
FedRAMP 20x Class A, B, C, and D Explained

Class A supports initial entry, Class B fits lighter use, Class C fits enterprise use, and Class D is not a 20x path in the current preview.

May 24, 2026

Main question

How do FedRAMP 20x certification classes work?

FedRAMP classes are about certification depth

FedRAMP's 2026 preview organizes certification around classes: A, B, C, and D.

For teams coming from older FedRAMP language, this can be confusing. Class is not just a new name for Low, Moderate, and High. It is a way to describe the depth, expected use, and ongoing information burden of a certification profile.

For FedRAMP 20x, the practical takeaway is simple: new cloud-native providers should understand Class A, B, and C. Class D is not a 20x path in the current preview.

Class A

Class A is for cloud services with mature security and compliance programs that want to enter the federal marketplace with a smaller initial information burden.

Think of Class A as an initial entry point. It can help a provider establish a starting FedRAMP posture, but it is not the end state for services that become broadly adopted by agencies.

Class A makes sense when:

  • The service is early in federal adoption.
  • The provider already has mature security practices.
  • Agencies need an initial level of certification data before broader use.
  • The provider expects to transition later to Class B or Class C.

Class A should not be treated as "lightweight forever." If the product becomes important to agency operations, the certification class should mature with the use case.

Class B

Class B is for common, small-scale or light-use cloud services.

It requires more information and ongoing reporting than Class A, but less than Class C. For SaaS providers with limited federal use cases, smaller blast radius, or lower agency dependency, Class B may be a reasonable target.

Class B makes sense when:

  • The service supports lighter agency workflows.
  • An entire agency is unlikely to depend on the service for important operations.
  • The service has a smaller risk profile.
  • The provider can support ongoing reporting but does not need the heavier Class C posture.

The key is honest use-case analysis. A provider should not choose Class B if agencies will use the product as an enterprise platform.

Class C

Class C is likely the main target for many enterprise SaaS providers.

It applies to common enterprise services that may be used across an agency or may support important government services. Class C requires more information, stronger ongoing reporting, and a more mature evidence program.

Class C makes sense when:

  • The product is an enterprise platform.
  • Agency-wide adoption is realistic.
  • The service supports important government workflows.
  • The provider needs a stronger posture for procurement and reuse.
  • The engineering team can support persistent validation and current authorization data.

For many commercial SaaS teams, "FedRAMP 20x readiness" really means "Can we support a Class C operating model?"

Class D

Class D is for mission-critical or high-impact usage where failure could seriously affect agency operations, finances, or individuals.

In the current FedRAMP 2026 preview, Class D is not a 20x path. Class D uses the agency certification path and remains a Rev5-oriented certification route.

That means a provider targeting high-impact or mission-critical use should not assume 20x is available as the path today. The planning conversation should start with Rev5.

How to choose

Use this practical sequence:

  1. Identify how agencies will actually use the service.
  2. Determine whether the service is cloud-native and eligible for 20x.
  3. Decide whether the expected use is initial entry, light use, enterprise use, or mission-critical use.
  4. Map that to Class A, B, C, or D.
  5. Confirm the path against current FedRAMP rules before making public claims.

The mistake to avoid is choosing the lowest class because it feels easier. The right class should match the risk and dependency agencies will place on the service.

What this means for product planning

Class selection affects the whole operating model:

  • How much inventory detail you need
  • How complete KSI validation must be
  • How mature vulnerability detection and response needs to be
  • How much authorization data agencies will expect
  • How often validation runs
  • How much assessor review you should prepare for

If your target is Class C, design for Class C from the beginning. Retrofitting persistent validation after the fact is much harder than building it into the evidence system early.

Key takeaways

  • Class A is an initial entry point.
  • Class B fits lighter-use services.
  • Class C fits enterprise or important agency services.
  • Class D is mission-critical and not a 20x path in the current preview.
  • Class selection should follow real agency use, not convenience.

Next step

If you want to turn this guidance into an execution plan, the product side handles control mapping, SSP drafting, and evidence collection.
