The 2026 Marketplace Rules: Pricing, Sponsorship, and Corrective Action
Notice NTC-0005, published February 25, 2026, delivers the initial outcomes of RFC-0021. It's a mixed bag for CSPs — a major win on pricing transparency, clarifications on the sponsorship "Pick One" rule, tighter 3PAO requirements, and a corrected 1-month penalty for bad-faith submissions.
Final CR26 rules due by End of June 2026 · This notice covers initial outcomes only
The short version: FedRAMP won't publish your pricing. 3PAOs must actually do assessments to keep their badge. The "Pick One" path rule only applies when FedRAMP itself is your sponsor. CSPs must now publish security goals in Ongoing Authorization Reports. The 1-month resubmission penalty is real — but only for demonstrably bad submissions.
7 Key Outcomes from NTC-0005
No pricing transparency — MKT-GEN-SPI deleted
Industry WinFedRAMP will not request, store, or publish pricing information for cloud services, independent assessors, or advisory services. Agencies wanted centralized pricing data, but industry objected universally. MKT-GEN-SPI is struck entirely.
Advisory service attestations made optional
Industry WinMKT-ADV-ATT is rewritten as an optional rule. Advisory services are no longer required to maintain positive attestations from CSPs to be listed in the Marketplace. At least initially, advisory listings will not require demonstration of quality.
3PAO "use it or lose it" — 2 assessments per 2 years
ClarificationMKT-RIA-ATT is modified to require at least 2 assessments (initial or annual) every 2 years. The 2-year clock starts at date of FedRAMP recognition OR date of publication, whichever is most recent. A 6-month grace period and a hardship path exist for circumstances outside the assessor's control.
"Pick One" clarified — PMO-sponsored only
ClarificationMKT-GEN-PKO is updated to make clear that the Rev5-or-20x choice applies only to Program Certification, where FedRAMP itself is the sponsor. A CSO can hold an agency-sponsored Rev5 authorization alongside a PMO-sponsored 20x certification — though FedRAMP warns this would be "very complicated and likely result in significant confusion."
Continuous Progress is now a public commitment
ClarificationMKT-PRE-DCP is updated: CSPs must include specific security goals in their Ongoing Authorization Reports. FedRAMP explicitly frames this as a marketing and customer experience opportunity — a chance to showcase forward momentum to prospective agency buyers.
1-month penalty clarified — minor issues exempt
Industry WinMKT-FRX-TAT corrects an error in the RFC: the penalty is 1 month (not 3). FedRAMP will not penalize for minor issues easy to correct. The penalty targets bad-faith submissions where a package is demonstrably insufficient or requires repeated follow-up requests.
JSON schemas coming for assessor and advisory web requirements
ClarificationMKT-ADV-WEB and MKT-RIA-WEB will be updated in CR26 to include a JSON schema and validation instructions for required web information. This is part of the broader machine-readable push across the 2026 consolidated rules.
Identifier Changes Summary
Final identifiers will be updated to match FedRAMP Machine Readable naming conventions in CR26
Service Pricing Information — no longer required. Pricing data stays private.
Advisory Service Attestation Requirements — rewritten as optional. Advisory listings no longer require positive attestations from CSPs.
Independent Assessor Attestation — must complete 2 assessments (initial or annual) every 2 years. 6-month grace period and hardship path included.
Target Authorization Time penalty — corrected from 3 months to 1 month. Minor issues exempt. Aimed at bad-faith or demonstrably insufficient submissions only.
Demonstration of Ongoing Demand — now only applies to services without an agency ATO. Not an oversight mechanism; used for aggregate resource justification only.
"Pick One" rule — explicitly applies only to Program Certification (PMO-sponsored). Agency-sponsored services can pursue both paths separately.
Demonstrating Continuous Progress — CSPs must include specific security goals in Ongoing Authorization Reports. FedRAMP frames this as a marketing opportunity.
Auditor's Perspective
Independent commentary — not official FedRAMP guidance
"NTC-0005 is a clear message: FedRAMP is cleaning house. By removing inactive 3PAOs and forcing CSPs to choose a single Program path, they are trying to reduce the massive backlog. For CSPs, the biggest takeaway is MKT-PRE-DCP — Demonstrating Continuous Progress. You now have to include specific security goals in your Ongoing Authorization Reports and they will be publicly visible. If you aren't showing progress, you're at risk for corrective action. Treat your Authorization Report like a product roadmap — because that's exactly what it's becoming."
What This Means For You
CSPs on the Rev5 path
Your pricing stays private. If you're PMO-sponsored, you must choose Rev5 OR 20x — not both. Start including security goals in your Ongoing Authorization Reports now, before CR26 makes it mandatory.
CSPs pursuing 20x
You can hold a separate agency-sponsored Rev5 authorization alongside your 20x certification — but FedRAMP warns it's complicated. Ensure your OSCAL data correctly identifies your path for Marketplace filter visibility.
3PAOs and independent assessors
2 assessments every 2 years starting from your recognition date or publication date, whichever is later. A 6-month grace period exists, plus a hardship path. If you're holding FedRAMP recognition without performing assessments, address this now.
Advisory services
MKT-ADV-ATT attestations are now optional. You no longer need positive attestations from CSPs to list in the Marketplace. A JSON schema for your web information is coming in CR26.
Related on This Site
Sources
NTC-0005 published February 25, 2026. This analysis published February 26, 2026. CR26 final rules due by end of June 2026 — this page will be updated when published.