What is FedRAMP?
The Federal Risk and Authorization Management Program is the U.S. government's standardized security assessment approach for cloud services consumed by federal agencies. A cloud service provider works with a federal agency sponsor to have its service assessed against a FedRAMP baseline; agencies across government can then rely on that result rather than each repeating the review.
Two things changed in 2026, and most published guidance — including a lot of what still ranks in search — has not caught up. "FedRAMP Authorization" is now "FedRAMP Certification," and the Low / Moderate / High impact levels are now Certification Classes: Class B (Low), Class C (Moderate), Class D (High), with Class A as the Pilot tier. And on June 24, 2026 FedRAMP released the Consolidated Rules for 2026 (CR26) — one ruleset that governs how every submission is reviewed, optional from July 4, 2026 and mandatory for all stakeholders on January 1, 2027.
The control baselines did not change with the rename. Nearly everything about how you author, submit, and maintain the package did.
Who needs FedRAMP?
Any cloud service provider whose customer includes — or wants to include — a U.S. federal agency. That includes IaaS, PaaS, and SaaS offerings. A modern SaaS company winning its first federal contract almost always discovers that FedRAMP is the technical precondition to the deal, not a line item to negotiate.
The typical first target is Moderate — now Class C, which covers the majority of federal CUI workloads. Class D (High) is reserved for higher-impact federal systems. Class B (Low) is rarely a commercial target on its own — most providers start at Moderate because the delta is narrow and Moderate opens meaningfully more agency demand.
20x Certification vs Rev 5 Certification
This is the live path choice under CR26, and it replaces the old "Agency ATO vs JAB P-ATO" decision entirely. The Joint Authorization Board no longer exists — GSA replaced it with the FedRAMP Board in May 2024, and the JAB P-ATO path went with it. Any guidance still telling you to weigh an Agency path against a JAB path predates that change by two years; if a consultant is still framing the decision that way, that tells you something.
FedRAMP 20x — the automation-first path built on Key Security Indicators and machine-readable evidence. It is where the program is going. All Class A packages now run under the 20x rules. The Class A pipeline opens August 3, 2026; Class B and Class C pipelines open August 31, 2026.
FedRAMP Rev 5 — the traditional control-baseline path, itself rebuilt by NTC-0013: you now set and justify your own control parameters rather than inheriting FedRAMP's, and the SSP / SAR / CIS / CRM templates are replaced by a machine-readable Certification Package. This is a closing window — FedRAMP stops accepting applications for new Rev 5 certifications on June 11, 2027.
The practical read: a provider starting fresh today should be planning against 20x and the CR26 rules rather than authoring a Rev 5 package it will later have to convert. A provider already holding a Rev 5 certification has a sequence of dated obligations through 2027, not a single cutover — we map that in the [CR26 explainer](/insights/fedramp-consolidated-rules-2026/).
What a FedRAMP engagement actually looks like
Twelve to eighteen months is the realistic Moderate (Class C) window for a provider with a clean architecture and an engaged sponsor. The shape:
- Months 0–3 — sponsor engagement, certification boundary definition, initial package scaffold.
- Months 3–6 — documentation deepening, gap remediation, 3PAO selection.
- Months 6–9 — 3PAO security assessment and the assessment report.
- Months 9–12 — agency review, remediation cycles, certification issuance.
- Month 12+ — continuous monitoring begins.
One thing to flag about that last step, because it is where stale guidance does real damage: continuous monitoring is no longer a flat monthly scan cadence. NTC-0014 moves certified providers to the exposure- and threat-based VDR and VER rules — mandatory December 7, 2026, with non-compliant certifications revoked after March 7, 2027. Designing a ConMon program around monthly scanning today is designing to a model with an expiration date.
The single widest variable is sponsor responsiveness, not technical quality. Engagements that slip usually slip on the sponsor's review cycle, not on the provider's implementation.
Why Fortinetics for FedRAMP
End-to-end execution, not gap-analysis-and-leave. We author the package, coordinate with the 3PAO, run remediation, and stay through certification issuance and the first ConMon cycles. Our value is in the judgment calls across the package, not a binder handed off at month three.
We track the rules as they move. CR26 has shipped multiple rule releases since its June 24 launch — Class A moving fully to the 20x rules, the assessment grace period changing from "completed after" to "started after," the Ready Conversion and Lost Sponsor pipelines merging. We read the changelog so your package doesn't get authored against last month's ruleset.
Evidence-as-byproduct design. The ConMon cadence starts the day certification is issued. We design the program so deliverables are automated artifacts of normal operations — not a reconstruction exercise that erodes engineering velocity.
Framework overlap advantage. Many providers pursuing FedRAMP also need SOC 2, ISO 27001, or DoD IL4/IL5. We run these in parallel rather than sequentially when the buyer demands it, with shared controls and a shared evidence pipeline.