The General Services Administration (GSA) is working on consolidating the certification framework for cloud service providers who are new to the FedRAMP Program. Right now, a full traditional security assessment and review is expensive and cumbersome for the government and creates barriers for cloud service providers looking to get FedRAMP certified. The goal is to reduce the initial review burden with consolidated rules that are anticipated to be published by the end of June 2026, and retire the FedRAMP Ready designation program. If you offer cloud services and are currently doing business with the federal government, or plan to in the future, read on to learn more about these changes.
Why GSA Plans to Consolidate the FedRAMP Certification Framework
FedRAMP, which is a governmentwide program that provides a standardized security assessment and authorization of cloud products and services, is an important certification for cloud service providers who want to do business with the federal government. Because it’s so important, GSA is noticing the effects of roadblocks delaying certification for several contractors.
GSA noted that the Rev5 Certification Program (called FedRAMP ready) has proven to be difficult in the midst of the unexpected government-wide staffing and budget changes. Many contractors who are far down in the line in Rev5 authorization path have either lost their agency sponsor or have struggled to get a sponsor. The traditional Rev5 assessment is costly and time consuming, and the government simply doesn’t have the resources to realistically carry it out.
That’s where the consolidated rules come in. GSA has been working on a new approach that lowers the initial certification hurdles, and allows individuals in the FedRAMP program to review certain assessments without relying on agencies to evaluate every assessment directly. This is known as FedRAMP 20x. We’ll dive into the specifics of these reduced rules below.
What Will the New FedRAMP Framework Look Like?
To clarify the new program, FedRAMP authorizations will be renamed to FedRAMP certifications, and the program will move on from impact levels to certification classes.
Under this change, GSA is introducing two pathways in the FedRAMP certification process—program certification and agency authorization. If reducing rules seemed contradictory to you in the realm of government contracting—you were pretty much right. GSA is not going to take away the full certification process for ALL contractors.
Only certain contractors are allowed to go down the new certification path, which would allow for FedRAMP to review a cloud product or service without an agency sponsor. GSA has noted that this path is only available to a limited number of cloud service providers that are able to adopt the Balance Improvement Releases necessary to cut these corners. Balance Improvement Releases were introduced in the FedRAMP 20x initiative.
Companies that cannot adopt these requirements will need to go down the traditional agency authorization path and secure an agency sponsor. More specific information on the application criteria and expectations will be published alongside the FedRAMP Consolidated rules by the end of June 2026.
Timeline for this New FedRAMP Certification
GSA anticipates the official changes to the certification program will be released by the end of June 2026, and retire FedRAMP Ready on July 28, 2026. The changes will be applicable to all cloud service providers from Dec. 31, 2026 through Dec. 31, 2028.
Once released, GSA will deploy this new certification program in stages. Stage 1 will be for Class A Certifications, meaning cloud service providers that are already FedRAMP ready. Stage 2 includes cloud service providers who are willing to adopt the required Balance Improvement Releases and have met at least one of the following criteria between 1/1/2025 and 3/1/2026:
- FedRAMP Ready on the FR Marketplace
- In Process on the FR Marketplace
- Completed a FedRAMP Ready assessment with a Readiness Assessment (RAR)
- Completed a full FedRAMP assessment with a Security Assessment Plan and Security Assessment Report (SAP/SAR)
In stage 3, GSA hopes to include any cloud service provider using an external security framework that is 80+% compatible with FedRAMP Rev 5 requirements.
Who Does FedRAMP Apply to?
If you are a cloud service provider who works with the federal government and creates, collects, stores, processes, or transmits federal data on the cloud, then FedRAMP is for you. All federal agencies are required to procure from cloud service providers who are FedRAMP authorized, so it’s a crucial certification to get.
Need Help Managing Your GSA Contract?
FedRAMP is just one step for cloud services providers acquiring a GSA Schedule contract and selling successfully to the government. You also need to stay on top of managing your GSA Schedule from basic modifications, to sales reporting, and contract assessments. If you have questions about FedRAMP, or need help obtaining or managing your GSA Schedule, we are here to help.
