Fortinetics
← Frameworks · FEDERAL CLOUD

FedRAMP Low, Moderate, and High are now Classes B, C, and D. The realistic path to federal certification.

FedRAMP certification is the gate between a commercial cloud service and federal customers. The technical work is well-scoped; the program management is where most first-time providers lose six months. We run the package end-to-end — sponsor coordination, Certification Package authoring to assessor grade, 3PAO engagement, gap remediation, and the continuous-monitoring program that begins the day certification is issued.

12–18 mo
Moderate (Class C) timeline
CR26
Ruleset in force — mandatory Jan 1, 2027
20x or Rev 5
Certification paths supported

What is FedRAMP?

The Federal Risk and Authorization Management Program is the U.S. government's standardized security assessment approach for cloud services consumed by federal agencies. A cloud service provider works with a federal agency sponsor to have its service assessed against a FedRAMP baseline; agencies across government can then rely on that result rather than each repeating the review.

Two things changed in 2026, and most published guidance — including a lot of what still ranks in search — has not caught up. "FedRAMP Authorization" is now "FedRAMP Certification," and the Low / Moderate / High impact levels are now Certification Classes: Class B (Low), Class C (Moderate), Class D (High), with Class A as the Pilot tier. And on June 24, 2026 FedRAMP released the Consolidated Rules for 2026 (CR26) — one ruleset that governs how every submission is reviewed, optional from July 4, 2026 and mandatory for all stakeholders on January 1, 2027.

The control baselines did not change with the rename. Nearly everything about how you author, submit, and maintain the package did.

Who needs FedRAMP?

Any cloud service provider whose customer includes — or wants to include — a U.S. federal agency. That includes IaaS, PaaS, and SaaS offerings. A modern SaaS company winning its first federal contract almost always discovers that FedRAMP is the technical precondition to the deal, not a line item to negotiate.

The typical first target is Moderate — now Class C, which covers the majority of federal CUI workloads. Class D (High) is reserved for higher-impact federal systems. Class B (Low) is rarely a commercial target on its own — most providers start at Moderate because the delta is narrow and Moderate opens meaningfully more agency demand.

20x Certification vs Rev 5 Certification

This is the live path choice under CR26, and it replaces the old "Agency ATO vs JAB P-ATO" decision entirely. The Joint Authorization Board no longer exists — GSA replaced it with the FedRAMP Board in May 2024, and the JAB P-ATO path went with it. Any guidance still telling you to weigh an Agency path against a JAB path predates that change by two years; if a consultant is still framing the decision that way, that tells you something.

FedRAMP 20x — the automation-first path built on Key Security Indicators and machine-readable evidence. It is where the program is going. All Class A packages now run under the 20x rules. The Class A pipeline opens August 3, 2026; Class B and Class C pipelines open August 31, 2026.

FedRAMP Rev 5 — the traditional control-baseline path, itself rebuilt by NTC-0013: you now set and justify your own control parameters rather than inheriting FedRAMP's, and the SSP / SAR / CIS / CRM templates are replaced by a machine-readable Certification Package. This is a closing window — FedRAMP stops accepting applications for new Rev 5 certifications on June 11, 2027.

The practical read: a provider starting fresh today should be planning against 20x and the CR26 rules rather than authoring a Rev 5 package it will later have to convert. A provider already holding a Rev 5 certification has a sequence of dated obligations through 2027, not a single cutover — we map that in the [CR26 explainer](/insights/fedramp-consolidated-rules-2026/).

What a FedRAMP engagement actually looks like

Twelve to eighteen months is the realistic Moderate (Class C) window for a provider with a clean architecture and an engaged sponsor. The shape:

  • Months 0–3 — sponsor engagement, certification boundary definition, initial package scaffold.
  • Months 3–6 — documentation deepening, gap remediation, 3PAO selection.
  • Months 6–9 — 3PAO security assessment and the assessment report.
  • Months 9–12 — agency review, remediation cycles, certification issuance.
  • Month 12+ — continuous monitoring begins.

One thing to flag about that last step, because it is where stale guidance does real damage: continuous monitoring is no longer a flat monthly scan cadence. NTC-0014 moves certified providers to the exposure- and threat-based VDR and VER rules — mandatory December 7, 2026, with non-compliant certifications revoked after March 7, 2027. Designing a ConMon program around monthly scanning today is designing to a model with an expiration date.

The single widest variable is sponsor responsiveness, not technical quality. Engagements that slip usually slip on the sponsor's review cycle, not on the provider's implementation.

Why Fortinetics for FedRAMP

End-to-end execution, not gap-analysis-and-leave. We author the package, coordinate with the 3PAO, run remediation, and stay through certification issuance and the first ConMon cycles. Our value is in the judgment calls across the package, not a binder handed off at month three.

We track the rules as they move. CR26 has shipped multiple rule releases since its June 24 launch — Class A moving fully to the 20x rules, the assessment grace period changing from "completed after" to "started after," the Ready Conversion and Lost Sponsor pipelines merging. We read the changelog so your package doesn't get authored against last month's ruleset.

Evidence-as-byproduct design. The ConMon cadence starts the day certification is issued. We design the program so deliverables are automated artifacts of normal operations — not a reconstruction exercise that erodes engineering velocity.

Framework overlap advantage. Many providers pursuing FedRAMP also need SOC 2, ISO 27001, or DoD IL4/IL5. We run these in parallel rather than sequentially when the buyer demands it, with shared controls and a shared evidence pipeline.

Recent regulatory changes

What changed in FedRAMP, recently.

  • June 2026
    FedRAMP released the Consolidated Rules for 2026 (CR26)

    CR26 consolidates the 20x requirements into one stable ruleset and resets how every certification is reviewed — carrying the Authorization→Certification rename, the NTC-0012/0013/0014 changes, and a machine-readable rules + Certification Package format. Optional early adoption from July 4, 2026; mandatory for all stakeholders January 1, 2027; no new Rev 5 applications after June 11, 2027. FedRAMP has shipped several rule releases since launch — Class A packages now run entirely under the 20x rules.

    Read more →
  • June 2026
    FedRAMP rebuilt the Rev 5 baselines (NTC-0013) — CSPs now set their own control parameters

    NTC-0013 (RFC-0026–0030, inside the Consolidated Rules for 2026) removes most FedRAMP-assigned control parameter values — providers now set and justify their own per NIST — moves FedRAMP-specific guidance into a separate 'FedRAMP Rules' construct, and replaces the SSP/SAR/CRM templates with a machine-readable Certification Package. Mandatory for new Rev 5 applications January 1, 2027.

    Read more →
  • June 2026
    FedRAMP adopted CISA BOD 26-04 for CSPs (NTC-0014) — VDR + VER vulnerability rules

    Two mandatory rulesets — Vulnerability Detection and Response (VDR) and Vulnerability Evaluation and Reporting (VER) — move certified providers off the flat monthly-scan cadence to an exposure/threat-based model (internet-reachability, exploitability, KEV status). Mandatory December 7, 2026; non-compliant certifications revoked after March 7, 2027.

    Read more →
  • June 2026
    FedRAMP finalized its 2026 incident communications overhaul (NTC-0012)

    FedRAMP rebuilt its Incident Communications Procedures: class-based reporting timeframes as tight as 15 minutes for Class D (High), the renamed Potential Agency Impact (PAIN) rating, an optional PAIN5 fast-path default, a new requirement to name affected agencies, and removal of direct CISA reporting. Mandatory July 4, 2026 for 20x certifications and January 1, 2027 for Rev5 and existing pilot holders.

    Read more →
Frequently asked

Questions we get about FedRAMP.

How long does FedRAMP Moderate actually take?
Twelve to eighteen months for a prepared provider with an engaged agency sponsor, from sponsor engagement to certification. The widest variable is sponsor responsiveness — the same provider with the same architecture can see a six-month difference depending on how engaged the agency reviewer is. Note the vocabulary: Moderate is now Certification Class C under the Consolidated Rules for 2026, and the ruleset your package is reviewed against becomes mandatory January 1, 2027.
Is the FedRAMP JAB still a thing? Should we pursue a JAB P-ATO?
No. The Joint Authorization Board was replaced by the FedRAMP Board in May 2024 — GSA announced the new board as the program's official governing body, established by OMB under the FY23 NDAA — and the JAB P-ATO path went away with it. Existing JAB P-ATOs were redesignated rather than reissued. A great deal of published FedRAMP guidance still frames the decision as 'Agency path vs JAB path'; that guidance is at least two years stale. The real path choice today is 20x Certification versus Rev 5 Certification under CR26.
Do we need a federal sponsor to start FedRAMP?
Practically, yes — an engaged agency sponsor is still the on-ramp, and without one the package does not reach certification regardless of technical quality. CR26 acknowledges this directly: it runs a combined Lost Sponsor / Ready Conversion pipeline for providers whose sponsor relationship falls through or who are converting from FedRAMP Ready, opening August 10, 2026. Sponsor responsiveness remains the single widest schedule variable in the whole engagement.
What's FedRAMP Rev 5 and do we need to worry about it?
Rev 5 is the control baseline derived from NIST SP 800-53 Rev 5, and it is now a closing path rather than the default. NTC-0013 rebuilt every Rev 5 baseline inside CR26 — FedRAMP removed most assigned control parameter values, so providers now set and justify their own, and the SSP/SAR/CIS/CRM templates are replaced by a machine-readable Certification Package. FedRAMP stops accepting applications for new Rev 5 certifications on June 11, 2027, and existing Rev 5 certifications adopt the rebuilt baselines at their first independent assessment started after January 1, 2027. A provider starting today should generally be planning against 20x.
Is FedRAMP the same as DoD Impact Level 4 or IL5?
No — DoD CC SRG Impact Levels 2–6 are a DoD overlay on top of FedRAMP. FedRAMP Moderate (Class C) is roughly equivalent to IL2. IL4 and above add DoD-specific controls (US-citizen operators at IL5, GovCloud or equivalent region isolation, stricter ConMon). If your customer is a DoD component, FedRAMP alone is usually insufficient; the IL4/IL5 overlay is required.
Can a compliance platform like Vanta or Drata handle FedRAMP?
Not alone. The platforms are built primarily for SOC 2 and ISO 27001. FedRAMP's package depth, 3PAO assessment methodology, agency-specific review cycles, and continuous-monitoring obligations all require human judgment that the platforms don't automate — and CR26 moved the package to a machine-readable format the platforms don't natively produce. We often use platform tooling for evidence collection alongside the firm engagement — the platform is a tool, not a substitute.
Tools & comparisons
Next step

Book a scoping call.

Thirty minutes. We'll walk through your specific FedRAMP target, current posture, and what a realistic engagement shape looks like. NDA-first when the scoping needs sensitive detail.

Book a scoping call →