RFC-0023 Rev5 Program Certifications (No Sponsor Required)
Summary
This RFC proposes a time-limited opportunity for cloud service providers who have already made significant progress towards a FedRAMP Rev5 Certification but are struggling to find an agency sponsor due to budgetary constraints within agency information security programs. FedRAMP will offer program authorizations for FedRAMP Certification at Level 1-4 to cloud service providers who adopt certain optional Rev5 Balance Improvement Releases and undergo a complete independent assessment.
This RFC also proposes a timeline for phasing out FedRAMP Ready in favor of this new path and FedRAMP 20x Validations.
This RFC is aligned with other concurrent RFCs that have additional detail on specific topics but have been published separately to encourage topic-specific comments:
- RFC-0020: FedRAMP Authorization Designations
- RFC-0021: Updating the FedRAMP Marketplace
- RFC-0022: Leveraging External Frameworks
- RFC-0024: Rev5 Machine-Readable Packages
Background
The primary benefit of the agency authorization path for FedRAMP is the distribution of initial costs across the federal government: the legacy Rev4 and Rev5 authorization paths were so expensive for the government that each such initial authorization might cost hundreds of thousands of dollars while ongoing continuous monitoring can cost tens of thousands of dollars. Centralizing authorization along these paths in a single entity like FedRAMP would require considerably more than the $25mil allocated at peak for FedRAMP in FY24 (let alone the $10mil budget FedRAMP operates on today).
A year ago FedRAMP had a backlog of 100+ cloud services waiting for final assessment and authorization, and nearly all funding and resources went to eliminating that backlog during the last half of FY25. This was highly successful, and for the last few months there have been fewer than 10 cloud services in that final review queue for FedRAMP Certification at any given time.
FedRAMP 20x has also focused on making significant improvements to the underlying authorization requirements to drastically reduce the cost and resources required for government review, so that FedRAMP can perform a final assessment and authorization for a tiny fraction of this cost. Many of these improvements are being made available along the Rev5 path in the form of Balance Improvement Releases - typically optional changes to the process that result in a quicker, cheaper, more efficient initial and ongoing authorization process.
Motivation
For many years the struggle for agency sponsorship has been the single biggest challenge for cloud service providers to overcome while seeking a FedRAMP authorization. This struggle is even harder today as budgets and resources for many agency information security programs have shifted unexpectedly. Many cloud service providers have invested significant effort and funding into the Rev5 authorization path and have realistic demand from agencies, but are still unable to finalize an authorization due to the complexity of agency sponsorship expectations.
FedRAMP has spent the past year under an aggressive multi-faceted modernization effort to eliminate the years-long FedRAMP authorization backlog while building and piloting a more efficient and more secure approach to assessment and authorization. Many cloud services that invested in the legacy Rev5 path are interested in the modern approach but are caught between continuing forward on that path or waiting for a formal 20x path that will likely require significant rework in the short term.
At FedRAMP’s current staffing level, and assuming successful implementation of our FY26 and FY27 staffing plan, we are able to take on more Rev5-based assessments and authorizations than we are currently receiving from agency authorizations. We estimate that by applying the improvements to the Rev5 process available via Balance Improvement Releases we may be able to complete 40-50 program authorizations for Rev5 this year while demand for 20x authorizations builds.
Opening a sponsorless Rev5 Certification path will provide a release valve for agencies and cloud service providers that are currently stuck in limbo pending wide-scale adoption of FedRAMP 20x, at the risk of providers investing in a process that will soon be defunct. Nonetheless, given FedRAMP’s mission to ensure civil servants have access to all the modern tools and capabilities that they need, supporting Rev5 Certification for services that are almost ready to go over the next year is the right thing to do.
Ultimately it is up to each business to make its own determination about how to invest resources. If a business wants to invest in a Rev5 Certification while knowing this path is a legacy path that will be phased out over the next few years, then so be it; FedRAMP will ensure agencies can use that product in the interim.
Retiring FedRAMP Ready
FedRAMP Ready will be rapidly phased out to prevent unnecessary investment and make room for this new Certification path.
The proposed process for retiring FedRAMP Ready on July 28, 2026 is as follows:
- FedRAMP Ready will be renamed “Legacy FedRAMP Ready.”
- FedRAMP will stop accepting any new submissions for FedRAMP Ready.
- Legacy FedRAMP Ready cloud services will remain listed in this status until the later of November 17, 2026 or the expiration of their most recent yearly assessment.
- Legacy FedRAMP Ready cloud services will retain their legacy impact level and will not be FedRAMP Certified.
Proposed Requirements for Rev5 Program Certification
The following term will be defined in FedRAMP materials related to these requirements:
Trusted Assessor: A FedRAMP-recognized independent assessor with no corrective action in the last 12 months that was the primary assessor for 3 cloud service offerings granted initial FedRAMP Certification in the last 12 months is trusted for FedRAMP Certification; OR a FedRAMP-recognized independent assessor with no corrective action in the last 12 months that was the primary assessor for 3 cloud service offerings granted initial FedRAMP Validation in the last 12 months is trusted for FedRAMP Validation.
Notes:
Trusted assessor status applies at the beginning of an assessment; if a trusted assessor loses that status during the assessment, FedRAMP will not hold this against either the cloud service provider or the independent assessor.
FedRAMP will note trusted assessor status on the FedRAMP Marketplace.
The following requirements apply for all cloud services that wish to obtain and maintain a FedRAMP Program Certification for Rev5 without an agency sponsor; these requirements must be met and assessed prior to submission to FedRAMP.
LPC-FRX-MCM Minimum Continuous Monitoring
FedRAMP MUST provide a minimum level of continuous monitoring for cloud service offerings with a FedRAMP Program Certification, including at least reviewing Ongoing Authorization Reports to ensure the cloud service is maintaining appropriate security measures.
LPC-FRX-GRC Prioritization of Some GRC Tools
FedRAMP SHOULD prioritize the FedRAMP Program Certification of cloud services that can be used by agencies to ingest machine-readable authorization data for the cloud services they use; such GRC automation services will have a separate submission queue where 3 GRC automation services will be FedRAMP Program Certified for every 1 non-GRC automation service as long as demand exists in the GRC automation queue.
Note: This prioritization does NOT apply to all GRC services, ONLY to GRC services that will be used by agencies to oversee federal information systems. Many GRC services are designed for use by commercial cloud services to review the security posture of their own service and produce materials for third parties and would not meet the stated requirement of agency use to oversee federal information systems.
LPC-GEN-PRE Preparation State Listing Required
Providers MUST meet all requirements for a FedRAMP Marketplace listing in the Preparation state prior to submitting an authorization package for FedRAMP Program Certification.
Note: See RFC-0021 Updating the FedRAMP Marketplace, including proposed MKT-PRE requirements and recommendations for context.
LPC-GEN-LVL Level Limited
Providers MUST request FedRAMP Program Certification Level 1, 2, 3, or 4; requests for Program Certification Level 5+ will be immediately denied.
Note: High impact reviews are too expensive and time-consuming with lower demand for reuse - it’s more effective to complete a program authorization for 3-5 services under Level 5 than to complete one for a Level 5 or 6 service.
LPC-GEN-IBR Implement Balance Releases
Providers MUST implement all legacy Rev5 requirements at the appropriate impact level, adjusted to include all mandatory Rev5 Balance Improvement Releases along with the following optional ones:
- Minimum Assessment Scope
- Authorization Data Sharing
- Collaborative Continuous Monitoring
- Significant Change Notifications
- Vulnerability Detection and Response
Notes:
- Some of these Balance Improvement Releases are entering wide release, open beta, or closed beta in February 2026.
- For clarification purposes, any optional Balance Improvement Release listed in this requirement is NOT optional for FedRAMP Program Certification; it is mandatory.
LPC-GEN-LMR Legacy Machine-Readable Package Requirements
Providers MUST meet the requirements and recommendations from the final version of FedRAMP’s requirements for Rev5 Machine-Readable Packages.
Notes:
- RFC-0024: Rev5 Machine-Readable Packages contains the relevant proposed requirements; remember that final requirements may vary and this RFC should not be referred to after the comment period.
- These requirements must be addressed in advance of submission for FedRAMP Program Certification, regardless of the Effective Date for requirements in LFR-MRP. That means any submission prior to September 30, 2026 must still meet the requirements.
- There will be no grace periods to meet the requirements in the final LFR-MRP; they must be met in advance of submission.
LPC-GEN-MBA Mandatory Balance Improvement Release Adoption
Providers MUST participate in the first beta for any future mandatory or optional Rev5 Balance Improvement Release, then implement the related requirements and recommendations.
Note: Even future optional Balance Improvement Releases are effectively mandatory while a cloud service is being monitored by FedRAMP.
Corrective Action: Failure to meet this requirement will result in public notification and a 6 month grace period to adopt the related Balance Improvement Release, followed by revocation of FedRAMP Certification for at least 3 months.
LPC-GEN-ATA Assessment by Trusted Assessor
Providers MUST complete a full FedRAMP assessment with a trusted assessor for FedRAMP Certification that includes an attestation of completeness and an overall positive recommendation.
Notes:
- In the event of a dispute about a control or other implementation, cloud service providers or their independent assessor may request public clarification in the FedRAMP Community Rev5 Discussion forum if the matter is not sensitive; otherwise they may jointly email info@fedramp.gov.
- This does not mean that there should be no findings and that everything needs to be perfect; it means that all of the necessary materials have been provided and that the package is complete, so that FedRAMP can perform a final assessment and make a decision without requesting additional materials. The assessor is indicating that FedRAMP has sufficient information to perform this final review without a considerable investment in government resources to seek clarification or missing materials.
LPC-GEN-IRI Included Required Information
Providers MUST ensure all required information is included in the authorization package prior to submission for FedRAMP, including a final attestation and recommendation for submission from the assessor.
Notes:
- The Authorization Data Sharing process explains how to share a FedRAMP authorization package.
- The formal process for submission will be included, with instructions, in these materials when finalized.
Corrective Action: Failure to submit a complete package will result in the following corrective actions depending on severity:
- Missing information on 10 or fewer requirements: The cloud service provider will have 5 business days to address the missing requirements, or a denial of authorization will be issued and a 1 month resubmission penalty will be applied.
- Missing information on 11 or more requirements, or any appendix or set of requirements in entirety: A denial of authorization will be issued and a 3 month resubmission penalty will be applied.
LPC-GEN-AVV Assessors Verify and Validate All Requirements
Assessors MUST verify and validate that all requirements for FedRAMP Program Certification have been met by the provider prior to recommending submission to FedRAMP.
Note: This does not mean that there should be no findings and that everything needs to be perfect; it means that all of the necessary materials have been provided and that the package is complete, so that FedRAMP can perform a final assessment and make a decision without requesting additional materials. The assessor is indicating that FedRAMP has sufficient information to perform this final review without a considerable investment in government resources to seek clarification or missing materials.
Corrective Action: If an assessor recommends the submission of a grossly incomplete package that is missing information on 11 or more requirements or any appendix or set of requirements in entirety, corrective action will include public notification resulting in the loss of trusted assessor status for 12 months.
LPC-TIM-EOL End of Life for Legacy Program Certification
Providers MUST submit complete authorization packages for FedRAMP Program Certification before 2PM ET December 16, 2026 (FY27 Q1).
Note: There will be no grace period and any incomplete or insufficient packages submitted before this deadline will be permanently denied. Providers will have access to the FedRAMP 20x Validation program authorization path instead.