Skip to main content
Pricing
Sign inRequest demo

FedRAMP 20x + Authorization Act Updates: What Changed and What CSPs Should Do Next

FedRAMP is moving toward faster, more automated evidence-driven workflows. CSPs should tighten boundary clarity, machine-readable evidence, and repeatable control narratives.

Written by Arian|March 3, 2025|9 min read

Main question

What changed with FedRAMP 20x and what should CSPs do next?

FedRAMP 20x + Authorization Act Updates: What Changed and What CSPs Should Do Next

FedRAMP has shifted from a slow, document-heavy compliance program to a faster, automation-driven model anchored in statute. As of June 2026, the FedRAMP Authorization Act (Public Law 117-263) provides the legal foundation, FedRAMP 20x is in Phase 3 (wide adoption), and the Consolidated Rules for 2026 (CR26) are due by the end of June 2026 and valid through December 31, 2028. The practical message for cloud service providers (CSPs): tighten boundary clarity, produce machine-readable evidence, and build repeatable, automation-backed control narratives now.

Key takeaways

  • The FedRAMP Authorization Act (Dec 2022) codified FedRAMP in law and defines a FedRAMP authorization as a certification that a cloud product or service completed the FedRAMP process.
  • In 2026, FedRAMP uses one label — "FedRAMP Certified" — with no separate "FedRAMP Validated" designation for 20x vs. Rev 5 (per NTC-0004).
  • Baselines are now named as four Certification Classes — A, B, C, and D — replacing numbered "levels," to avoid confusion with the DoD Impact Level system.
  • The Consolidated Rules for 2026 (CR26) are scheduled for end of June 2026 and remain valid through December 31, 2028.
  • FedRAMP 20x has exited its pilots and entered Phase 3; the public submission pipeline is expected to open in FY26 Q4 (July–September 2026), initially for Class A (Pilot), Class B (Low), and Class C (Moderate).
  • The direction of travel is clear: continuous, automated validation over point-in-time audits, and machine-readable packages over static narratives.

What did the FedRAMP Authorization Act establish?

The FedRAMP Authorization Act, enacted as part of the National Defense Authorization Act for Fiscal Year 2023 (Public Law 117-263, December 2022), put FedRAMP on a statutory footing for the first time. Before the Act, the program operated under a 2011 memorandum from the Federal CIO with no direct legal basis. The Act, together with OMB Memorandum M-24-15 (2024), effectively redefined how FISMA applies to cloud services and re-established FedRAMP as the government-wide process for assessing and authorizing them.

Two definitions from the Act now drive 2026 terminology. The Act defines a FedRAMP authorization as "a certification that a cloud computing product or service has completed a FedRAMP authorization process," and a FedRAMP authorization package as "the essential information that can be used by an agency to determine whether to authorize the operation of an information system." FedRAMP has leaned directly on this language: the certification produces a reusable package that agencies use to make their own risk decisions under the Risk Management Framework.

A critical nuance: a FedRAMP Certification is not an agency Authority to Operate (ATO), and it is not a guarantee that a service is appropriate for a given FIPS 199 security category. FedRAMP produces reusable, vetted materials; the agency authorizing official still accepts the risk. If you are untangling these two concepts, see our breakdown of FedRAMP Certified vs ATO.

What has FedRAMP 20x changed in 2026?

FedRAMP 20x is the modern, cloud-native approach to certification, and in 2026 it is in Phase 3 — the move from pilots to a permanent, publicly available program. FedRAMP describes Phase 3 as the final set of activities needed to formally stand up 20x Certification types, with the submission pipeline opening in FY26 Q4 and initial availability for Class A (Pilot), Class B (Low), and Class C (Moderate).

The substantive shift is in how security is demonstrated. Rev 5 was "designed for extensive written narratives describing static security decisions." 20x is "designed for automated demonstration of secure configurations and practices." In Rev 5, an agency sponsor invests resources up front; in 20x, no agency sponsor is required and FedRAMP reviews initial requests directly. FedRAMP has reported that 20x pilot participants received authorization "in less than two months from start," versus the years of preparation typical under the legacy path.

For CSPs, three 20x mechanisms matter most:

  • Key Security Indicators (KSIs) — concise, validatable statements of expected security capabilities (RFC-0006 for Phase One Low, RFC-0014 for Phase Two Moderate). These replace much of the prose-heavy control narrative with evidence that can be checked.
  • Persistent / automatic validation — once a goal is set and a measurement framework is defined, status should be "automatically enforced and validated without human input whenever possible," supporting continuous review rather than a point-in-time audit.
  • Minimum Assessment Scope (RFC-0005) — an updated, security-first approach to defining what is in the assessment boundary, replacing older boundary guidance.

If you are operationalizing this, our guide on how to automate KSI evidence walks through turning KSIs into continuously collected, machine-readable proof. For dates and phase detail, see the FedRAMP 20x roadmap and key dates.

What's the new terminology — FedRAMP Certified and Classes A–D?

The biggest naming change of 2026 came from RFC-0020 (FedRAMP Authorization Designations) and its outcome notice, NTC-0004 (published February 25, 2026). The goal was to end the long-running confusion between "FedRAMP authorization" and an agency "authorization to operate." Three decisions stand out.

First, there is now a single official label for all FedRAMP authorizations: FedRAMP Certification / FedRAMP Certified. FedRAMP explicitly decided not to create separate designations such as "FedRAMP Validated" for 20x versus Rev 5, agreeing with commenters that doing so would add procurement confusion. The Marketplace will instead use filters to distinguish the underlying paths.

Second, baselines are no longer "levels" or numbers. Each baseline now maps to a FedRAMP Certification Class (A, B, C, or D). FedRAMP dropped numbered levels specifically to avoid collision with the DoD/DoW Impact Level (IL) system, and to signal that the class defines the scope and depth of the assessment, not the total security or quality of the service.

Third, FedRAMP kept four baselines with only minor changes, and provided a mapping for the transition period:

Certification ClassMaps to (Rev 5)Notes
Class ANew pilot baselineSmaller initial information burden; entry point, also a 20x option
Class BCurrent LI-SaaS + LowLight-use / smaller-footprint services; 20x option
Class CCurrent ModerateThe common target for SaaS used broadly by agencies; 20x option
Class DCurrent HighHigh-impact systems; not an initial 20x submission path

Source: FedRAMP NTC-0004 — Initial Outcome from RFC-0020

NTC-0004 stresses that these labels do not change the underlying requirements — they relabel existing baselines so the names better reflect FedRAMP's statutory role. Old and new labels will be linked during a transition period, with full detail in CR26. For more on how classes work in practice, our FedRAMP Marketplace explainer covers how authorized offerings are listed and filtered.

What is the Consolidated Rules for 2026 (CR26)?

The Consolidated Rules for 2026 (CR26) is the document that pulls the new rules together. Per NTC-0004 and the Phase 3 page, FedRAMP plans to publish CR26 by the end of June 2026 (FY26 Q3), and the rules will be valid through December 31, 2028. CR26 is expected to contain all the requirements for FedRAMP 20x and to formalize the Class A/B/C/D labels, the transition mapping, and the relationship between 20x and Rev 5 baselines.

A few things remain in flux as of this writing and should be confirmed against CR26 when it publishes: the exact requirement deltas per class, the timeline and mechanics for Class D / High under 20x (signaled for a later phase), and the precise transition rules linking old and new labels. Treat anything beyond what FedRAMP has published in RFCs and notices as directional, not final.

What should CSPs do next?

The actions below follow directly from the published direction: automation, machine-readable evidence, and boundary clarity. The table maps each change to its practical implication and a concrete next step.

ChangeWhat it meansCSP action
Single "FedRAMP Certified" label (NTC-0004)No more "Validated" vs "Authorized" split; one term in contracts and marketingUpdate sales, security, and procurement language to "FedRAMP Certified"; stop using "FedRAMP Validated"
Classes A–D replace numbered levelsBaseline names describe assessment depth, not security quality or ILRe-map your target baseline (e.g., Moderate → Class C); brief teams so no one confuses Class with DoD IL
CR26 due end of June 2026, valid to Dec 31 2028A single rulebook with a defined validity windowRead CR26 on release; align your roadmap to the 2026–2028 window
20x in Phase 3; pipeline opens FY26 Q4Public submissions for Class A/B/C become possible this fiscal yearDecide your path now; if pursuing 20x, target the pipeline opening window
Automatic / persistent validationContinuous proof beats point-in-time auditsStand up continuous evidence collection for KSIs; instrument controls to emit status automatically
Machine-readable packages (RFC-0024)Agencies ingest authorization data with toolingProduce OSCAL/machine-readable artifacts, not just PDFs
Minimum Assessment Scope (RFC-0005)Security-first boundary definitionRe-examine and tighten your boundary; document scope clearly and defensibly

A first-hand view: where teams actually get stuck

In our work helping CSPs prepare 20x evidence, the friction is rarely the security capability itself — it is proving it continuously and machine-readably. Teams that previously wrote a paragraph asserting, for example, that MFA is enforced now need an automated check that emits the enforced state on a schedule and survives a reviewer querying it months later. The CSPs that move fastest are the ones that treat each KSI as a small, testable assertion wired to live telemetry from their cloud and security tooling, then store the result in a structured, reusable format. That is the difference between a narrative you re-litigate every audit and a control story that maintains itself. Boundera was built around exactly this loop: map KSIs to evidence sources, validate continuously, and keep the package machine-readable from day one.

Frequently asked questions

Is "FedRAMP Validated" still a thing in 2026?

No. Per NTC-0004, FedRAMP decided against a separate "FedRAMP Validated" designation. There is one label — FedRAMP Certified — for both 20x and Rev 5 paths. The Marketplace uses filters, not separate labels, to distinguish the paths.

What's the difference between a FedRAMP Certification and an agency ATO?

A FedRAMP Certification is a vetted, reusable authorization package. An agency ATO is a specific agency's decision to accept the risk of operating that service in its environment at a chosen FIPS 199 category. FedRAMP does not make the agency's risk decision for it; the certification just makes that decision far easier and reusable.

What do Classes A, B, C, and D map to?

Per NTC-0004, Class A is a new pilot baseline, Class B covers the current LI-SaaS and Low baselines, Class C is the current Moderate baseline, and Class D is the current High baseline. The four baselines themselves change only minimally; the labels are what's new.

When is CR26 released and how long is it valid?

FedRAMP plans to publish the Consolidated Rules for 2026 by the end of June 2026 (FY26 Q3). The rules are valid through December 31, 2028.

When can I submit a FedRAMP 20x package?

FedRAMP 20x is in Phase 3. The pilots are over, and the public submission pipeline is expected to open in FY26 Q4 (July–September 2026), initially for Class A (Pilot), Class B (Low), and Class C (Moderate).

Does the Authorization Act require continuous monitoring?

The Act and OMB M-24-15 push FedRAMP toward continuous, automated assurance, and 20x operationalizes this through persistent validation and KSIs. The exact continuous-monitoring requirements per class will be detailed in CR26 and related standards, so confirm specifics there.

Should I pursue Rev 5 or 20x right now?

It depends on your timeline, baseline, and whether you have an agency relationship. 20x offers a faster, automation-first path without an agency sponsor; Rev 5 remains available and is the only current route to a High (Class D) profile. Confirm the Class D / High 20x timeline in CR26 before committing.

Did the new labels change FedRAMP requirements?

No. NTC-0004 is explicit that the new labels relabel existing baselines and do not change the underlying requirements. The intent is to reduce confusion about what a FedRAMP Certification means, not to raise or lower the bar.

Sources


Last updated: June 2026. Written by the Boundera team. Boundera is an AI copilot for FedRAMP.

Frequently asked questions

Is "FedRAMP Validated" still a thing in 2026?

No. Per NTC-0004, FedRAMP decided against a separate "FedRAMP Validated" designation. There is one label - FedRAMP Certified - for both 20x and Rev 5 paths. The Marketplace uses filters, not separate labels, to distinguish the paths.

What's the difference between a FedRAMP Certification and an agency ATO?

A FedRAMP Certification is a vetted, reusable authorization package. An agency ATO is a specific agency's decision to accept the risk of operating that service in its environment at a chosen FIPS 199 category. FedRAMP does not make the agency's risk decision for it; the certification just makes that decision far easier and reusable.

What do Classes A, B, C, and D map to?

Per NTC-0004, Class A is a new pilot baseline, Class B covers the current LI-SaaS and Low baselines, Class C is the current Moderate baseline, and Class D is the current High baseline. The four baselines themselves change only minimally; the labels are what's new.

When is CR26 released and how long is it valid?

FedRAMP plans to publish the Consolidated Rules for 2026 by the end of June 2026 (FY26 Q3). The rules are valid through December 31, 2028.

When can I submit a FedRAMP 20x package?

FedRAMP 20x is in Phase 3. The pilots are over, and the public submission pipeline is expected to open in FY26 Q4 (July-September 2026), initially for Class A (Pilot), Class B (Low), and Class C (Moderate).

Does the Authorization Act require continuous monitoring?

The Act and OMB M-24-15 push FedRAMP toward continuous, automated assurance, and 20x operationalizes this through persistent validation and KSIs. The exact continuous-monitoring requirements per class will be detailed in CR26 and related standards, so confirm specifics there.

Should I pursue Rev 5 or 20x right now?

It depends on your timeline, baseline, and whether you have an agency relationship. 20x offers a faster, automation-first path without an agency sponsor; Rev 5 remains available and is the only current route to a High (Class D) profile. Confirm the Class D / High 20x timeline in CR26 before committing.

Did the new labels change FedRAMP requirements?

No. NTC-0004 is explicit that the new labels relabel existing baselines and do not change the underlying requirements. The intent is to reduce confusion about what a FedRAMP Certification means, not to raise or lower the bar.

Next step

If you want to turn this guidance into an execution plan, the product side handles control mapping, SSP drafting, and evidence collection.

Related articles