FedRAMP Marketplace Explained: Listings & Statuses (2026)

The FedRAMP Marketplace is the U.S. government's official public directory of cloud services assessed against FedRAMP requirements. As of June 2026 it uses three legacy designations - FedRAMP Ready, In Process, and Authorized - but those are being replaced under CR26 (the outcome of RFC-0020) by a single FedRAMP Certified designation with four Certification Classes (A-D) and redesigned lifecycle statuses.

June 4, 2026 | 9 min read

Main question

What is the FedRAMP Marketplace and what do its designations mean?

The FedRAMP Marketplace is the U.S. government's official, public directory of cloud services that have been assessed against FedRAMP security requirements. As of June 2026 it lists offerings under three legacy designations — FedRAMP Ready, In Process, and Authorized — but those labels are being replaced under the FedRAMP Consolidated Rules for 2026 (CR26) with a single FedRAMP Certified designation, four assessment baselines named Class A–D, and a redesigned set of lifecycle statuses. If your cloud service wants federal agencies to find, trust, and reuse its security package, getting listed correctly on the Marketplace is the visible payoff of the entire authorization process.

Key takeaways

  • The FedRAMP Marketplace (marketplace.fedramp.gov) is the single authoritative source agencies use to discover authorized cloud services, assessors (3PAOs/independent assessors), and agencies that have issued authorizations.
  • The legacy listing designations are FedRAMP Ready, In Process, and Authorized; only "Authorized" means the security package is complete and reusable by agencies.
  • Under CR26 — the outcome of RFC-0020, confirmed in notice NTC-0004 — those labels become a single FedRAMP Certified designation covering both the Rev 5 and 20x paths, plus four Certification Classes (A–D) in place of the old Low/Moderate/High tiers. FedRAMP declined a separate "FedRAMP Validated" label; the two paths are shown via Marketplace filters. CR26 is due by the end of June 2026.
  • FedRAMP Ready is being retired, and a new Preparation listing state lets serious providers appear on the Marketplace much earlier (RFC-0021).
  • A Marketplace listing is not an agency Authorization to Operate (ATO). It signals that FedRAMP has packaged the security information; each agency still makes its own authorization decision.

What is the FedRAMP Marketplace?

The FedRAMP Marketplace is the official online directory, run by the FedRAMP Program Management Office (PMO) within GSA, that publishes the authorization status of cloud service offerings (CSOs) and the organizations supporting them. Federal agencies use it as the starting point when they need a cloud product that already meets a standardized federal security bar, because the program's core promise is "do once, use many times" — one rigorous assessment whose materials many agencies can reuse.

The Marketplace catalogs three main types of entries:

  • Cloud service offerings — the SaaS, PaaS, and IaaS products themselves, each with a designation and status.
  • Assessors — the independent assessment organizations (historically called Third-Party Assessment Organizations, or 3PAOs) that validate a provider's security implementation.
  • Agencies — federal agencies that have sponsored or reused authorizations, which helps other agencies gauge real-world adoption.

One important nuance: private cloud offerings built for a single customer are generally not listed, because their security packages are not reusable across the government and therefore do not serve the Marketplace's "do once, use many times" purpose.

Source: FedRAMP Marketplace and help.fedramp.gov — How does a CSP get listed?

What do the FedRAMP Marketplace designations mean?

A designation tells an agency how far along a cloud service is in the FedRAMP process and whether its security materials are ready to be reused. As of mid-2026, the Marketplace is mid-transition: the three legacy designations remain widely referenced, while the new RFC-0020 designations are being rolled out. The table below lays out both, so you can read a listing regardless of which label it shows.

| Designation | What it means | Status under 2026 changes |
|---|---|---|
| FedRAMP Ready | A recognized assessor attested to the provider's readiness, and FedRAMP reviewed/approved a Readiness Assessment Report (RAR). Signals capability, not a completed authorization. | Being retired under RFC-0020 / RFC-0021; replaced by the new Preparation listing state. |
| In Process | The provider is actively working toward authorization with a federal agency (historically also the Joint Authorization Board). Materials are not yet complete. | Replaced by lifecycle statuses such as Agency Authorization In Process and Assessment by FedRAMP. |
| Authorized | The provider completed the FedRAMP process; the security package is available for agency review and reuse. The "finished" state agencies look for. | Relabeled simply FedRAMP Certified — the single new designation for both the Rev 5 and 20x paths. |
| FedRAMP Certified (new) | The single official label for any completed FedRAMP authorization, on either the Rev 5 or 20x path. Every Certification carries a Class (A–D) that describes its assessment baseline. | New designation under CR26 (the outcome of RFC-0020). FedRAMP declined a separate "FedRAMP Validated" label and will use Marketplace filters to show the Rev 5 vs 20x path. |
| Certification Class A–D (new) | The four assessment baselines that replace Low/Moderate/High: Class A (new pilot), Class B (LI-SaaS + Low), Class C (Moderate), Class D (High). | Replaces the FIPS 199 impact tiers. FedRAMP avoided numbered "levels" to prevent confusion with DoD Impact Levels. |

A critical point FedRAMP states explicitly: a Certification Class does not rank how secure a service is overall. It describes the coverage and depth of the assessment materials available to agencies — how much information an agency has to work with when making its own risk decision.

Source: RFC-0020 FedRAMP Authorization Designations

How is a Marketplace listing different from an ATO?

A Marketplace designation is not an Authority to Operate. This distinction sits at the heart of the 2026 relabeling. A FedRAMP designation means FedRAMP has packaged essential security information about a cloud service so that an agency can evaluate it; an ATO is a separate decision made by an individual agency's Authorizing Official to actually run that service for a specific use case.

FedRAMP's own rationale for the rename is that "authorized" was being misread. Providers assumed it functioned as a government-wide ATO; agency staff sometimes adopted "authorized" services without their own review; and officials occasionally took on risk assuming FedRAMP or another agency was monitoring security on their behalf. Reserving the word "authorization" for the agency ATO step — consistent with OMB Circular A-130 and the NIST Risk Management Framework — is meant to remove that ambiguity. In practice: a Marketplace listing gets you in the door, but each agency still runs its own categorization and authorization before going live.

If you're sizing up the broader process behind that listing, see our complete FedRAMP authorization guide and a breakdown of the FedRAMP impact levels those designations historically map to.

How do you get listed on the FedRAMP Marketplace?

You get listed by entering one of FedRAMP's defined lifecycle stages and having FedRAMP confirm your status. Historically this meant earning a FedRAMP Ready designation (assessor attestation plus an approved RAR), then moving to In Process once an agency began sponsoring your authorization, and finally to Authorized once the package was complete. Under the 2026 changes, the on-ramp opens earlier and the stages are renamed.

For the legacy Rev 5 agency authorization path, a cloud service offering moves through these Marketplace statuses (per RFC-0020):

  1. Preparation — the provider is doing the foundational work to manage its security and privacy risks. This new state, defined in RFC-0021, lets companies appear on the Marketplace before they're near the finish line.
  2. Agency Authorization In Process — an agency has told FedRAMP it has begun the authorization.
  3. Assessment by FedRAMP — FedRAMP performs the final review that can result in Certification. The target is under 30 days when the package is genuinely complete.
  4. Continuous Monitoring — the service is FedRAMP Certified and is maintaining its security posture under Rev 5 ConMon requirements. This is the intended end state.
  5. Remediation — the provider is correcting a significant underlying issue.

The 20x path follows a parallel set of statuses (Preparation → Prioritized → Assessment by FedRAMP → Persistent Validation → Remediation), reflecting its continuous, evidence-driven model rather than a point-in-time paperwork review.

A few requirements worth flagging from RFC-0021's Marketplace Listings (MPL) process:

  • Pick one path. A provider must choose either Rev 5 Certification or 20x Validation for a given offering — not both.
  • Statutory scope only. The offering must be intended for direct agency use (integrated into a federal system getting an ATO) or indirect use (as a component inside another agency-used service). Products listed solely to support other frameworks like CMMC fall outside FedRAMP's scope.
  • A Preparation listing has a clock. Providers must meet Certified/Validated requirements within 12 months of an initial Preparation listing or face removal from the Marketplace for at least six months.
  • Pricing disclosure is coming. RFC-0021 introduces a requirement to publish general pricing information, with an effective date of August 26, 2026 — a notable reversal from the previous practice of not publishing pricing.

Source: RFC-0021 Expanding the FedRAMP Marketplace

What role does the FedRAMP PMO play in the Marketplace?

The FedRAMP PMO — the program office inside GSA's Technology Transformation Services — owns and operates the Marketplace and is the gatekeeper for what appears on it. The PMO reviews readiness materials, confirms when a provider's status changes, performs the final assessment that results in Certification or Validation, and publishes the listing data agencies rely on.

Under the 2026 rules, the PMO is also committing to transparency and speed targets it did not publish before. RFC-0021 sets a 14-day target for FedRAMP to act on certain submissions (such as a Preparation listing or an Agency Authorization In Process notification) and a 30-day target for the Certification or Validation assessment itself once a complete package is submitted. The PMO also commits to publishing de-identified activity data so the community can see how long Marketplace actions actually take. These targets are aspirational — FedRAMP notes they depend on demand and staffing — but they represent a meaningful shift toward measurable service levels.

How is the Marketplace changing under 20x and CR26?

The Marketplace is being restructured as part of the broader 2026 modernization, which the program is consolidating into the FedRAMP Consolidated Rules for 2026 (CR26) alongside the FedRAMP 20x initiative. The headline changes:

  • New designations. "FedRAMP Authorized" is being replaced by a single FedRAMP Certified label, and the Low/Moderate/High tiers become four Certification Classes (A–D) (RFC-0020 / NTC-0004).
  • FedRAMP Ready is retiring. The readiness designation goes away in favor of the new Preparation state, which lets serious providers list earlier and keep agencies updated on their progress.
  • Number-based levels replace FIPS 199 tiers. The old impact-level naming is being moved to a numbered system to reduce confusion between a FedRAMP designation and an agency's own system categorization.
  • Broader listings. Beyond cloud offerings and assessors, advisory/consulting firms can now be listed, and independent assessors face new attestation and pricing-transparency requirements (RFC-0021).
  • Transparency and pricing. FedRAMP will publish activity data on Marketplace actions, and providers will be required to disclose general pricing.

If you're new to all of this, our overview of the 20x program and how much FedRAMP costs puts these Marketplace changes in the context of the path and budget you'll actually plan around.

A practical note for 2026: because the relabeling is mid-rollout, you may see a listing described as "FedRAMP Authorized" in one place and "FedRAMP Certified, Class C" in another for the same service. Both can be correct during the transition — FedRAMP is auto-mapping existing authorizations to the new Certified label and Class. When in doubt, read the status (e.g., Continuous Monitoring vs. In Process/Assessment by FedRAMP) and confirm the exact entry on marketplace.fedramp.gov rather than relying on a third-party summary.

Frequently asked questions

What does "FedRAMP Authorized" mean on the Marketplace?

It historically meant a cloud service completed the FedRAMP process and its security package is available for any agency to review and reuse. As of 2026 this label is being replaced by a single FedRAMP Certified designation (each carrying a Certification Class of A–D). Importantly, it still does not mean a government-wide green light to use the service — each agency must issue its own Authority to Operate.

Is being on the FedRAMP Marketplace the same as having an ATO?

No. A Marketplace listing means FedRAMP has assessed and packaged a service's security information. An ATO is a separate decision an individual agency's Authorizing Official makes to actually operate that service for a specific use. The 2026 designation rename (RFC-0020) exists specifically to make this separation clearer.

What's the difference between "In Process" and "Authorized"?

"In Process" means a provider is actively working toward authorization with a federal agency, but its package isn't finished — agencies cannot yet reuse it. "Authorized" (now Certified/Validated) means the assessment is complete and the package is available for agency review and reuse. Under the new lifecycle, "In Process" maps to statuses like Agency Authorization In Process and Assessment by FedRAMP.

Is FedRAMP Ready going away?

Yes. Under RFC-0020 and RFC-0021, the FedRAMP Ready designation is being retired and replaced by a new Preparation listing state. Preparation lets providers appear on the Marketplace earlier and keep agencies informed, but it carries a 12-month deadline to reach Certified/Validated status or risk removal.

How long does it take to get listed?

That depends on your stage. FedRAMP's 2026 targets (RFC-0021) call for acting on certain listing submissions within about 14 days and completing the final Certification/Validation assessment within roughly 30 days of a complete package. The full journey to a completed authorization, however, still typically spans many months of preparation, assessment, and remediation before that final review.

Can a provider pursue both Rev 5 and 20x at the same time?

No. Under the 2026 rules a provider picks one assessment path per offering — Rev 5 or 20x — to avoid duplicating government review, though both result in the same FedRAMP Certified designation. FedRAMP has indicated a path for Rev 5 services to transition to 20x will be offered in the future.

Where can I verify a service's current Marketplace status?

Go directly to marketplace.fedramp.gov and search for the offering. Because designations are mid-transition in 2026, the official Marketplace entry — not a press release or third-party blog — is the authoritative source for a service's current designation, level, and status.

Last updated: June 2026. Written by the Boundera team.
