FedRAMP Proposes Updates to Authorization Process—Six New RFCs Released for Public Comment
What You Need to Know
Key takeaway #1
FedRAMP Modernization Completion: FedRAMP has released six new requests for comment (RFCs), aimed at completing the program’s modernization under the FedRAMP Authorization Act and OMB Memorandum M-24-15. Contractors may submit feedback through each RFC’s designated closing date, ranging from February 12 to March 11, 2026.
Key takeaway #2
Expanded Guidance: The RFCs propose changes to the FedRAMP marketplace, authorization designations, internal assessment processes, and Rev5 certification pathways.
Key takeaway #3
Impact on Cloud Service Providers and Agencies: These changes create new opportunities to expedite FedRAMP validations and Rev5 certifications, while also introducing added obligations, such as assessment‑cost reporting, expanded marketplace transparency, and machine‑readable authorization data requirements.
Client Alert | 3 min read | 01.21.26
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide initiative established to standardize the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. FedRAMP’s primary objective is to ensure that cloud service providers (CSPs) implement robust security controls to protect federal information in cloud environments. By leveraging a consistent framework for security assessment and authorization, FedRAMP is intended to reduce duplication of effort, cost, and time for both agencies and vendors.
The program’s statutory authority has been reinforced through the 2022 FedRAMP Authorization Act, which clarifies requirements for CSPs and strengthens FedRAMP’s role in federal cloud security. These updates are designed to enhance transparency, improve stakeholder engagement, and ensure that FedRAMP remains responsive to evolving cybersecurity threats and federal needs.
FedRAMP provides two authorization pathways: the traditional FedRAMP Rev5 agency authorization path and the modernized FedRAMP 20x authorization path. FedRAMP Rev5 relies on NIST SP 800-53, Revision 5 security controls, requires agency sponsorship, and requires manual review of expansive documentation to validate FedRAMP compliance. FedRAMP 20x, by contrast, uses Key Security Indicators, does not require agency sponsorship, and relies heavily on automated validation of security controls. FedRAMP 20x is currently in Phase 2.
Overview of Released RFCs
On January 13, 2026, FedRAMP announced the release of six new RFCs (numbered 0019 through 0024) as part of its effort to implement the FedRAMP Authorization Act and modernize its processes. The proposed changes focus on clarity, transparency, and quicker authorizations.
The RFCs propose several changes to the FedRAMP program, summarized below:
- RFC-0019 Reporting Assessment Costs (closing date February 12). Information about the cost of assessment services will need to be submitted by CSPs.
- RFC-0020 FedRAMP Authorization Designations (closing date February 19). “FedRAMP Certified” (for services authorized via the FedRAMP Rev5 process) and “FedRAMP Validated” (for services authorized via the FedRAMP 20x process) designations will be introduced to clarify the difference between FedRAMP authorization and an agency “authorization to operate” (ATO).
- RFC-0021 Expanding the FedRAMP Marketplace (closing date February 19). The FedRAMP marketplace will be expanded by allowing additional cloud service offering listings and requiring that CSPs and independent assessors share pricing information.
- RFC-0022 Leveraging External Frameworks (closing date February 26). Eligible CSPs may obtain a temporary FedRAMP Validated (i.e., FedRAMP 20x) Level 1 authorization by implementing a subset of the 20x Low requirements and demonstrating that they have obtained an independent assessment under one of the following external frameworks: SOC 2 Type II; ISO/IEC 27001; HITRUST e1, i1, r2; StateRAMP/GovRAMP; CMMC Level 2; or FedRAMP Ready.
- RFC-0023 Rev5 Program Certifications (No Sponsor Required) (closing date February 19). CSPs who adopt certain optional Rev5 Balance Improvement Releases and undergo a complete independent assessment will temporarily receive a FedRAMP Certification for cloud service offerings at Level 1-4 as FedRAMP Ready is phased out.
- RFC-0024 FedRAMP Rev5 Machine-Readable Packages (closing date March 11). FedRAMP Rev5 providers will be required to produce machine-readable authorization packages that can be ingested by agency tools, including for new assessments and for service offerings that are already FedRAMP-authorized. RFC-0024 proposes an initial compliance deadline of September 30, 2026 (or the provider’s next annual assessment following that date), and a final compliance deadline of September 30, 2027. If a provider does not meet the final compliance deadline, its FedRAMP Certification (i.e., Rev5 authorization) will be revoked.
FedRAMP is seeking stakeholder input on these proposed updates and has staggered comment closing dates to ease the burden on reviewers.
Conclusion
FedRAMP’s release of six new RFCs represents a significant milestone in the ongoing modernization of federal cloud security standards and the implementation of the FedRAMP Authorization Act. CSPs, federal agencies, and third-party assessment organizations should take this opportunity to engage in the public comment process to ensure their perspectives are considered in future program requirements. Crowell & Moring continues to monitor these developments and provide guidance on how the proposed updates may affect your FedRAMP authorization strategy, compliance obligations, and risk management practices. For questions about the RFCs or how these changes may impact your organization, please contact our team.