The first quarter of 2026 is behind us, and that means the next wave of rules, program phases, and other shifts in governmental policy are starting to take effect. One that you may have seen mentioned coming soon is the Consolidated Rules update.
What is CR26, when does it take effect, and what does it do? We’ve been eyeing this update for months now, because it makes some very exciting changes, so let’s go through it and see how it will affect the FedRAMP process.
BLUF - Bottom Line Up Front
BLUF - Bottom Line Up FrontCR26 (Consolidated Rules 2026) releases end of June 2026 and takes effect Dec 31, 2026 as the FedRAMP baseline through Dec 31, 2028. It calls authorization "certification", replaces narratives with Key Security Indicators and machine-readable data, swaps impact levels for Certification Classes A–D, requires choice of Rev5 or 20x paths (not interchangeable), moves to change notifications, and updates marketplace, independent assessor, and CONMON rules. Learn new terms, pick a path, and collect JSON evidence.
What is CR26?
CR26 is the official designation for the Consolidated Rules 2026 document that will set the stage for FedRAMP compliance across the next several years. It is currently scheduled to be released at the end of June 2026 (so, the end of Q2), and will remain in effect as the baseline rules document until December 2028.
CR26 is distinct from RFC-0026. RFC-0026 is the 26th Request for Comment of the year, and while it’s part of the feedback process that will contribute to CR26, it is not the whole document. RFC-0026 is, for reference, a clarification on continuous monitoring expectations under the Rev5 FedRAMP process.
The new set of consolidated rules is very important for bringing clarity to a program that has been very disrupted over the last year or two. Many changes have been made recently, from the removal of the JAB process (and the JAB itself) to the pilot 20x program, which has made it difficult to know where you stand. CR26 is meant to give every CSP a clearer idea of how everything will work.
When Does CR26 Take Effect?
Major changes require a lead-up to implement, and the FedRAMP board knows this. Any business that has been keeping up with the various RFCs will have a good idea of what’s coming down the pipe, but many, if not most, CSPs don’t have the time or the luxury to be keeping up with everything FedRAMP puts out.
As such, there will be a six-month period where the rules are published before they take full effect. CR 26 will be released at the end of June 2026, and will take effect and apply to all FedRAMP CSPs by December 31, 2026. After that, the rules will be the base from which CSPs must operate until December 31, 2028; any additional changes, clarifications, and added rules will apply on top of the CR26 baseline.
What is Included in CR26?
While the FedRAMP board has been developing the rules for CR26 transparently through a series of Requests for Comment, the final text of the consolidated rules is not yet available. Therefore, we can only speculate on what it will specifically contain, and there’s still time in between this writing and the end of June for more rules and RFCs to be added or changed.
The changes made in CR26 have been a long time coming, with some of the earliest sources of these changes stretching back to March 2025 and the initial pilots of the 20x program. Other RFCs stem from sources of friction and lack of clarity; when enough CSPs express confusion, FedRAMP turns its attention to that issue to figure out how to make it clearer moving forward.
We’ll do our best to cover everything we know that’s coming down the pipe in CR26, but there are still two months for more RFCs and additional rules to be issued and added on. If you want to keep on top of these developments as they happen, the FedRAMP Public Notices feed is their new resource for newly-issued notices.
We’ll cover the biggest and most impactful changes first, and follow with the narrower details as we know them.
First up, one of the biggest changes: FedRAMP will no longer be an authorization process. Instead, it will be renamed to FedRAMP certification, and CSPs that successfully pass their audits will become FedRAMP Certified. Any CSP that is authorized will now be considered to be Certified, and a Certification is considered to be authorization to operate.
This is mostly just a change in terminology, but it reflects the fact that the process is changing and that agencies will no longer need to sponsor CSPs to earn authorization. Instead, CSPs will earn their FedRAMP certification and be able to work with government agencies in a manner similar to other government certifications.
One critical note here is that agencies still have their role to play. While a CSP won’t need to find an agency sponsor before they can even apply, the agency will still need to perform all of the same risk assessment and policy analysis decision-making required to authorize a CSP to work with them. FedRAMP Certification simply means that a baseline validation can be done before the agencies get involved, rather than after.
The goal is to reduce the investment from a months-long, up-front analysis of a CSP performed by an agency, to a days-long review and issuance of authorization by the agency for an already-certified CSP.
This is also a reflection of the removal of the JAB P-ATO process. The new ATO process under FedRAMP 20x is equivalent to a P-ATO, which is functionally identical to a certification under other frameworks.
From Narratives to KSIs
Another significant change is one of language. In the past, a huge source of issues throughout FedRAMP was the narrative-based structure for security. The narrative structure left a lot of room for interpretation. While good for flexibility, this often led to confusion and issues with equal enforcement, as well as “ghost requirements” that were commonly accepted interpretations but were never nailed down.
Part of CR26 is the shift to KSIs, or Key Security Indicators. These are specific metrics and verifiable data points that can be analyzed to a standard baseline. This, too, is part of the shift to machine-readable data, but goes deeper than just the reporting. Expect a lot of changes in language, but not substance, to come with CR26.
From Impact Levels to Classes
FIPS 199 is the document that outlined what FedRAMP impact levels were and how to determine if your CSP was Low, Moderate, or High. This is going away and is being replaced with a new Certification Class system.
For the most part, Certification Classes will map 1:1 to Impact Levels. The main reason for this change is to create unique terminology, so it doesn’t overlap or conflict with DoD, DOQ, or other framework level systems.
- FedRAMP Class A will be the equivalent of the current FedRAMP Ready baseline. FedRAMP Ready will be retired, and while Class A will be slightly different, the Board will have an easy path to convert to Class A quickly and easily.
- FedRAMP Class B will be the equivalent of Li-SaaS and FedRAMP Low baselines.
- FedRAMP Class C will be the equivalent of FedRAMP Moderate baseline (where most CSPs will be).
- FedRAMP Class D will be the equivalent of FedRAMP High baseline.
This will apply to both FedRAMP Rev5 and FedRAMP 20x, and will be codified fully in the CR26 document.
Note that some small number of changes will be made to the baselines to better align the list of required security controls to each class, and reporting requirements will change as well. The specific details will be published in CR26.
Two Paths: Rev5 and 20x
You’ve seen us mention these two versions of the FedRAMP framework. This is another major shift that aligns with, but is not part of, CR26.
Rev5 is the legacy FedRAMP process. It’s more or less what we’ve all been using for years, on its latest iteration. It will be subject to CR26 rules changes.
20x is the new, streamlined version of FedRAMP. It’s designed to emphasize speed, machine-readable data, fast validation, and a rapid turnaround. However, it’s still in the pilot stages, and won’t be fully reviewed by the time CR26 takes effect.
CSPs will have a choice of which path to take once CR26 takes effect, though for some, the choice is made for them.
CSPs that are cloud-native, with easily machine-readable data, and with relatively simple or non-complex systems, will easily qualify for 20x. They will be able to use the Program authorization path for full certification under 20x.
CSPs that have legacy or complex systems, or that are Impact Level High (Class D), will still have to use the Rev5 path. This is because the 20x pilot for Class D won’t be complete by the end of the year, so it won’t be available.
The goal will be for all of FedRAMP to transition to the 20x program, but that likely won’t happen until the end of 2027 or 2028, depending on how well the pilots shake out.
MOST CSPs are going to be simple enough and fall into Class C, so they will be able to use the 20x path for fast, easy certification. Look forward to this streamlining of the program.
One very important note is that Rev5 and 20x are not reciprocal. If you pick one path for certification and later find that the other would have been more appropriate, you will need to start over to earn it. Choose your initial path wisely. We can help you decide, but if possible, 20x is likely the way to go for most CSPs.
Now Required: Machine-Readable Data
A huge part of the push to FedRAMP 20x is the focus on machine-readable and verifiable data. It’s a lot easier to handle an audit when you can have a piece of software review a JSON file than when you have individuals combing through configuration files and logs. As such, 20x has a machine-readable data format expectation built into the framework.
One part of the coming CR26 ruleset is the codification and expectation of machine-readable data whenever possible for all CSPs. This is NOT just limited to 20x. Rev5 CSPs at Class D will be expected to use machine-readable data whenever possible as well.
Significant Changes: From Request to Notification
Another major change is the move from the Significant Change Request process to the new Significant Change Notification process.
Until now, if a CSP wants to make a significant change to their business that would affect how data is handled for their agency partners, they would need to outline the proposed change and submit a Significant Change Request to FedRAMP to be granted permission to make the change.
This led to many CSPs making “for government” branches of their offerings, often with fewer features and less agility, because the process was tedious and time-consuming. It also suppressed many CSPs from trying to work with the government, because asking permission for every new feature is a huge drain on resources and time.
The new change shifts to an “ask forgiveness, not permission” model. CSPs still need to carefully plan and outline their new changes, but they can be implemented and secured before notifying the government about them. There’s a lot of detail to this change depending on the kind of changes being made to the CSP’s service, which we outline in this post.
Small but Huge: Other Changes in CR26
There will likely be a lot more than what we’ve covered here in CR26, but until the full text is available, it’s impossible to outline everything.
Some other details we know about now, which are small but have an outsized impact, include:
- Removal of price information in the marketplace. In the past, FedRAMP expected CSPs to publish pricing information on the marketplace, which caused a lot of problems. After CR26, FedRAMP will no longer ask for or publish pricing information.
- Independent Assessors need to be active. CR26 will require IAs to perform at least two assessments every two years to maintain their status, preventing companies from claiming IA status without ever doing the work.
- Changes to continuous monitoring. Specifically, for CSPs with multiple agency partners, the removal of the JAB also rescinded collaborative CONMON requirements; CR26 will reinstate, clarify, and refine collaborative CONMON rules and reporting requirements.
You can expect more on top of this list as CR26’s release date approaches.
What You Can Do Now to Prepare for CR26
It’s not yet June 2026, so you have some time before the release of CR26, and another six months before the rules laid out in CR26 take effect. What can you do now, as a CSP, to prepare for this future?
Get used to new terminology. Change Notifications, KSIs, Certification, Classes instead of Levels; all of this will take some adjustment. It will also require changes to your communication with clients.
Be prepared for changes to security controls. While the Class baseline is meant to be a very close map to the current impact levels, there will be some changes, which you’ll need to be ready to identify and implement in the six-month grace period.
Pick a path. You can choose to use the older Rev5 path or the newer 20x path. 20x will be much smoother and more streamlined, but not broadly available to every CSP yet. You’ll want to determine which is best for your business.
Get set for machine-readable documentation. One of the biggest changes will be the shift to JSON-based data reporting for as much as feasibly possible. This is where being able to accumulate all of your evidence in one place, like the Ignyte Assurance Platform, will be a huge help.
If you’re concerned about how the rules in CR26 will affect your business or your certification, we’re happy to help. We’ll be right there with you, working through it all, and we’ll be ready to help you navigate these changes effectively. Reach out and contact us today so we’ll be ready to work together when the rules are published.
Dan Page is a seasoned Cybersecurity and Risk Management Executive known for advancing security programs aligned with complex regulatory frameworks and critical business objectives. With over 12 years in information security, his expertise began in the U.S. Army Signal Corps, where he led global communications and secured classified networks supporting Special Operations missions. Post-military, he specializes in security architecture for CUI, ITAR data, and federal cloud workloads. Currently, as Senior Cybersecurity Manager at Ignyte Assurance Platform, Dan guides organizations through compliance with CMMC, FedRAMP, ISO 27001, PCI, and NIST standards. A CISSP, CRISC, CISM, PMP, and ITIL-certified professional, he is also a cybersecurity lecturer and community volunteer advocating workforce development.