Last commit: Apr 8, 2026 · Verified current as of Apr 12, 2026 · v0.9.43-beta
Living Documentation · Synced from FedRAMP/docs

FedRAMP 20x Resource Hub

Every page in this hub is generated directly from the official FedRAMP machine-readable documentation. When FedRAMP updates their requirements, this hub updates automatically — no manual maintenance required.

11 KSI Themes · 60 Indicators · 49 Glossary Terms · Data Version 0.9.43-beta

Guides & Analysis

NTC-0009 · March 25, 2026

NTC-0009: RFC-0024 Outcome — Rev5 Machine-Readable Packages

RFC-0024 closed March 11. Full OSCAL only required for Class D (High). Classes A/B/C move to semi-structured text. DOCX and XLSX retired. All deadlines push to 2027. CR26 publishes final rules by end of June 2026.

NTC-0008 · March 6, 2026

NTC-0008: The Retirement of "FedRAMP Ready" and the Rev5 Program Certification Path

FedRAMP Ready retires July 28, 2026. Class A Certification replaces it. Sponsorless Class B/C opens to qualifying CSPs that adopt Balance Improvement Releases. Class D still requires an agency sponsor. "Trusted assessor" concept scrapped entirely.

NTC-0007 · March 6, 2026

NTC-0007: The SOC 2 On-Ramp to FedRAMP — Class A Certification via External Frameworks

NTC-0007 (Mar 3, 2026) delivers RFC-0022 outcomes: SOC 2 Type II is the first approved external framework for Class A FedRAMP Certification. Zero reciprocity. 2-year upgrade window. FedRAMP acknowledges SOC 2 quality concerns but proceeds as a pilot test case.

NTC-0005 · February 26, 2026

The 2026 Marketplace Rules: Pricing, Sponsorship, and Corrective Action

NTC-0005 (Feb 25, 2026) delivers RFC-0021 outcomes: pricing transparency dropped, 3PAO use-it-or-lose-it (2 assessments/2 years), "Pick One" clarified for PMO-sponsored only, and the 1-month resubmission penalty explained.

NTC-0004 · February 26, 2026

FedRAMP Drops "Validated" Label — All Authorizations Become "FedRAMP Certified"

NTC-0004 (Feb 25, 2026) delivers the RFC-0020 outcome: no "Validated" vs "Certified" split, one unified label, and baselines reorganized into Classes A–D. CR26 rules due June 2026.

RFC-0020 · February 22, 2026

RFC-0020: FedRAMP Certified vs. Validated — The New 2026 Designations

RFC-0020 proposed splitting "FedRAMP Authorized" into Certified (Rev5) and Validated (20x). Closed February 19, 2026. Superseded by NTC-0004 — the Validated label was dropped.

Mandatory · February 21, 2026

The Master Guide to the FedRAMP Secure Configuration Guide (SCG)

The SCG is mandatory for all Rev5 CSPs effective March 1, 2026. Three-strike enforcement begins immediately — public non-compliance, authorization revocation, then Marketplace removal.

KSI Themes

KSI-AFR · 10 indicators

Authorization by FedRAMP

A secure cloud service provider seeking FedRAMP authorization will address all FedRAMP 20x requirements and recommendations, including government-specific requirements for maintaining a secure system and reporting on activities to government customers.

KSI-CMT · 4 indicators

Change Management

A secure cloud service provider will ensure that all changes are properly documented and configuration baselines are updated accordingly.

KSI-CNA · 8 indicators

Cloud Native Architecture

A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the confidentiality, integrity and availability of the system.

KSI-CED · 4 indicators

Cybersecurity Education

A secure cloud service provider will educate their employees on cybersecurity measures, testing them persistently to ensure their knowledge is satisfactory.

KSI-IAM · 7 indicators

Identity and Access Management

A secure cloud service offering will protect user data, control access, and apply zero trust principles.

KSI-INR · 3 indicators

Incident Response

A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement.

KSI-MLA · 5 indicators

Monitoring, Logging, and Auditing

A secure cloud service offering will monitor, log, and audit all important events, activity, and changes.

KSI-PIY · 5 indicators

Policy and Inventory

A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured.

KSI-RPL · 4 indicators

Recovery Planning

A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss during incidents and contingencies.

KSI-SVC · 8 indicators

Service Configuration

A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources.

KSI-SCR · 2 indicators

Supply Chain Risk

A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources.

Recently Updated Terms

Accepted Vulnerability

A vulnerability that the provider does not intend to fully mitigate or remediate, OR that has not or will not be fully mitigated or remediated within the maximum overdue period recommended or required by FedRAMP.

FRD-ACV

Adaptive

The type of significant change that does not routinely recur but does not introduce substantive potential security risks that need to be assessed in depth.

FRD-ADP

Agency

Has the meaning given in 44 U.S. Code § 3502 (1), which is "any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include—(A) the Government Accountability Office; (B) Federal Election Commission; (C) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (D) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities."

FRD-AGY

All Necessary Assessors

All entities who participate in the FedRAMP assessment of a cloud service offering in the context of a FedRAMP program authorization. This always includes FedRAMP and any FedRAMP recognized independent assessor contracted by the provider to perform a FedRAMP assessment.

FRD-ANA

All Necessary Parties

All entities whose interests are affected directly by activity related to a specific cloud service offering in the context of a FedRAMP authorization. This always includes FedRAMP and any agency customer who is operating the cloud service offering, but may include additional parties depending on agreements made by the cloud service provider (such as consultants or third-party assessors). Potential agency customers or third-party cloud service providers should also be included in most cases but this is not a mandatory requirement under FedRAMP as ultimately the cloud service provider may choose who they wish to do business with.

FRD-ANP

Authorization data

The collective information required by FedRAMP for initial and ongoing assessment and authorization of a cloud service offering, including the authorization package.

FRD-AUD

All content synced from github.com/FedRAMP/docs · Version 0.9.43-beta · Last updated 2026-04-08

Independent community tool. Not affiliated with GSA or any 3PAO.