RFC-0024 Outcome:
Rev5 Machine-Readable Packages
FedRAMP published NTC-0009 on March 25, 2026 — the initial outcome from RFC-0024. Machine-readable requirements are now scaled by certification class, timelines extend to 2027, DOCX and XLSX are retired, and five Balance Improvement Releases become mandatory for all Rev5 providers.
FedRAMP heard the public comments on RFC-0024 and significantly scaled back the machine-readable requirements. Full OSCAL is now only required for Class D (High). Classes A, B, and C move to semi-structured text. DOCX and XLSX are retired for everyone. All deadlines push to 2027. Final rules publish in CR26 by end of June 2026 — none of these dates will move earlier.
What Changed from RFC-0024
RFC-0024 proposed comprehensive machine-readable OSCAL packages for all Rev5 providers on aggressive timelines. Public comments were nearly universal in pushing back on complexity and timeline. FedRAMP responded by scaling requirements to certification class and extending all deadlines by roughly a year.
The spirit of RFC-0024 carries forward — all Rev5 providers will eventually need machine-readable materials — but the path is now gradual rather than a cliff edge.
Requirements by Certification Class
- Comprehensive machine-readable authorization data required
- All authorization materials — initial and ongoing
- Significant changes integrated twice per year (not within 30 days as originally proposed)
- Deadline: before or during next annual assessment after 2027-11-01
- Some machine-readable data required; bulk in semi-structured text format
- DOCX and XLSX retired — replaced with text-based equivalents
- All authorization materials — initial and ongoing
- Deadline: before or during next annual assessment after 2027-11-01
* Detailed format requirements and exact structure will be published in CR26.
DOCX and XLSX Are Retired
This applies to all certification classes. Word documents and Excel spreadsheets will no longer be acceptable formats for FedRAMP authorization materials. They will be replaced with simple text-based equivalents — the exact formats will be defined in CR26.
✗ .xlsx (Excel)
✓ Machine-readable OSCAL (Class D)
Five Balance Improvement Releases Become Mandatory
These five Balance Improvement Releases will be folded into default Rev5 requirements and replace existing requirements. All must produce related materials in machine-readable format.
Full Timeline — Certified Services
Applies to cloud services with active FedRAMP Certification on each milestone date.
| Deadline | Milestone |
|---|---|
| 2027-01-01 | Mandatory adoption of Significant Change Notifications for all Rev5 cloud services |
| 2027-01-01 | Mandatory adoption of Minimum Assessment Scope before or during next annual assessment |
| 2027-04-02 | Mandatory adoption of Collaborative Continuous Monitoring for all Rev5 cloud services |
| 2027-06-01 | Mandatory adoption of Vulnerability Detection and Response for all Rev5 cloud services |
| 2027-08-01 | Mandatory adoption of Authorization Data Sharing. Connect.gov portal retired. |
| 2027-11-01 | Class A, B, C: semi-structured text authorization data required before or during next annual assessment |
| 2027-11-01 | Class D (High): comprehensive machine-readable authorization data required before or during next annual assessment |
Timeline — New Submissions
Applies to new submissions for FedRAMP Certification after each milestone date. Grace period applies to any service In Process with an Agency prior to 2026-10-01.
| Deadline | Requirement |
|---|---|
| 2027-01-01 | Class A, B, C new submissions must provide semi-structured text authorization data and adopt all five Balance Improvement Releases |
| 2027-05-01 | Class D (High) new submissions must provide comprehensive machine-readable authorization data and adopt all five Balance Improvement Releases |
FedRAMP Will Not Build the Tools
FedRAMP explicitly stated it will not produce, manage, or operate software to help CSPs produce machine-readable materials. The reasoning: government programs cannot do this well, and building such services would require a 3–5x budget increase and take years.
Instead, FedRAMP will establish informal partnerships with non-profit organizations supporting open source capabilities. The OSCAL Foundation is named as the first established partner. Other organizations can reach out to pete@fedramp.gov.
This is a direct market signal for third-party tooling. FedRAMP is explicitly stepping back and saying industry should build the conversion and packaging tools. The door is open for commercial solutions — the kind RampReady is building.
What To Do Right Now
NTC-0009 is preliminary — final requirements publish in CR26 by end of June 2026. None of the dates will move earlier, so use this as your planning baseline.