FedRAMP News in 2026: Program Changes, 20x Updates, and Vendor Priorities

Written by: 
Team Knox
Published on: 
July 16, 2026

The Federal Risk and Authorization Management Program (FedRAMP) is the government's standard for authorizing cloud services to handle federal data. It runs the FedRAMP Marketplace, where agencies find authorized cloud products, historically sorted into Low, Moderate, and High impact levels. For a SaaS vendor, a FedRAMP authorization defines eligibility to sell cloud services to federal agencies.

In 2026, the authorization architecture has undergone a structural change. FedRAMP finalized and launched the Consolidated Rules for 2026 (CR26) on June 25, 2026, bringing together FedRAMP 20x, the automated authorization model, and revised requirements for existing Rev5 authorization holders into a single ruleset. Several CR26 milestones have already passed as of this writing, with the rest landing through early 2027.

Key Takeaways

  • CR26 has launched. FedRAMP finalized the Consolidated Rules for 2026 on June 25, 2026. Optional early adoption began July 4, 2026; mandatory adoption for all stakeholders lands January 1, 2027, and RFC-0024 mandates machine-readable packages for Rev5 holders by September 30, 2026.
  • KSIs replace narratives. Key Security Indicators condense NIST 800-53 Rev5 narratives into 56 Low and 61 Moderate indicators, requiring continuous validation instead of written documentation.
  • Labels are retiring. Low, Moderate, and High labels are being replaced by a lettered class system from A through D, changing how vendors describe authorizations to agency buyers.
  • Funding created urgency. Program Management Office (PMO) restructuring delayed 20x. Moderate standards, keeping Rev5 the only near-term path for many vendors and rewarding teams that move now.

FedRAMP 20x Has Moved Beyond the Pilot Stage

The 20x pilot tested whether continuous, automated compliance evidence could replace point-in-time audits at scale. Phase 1 proved the model could work, Phase 2 closed out the Moderate baseline, and Phase 3 is now the live, general-availability path for qualifying vendors.

Phase 1 Authorized Only 46% of Submissions

The Phase 1 pilot ran from April through September 2025. FedRAMP received 26 complete submission packages and granted 12 FedRAMP 20x Low pilot authorizations, for a total of 13 by the end of fiscal year 2025, which is roughly a 46% acceptance rate.

FedRAMP's Phase 1 recap concluded that a fully open pilot with minimal guardrails produced widely varying approaches and that cloud service providers would need to engage engineering teams heavily to adopt the new approach.

Phase 2 Closed Out the Moderate Baseline

The Phase 2 pilot ran from November 18, 2025, through the end of March 2026, focusing on the depth and burden of each KSI at the Moderate impact level. Submissions were limited to Phase 1 passing participants, AI-prioritized offerings, and critical-need services like trust centers and governance, risk, and compliance (GRC) tools.

FedRAMP received 14 qualifying submissions, capped general participation through the initial Phase 2 participants, and granted 8 Moderate pilot authorizations.

Under the new class system, the current Moderate baseline maps to Class C, and FedRAMP committed to finalizing the rules governing it by the end of June 2026.

Phase 3 Opens the 20x Path to Qualifying Vendors

Phase 3 began in April 2026. The Consolidated Rules for 2026 (CR26), which include all formalized FedRAMP 20x requirements, were finalized and launched on June 25, 2026, ahead of the original end-of-June target. The submission pipeline opens in stages: the Class A pipeline opens on August 3, 2026, and the Class B and Class C pipelines open on August 31, 2026.

FedRAMP 20x Phase 3 covers Class A (Pilot), Class B (Low), and Class C (Moderate) certifications. Class D (High) stays on the Rev5 path, with a Class D pilot currently targeted for FY27 Q1-Q2. Vendors should instrument KSI telemetry, document inheritance from authorized platforms, and prepare machine-readable submission packages now that the pipeline is open.

Key Security Indicators Replace Control Narratives

FedRAMP 20x replaces NIST 800-53 control narratives with Key Security Indicators (KSIs): 56 for Low under RFC-0006 and 61 for Moderate under RFC-0014.

The underlying NIST 800-53 Rev5 controls still exist and are still required. KSIs change how those controls are assessed, shifting from prescriptive narratives to measurable outcomes that can be automatically derived from technical configurations and resolved to true or false.

Vendors should treat the KSI shift as engineering work:

  1. Continuous Monitoring and Vulnerability Management. Providers must operate a Security Information and Event Management (SIEM) tool, perform authenticated vulnerability scanning, and run Infrastructure-as-Code (IaC) and configuration scanning.
  2. Identity and Access Controls. Providers must enforce phishing-resistant multi-factor authentication, use secure API authentication, and apply a least-privilege, role-based, just-in-time model.
  3. Configuration Management and Secure Baselines. RFC-0015 establishes the Recommended Secure Configuration Standard, while RFC-0014 rewrote KSI-SVC-04 as a direct IaC mandate for configuration automation.
  4. Incident Detection and Response. RFC-0014 renamed KSI-INR from "Incident Reporting" to "Incident Response," shifting the expectation from documenting an annual plan to demonstrating continuous active response.
  5. Supply Chain and Dependency Integrity. KSI-TPR governs third-party information resource management. Vendors with complex dependency stacks should start mapping now, since automated proof is harder to retrofit.

Those automated evidence streams also become the input for machine-readable packages now required under Rev5.

RFC-0024 Sets a Hard Machine-Readable Deadline for Rev5 Vendors

Many vendors tracking 20x missed the equally urgent news for Rev5 holders. RFC-0024, released January 13, 2026, mandates machine-readable authorization packages for all FedRAMP Rev5 providers, including those outside 20x. The Center for Cybersecurity Policy confirmed RFC-0024 applies to both current and future FedRAMP authorizations, even those that never opted into 20x.

FedRAMP's Notice NTC-0009, published in late March 2026, confirmed the initial outcome of RFC-0024 and folded its machine-readable requirements into CR26, finalized June 25, 2026.

  1. September 30, 2026: Machine-Readable Requirements Take Effect. New authorization packages must use an approved machine-readable format, with Open Security Controls Assessment Language (OSCAL) as the primary Rev5 standard. Existing authorizations transition at their next annual assessment.
  2. January 1, 2027: CR26 Becomes Mandatory. CR26 entered its optional early-adoption window on July 4, 2026, and becomes mandatory for all stakeholders on January 1, 2027.
  3. Late 2027: Grace Period Expires. The grace period for machine-readable packages expires September 30, 2027, after which services need compliant packages to maintain FedRAMP Certification. Class D services face the most demanding requirements.

Alongside these format changes, FedRAMP is also overhauling the terminology vendors use to describe their authorizations to agency buyers.

The Class A-D System Replaces the Low, Moderate, and High Labels

FedRAMP is retiring Federal Information Processing Standards (FIPS) 199 security categorization terminology—Low, Moderate, and High—and moving to a lettered class system. RFC-0020 originally included numbered levels, but FedRAMP reversed course, based on community feedback, to avoid confusion with the Department of Defense (DoD) Impact Level system.

  • The new certification profile is three-dimensional. A certification consists of a Type (20x or Rev5), a Path (Agency or Program), and a Class (A through D). Class D always goes through the Agency path under Rev5.
  • The lettered class system replaced numbered levels. Class A maps to a new time-limited Pilot baseline; Class B to the current Li-SaaS and Low baselines; Class C to Moderate; and Class D to High.
  • FedRAMP also introduced a new Program path alongside the existing Agency path: under Program Certification, FedRAMP itself conducts the independent assessment, giving vendors a route that doesn't require securing an agency sponsor first.
  • FedRAMP Ready is retiring July 28, 2026. No new FedRAMP Ready submissions will be accepted after that date, and existing services will transition to Legacy FedRAMP Ready status.
  • FedRAMP is also retiring the "FedRAMP Authorized" designation itself under CR26 in favor of "FedRAMP Certified." A service that was FedRAMP Authorized before the transition becomes FedRAMP Certified under the new system, with the same controls and boundary.
  • Vendors must update marketing and contract language. Proposals and agency-facing materials should shift from "FedRAMP Moderate" phrasing to the new Type/Path/Class profile.

These technical and structural changes are unfolding within a program whose operational capacity is itself in transition, shaping how quickly vendors can expect guidance and approvals.

FedRAMP Funding Constraints Slow 20x Standardization

The 20x rollout is happening amid PMO changes. The General Services Administration (GSA) declined to renew Noblis's $64 million program management contract. Federal News Network reported that FedRAMP 2025 would shift the program toward creating and maintaining standards and away from approving cloud authorization packages at the low and medium levels.

That PMO change creates a planning window for vendors ready to act:

  • Moderate KSI standards were finalized as part of CR26 on June 25, 2026, resolving the delay that had compressed vendors' planning timelines earlier in the year.
  • Near-term Moderate and High needs still require Rev5 evaluation. Vendors needing near-term Moderate or High authorization should evaluate whether Rev5 remains necessary for their contract timeline.
  • Rev5-positioned vendors can move while 20x standardizes. Vendors inside an existing authorized boundary already have active authorizations and agency relationships, so they can keep working while PMO guidance is finalized.
  • The commercial software mandate adds contradictory pressure. April 2025 executive orders directed agencies to purchase commercial products to the maximum extent practicable, even as authorization frameworks remain unfinalized.

With the program changes and operational constraints laid out, SaaS leaders need to take concrete steps now that the Class A, B, and C pipelines are open.

SaaS Vendors Need Four Actions Before Their Next Assessment Cycle

The vendors who are acting now are converting 2026 deadlines into architecture, evidence, and package work with the CR26 pipelines already open.

1. Determine Which Authorization Path Your Architecture Supports

20x Low and Moderate are designed for cloud-native, API-driven, IaC-managed services. Vendors with virtual machine (VM)-based or monolithic applications should account for the lack of a defined 20x path until Phase 4, at the earliest, in fiscal year 2027 (FY27). For those teams, the Rev5 inherited-boundary model may be the faster, architecture-agnostic route.

2. Begin an OSCAL Readiness Assessment Before September 2026

Whether vendors pursue 20x or Rev5, machine-readable packages are coming for everyone. Vendors need to be package-ready before their next annual assessment, making the engineering work worth scoping before the assessment cycle begins.

3. Map Your Security Stack Against the KSI Categories

Even vendors not yet in the 20x queue should know where their automation gaps sit. Existing security, vulnerability, and cloud posture tools may already generate the raw evidence types KSIs require. The open question is whether that evidence is structured for programmatic ingestion.

4. Move Now That the Pipeline Is Open

A SaaS vendor with a federal pipeline today must plan around both tracks. 20x general availability opened in stages this summer (Class A on August 3, Classes B and C on August 31), while Rev5 remains tied to the Agency authorization path and now layers in machine-readable engineering work that many vendors have not started.

Vendors who enter an authorized boundary before the 20x pipeline opens can now work toward active authorizations and agency relationships, an advantage that cannot be replicated retroactively.

A Pre-Authorized FedRAMP Boundary Converts Deadlines Into Execution Work

Knox's FedRAMP-as-a-Service platform operates a pre-authorized FedRAMP boundary that allows SaaS vendors facing 2026 deadline pressure to inherit 60% to 80% of required controls. While traditional FedRAMP authorization can cost upwards of $3.5 million and take 12 to 36 months, Knox's managed model is designed to support authorization in approximately 90 days at roughly 90% less cost.

Knox currently supports FedRAMP Moderate, FedRAMP High, and Defense Information Systems Agency (DISA) IL4; DISA IL5 authorization is in process.

To map your architecture to the fastest viable authorization path before the Q4 2026 window opens, schedule a call.

FAQs About FedRAMP 2026 Program Changes

Does RFC-0024 Apply to My Company If We Never Joined the 20x Pilot?

Yes. RFC-0024 applies to all FedRAMP Rev5 providers, including those who never opted into 20x. New packages need to be in machine-readable formats by September 30, 2026.

Is There a 20x Path for FedRAMP High?

No. Class D services remain on the Agency authorization path with no 20x equivalent available until at least 2027. Vendors needing High authorization should plan around Rev5.

Do KSIs Eliminate NIST 800-53 Controls Entirely?

No. The 56 Low and 61 Moderate KSIs leave NIST 800-53 controls in place. They change the assessment format from written narratives to automated, measurable outcomes.

Is FedRAMP 20x Generally Available Now?

Yes, in stages. FedRAMP finalized CR26 on June 25, 2026. The Class A pipeline opened on August 3, 2026, and Class B and Class C pipelines opened on August 31, 2026. Class D (High) has no 20x path yet.

What Happens to FedRAMP Ready Status?

FedRAMP Ready retires on July 28, 2026, and no new submissions will be accepted after that date. Existing services move into Legacy FedRAMP Ready or the replacement Class A path when eligible.