NTC-0007: The SOC 2 On-Ramp to FedRAMP — Class A Certification via External Frameworks
Notice NTC-0007, published March 3, 2026, delivers the initial outcome of RFC-0022. SOC 2 Type II becomes the first — and currently only — approved external framework for a Class A FedRAMP Certification. It's a transitional on-ramp, not a shortcut: zero reciprocity, 2-year upgrade window, and compensating controls required for anything beyond low-risk pilot use.
Full CR26 rules due by end of June 2026 · This notice covers initial outcomes only
The short version: If you have a SOC 2 Type II report, you can now pursue a Class A FedRAMP Certification without a full Rev5 assessment or 20x KSI validation — but only for pilot or low-risk agency use. You have 2 years to schedule a Class B/C/D assessment before your Class A lapses. No credit carries over. FedRAMP knows SOC 2 has quality problems and is using it as a test case anyway.
Zero Reciprocity — This Is Not a Shortcut
FedRAMP is explicit: "No reciprocity is intended or will be granted in this process." A Class A Certification does not bridge to Class B, C, or D. Any provider seeking long-term or non-pilot agency use must pursue a full FedRAMP Certification independently. Your SOC 2 evidence does not carry forward.
What Class A FedRAMP Certification Actually Is
Class A exists to address a specific problem: agencies have been conducting their own informal pilot authorizations outside the FedRAMP process, preventing government-wide reuse. Class A formalizes and standardizes that pilot pathway — it is not intended as a permanent authorization.
Intended use: Negligible or low-risk pilot use only. Agencies must add compensating controls for higher security objectives or non-pilot use.
Certification type: Program Certification only (PMO-sponsored). No agency sponsor required. Available for both Rev5 and 20x, with different requirements for each.
Upgrade deadline: 2 years from Preparation phase listing to schedule a Class B, C, or D IV&V or Independent Assessment.
Reciprocity: None. SOC 2 evidence does not transfer to Class B/C/D; a separate full assessment is required.
Approved External Frameworks
Additional frameworks added incrementally — staggered based on demand and pipeline capacity
SOC 2 Type II
Status: Initial (active). The only framework approved at launch. FedRAMP acknowledges quality concerns with SOC 2 audits but is using it as the initial test case given its widespread agency adoption.
ISO/IEC 27001
Status: Future (TBD). Originally proposed in RFC-0022. Will be added incrementally based on demand, throughput, and relevance. No timeline confirmed.
HITRUST e1 / i1 / r2
Status: Future (TBD). Originally proposed in RFC-0022. Staggered implementation based on level of effort and review pipeline depth.
StateRAMP / GovRAMP
Status: Future (TBD). Originally proposed in RFC-0022. Implementation timeline not confirmed in NTC-0007.
CMMC Level 2
Status: Future (TBD). Originally proposed in RFC-0022. Implementation timeline not confirmed in NTC-0007.
Why SOC 2 First — And Why FedRAMP Is Worried About It
SOC 2 Type II is the most widely used external framework by agencies for informal pilot authorizations today — which is exactly why FedRAMP is starting there. But the official notice is unusually candid about its limitations.
FedRAMP is "aware of concerns about the quality and reliability of SOC 2 Type II audits and current trends with these audits as stated in public comment." The program is proceeding anyway because Class A is transitional — the expectation is that agencies will require CSPs to pursue a full Class B/C/D certification before any production use.
This is a notable departure from how external frameworks have historically been discussed in FedRAMP. The PMO is essentially saying: we know this isn't rigorous enough for production use, but it's better than the informal pilot process happening outside our visibility.
FedRAMP 20x Class A: The primary Class A path. Designed for industry companies that have not invested in Rev5. Uses KSI assessment and 20x requirements alongside SOC 2 Type II evidence. Full details in CR26.
Rev5 Class A: Established separately via NTC-0008 / RFC-0023, for providers already invested in the Rev5 path. Separate requirements apply; see the NTC-0008 guide for details.
Identifier Outcomes from NTC-0007
Final names will update to match FedRAMP Machine Readable naming conventions in CR26
Deadline for FedRAMP Validation
Removed entirely. Replaced by agency guidance encouraging conditional ATOs that require CSPs to pursue a higher class if use continues beyond pilot.
Negligible or Low Risk Use Cases
Removed. Replaced by MKT-LEF-LIO (Low Impact Only), which clarifies that agencies SHOULD deploy compensating controls for higher security objectives or non-pilot use.
Require Ongoing FedRAMP Qualification
Removed. M-24-15 already requires agencies to obtain and maintain FedRAMP Certifications for services they use — no need to re-emphasize for Class A.
Approved Security Frameworks
Initial list limited to SOC 2 Type II only. Other frameworks (ISO 27001, HITRUST, CMMC, StateRAMP) added incrementally over time based on demand and pipeline capacity.
Deadline for Authorization
Updated to require CSPs to schedule an IV&V (20x) or Independent Assessment (Rev5) for a Class B, C, or D Certification within 2 years of Preparation phase listing. Applies to Class A Certified offerings.
Low Impact Only
Updated to clarify agencies SHOULD deploy compensating controls when using a Class A Certification for ATOs with higher security objectives or for non-pilot use cases.
Mapping to Key Security Indicators
Primary path designed for FedRAMP 20x, using KSI assessment. Rev5 Class A path established separately via NTC-0008/RFC-0023.
Auditor's Perspective
Independent commentary — not official FedRAMP guidance
"The SOC 2 on-ramp is useful exactly once: to get a foot in the door with a federal agency that wants to pilot your product without waiting 18 months for a full authorization. But don't mistake it for a compliance win. The 2-year clock starts the moment you list in the Preparation phase, not when you get the Class A badge — and your SOC 2 evidence is worthless when you start your Class C assessment. The smart play is to use the pilot period to build real agency demand, then convert that demand into an agency ATO sponsor for Class C. Class A without a clear upgrade plan is just an expensive delay."
What This Means For You
CSPs with SOC 2 Type II — not yet in FedRAMP
You now have a formal on-ramp. Class A lets agencies pilot your product without you completing a full FedRAMP assessment. Start your Preparation phase listing, but simultaneously scope your Class B/C requirements — the 2-year clock is real.
CSPs pursuing 20x
Class A is the primary path from NTC-0007. If you have a SOC 2 report, this accelerates your time-to-first-agency-customer significantly. KSI mapping requirements still apply alongside your SOC 2 evidence.
CSPs on Rev5 with SOC 2
Your Rev5 Class A path comes from NTC-0008, not this notice. The SOC 2 external framework path is primarily designed for 20x. If you're already invested in Rev5, focus on NTC-0008's Stage 2 qualifying criteria.
Agency security officials
Class A services are pilot-grade only. When issuing ATOs for Class A certified services, your conditional ATO should explicitly require the CSP to pursue Class B/C/D within the 2-year window if your agency intends continued use.
Sources
NTC-0007 published March 3, 2026. This analysis published March 6, 2026. CR26 final rules due by end of June 2026 — this page will be updated when published.