief that FedRAMP or other agencies oversee its security on their behalf, sometimes without even reviewing the materials in the FedRAMP authorization package. These behaviors, even if limited, can result in adverse impacts to federal information and federal information systems.

Similarly, a FedRAMP authorization at a given NIST FIPS 199 impact level (Low, Moderate, High) does not necessarily align with the impact level of the agency information system that reuses that FedRAMP authorization. Only an agency Authorizing Official can determine the security category of an information system for their specific use case; the NIST Risk Management Framework has an entire Categorize Step dedicated to this for federal agencies. Agencies regularly reuse FedRAMP authorization materials in agency information systems whose ATO is at a lower or higher impact level than the FedRAMP authorization; this is strongly encouraged.

FedRAMP should, to the greatest extent possible, provide a process to industry and federal agencies that reuses common industry terminology and avoids confusion around government terms. The designations FedRAMP uses should make it easier for all parties to understand the existing separation of responsibilities between FedRAMP, agencies, and cloud service providers. Overlapping, confusing, or duplicative designations should be avoided; therefore, both FedRAMP “authorization” and the terminology around the complexity of the assessment should have easy-to-understand designations that avoid this type of confusion.

Therefore, this RFC proposes creating FedRAMP Certified (Rev5) and FedRAMP Validated (20x) designations for FedRAMP authorizations, with each designation having six levels of increasingly complex assessment and monitoring requirements. To mitigate initial confusion, all current FedRAMP authorizations will be automatically mapped to a specific designation and level.

FedRAMP Certified (Rev5)

The “FedRAMP Certified” authorization designation indicates that a service has completed a point-in-time assessment by FedRAMP, based primarily on a review of filed paperwork, that meets legacy FedRAMP Rev5 requirements. FedRAMP has reviewed and assessed this package for completeness against a legacy FedRAMP Rev5 baseline and certified that there is sufficient information in the assessment materials to be used by agencies following the legacy FedRAMP Rev5 process. All Rev5 Certified services are FedRAMP authorized.

FedRAMP Certification levels do not indicate the security of the cloud service overall! These levels only indicate the coverage and depth of the assessment materials available to agencies via FedRAMP.

Effective Date: March 18, 2026 (tentatively) - on or near this date, all cloud services will be transitioned to their new designation.

Rev5 Certified Levels, each with the historical FedRAMP Rev5 categorization it maps from:

  • Certified Level 1 (historical Rev5 categorization: Li-SaaS): There is a minimum amount of information in the FedRAMP Certification package that is adequate for use in a negligible or low risk non-sensitive authorization decision in most cases.
  • Certified Level 2 (historical Rev5 categorization: Low): There is a small amount of information in the FedRAMP Certification package that is adequate for use in a low impact authorization decision in most cases.
  • Certified Level 3 (historical Rev5 categorization: Moderate): There is a typical amount of information in the FedRAMP Certification package that is adequate for use in a moderate impact authorization decision in most cases.
  • Certified Level 4 (historical Rev5 categorization: N/A): There is a typical amount of information in the FedRAMP Certification package that is adequate for use in a moderate impact authorization decision in almost every case. This level also means that the cloud service provider has implemented all Rev5 Balance Improvement Releases and met nearly all recommendations from FedRAMP with no corrective action for the past year.
  • Certified Level 5 (historical Rev5 categorization: High): There is a significant amount of information in the FedRAMP Certification package that is adequate for use in a high impact authorization decision in many cases.
  • Certified Level 6 (historical Rev5 categorization: N/A): There is a significant amount of information in the FedRAMP Certification package that is adequate for use in a high impact authorization decision in almost every case. This level also means that the cloud service provider has implemented all Rev5 Balance Improvement Releases and met nearly all recommendations from FedRAMP with no corrective action for the past year.

Marketplace Lifecycle for Rev5

Cloud services following the legacy FedRAMP Rev5 agency authorization or program authorization processes will transition between the following statuses during their lifecycle on the Marketplace:

  1. Preparation: The provider is carrying out the essential activities to prepare the organization to manage its security and privacy risks following the FedRAMP Rev5 process.

    Note: This status has specific requirements outlined in RFC-0021: Expanding the FedRAMP Marketplace.

  2. Agency Authorization In Process: An agency has notified FedRAMP that they have begun an agency authorization for the cloud service in accordance with FedRAMP guidelines.

  3. Assessment by FedRAMP: FedRAMP is performing the final assessment that may result in FedRAMP Certification for the cloud service offering. The target time for this step is less than 30 days if the package is truly complete.

  4. Continuous Monitoring: The cloud service is FedRAMP Certified and is continuously monitoring the security of their service in alignment with FedRAMP Rev5 continuous monitoring requirements.

    Note: This is the target end status for Rev5 cloud service offerings.

  5. Remediation: The provider is currently correcting a significant underlying issue with the cloud service.

FedRAMP Validated (20x)

The “FedRAMP Validated” authorization designation indicates that a service has demonstrated to FedRAMP the ability to persistently validate their security posture such that their validation package will always accurately reflect the current status of their service. FedRAMP has assessed the processes used by this service provider and ensured there is sufficient information in the persistent assessment materials to be used by agencies to make ongoing authorization decisions. All 20x Validated services are FedRAMP authorized.

FedRAMP Validation levels do not indicate the security of the cloud service overall! These levels only indicate the coverage and depth of the assessment materials available to agencies via FedRAMP.

Effective Date: March 18, 2026 (tentatively) - on or near this date, all cloud services will be transitioned to their new designation.

20x Validated Levels, each with the historical FedRAMP 20x categorization it maps from:

  • Validated Level 1 (historical 20x categorization: Pilot): There is a minimum amount of information in the FedRAMP Validation package that is adequate for use in a negligible or low risk non-sensitive authorization decision in most cases.
  • Validated Level 2 (historical 20x categorization: Low): There is a small amount of information in the FedRAMP Validation package that is adequate for use in a low impact authorization decision in most cases.
  • Validated Level 3 (historical 20x categorization: Moderate): There is a typical amount of information in the FedRAMP Validation package that is adequate for use in a moderate impact authorization decision in most cases.
  • Validated Level 4 (historical 20x categorization: N/A): There is a typical amount of information in the FedRAMP Validation package that is adequate for use in a moderate impact authorization decision in almost every case. This level also means that the cloud service offering has met nearly all recommendations from FedRAMP with no corrective action for the past year.
  • Validated Level 5 (historical 20x categorization: N/A): There is a significant amount of information in the FedRAMP Validation package that is adequate for use in a high impact authorization decision in many cases.
  • Validated Level 6 (historical 20x categorization: N/A): There is a significant amount of information in the FedRAMP Validation package that is adequate for use in a high impact authorization decision in almost every case. This level also means that the cloud service offering has met nearly all recommendations from FedRAMP with no corrective action for the past year.

Marketplace Lifecycle for 20x

Cloud services following the FedRAMP 20x process for program authorizations will transition between the following statuses during their lifecycle on the Marketplace:

  1. Preparation: The provider is carrying out the essential activities to prepare the organization to manage its security and privacy risks following the FedRAMP 20x process; the cloud service may also be FedRAMP Validated Level 1 in this status.

    Note: This status has specific requirements outlined in RFC-0021: Expanding the FedRAMP Marketplace and RFC-0022: Leveraging External Frameworks.

  2. Prioritized: The provider has been accepted into a pilot or other prioritization process where they are working directly with FedRAMP on finalizing a FedRAMP 20x Validation.

  3. Assessment by FedRAMP: The service has submitted a complete 20x Validation package to FedRAMP that meets all FedRAMP 20x requirements for final assessment and processing. The target time frame for this step is less than 30 days if the package is truly complete.

  4. Persistent Validation: The cloud service is FedRAMP Validated and is in the ongoing status of persistent validation in alignment with FedRAMP 20x persistent validation requirements.

    Note: This is the target end status for 20x cloud service offerings.

  5. Remediation: The provider is currently correcting a significant underlying issue with the cloud service, typically as part of formal corrective action.