Guides & Analysis

NTC-0009: RFC-0024 Outcome — Rev5 Machine-Readable Packages

RFC-0024 closed March 11. Full OSCAL only required for Class D (High). Classes A/B/C move to semi-structured text. DOCX and XLSX retired. All deadlines push to 2027. CR26 publishes final rules by end of June 2026.

NTC-0008: The Retirement of "FedRAMP Ready" and the Rev5 Program Certification Path

FedRAMP Ready retires July 28, 2026. Class A Certification replaces it. Sponsorless Class B/C opens to qualifying CSPs that adopt Balance Improvement Releases. Class D still requires an agency sponsor. "Trusted assessor" concept scrapped entirely.

NTC-0007: The SOC 2 On-Ramp to FedRAMP — Class A Certification via External Frameworks

NTC-0007 (Mar 3, 2026) delivers RFC-0022 outcomes: SOC 2 Type II is the first approved external framework for Class A FedRAMP Certification. Zero reciprocity. 2-year upgrade window. FedRAMP acknowledges SOC 2 quality concerns but proceeds as a pilot test case.

The 2026 Marketplace Rules: Pricing, Sponsorship, and Corrective Action

NTC-0005 (Feb 25, 2026) delivers RFC-0021 outcomes: pricing transparency dropped, 3PAO use-it-or-lose-it (2 assessments/2 years), "Pick One" clarified for PMO-sponsored only, and the 1-month resubmission penalty explained.

FedRAMP Drops "Validated" Label — All Authorizations Become "FedRAMP Certified"

NTC-0004 (Feb 25, 2026) delivers the RFC-0020 outcome: no "Validated" vs "Certified" split, one unified label, and baselines reorganized into Classes A–D. CR26 rules due June 2026.

RFC-0020: FedRAMP Certified vs. Validated — The New 2026 Designations

RFC-0020 proposed splitting "FedRAMP Authorized" into Certified (Rev5) and Validated (20x). Closed February 19, 2026. Superseded by NTC-0004 — the Validated label was dropped.

The Master Guide to the FedRAMP Secure Configuration Guide (SCG)

The SCG is mandatory for all Rev5 CSPs effective March 1, 2026. Three-strike enforcement begins immediately — public non-compliance, authorization revocation, then Marketplace removal.