FedRAMP Drops "Validated" Label — All Authorizations Become "FedRAMP Certified"
Notice NTC-0004, published February 25, 2026, delivers the initial outcome of RFC-0020. The proposed "Validated vs. Certified" split is abandoned. Every FedRAMP authorization will now carry a single label — FedRAMP Certified — with baselines reorganized into Classes A through D.
Full CR26 rules due by End of June 2026 · This notice covers initial outcomes only
The short version: RFC-0020 proposed splitting FedRAMP into "Certified" (Rev5) and "Validated" (20x). After public comment, FedRAMP reversed course — there will be one label ("FedRAMP Certified"), and the old Low/Moderate/High impact levels will be replaced by Classes A, B, C, and D. The 20x path gets no separate name but will be filterable in the Marketplace.
4 Key Outcomes from NTC-0004
Single label: "FedRAMP Certified"
All FedRAMP authorizations — Rev5 and 20x — will use the single designation "FedRAMP Certified" or "FedRAMP Certification." No separate "Validated" label. The FedRAMP Authorization Act defines a FedRAMP authorization as "a certification that a cloud computing product or service has completed a FedRAMP authorization process."
No extra baselines for corrective actions
FedRAMP will not create additional certification baselines that factor for corrective actions or implementation of recommendations. The proposed Levels 4 and 6 from RFC-0020 are dropped. Information about corrective actions will be shared separately with agencies via the Marketplace.
Classes, not numbers or levels
To avoid confusion with the DoD/DoN Impact Level (IL) system, FedRAMP is replacing the proposed 1–6 numbering with Classes A, B, C, and D. Classes reflect the scope and depth of the assessment package — not the total security quality of the cloud service.
4 baselines remain, minor changes only
FedRAMP will continue with 4 assessment baselines. Requirements are not changing — only the labels. A transition period will run old and new labels in parallel. Full details will publish in the FedRAMP Consolidated Rules for 2026 (CR26), due by end of June 2026.
The New Certification Classes
Classes reflect depth of assessment package — not total security quality
Low-intensity, high-speed automated authorizations. New pilot baseline with no direct Rev5 predecessor.
Standardized low-impact services. Encompasses the current Li-SaaS and Low baselines.
The core Moderate impact baseline. Where the bulk of 20x automation requirements will land.
High-impact services with complex security requirements.
What This Means for 20x Providers
No branding win, but no branding loss
The 20x path no longer gets the "Validated" premium label, but it also isn't second-class. The Marketplace will surface 20x providers via metadata filters — the differentiation is operational, not cosmetic.
Class C is where 20x automation lives
Most SaaS providers pursuing 20x should align with Class C (the former Moderate baseline). This is where the bulk of persistent validation, OSCAL evidence, and automated telemetry requirements will be formalized in CR26.
CR26 is the document to watch
The FedRAMP Consolidated Rules for 2026 publish by end of June 2026. That document will contain the full technical specifications for each Class. Everything in NTC-0004 is initial outcome — not final policy.
Transition period for old labels
FedRAMP will run old and new labels in parallel during a transition period. Rev5 providers will see "Low → Class B", "Moderate → Class C", "High → Class D" linkages before old labels are retired.
Auditor's Perspective
Independent commentary — not official FedRAMP guidance
"This is a classic Pivot to Sanity. The PMO realized that if they told an agency they couldn't buy a 'Certified' product because it wasn't 'Validated,' they would have a legal and procurement mutiny on their hands. For CSPs, this means the pressure is off for a name change — but the pressure is very much ON to ensure your package meets the technical requirements of Class C, which is where the bulk of 20x automation will happen. Watch CR26 in June like a hawk."
Implementation Steps for Providers
Update your marketing — carefully
Remove references to "FedRAMP Validated." Replace with "FedRAMP Certified (Class C)" or "FedRAMP Certified (Class D)" as appropriate. Do not finalize until CR26 publishes — transition labels will run in parallel.
Focus 20x efforts on Class C specifications
Most SaaS providers should align 20x automation work with Class C. This is where persistent validation, machine-readable evidence, and OSCAL telemetry requirements will concentrate.
Prepare your OSCAL data for Marketplace filters
The differentiation between Rev5 and 20x paths will happen via Marketplace metadata, not label names. Ensure your OSCAL package correctly identifies your authorization path so agencies can find you in filtered searches.
Monitor for CR26 — due by end of June 2026
NTC-0004 is the initial outcome only. The FedRAMP Consolidated Rules for 2026 will contain final technical specifications for all four classes. Block time in May to review the draft when it drops.
Related on This Site
Sources
NTC-0004 published February 25, 2026. This analysis published February 26, 2026. CR26 final rules due by end of June 2026 — this page will be updated when published.