FedRAMP Releases Its Consolidated Rules for 2026
The Federal Risk and Authorization Management Program (FedRAMP), a cybersecurity assessment and authorization program for cloud service providers (CSPs) to federal government agencies, has released its "Consolidated Rules for 2026"—a major overhaul of existing FedRAMP requirements, consolidated for the first time in one authoritative ruleset. The Consolidated Rules reorganize how CSPs must obtain and maintain FedRAMP authorizations (called "certifications" in the new rules). The rules are part of the broader FedRAMP 20x initiative and are intended to replace much of FedRAMP's prior documentation with a consolidated ruleset including defined terms, structured evidence, and clear requirements with declarative statements (i.e., "must," "should," and "may"). The Consolidated Rules require CSPs to submit quarterly ongoing certification reports, formalize notification obligations for significant changes to CSP environments, and shorten the notification deadline for some security incidents to as little as 15 minutes.
The effective date for the Consolidated Rules is staggered based on the type of certification a CSP maintains. FedRAMP offers two certification types: "Rev5," a legacy approach that has been the basis of FedRAMP authorizations since the program was created in 2011, and "20x," the newly launched 2025 program. The new rules went into effect on July 4, 2026, for all new 20x certifications and will be fully adopted on January 1, 2027, for existing certifications and new Rev5 certifications (subject to specific effective dates based on ruleset). FedRAMP has made clear that 20x is its preferred approach, as it will stop accepting new Rev5 certifications on June 11, 2027. Below are a number of key changes and takeaways from the Consolidated Rules.
Key Changes and Takeaways
Structure
The Consolidated Rules are intended to bring more structure to FedRAMP requirements. Historically, FedRAMP's rules have been set out in a series of long narrative-style guidance documents, FAQs, and other informal materials, often making it difficult for CSPs to identify clear program requirements and restrictions. The Consolidated Rules organize requirements into rulesets, subsets, individual rules, applicability criteria, and defined terms. FedRAMP created a machine-readable repository of the rules on GitHub, which represents the official program rules. A human-readable reference version of the rules is available on the FedRAMP website, although FedRAMP emphasizes that only the machine-readable version is authoritative.
Terminology
The Consolidated Rules update and refine many long-standing FedRAMP terms and concepts. In particular, the Consolidated Rules use the term "FedRAMP certification" instead of the prior term "FedRAMP authorization." FedRAMP explains in the Consolidated Rules that it adopted the "certification" nomenclature to avoid confusion with an "Authorization to Operate," which is a distinct approval from a federal agency.
The Consolidated Rules also changed FedRAMP's three "impact levels" (previously Low, Moderate, and High) to four "certification classes," which represent the level of security to be provided by the cloud service: A (a new transitionary class designed for CSPs who plan to achieve a higher certification in the future); B (formerly "Low"); C (formerly "Moderate"); and D (formerly "High").
A third-party assessment organization (3PAO) is now simply referred to as an "independent assessor."
Incident Reporting
The Consolidated Rules overhaul FedRAMP's requirements and processes for CSPs to report security incidents (we discussed these changes in a prior blog post after they were proposed). CSPs no longer need to report incidents involving the mere "potential" loss of confidentiality, integrity, or availability. The Consolidated Rules define a "FedRAMP reportable incident" as "[a]n incident that affects the confidentiality or integrity of federal customer data or is likely to affect the confidentiality or integrity of federal customer data" (emphasis added). Use of the term "likely" instead of "potential" would appear to limit the scope of incidents that CSPs must report under FedRAMP.
The Consolidated Rules also create a separate requirement and process for reporting incidents that affect the availability of cloud services. CSPs will now need to report availability incidents (i.e., an event that disrupts a customer's ability to access systems, data, or services in a timely and reliable way) using their own status service (accessible to FedRAMP and federal agency customers) indicating current and historical availability of core services within their cloud service offering over at least the past 30 days.
Deadlines for reporting security incidents also have been overhauled. Previously, FedRAMP required CSPs to report any security incident within one hour, regardless of severity or other factors. The Consolidated Rules replace that uniform deadline with a tiered approach based on the certification class of the service and a newly introduced severity rating that ranges from N1 (the incident is expected to have a minimal customer effect) to N5 (the incident is expected to have a debilitating customer effect). Under the shortest deadline, CSPs will need to make an "initial" report of a FedRAMP reportable incident within 15 minutes (an N3, 4, or 5 event in a Class D (High) system). At the longest end of the range, initial reports must be filed within one business day (i.e., for an N1 event in a Class A or B system). The rules continue to require that all notifications must be sent to FedRAMP and all impacted federal agencies.
CSPs also are now required to issue initial, ongoing, and final incident reports. As with the deadline for initial reports described above, the required timeline for ongoing and final reports depends on incident severity rating and the certification class of the affected cloud systems. Ongoing reports must be made from every three hours to every business day, and final reports are due from within three hours to three business days of recovery. Ongoing reports must provide information in addition to what was provided in the initial report as such information becomes available, including observed incident activity, indicators of compromise, related CVE, root cause, and response and recovery activities.
CSPs should consider running a tabletop exercise against the new incident reporting requirements, paying particular attention to whether existing workflows can meet the compressed timelines for high-severity incidents.
Broader Continuous Monitoring
The Consolidated Rules rename and substantially broaden requirements for what FedRAMP previously referred to as "continuous monitoring," which FedRAMP criticized as effectively only requiring periodic vulnerability scanning. Under the Consolidated Rules, CSPs must now undergo "ongoing certification," including through submitting "ongoing certification reports (OCRs)." These reports must be created quarterly and must include: any changes or planned changes to FedRAMP certification data, a list of accepted vulnerabilities, a list of transformative changes, updated security recommendations for using the service, a list of all agencies directly using the services, a list of reported incidents or an attestation that no such incidents occurred, and lessons learned and changes planned from any reported incident.
Significant Change Notification
The Consolidated Rules also formalize how CSPs must handle significant changes to their cloud services, which previously required a 30-day notification before any significant change was implemented (now reserved for "transformative" significant changes). CSPs must evaluate potentially significant changes—those that are "likely to substantively affect the security or privacy posture of a system"—and classify them under three new change categories:
- Routine recurring: A significant change "that regularly and routinely recurs as part of ongoing operations, vulnerability mitigation, or vulnerability remediation."
- Adaptive: A significant change "that does not routinely recur and does not introduce substantive potential security risks that need to be assessed in depth."
- Transformative: A significant change "that introduces substantive potential security risks that are likely to affect existing risk determinations and must be assessed in depth."
These categories determine CSPs' obligations to notify FedRAMP and federal agency customers of changes to their systems. "Routine recurring" changes do not require notification, and CSPs may make these changes without notice to or approval from FedRAMP or agencies. For "adaptive" and "transformative changes," a "significant change notification" is required and must contain an explanation of the categorization of the change, description of the change, reason for the change, summary of the customer impact, plan and timeline for the change, and a copy of the impact analysis.
For "adaptive" changes, CSPs must notify federal agencies and FedRAMP within 10 business days of finishing changes and include a summary of any new risks or vulnerabilities identified from the change. For "transformative changes," CSPs must notify federal agencies and FedRAMP: 30 business days before starting the changes with a summary of any likely security impacts or changes in risk, 10 business days before starting the changes with all final plans, five business days after finishing the changes, and five business days after completion of validation of the changes. CSPs must publish updated service documentation within 30 business days after finishing transformative changes, and are encouraged to engage a third-party assessor to review the planned changes before implementation.
+++
Michael Borgia is a partner in DWT's Washington, D.C., office and Andrew Lewis is counsel in the firm's San Francisco office. For questions or more insights, please reach out to the authors or another member of our privacy & security team and sign up for our alerts.