RFC-0024 FedRAMP Rev5 Machine-Readable Packages
Summary
This RFC proposes modifications to the FedRAMP Rev5 process for current and future Rev5-based assessments and authorizations to ensure that cloud service providers produce machine-readable authorization data that can be ingested by agency tools. This RFC applies only to the FedRAMP Rev5 process and does not apply to FedRAMP 20x.
These modifications include explicit requirements for the production of machine-readable authorization data by FedRAMP Rev5 providers, related timelines, and corrective actions for those who fail to meet these requirements. This RFC also proposes requirements for the structured nature of this required machine-readable authorization data to ensure interoperability between diverse government and industry systems, including the use of OSCAL (Open Security Controls Assessment Language).
Finally, this RFC proposes requirements and timelines for Rev5-based assessments and authorizations to transition, where feasible, from human-written narratives (or machine-generated probabilistic text designed to mimic human-written narratives) to machine-generated deterministic telemetry.
This RFC is aligned with other concurrent RFCs that have additional detail on specific topics but have been published separately to encourage topic-specific comments:
- RFC-0020: FedRAMP Authorization Designations
- RFC-0021: Expanding the FedRAMP Marketplace
- RFC-0023: Rev5 Program Certifications
Background
The history of federal information system security plans charts a fascinating course through the past 50+ years. Laws and policies throughout the 1970s and 1980s established recommendations for maintaining the security of federal information systems that changed rapidly in response to technology and shifting global politics. Momentum for system security plans reached an initial peak when the Office of Management and Budget (OMB) transmitted Appendix III to OMB Circular No. A-130 in 1985. This appendix, titled “Security of Federal Automated Information Systems”, established a “minimum set of controls to be included in Federal automated information systems security programs” and required agency officials to maintain information security programs.
The Computer Security Act of 1987 soon followed, creating the first statutory requirement for all agencies to “establish a plan for the security and privacy of each Federal computer system.” In 1988, OMB Bulletin No. 88-16 responded to the Computer Security Act by directing agencies to prepare security plans for each identified system and submit them to the National Bureau of Standards (which would soon be renamed NIST) for advice and comment.
NIST completed a review of the resulting government-wide computer security and privacy plans in 1990 and published a report (NIST IR 4409) that found, among many other issues, a lack of consistency and standardization in these plans across government agencies. A key result from this report was that NIST would develop guidance on computer security planning. Notably, this report included the following warning in its conclusion:
“It is unclear whether the plans submitted to NIST and NSA under OMB Bulletin 88-16 were true computer security planning instruments, or only artifacts produced to satisfy an external submission requirement.”
Eventually, in 1998, NIST first published the NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems. This guide recommended a format for system security plans that improved on the original format from OMB Bulletin No. 88-16 and provided a significant amount of supporting guidance on the creation of system security plans.
In 2016, NIST collaborated with FedRAMP to begin the development of OSCAL, the Open Security Controls Assessment Language, to provide a standardized machine-based representation of these artifacts to encourage a transition from manual human-written documents to materials that included machine-generated deterministic telemetry. Industry is generally quick to adopt capabilities that reduce cost, complexity, and risk but has shown little interest in leveraging OSCAL at scale in spite of its considerable promise. In 2025, FedRAMP processed 100+ Rev5 authorizations without a single submission that used OSCAL; no formal participants in the FedRAMP 20x Phase 1 pilot used it to structure the required machine-readable materials.
Today, at the beginning of 2026, the FedRAMP system security plans used by providers and agencies for the Rev5 process are at best a minor incremental improvement over the template provided in the original SP 800-18. The expectation remains that a human will manually write narrative responses to a series of questions, attaching supporting documents and materials, and justify an implementation for each control in text that is not directly tied to the system itself… and that these materials will all be reviewed manually by a different human.
Definitions
Italicized terms are explained in the Rev5 Balance Improvement Releases Definitions, with the most commonly used terms in this document provided below for quick reference:
Machine-Readable: Has the meaning from 44 U.S. Code § 3502 (18) which is “the term “machine-readable”, when used with respect to data, means data in a format that can be easily processed by a computer without human intervention while ensuring no semantic meaning is lost.”
Authorization Data: The collective information required by FedRAMP for initial and ongoing assessment and authorization of a cloud service offering, including the authorization package.
Authorization Package: Has the meaning from 44 USC § 3607 (b)(8) which is “the essential information that can be used by an agency to determine whether to authorize the operation of an information system or the use of a designated set of common controls for all cloud computing products and services authorized by FedRAMP.”
The following terms will be newly explained as follows:
Machine-Generated: Automatically produced by a computer process, application, or other mechanism without the intervention or manipulation of a human during production.
Deterministic Telemetry: Verifiable data collected directly from an authoritative source that represents a factual and reproducible observation of the attributes of a system such as the system’s state, configuration, or behavior.
Note: Probabilistic inferences, generative outputs, or predictive assessments such as those produced using generative transformer models (commonly referred to as “Generative AI”) do not constitute a factual record of the system state and must not be used to generate deterministic telemetry.
FedRAMP Certification: This is a draft label for FedRAMP Rev5 authorization discussed separately in RFC-0021: Expanding the FedRAMP Marketplace.
The capitalized key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this documentation are to be interpreted as described in IETF RFC 2119.
Motivation
The FedRAMP Authorization Act and OMB Memorandum M-24-15 directed FedRAMP to create a modernized assessment, authorization, and continuous monitoring process for cloud services used by agencies; FedRAMP 20x is being developed from first principles to ensure this process will support native machine-generated deterministic telemetry that is persistently distributed via machine-readable artifacts. FedRAMP is carefully integrating select improvements that have been piloted and tested with 20x into the Rev5 process to balance modernization with stability.
This set of requirements and recommendations, unique to the Rev5 process, is designed to ensure that legacy Rev5 FedRAMP Certified cloud service offerings can produce modern validated authorization data and that agencies can automatically consume this data to make both initial and ongoing authorization decisions.
First, the groundwork will be laid by aggressively transitioning FedRAMP authorization data from traditional word-processor and spreadsheet based submission materials to machine-readable structured information. This addresses the “chicken or the egg problem” that has hindered wide-scale adoption of machine-readable structured materials: without industry adoption there are no machine-readable structured materials for agencies to consume, so the change must begin outside the government, even if at first the machine-readable structured materials are only used to generate traditional documents for agencies. Formal requirements and deadlines for industry adoption of this capability are how this RFC breaks that cycle.
Second, as industry adopts, improves, and innovates with the production of machine-readable structured authorization data, FedRAMP will encourage and reward the integration of machine-generated deterministic telemetry within these materials. Providers following the Rev5 process that incorporate Balance Improvement Releases and build in machine-generated deterministic telemetry will be ranked higher in the Marketplace, receive additional support from FedRAMP such as centralized continuous monitoring, and be more likely to meet updated agency procurement requirements.
These changes will allow the Rev5 process to continue to exist and compete against the new 20x process until the ecosystem is ready to fully transition to 20x.
Summary of Deadlines
This summary is provided only for convenience and is not authoritative; please review the full proposed requirements and recommendations below for authoritative effective dates and specific applicability. In the event of a mismatch between deadlines in this summary and effective dates in the requirements and recommendations below, use the effective date for the specific requirement.
- April 15, 2026: Deadline for FedRAMP to publish materials to support industry adoption of machine-readable authorization packages.
- September 30, 2026: Requirements for adopting machine-readable authorization packages take effect; failure to meet these requirements on the applicable timelines will result in public notification. (Note: This is not a universal deadline as some requirements have additional delays built in, such as “the next annual assessment after September 30, 2026”)
- September 30, 2027: Grace period for adopting machine-readable authorization packages expires and any non-compliant service loses FedRAMP Certification.
Proposed Requirements for Rev5 Machine-Readable Packages
After public comment, the final form of these requirements and recommendations will apply to all cloud services obtaining or maintaining a Rev5 FedRAMP Certification based on the final Effective Date(s).
Unless otherwise specified in a specific requirement, the default corrective actions for cloud service providers that fail to address these requirements will be as follows:
Initial grace period until 2PM ET on September 30, 2027: Public notification that the provider has failed to meet this requirement and is pending revocation of FedRAMP Certification on September 30, 2027, unless this requirement is addressed.
After 2PM ET on September 30, 2027: Revocation of FedRAMP Certification (including revocation of any legacy exceptions based on FedRAMP Certification status), requiring a completely new initial authorization that meets all FedRAMP requirements for new assessments and authorizations at that time.
LMR-FRX-LAM List of Authorization Materials
FedRAMP MUST publish and maintain a list of required information for a Rev5 authorization package, including security controls from NIST SP 800-53 and FedRAMP-specific assignments and guidance for these controls; once published, FedRAMP will no longer publish or maintain word-processor based templates for these materials.
Note: This will include all standard Rev5 Appendices.
Effective Date: 2PM ET on April 15, 2026 (tentative)
LMR-FRX-LAF List of Approved Formats
FedRAMP MUST publish and maintain a list of approved standardized formats for the submission of machine-readable authorization data. Any approved standardized format that has not been adopted by any cloud service providers within 1 year of its inclusion will be removed from the list. This list will include:
- Any standardized format in the public domain that 5 or more FedRAMP Certified cloud service providers agree to use and maintain, subject to verification and validation from FedRAMP. Any such alliance may publish their intent, agreement, and the standardized format publicly then notify FedRAMP and the public by announcing this intent in the Rev5 Discussion section of the FedRAMP Community.
- The NIST Open Security Controls Assessment Language (OSCAL), so long as this project is maintained and responsive to industry input.
Note: There is no need for a single universal standardized format as structured formats are machine-interchangeable; automatically converting between standardized formats has been a normal part of exchanging data between computer systems for 50+ years. Industry is strongly encouraged to create innovative solutions that can compete with or replace OSCAL if that is necessary for the wide-scale production of machine-readable authorization data.
Effective Date: Concurrent with the publication of this document as a formal policy.
LMR-FRX-AMR Accepting Machine-Readable Packages
FedRAMP MUST accept and review new authorization packages submitted in a machine-readable approved format for FedRAMP Certification.
Effective Date: 2PM ET on April 15, 2026 (tentative)
LMR-FRX-PRM Prioritizing Review of Machine-Readable Submissions
FedRAMP MUST prioritize the Certification of new authorization packages submitted in an approved machine-readable format over those that are not. For authorization packages that are not submitted in an approved machine-readable format, FedRAMP will extend the target final review window from 30 days to 90 days and operate a separate lower-priority pipeline, so that machine-readable authorization packages are properly prioritized.
Note: FedRAMP will continue to perform Certification as quickly as possible based on the submission pipeline; packages that are not in an approved machine-readable format are likely to complete final assessment and authorization within 30 days until or unless the submission pipeline is flooded with machine-readable submissions.
Effective Date: 2PM ET on April 15, 2026 (tentative)
LMR-FRX-GPM General Prioritization of Machine-Readable Packages
FedRAMP MUST publicly identify FedRAMP Certified cloud service offerings with machine-readable authorization packages, prioritize their listing in search results, and coordinate additional support for agency adoption of such; this MUST include additional identification, prioritization, and support for services that leverage machine-generated deterministic telemetry or have adopted Rev5 Balance Improvement Releases.
Note: This reflects FedRAMP’s strong support for cloud service providers that adopt changing requirements benefiting the federal government, and ensures that providers who prioritize security-based improvements to meet changing FedRAMP requirements benefit from doing so when agencies consider their use.
Effective Date: 2PM ET on April 15, 2026 (tentative)
LMR-GEN-ICR Initial Certification Requirements
Providers MUST submit new authorization packages for initial FedRAMP Certification in an approved machine-readable format.
Notes:
- This requirement does not apply to providers with an active Rev5 FedRAMP Certification (see LMR-GEN-OAR for existing Rev5 Certified cloud services).
- New authorization packages will not be accepted by FedRAMP unless they are in an approved machine-readable format once this rule takes effect; there will be no grace period or exceptions regardless of demand, delay, or other factors. This includes authorization packages that are In Process for Agency Authorization; such authorization packages must be converted into an approved machine-readable format prior to submission to FedRAMP for Certification.
- This is effectively a 9+ month advance warning for cloud services seeking a Rev5-based FedRAMP Certification to transition to a machine-readable format before the final package is submitted to FedRAMP after an agency authorization; this should be sufficient time to acquire or deploy necessary capabilities.
Effective Date: 2PM ET on September 30, 2026 (no grace period)
LMR-GEN-OAR Ongoing Authorization Requirements
Providers MUST submit a full authorization package in an approved machine-readable format for each annual assessment to maintain FedRAMP Certification.
Notes:
- This requirement applies to all cloud service providers with a current Rev5 FedRAMP Certification.
- This requirement applies to the next annual assessment that is completed after the Effective Date.
Effective Date: 2PM ET on September 30, 2026
LMR-GEN-SDS Service-based Data Separation
Providers SHOULD separate the authorization data for services or sets of services when submitting machine-readable authorization packages so that customers are able to easily review authorization data for specific services or sets of services, as appropriate; such separation SHOULD at least align with services or sets of services that are commonly procured separately.
Notes:
- This recommendation will result in increased transparency of the services included in a FedRAMP Certification and make per-service customer adoption assets available to agencies and other customers.
- Providers are expected to make their own determinations about the appropriate separation of per-service (or sets of services) authorization data and are encouraged to do this programmatically such that customers can pull only the assets they need for the services they plan to use. Implementation of this requirement should be done in consultation with the business branches of the cloud service provider.
- This requirement only applies to cloud service offerings when they next submit a machine-readable authorization package after the effective date; for example, a machine-readable authorization package submitted in August of 2026 will not be impacted by this requirement until the provider submits a new package as part of its annual assessment in August of 2027, at which point the provider will have until October 1, 2027 to meet the requirement or lose its FedRAMP Certification.
Effective Date: 2PM ET on September 30, 2026
LMR-GEN-USC Updates after Significant Changes
Providers MUST update their machine-readable authorization package after completing significant changes to accurately reflect the current state of their cloud service by 2PM ET at the end of the following month.
Notes:
- This addresses a significant problem with legacy authorization packages when cloud service providers make significant changes such as adding or integrating additional services in a way that creates confusion for agencies reviewing their authorization package for potential use because these changes are not documented in the primary materials.
- The “end of the following month” is used to simplify setting deadlines; for example, if a significant change is completed on February 12 then the deadline is 2PM on March 31.
- Providers are encouraged to complete updates well ahead of this deadline; where relevant, the average number of days it takes a provider to update their primary materials after making a significant change may be tracked and published by FedRAMP.
- This only applies to providers after they have submitted their first machine-readable authorization package in alignment with other requirements and effective dates in this document.
Effective Date: 2PM ET on September 30, 2026
Corrective Actions: This requirement will be enforced over a rolling 1 year period as follows:
- First action: Public notification and a 3 month grace period to address the requirement; failure to address it, or a new occurrence that is not addressed by the end of the grace period, will lead to the second action.
- Second action: Revocation of FedRAMP Certification (including revocation of any legacy exceptions based on FedRAMP Certification status), requiring a completely new initial authorization that meets all FedRAMP requirements for new assessments and authorizations at that time, with a 3 month resubmission penalty.
LMR-GEN-DGI Deterministically Generated Illustrations
Providers SHOULD use machine-generated deterministic telemetry to generate all necessary illustrations and diagrams, including at least the Authorization Boundary Diagram.
Note: The marketplace listing and authorization package for cloud services that do not follow this recommendation will include a warning that illustrations and diagrams are artisanal artifacts and may be unreliable.
Effective Date: 2PM ET on September 30, 2026
LMR-GEN-UDT Use Deterministic Telemetry
Providers SHOULD use machine-generated deterministic telemetry in place of manually or probabilistically generated narratives in authorization data where feasible.
Note: FedRAMP is deliberately leaving this vague and up to the cloud service provider; use of machine-generated deterministic telemetry will be a factor in both initial and ongoing FedRAMP Certification.
Effective Date: 2PM ET on September 30, 2026
LMR-GEN-HRV Human-Readable Versions
Providers MUST also make human-readable versions of all materials in the machine-readable authorization package available in standard formats, such as Word and Excel, if requested by FedRAMP or an agency.
Notes:
- Generation of human-readable versions from structured machine data should be a default capability of any approved format and a relatively trivial task.
- This will be necessary for some period of time as industry and agencies adopt machine-readable formats for Rev5 authorization packages.
- The grace period for this requirement is coterminous with the grace period for providing a machine-readable package; that is, once a provider begins sharing machine-readable materials, any grace period for providing human-readable versions of them expires.
Effective Date: 2PM ET on September 30, 2026
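The note under LMR-GEN-HRV calls generating human-readable versions from structured data “a relatively trivial task”, and LMR-GEN-SDS asks that the same data be separable per service. The following added example (not FedRAMP’s, NIST’s, or any provider’s code) shows both on one input: it parses a constructed, simplified fragment that follows the OSCAL SSP JSON field names (`system-security-plan`, `system-implementation.components`, `control-implementation.implemented-requirements`, `by-components`), groups control statements by the service each component belongs to, and renders one Markdown section per service. Assumptions: the fragment is not a complete or schema-validated OSCAL document, the component `uuid` values are short placeholders rather than real UUIDs, and the `service` prop used for grouping is an example-only convention that neither OSCAL nor FedRAMP defines. The one check worth keeping in any real converter is also here: a `by-components` entry that points at a component the SSP never declares is a broken reference, and a machine-readable package that silently drops it has lost semantic meaning, so the converter refuses it instead.

```python
"""Split a minimal OSCAL-shaped SSP fragment per service and render it as Markdown.

Added example; not FedRAMP, NIST, or vendor code. Field names follow the OSCAL SSP
JSON model, but the document is a constructed, incomplete sample and is not
schema-validated. The "service" prop is an assumed grouping convention for this
example only; it is not defined by OSCAL or FedRAMP.
"""
import json
from collections import defaultdict

# Constructed sample input (placeholder uuids, three components, three controls).
SAMPLE_SSP = json.dumps({
    "system-security-plan": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "metadata": {"title": "Example CSO", "version": "2026.1"},
        "system-implementation": {
            "components": [
                {"uuid": "c-iam", "type": "service", "title": "Identity Service",
                 "props": [{"name": "service", "value": "Identity"}]},
                {"uuid": "c-obj", "type": "service", "title": "Object Storage",
                 "props": [{"name": "service", "value": "Object Storage"}]},
                {"uuid": "c-vm", "type": "service", "title": "Compute Instances",
                 "props": [{"name": "service", "value": "Compute"}]},
            ]
        },
        "control-implementation": {
            "implemented-requirements": [
                {"control-id": "ac-2", "by-components": [
                    {"component-uuid": "c-iam",
                     "description": "Accounts are provisioned through the identity service."}]},
                {"control-id": "sc-28", "by-components": [
                    {"component-uuid": "c-obj",
                     "description": "Objects are encrypted at rest with AES-256."}]},
                {"control-id": "au-2", "by-components": [
                    {"component-uuid": "c-obj",
                     "description": "Access logs are kept for every object request."},
                    {"component-uuid": "c-vm",
                     "description": "Instance lifecycle events are logged."}]},
            ]
        },
    }
})


def load_ssp(text: str) -> dict:
    """Parse JSON and return the system-security-plan object; fail loudly if it is absent."""
    doc = json.loads(text)
    try:
        return doc["system-security-plan"]
    except KeyError as exc:
        raise ValueError("not an OSCAL SSP: missing 'system-security-plan' root") from exc


def _prop(obj: dict, name: str, default: str) -> str:
    """Return the value of the first OSCAL prop (name/value pair) with the given name."""
    for prop in obj.get("props", []):
        if prop.get("name") == name:
            return prop["value"]
    return default


def split_by_service(ssp: dict) -> dict:
    """Group components and their control statements by service (LMR-GEN-SDS).

    Returns {service: {"components": [title, ...],
                       "controls": {control-id: [(component title, description), ...]}}}.
    A by-component pointing at an undeclared component is a dangling reference; raising
    keeps the converter from emitting a package that has quietly lost information.
    """
    components = {c["uuid"]: c for c in ssp["system-implementation"]["components"]}
    bundles = defaultdict(lambda: {"components": [], "controls": defaultdict(list)})
    for comp in components.values():
        bundles[_prop(comp, "service", "Shared")]["components"].append(comp["title"])
    for req in ssp["control-implementation"]["implemented-requirements"]:
        for bc in req.get("by-components", []):
            comp = components.get(bc["component-uuid"])
            if comp is None:
                raise ValueError(f"{req['control-id']}: dangling component-uuid {bc['component-uuid']}")
            service = _prop(comp, "service", "Shared")
            bundles[service]["controls"][req["control-id"]].append(
                (comp["title"], bc.get("description", "")))
    return {s: {"components": b["components"], "controls": dict(b["controls"])}
            for s, b in bundles.items()}


def render_markdown(service: str, bundle: dict) -> str:
    """Render one service bundle as a human-readable Markdown section (LMR-GEN-HRV)."""
    lines = [f"# {service}", "", "Components: " + ", ".join(bundle["components"]), "",
             "| Control | Component | Implementation |", "|---|---|---|"]
    for control_id in sorted(bundle["controls"]):
        for title, desc in bundle["controls"][control_id]:
            lines.append(f"| {control_id.upper()} | {title} | {desc} |")
    return "\n".join(lines) + "\n"


def render_all(text: str) -> dict:
    """Per-service human-readable views keyed by service name."""
    bundles = split_by_service(load_ssp(text))
    return {service: render_markdown(service, bundle)
            for service, bundle in sorted(bundles.items())}


if __name__ == "__main__":
    for view in render_all(SAMPLE_SSP).values():
        print(view)
```

Running the file prints three Markdown sections (Compute, Identity, Object Storage), each listing only the controls implemented by that service’s components; `au-2` appears under both Compute and Object Storage because both components carry a statement for it. Swapping the Markdown renderer for a Word or Excel writer is the only change needed to meet the “standard formats” wording of LMR-GEN-HRV.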