FedRAMP 20x: What the Latest RFC Initial Outcomes Signal for Cloud Service Providers, Agencies, and the DIB

Disclaimer: This article reflects what is publicly known as of April 4, 2026, based on FedRAMP's published Initial Outcomes from RFCs 0019–0024 and the current open comment period for RFCs 0025–0030. None of the Initial Outcomes described below are final or binding. FedRAMP has indicated that all changes will be formalized in the Consolidated Rules for 2026 (CR26), expected by the end of June 2026 and valid through December 31, 2028. Specific requirements, timelines, and processes may change between now and CR26 publication. We will update this article as new information becomes available.

If You're Just Catching Up: What Is FedRAMP 20x and Why Does It Matter?

The Federal Risk and Authorization Management Program (FedRAMP) is the government-wide framework that standardizes how cloud service providers (CSPs) are assessed and authorized to operate in federal environments. For over a decade, FedRAMP has been the gatekeeper for any cloud service that wants to do business with the federal government — and by extension, for much of the Defense Industrial Base (DIB) and regulated industries that align to federal security standards.

The traditional FedRAMP process — known as Rev5, based on NIST SP 800-53 Rev 5 controls — has been effective but widely criticized for being slow, expensive, and documentation-heavy. Authorizations routinely took 12–18 months. Security packages were maintained in Word documents and spreadsheets. The process rewarded paperwork compliance over actual security posture.

FedRAMP 20x is the program's response. Announced by GSA in March 2025, 20x is a fundamentally different approach to authorization — built around automation, machine-readable compliance data, continuous monitoring, and Key Security Indicators (KSIs) rather than hundreds of pages of narrative documentation. The program has been developed entirely in public, with industry collaboration at every step.

FedRAMP 20x has been rolling out in phases. Phase 1 (Low impact) completed in 2025 with 12 initial pilot authorizations. Phase 2 (Moderate impact) is currently underway with selected pilot participants. Phase 3 — wide-scale adoption for Low and Moderate — is targeted for the second half of 2026. Phase 4 will eventually address High baseline authorizations.

But 20x isn't just about a new authorization path. The FedRAMP PMO is simultaneously modernizing the entire program — including how existing Rev5 authorizations are maintained, how the FedRAMP Marketplace operates, how authorizations are labeled and categorized, and what tooling and data formats are required going forward.

That modernization is happening right now, through a series of Requests for Comment (RFCs) and their published Initial Outcomes. This is the most consequential policy development cycle FedRAMP has ever undertaken, and it affects every CSP, federal agency, assessor, and defense contractor in the ecosystem.

This article is your comprehensive guide to what has been proposed, what the community said, and where FedRAMP has signaled it's heading — all grounded in the primary source documents published on fedramp.gov.

What Are RFCs and Initial Outcomes?

Requests for Comment (RFCs) are formal proposals published by the FedRAMP PMO to gather public feedback before finalizing policy changes. They are not rules — they are drafts. Anyone can comment: CSPs, assessors, agencies, industry groups, and individual practitioners.

Initial Outcomes are FedRAMP's published responses to that public comment. They explain what FedRAMP heard, what it plans to change based on feedback, and what direction it intends to take in the final rules. Initial Outcomes are directional signals — they carry significant weight because they represent FedRAMP's considered position after reviewing community input, but they are not binding until formalized.

The Consolidated Rules for 2026 (CR26) is where everything becomes official. CR26 is the single binding document that will codify all of the RFC outcomes into enforceable requirements. FedRAMP has committed to publishing CR26 by the end of June 2026, and the rules will be valid through December 31, 2028.

Understanding this process matters because it determines how you should read everything below: as informed direction-setting, not as final rules. The trajectory is clear, but the specifics may shift when CR26 publishes.

The Pace of Change Is the Story

Between January and March 2026, the FedRAMP Program Management Office executed one of the most aggressive policy development cycles in the program's history. Six major Requests for Comment (RFCs 0019–0024) were published on January 13, 2026. Public comment periods closed between February 12 and March 11. Initial Outcomes — detailed public notices explaining FedRAMP's intended direction based on community feedback — were published for all six between February 18 and March 25.

Before the dust settled, five more RFCs (0026–0030) dropped on March 19, covering Rev5 security controls baseline updates across every control family and continuous monitoring expectations. Those are currently open for public comment, with deadlines around April 22.

All of this feeds into CR26, which FedRAMP has committed to publishing by the end of June 2026. These rules will be binding through December 31, 2028 — giving organizations a stable three-year runway once they're finalized.

For cloud service providers, federal agencies, assessors, and the broader compliance ecosystem, understanding these Initial Outcomes now — before CR26 codifies them — is the difference between planning and reacting.

RFC-0019: Reporting Assessment Costs — Proposed, Then Dropped

Status: Closed February 12, 2026 | Initial Outcome published February 18 (NTC-0002)

What Was Proposed

RFC-0019 proposed a new requirement for both CSPs and FedRAMP-recognized independent assessors (3PAOs) to report assessment cost data to FedRAMP. The stated goal was to give the FedRAMP PMO real data on what authorizations actually cost so the program could identify cost drivers and work to optimize them — fulfilling a statutory responsibility under 44 USC § 3609 to review the costs associated with independent assessment services.

Why Industry Pushed Back — and Why FedRAMP Agreed

RFC-0019 drew more public comments than many previous FedRAMP RFCs. The community response was clear and consistent: requiring businesses to disclose assessment costs would impose a burden unrelated to the authorization of cloud services. Costs are negotiated commercially between private-sector entities. The wide variance in scope and complexity across providers makes cost comparisons meaningless. Some commenters noted they might even falsify data to protect proprietary business information.

FedRAMP concurred. NTC-0002 states explicitly that the proposed rules from RFC-0019 will not be finalized or implemented by FedRAMP. Neither CSPs nor independent assessors will be required to report assessment costs. This determination could be reconsidered in the future, but only after a new public comment period.

What This Signals

The RFC-0019 outcome is one of the clearest demonstrations in this cycle that the FedRAMP PMO is genuinely responsive to industry input — even when the proposal had a statutory basis. It also signals the limits of FedRAMP's appetite for requirements that industry views as overreach into commercial business practices. Cost reporting will not appear in CR26.

RFC-0019: Reporting Assessment Costs | Initial Outcome from RFC-0019 (NTC-0002)

RFC-0020: Authorization Designations — One Label, Four Classes

Status: Closed February 19, 2026 | Initial Outcome published February 25 (NTC-0004)

What Changed from the Original Proposal

The original RFC-0020 proposed separate designations for authorizations achieved through the 20x pathway versus the traditional Rev5 process — including a "FedRAMP Validated" label for 20x. The community pushed back hard, arguing that separate labels would create confusion in procurement and contracting. FedRAMP agreed and reversed course.

The Signaled Direction

Based on the Initial Outcome, FedRAMP intends to adopt:

• One unified label: "FedRAMP Certified" — aligning with the FedRAMP Authorization Act's definition of a FedRAMP authorization as a certification by FedRAMP
• Four Certification Classes (A, B, C, D) replacing the old impact level labels:
  • Class A — A new entry-level certification replacing FedRAMP Ready (see RFC-0023 below)
  • Class B — Maps to the current Low and Li-SaaS baselines
  • Class C — Maps to the current Moderate baseline
  • Class D — Maps to the current High baseline
• No separate branding for 20x vs. Rev5 — the distinction between authorization paths will be handled through FedRAMP Marketplace filters, not labels
• No "levels" or numbers — deliberately chosen to avoid confusion with the DoD Impact Level system (IL2, IL4, IL5, IL6)

The Strategic Implication

This is more than a naming convention change. By placing 20x and Rev5 under the same "FedRAMP Certified" umbrella, FedRAMP is signaling that 20x is not a parallel experiment or a second-tier path. If formalized, it would carry the same procurement weight as Rev5 authorization. An agency evaluating two services — one authorized through Rev5 and one through 20x — would see the same label on both.

FedRAMP also reiterated a point that is frequently misunderstood: a FedRAMP Certification is not a blanket guarantee that a service is appropriate for a given FIPS 199 security category within a specific agency environment. Agencies still perform their own risk assessment through the Risk Management Framework. FedRAMP provides the certification materials — agencies make the authorization decision.

Who Should Care

CSPs updating marketing and sales materials, contracting officers drafting acquisition language, and GRC teams maintaining compliance documentation should all be tracking this. If these labels are formalized in CR26, terminology across contracts, proposals, and Marketplace listings will need to be updated.

Initial Outcome from RFC-0020 (NTC-0004) | RFC-0020: FedRAMP Authorization Designations

RFC-0021: Expanding the FedRAMP Marketplace

Status: Closed February 19, 2026 | Initial Outcome published February 25 (NTC-0005)

Key Outcomes

The Initial Outcome from RFC-0021 signals several changes to how the FedRAMP Marketplace operates:

• Pricing information removed. FedRAMP will not request, store, or publish pricing for cloud services, independent assessors, or advisory services. Agencies had requested centralized pricing data, but public comment made it clear that many stakeholders were unwilling to participate. FedRAMP struck the pricing requirements.
• JSON schema for assessor and advisory web information. FedRAMP intends to provide a standardized JSON schema for required web information from independent assessors and advisory services, with validation built in.
• Corrective action policy softened. FedRAMP indicated it may defer corrective action if a CSP provides early notification with a well-documented and achievable remediation plan. The stated intent: corrective action is for services that are failing to meet requirements, not for punishing good-faith actors on technicalities.
• Program Certification limited to one path. CSPs pursuing Program Certification (where FedRAMP itself sponsors the authorization) will need to choose either Rev5 or 20x — FedRAMP cannot support duplicative reviews and continuous monitoring across both for the same service.

Why It Matters

The pricing decision is notable because it shows FedRAMP responding to industry pushback even where agency demand existed. The corrective action language is important for existing authorized providers — it suggests FedRAMP is moving toward a more pragmatic enforcement posture, provided CSPs communicate proactively.

Initial Outcome from RFC-0021 (NTC-0005) | RFC-0021: Expanding the FedRAMP Marketplace

RFC-0022: Leveraging External Frameworks

Status: Closed February 26, 2026 | Initial Outcome published March 3 (NTC-0007)

What It Signals

RFC-0022 addresses the mandate from OMB Memorandum M-24-15 to establish a path for leveraging external security frameworks within FedRAMP. The Initial Outcome signals:

• SOC 2 Type II as the initial approved external framework bridging to Class A FedRAMP Certifications
• 2-year window (extended from the originally proposed 1 year) for CSPs receiving a Class A Certification to achieve a full Class B, C, or D Certification, with some scheduling flexibility around the deadline
• Class A is transitory by design — intended for negligible or low-risk pilot use by agencies. No reciprocity. No permanent pass.
• Class A only available through Program Certification — directly by the FedRAMP PMO, no agency sponsor required
• Approved framework list will be limited initially with implementation staggered over time based on review capacity

The 20x Connection

The primary path for Class A Certifications will be designed for FedRAMP 20x, using Key Security Indicators (KSIs) and other 20x requirements. A separate Rev5 Class A path will be established based on RFC-0023's outcome.

Who Should Care

CSPs that hold SOC 2 Type II certification and have been considering FedRAMP but deterred by the cost and timeline of a full authorization. If formalized, this creates a legitimate — but temporary — on-ramp. The 2-year clock means you still need a plan for the full certification, but you can begin operating in the federal space sooner.

Initial Outcome from RFC-0022 (NTC-0007) | RFC-0022: Leveraging External Frameworks

RFC-0023: Rev5 Program Certifications (No Agency Sponsor Required)

Status: Closed February 26, 2026 | Initial Outcome published March 6 (NTC-0008)

FedRAMP Ready Retirement

The Initial Outcome signals that FedRAMP Ready will be retired on July 28, 2026. No new submissions will be accepted after that date. However, FedRAMP is not simply eliminating FedRAMP Ready — it's providing a conversion path:

• Existing FedRAMP Ready assessments can convert to a Class A FedRAMP Certification with minimal additional requirements
• Providers that do not convert will be relabeled "Legacy FedRAMP Ready" — effectively retired from active procurement consideration

The No-Sponsor Path

RFC-0023's Initial Outcome outlines a new Rev5 Program Certification path where FedRAMP itself acts as the sponsor. This would eliminate the need to find an agency willing to fund and manage the traditional review and continuous monitoring process.

The catch: this path would require CSPs to adopt FedRAMP's Balance Improvement Releases — modernization upgrades including machine-readable documentation, updated continuous monitoring practices, and alignment with 20x-informed operational standards.

CSPs that cannot or will not adopt these requirements would need to pursue the traditional agency sponsor route. FedRAMP is explicit about the constraint: they can only take on a limited number of providers through Program Certification because they would be performing both the initial assessment review and ongoing continuous monitoring themselves.

What Got Dropped

• "Trusted assessor" requirement — removed. If a 3PAO loses its "trusted" designation mid-assessment, the CSP would be punished for something outside their control.
• Mandatory Balance Improvement Release Adoption — removed as a blanket requirement. It remains effectively required for the no-sponsor Program Certification path, but is not imposed on providers pursuing the traditional agency route.
• Legacy Machine-Readable Package Requirements — removed specifically for Rev5 Program Certifications. Machine-readable requirements will be handled through the broader RFC-0024 framework instead.

Staged Rollout

• Stage 1: Class A Certifications available through Program Certification, replacing FedRAMP Ready
• Stage 2: Class B and Class C Certifications available to CSPs that adopt required Balance Improvement Releases and meet additional eligibility criteria

Initial Outcome from RFC-0023 (NTC-0008) | RFC-0023: Rev5 Program Certifications

RFC-0024: Rev5 Machine-Readable Packages

Status: Closed March 11, 2026 | Initial Outcome published March 25 (NTC-0009)

A Tiered Approach, Not a Blanket Mandate

The Initial Outcome from RFC-0024 (NTC-0009) establishes tiered machine-readable requirements based on Certification Class — a significant departure from the original RFC-0024 proposal, which proposed a single standard for all Rev5 providers. Based on public comment, FedRAMP modified both the scope of the requirements and the timelines considerably.

Class D (High) certifications: Comprehensive machine-readable authorization data will be required across the entire authorization package, covering both initial and ongoing authorization materials. Updates must be integrated twice per year (at annual assessment and halfway between annual assessments), replacing the originally proposed 30-day requirement.

Class A, B, and C certifications: Some machine-readable data is required, but the bulk of authorization materials will be in semi-structured text format. DOCX and XLSX will be retired as acceptable formats in favor of text-based equivalents. This covers all authorization materials for both initial and ongoing authorization.

Five Balance Improvement Releases Becoming Mandatory

NTC-0009 also folds five Balance Improvement Releases into standard Rev5 requirements for all providers — replacing existing requirements and each requiring materials in a machine-readable format:

• Minimum Assessment Scope — replaces the traditional authorization boundary approach, eliminating overly complex boundary diagrams
• Significant Change Notifications — replaces the traditional significant change request process
• Collaborative Continuous Monitoring — replaces part of the traditional monthly continuous monitoring approach
• Vulnerability Detection and Response — replaces the traditional vulnerability scanning and POA&M approach
• Authorization Data Sharing — replaces the traditional Secure Repository approach

Specific Timelines from NTC-0009

NTC-0009 provides anticipated deadline milestones for active FedRAMP Certified services. Note that final dates will be in CR26 and none will move earlier than those shown:

FedRAMP's Position on Tooling

FedRAMP has been explicit: they are not building the tooling to support this transition. Industry must lead. As stated in NTC-0009, FedRAMP will establish informal partnerships with non-profit organizations that support open source or public domain capabilities — the OSCAL Foundation is cited as one such partner. FedRAMP will set requirements and validate that partner-produced templates are adequate, but will not dictate underlying structure or format.

FedRAMP also acknowledged the competitive reality directly: Rev5 providers will face "considerable competition" from 20x-certified services that deliver machine-readable data natively. Human-readable outputs will still be required in parallel during the transition, generated from machine-readable source materials.

What This Means for the Market

This is the most operationally significant outcome in the entire RFC cycle. Every active Rev5 provider — regardless of Certification Class — faces mandatory adoption of five Balance Improvement Releases with deadlines beginning January 1, 2027. Class D (High) providers face the most demanding requirements; Class A, B, and C providers must modernize away from DOCX/XLSX and toward structured text formats. CSPs still maintaining authorization packages in manual documents should be evaluating their tooling strategy now — not when CR26 publishes in June.

Initial Outcome from RFC-0024 (NTC-0009) | RFC-0024: FedRAMP Rev5 Machine-Readable Packages

Currently Open: RFCs 0025–0030

As of April 4, 2026, six new RFCs are open for public comment:

• RFC-0025 — Retrospective on the Public Comment Process (published March 18, closes April 21)
• RFC-0026 — Clarifying CA-7 Continuous Monitoring Expectations for Rev5 Providers (published March 19, closes April 22)
• RFC-0027 — FedRAMP Rev5 Security Controls Baseline Update for AC, AT, AU, CA, and CM Control Families
• RFC-0028 — FedRAMP Rev5 Security Controls Baseline Update for CP, IA, IR, MA, and MP Control Families
• RFC-0029 — FedRAMP Rev5 Security Controls Baseline Update for PE, PL, PM, PS, and PT Control Families
• RFC-0030 — FedRAMP Rev5 Security Controls Baseline Update for RA, SA, SC, SI, and SR Control Families

RFC-0026 is particularly relevant for existing Rev5 providers. The proposed updates revise the CA-7 continuous monitoring control to standardize how CSPs share vulnerability data, assessment results, and remediation activities with all federal agency customers. FedRAMP has indicated these updates will be integrated into CR26.

If you are a Rev5 provider, this is your opportunity to influence the rules before they are codified. Public comment on these RFCs can be submitted through the FedRAMP Community on GitHub.

FedRAMP Requests for Comment

Timeline: What We Know

All dates based on Initial Outcomes and may change when CR26 is finalized. NTC-0009 states that no deadline dates will move earlier than those shown above. Cost reporting (RFC-0019) will not appear in CR26 — that requirement was dropped entirely.

Understanding CR26: The FedRAMP Consolidated Rules for 2026

Everything in this article — every Initial Outcome, every signaled direction, every timeline — leads to one document: the FedRAMP Consolidated Rules for 2026, or CR26.

What Is CR26?

CR26 is the single, authoritative ruleset that will formalize all of the policy changes FedRAMP has been developing through the RFC process into binding, enforceable requirements. It is not a proposal or a discussion draft. When CR26 publishes, the rules it contains become the governing framework for the entire FedRAMP program.

Think of it this way: the RFCs were the proposals. The Initial Outcomes were FedRAMP telling the community "here's what we heard and where we're heading." CR26 is where "heading" becomes "required."

When Does It Publish?

FedRAMP has committed to publishing CR26 by the end of June 2026. This commitment has been stated consistently across every Initial Outcome notice, the FedRAMP blog, and the 20x overview page.

How Long Is It Valid?

CR26 will be valid through December 31, 2028. Organizations that align their compliance programs to CR26 can plan with confidence that the rules won't shift again until at least 2029.

What Will CR26 Contain?

Based on the Initial Outcomes published to date, CR26 is expected to formalize:

• The unified "FedRAMP Certified" designation with Certification Classes A, B, C, and D (RFC-0020)
• Updated FedRAMP Marketplace requirements, including the removal of pricing information and new JSON schemas for assessor and advisory service listings (RFC-0021)
• The Class A Certification path leveraging external frameworks like SOC 2 Type II, with the 2-year window to achieve full certification (RFC-0022)
• The Rev5 Program Certification path (no agency sponsor required) with Balance Improvement Release prerequisites, staged rollout, and the retirement of FedRAMP Ready (RFC-0023)
• Tiered machine-readable authorization package requirements for Rev5 providers — comprehensive for Class D (High), semi-structured text for Class A/B/C — along with mandatory adoption of five Balance Improvement Releases with specific 2027 deadlines (RFC-0024)
• Note: Assessment cost reporting (RFC-0019) was explicitly excluded from CR26 after public comment — this requirement will not be implemented.
• Rev5 security controls baseline updates and continuous monitoring expectations (RFCs 0026–0030, currently open for comment)
• The formal 20x requirements for Low and Moderate, aligned with the Rev5 Certification Classes

Why Should You Care About CR26 Now?

Because the window between CR26 publication (end of June) and the date the rules apply to all CSPs (December 31, 2026) is only six months. If you wait until CR26 publishes to start planning, you'll have half a year to implement changes that could affect your authorization status, your tooling, your documentation, your Marketplace listing, and your contracting language.

The Initial Outcomes exist specifically so that organizations can start preparing now. FedRAMP has been unusually transparent about where this is heading. The community that takes advantage of this transparency will be the community that transitions smoothly.

What You Should Be Doing Now

For existing Rev5 authorized providers

• All Rev5 providers — regardless of class — must plan to adopt five Balance Improvement Releases, with the first deadlines arriving January 1, 2027. Start your assessment of readiness for Significant Change Notifications and Minimum Assessment Scope now.
• Class D (High) providers face the most demanding machine-readable requirements by November 1, 2027. Evaluate your tooling for producing comprehensive machine-readable authorization data and engage with the OSCAL Foundation or other industry partners who are building compatible solutions.
• Class A, B, and C providers must retire DOCX and XLSX in favor of semi-structured text formats and produce some machine-readable data by November 1, 2027. This is less demanding than Class D but still requires planning and tooling changes.
• Assess whether the Balance Improvement Releases align with your operational model. If you want access to the no-sponsor Program Certification path, adoption of these modernization requirements is the prerequisite.
• Track RFCs 0026–0030. The Rev5 baseline updates and CA-7 continuous monitoring changes will directly affect your ongoing compliance obligations.

For CSPs planning new authorizations

• Decide whether to pursue Rev5 or 20x. With both paths leading to the same "FedRAMP Certified" label, the decision should be based on your technical readiness, timeline, and which path your tooling and processes are best suited for.
• If you hold SOC 2 Type II, evaluate whether the Class A Certification path makes sense as an interim step — but plan for the full Class B, C, or D certification within the signaled 2-year window.

For assessors (3PAOs / C3PAOs)

• Build capacity for reviewing machine-readable packages and the five mandatory Balance Improvement Releases.
• Track the assessor-specific requirements in the Balance Improvement Releases and CR26.
• Note: Assessment cost reporting was dropped from RFC-0019 — no reporting requirements will be imposed on assessors for costs.

For agencies

• Update acquisition language to reflect the anticipated shift from impact levels to Certification Classes.
• Prepare procurement teams for the unified "FedRAMP Certified" designation — the distinction between authorization paths will need to be handled through Marketplace evaluation, not label differentiation.

How Quzara Can Help

Quzara has been at the intersection of federal compliance, cloud security, and automation since 2015. Our team tracks FedRAMP policy developments in real time — not to write blog posts, but because our clients depend on us to translate regulatory signals into operational readiness.

NISTCompliance.ai — our AI-powered compliance management platform — is purpose-built for the direction FedRAMP is heading: automated gap analysis, machine-readable documentation generation, real-time audit readiness, and multi-framework control mapping across NIST SP 800-53 Rev 5, FedRAMP, FISMA, and CMMC.

Quzara Cybertorch™ — our FedRAMP High Authorized Managed XDR and SOC-as-a-Service — provides inheritable controls that accelerate your authorization timeline and reduce the continuous monitoring burden that these RFC outcomes are reinforcing.

If you're evaluating your readiness for what CR26 will require, we'd welcome the conversation.

Explore NISTCompliance.ai | Contact Quzara

This article will be updated as FedRAMP publishes additional Initial Outcomes and when the Consolidated Rules for 2026 (CR26) are released. Follow Quzara on LinkedIn for our ongoing series breaking down each RFC outcome.