RFC-0023 Rev5 Program Certifications

[pete-gov]

RFC-0023 Rev5 Program Certifications

❓ Please note that FedRAMP will not answer questions in this thread as it is reserved for public comment. If you would like to ask a question or generally discuss this RFC informally, please use the General discussion / Q&A for RFC-0019 through RFC-0024 thread. Thank you!

Status: Closed
Start Date: January 13, 2026
Closing Date: February 26, 2026

Summary

This RFC proposes a time-limited opportunity for cloud service providers who have already completed significant progress towards a FedRAMP Rev5 Certification but are struggling to find an agency sponsor due to budgetary constraints with agency information security programs. FedRAMP will offer program authorizations for FedRAMP Certification to cloud service offerings at Level 1-4 to cloud service providers who adopt certain optional Rev5 Balance Improvement Releases and undergo a complete independent assessment.

This RFC also proposes a timeline for phasing out FedRAMP Ready in favor of this new path and FedRAMP 20x Validations.

This RFC is aligned with other concurrent RFCs that have additional detail on specific topics but have been published separately to encourage topic-specific comments:

• RFC-0020: FedRAMP Authorization Designations
• RFC-0021: Updating the FedRAMP Marketplace
• RFC-0022: Leveraging External Frameworks
• RFC-0024: Rev5 Machine-Readable Packages

Background

The primary benefit of the agency authorization path for FedRAMP is the distribution of initial costs across the federal government: the legacy Rev4 and Rev5 authorization paths were so expensive for the government that each such initial authorization might cost hundreds of thousands of dollars while ongoing continuous monitoring can cost tens of thousands of dollars. Centralizing authorization along these paths in a single entity like FedRAMP would require considerably more than the $25mil allocated at peak for FedRAMP in FY24 (let alone the $10mil budget FedRAMP operates on today).

A year ago FedRAMP had a backlog of 100+ cloud services waiting for final assessment and authorization and nearly all funding and resources went to eliminating that backlog during the last half of FY25. This was highly successful, and for the last few months there have been less than 10 cloud services in that final review queue for FedRAMP Certification at any given time.

FedRAMP 20x has also focused on making significant improvements to the underlying authorization requirements to drastically reduce the cost and resources required for government review so that FedRAMP can perform a final assessment and authorization for a tiny fraction of this cost. Many of these improvements are being made available along the Rev5 path in the form of Balance Improvement Releases - typically optional changes to the process that results in a quicker, cheaper, more efficient initial and ongoing authorization process.

Motivation

For many years the struggle for agency sponsorship has been the single biggest challenge for cloud service providers to overcome while seeking a FedRAMP authorization. This struggle is even harder today as budgets and resources for many agency information security programs shifted unexpectedly. Many cloud service providers have invested significant effort and funding into the Rev5 authorization path and have realistic demand from agencies but are still unable to finalize an authorization due to the complexity of agency sponsorship expectations.

FedRAMP has spent the past year under an aggressive multi-faceted modernization effort to eliminate the years-long FedRAMP authorization backlog while building and piloting a more efficient and more secure approach to assessment and authorization. Many cloud services that invested in the legacy Rev5 path are interested in the modern approach but are caught between continuing forward on that path or waiting for a formal 20x path that will likely require significant rework in the short term.

At FedRAMP’s current staffing level, and assuming successful implementation of our FY26 and FY27 staffing plan, we are able to take on more Rev5-based assessment and authorizations than we are currently receiving from agency authorizations. We estimate that by applying the improvements to the Rev5 process available via Balance Improvement Releases that we may be able to complete 40-50 program authorizations for Rev5 this year while demand for 20x authorizations builds.

Opening a sponsorless Rev5 Certification path will provide a release valve for agencies and cloud service providers that are currently stuck in limbo pending wide-scale adoption of FedRAMP 20x at the risk of providers investing in a process that will soon be defunct. Nonetheless, given FedRAMP’s mission to ensure civil servants have access to all the modern tools and capabilities that they need, supporting Rev5 Certification for services that are almost ready to go over the next year is the right thing to do.

Ultimately it is up to each business to make its own determination about how to invest resources; if a business wants to invest in a Rev5 Certification while knowing this path is a legacy path that will be phased out over the next few years then so be it; FedRAMP will ensure agencies can use that product in the interim.

Retiring FedRAMP Ready

FedRAMP Ready will be rapidly phased out to prevent unnecessary investment and make room for this new Certification path.

The proposed process for retiring FedRAMP Ready on July 28, 2026 is as follows:

1. FedRAMP Ready will be renamed “Legacy FedRAMP Ready.”
2. FedRAMP will stop accepting any new submissions for FedRAMP Ready.
3. Legacy FedRAMP Ready cloud services will remain listed in this status until the furthest date of either November 17, 2026 or the expiration of their most recent yearly assessment.
4. Legacy FedRAMP Ready cloud services will retain their legacy impact level and will not be FedRAMP Certified.

Proposed Requirements for Rev5 Program Certification

The following term will be defined in FedRAMP materials related to these requirements:

• Trusted Assessor: A FedRAMP-recognized independent assessor with no corrective action in the last 12 months that was the primary assessor for 3 cloud service offerings granted initial FedRAMP Certification in the last 12 months is trusted for FedRAMP Certification; OR a FedRAMP-recognized independent assessor with no corrective action in the last 12 months that was the primary assessor for 3 cloud service offerings granted initial FedRAMP Validation in the last 12 months is trusted for FedRAMP Validation.

  Notes:

• Trusted assessor status applies at the beginning of an assessment - if a trusted assessor loses that status during the assessment, FedRAMP will not hold this against either the cloud service provider or the independent assessor.

• FedRAMP will note trusted assessor status on the FedRAMP Marketplace.

The following requirements apply for all cloud services that wish to obtain and maintain a FedRAMP Program Certification for Rev5 without an agency sponsor; these requirements must be met and assessed prior to submission to FedRAMP.

LPC-FRX-MCM Minimum Continuous Monitoring

FedRAMP MUST provide a minimum level of continuous monitoring for cloud service offerings with a FedRAMP Program Certification, including at least reviewing Ongoing Authorization Reports to ensure the cloud service is maintaining appropriate security measures.

LPC-FRX-GRC Prioritization of Some GRC Tools

FedRAMP SHOULD prioritize the FedRAMP Program Certification of cloud services that can be used by agencies to ingest machine-readable authorization data for the cloud services they use; such GRC automation services will have a separate submission queue where 3 GRC automation services will be FedRAMP Program Certified for every 1 non-GRC automation service as long as demand exists in the GRC automation queue.

Note: This prioritization does NOT apply to all GRC services, ONLY to GRC services that will be used by agencies to oversee federal information systems. Many GRC services are designed for use by commercial cloud services to review the security posture of their own service and produce materials for third parties and would not meet the stated requirement of agency use to oversee federal information systems.

LPC-GEN-PRE Preparation State Listing Required

Providers MUST meet all requirements for a FedRAMP Marketplace listing in the Preparation state prior to submitting an authorization package for FedRAMP Program Certification.

Note: See RFC-0021 Updating the FedRAMP Marketplace, including proposed MKT-PRE requirements and recommendations for context.

LPC-GEN-LVL Level Limited

Providers MUST request FedRAMP Program Certification Level 1, 2, 3, or 4; requests for Program Certification Level 5+ will be immediately denied.

Note: High impact reviews are too expensive and time-consuming with lower demand for reuse - it’s more effective to complete a program authorization for 3-5 services under Level 5 than to complete one for a Level 5 or 6 service.

LPC-GEN-IBR Implement Balance Releases

Providers MUST implement all legacy Rev5 requirements at the appropriate impact level, adjusted to include all mandatory Rev5 Balance Improvement Releases along with the following optional ones:

1. Minimum Assessment Scope
2. Authorization Data Sharing
3. Collaborative Continuous Monitoring
4. Significant Change Notifications
5. Vulnerability Detection and Response

Notes:

• Some of these Balance Improvement Releases are entering wide release, open beta, or closed beta in February 2026.
• For clarification purposes, any optional Balance Improvement Release listed in this requirement is NOT optional for FedRAMP Program Certification, it is mandatory.

LPC-GEN-LMR Legacy Machine-Readable Package Requirements

Providers MUST meet the requirements and recommendations from the final version of FedRAMP’s requirements for Rev5 Machine-Readable Packages.

Notes:

• RFC-0024: Rev5 Machine-Readable Packages contains the relevant proposed requirements; remember that final requirements may vary and this RFC should not be referred to after the comment period.
• These requirements must be addressed in advance of submission for the FedRAMP Program Certification, regardless of the Effective Date for requirements in LFR-MRP. That means any submission prior to September 30, 2026 must meet the requirements regardless.
• There will be no grace periods to meet the requirements in the final LFR-MRP, they must be met in advance of submission.

LPC-GEN-MBA Mandatory Balance Improvement Release Adoption

Providers MUST participate in the first beta for any future mandatory or optional Rev5 Balance Improvement Release, then implement the related requirements and recommendations.

Note: Even future optional Balance Improvement Releases are effectively mandatory while a cloud service is being monitored by FedRAMP.

Corrective Action: Failure to meet this requirement will result in public notification and a 6 month grace period to adopt the related Balance Improvement Release, followed by revocation of FedRAMP Certification for at least 3 months.

LPC-GEN-ATA Assessment by Trusted Assessor

Providers MUST complete a full FedRAMP assessment with a trusted assessor for FedRAMP Certification that includes an attestation of completeness and an overall positive recommendation.

Notes:

• In the event of a dispute about a control or other implementation, cloud service providers or their independent assessor may request public clarification in the FedRAMP Community Rev5 Discussion forum if the matter is not sensitive; otherwise they may jointly email info@fedramp.gov.
• This does not mean that there should be no findings and that everything needs to be perfect, it just means that all of the necessary materials have been provided and that the package is complete so that FedRAMP can perform a final assessment and make a decision without requesting additional materials. The assessor is indicating that FedRAMP has sufficient information to perform this final review without a considerable investment in government resources to seek clarification or missing materials.

LPC-GEN-IRI Included Required Information

Providers MUST ensure all required information is included in the authorization package prior to submission for FedRAMP, including a final attestation and recommendation for submission from the assessor.

Notes:

• The Authorization Data Sharing process explains how to share a FedRAMP authorization package.
• The formal process for submission will be included, with instructions, in these materials when finalized.

Corrective Action: Failure to submit a complete package will result in the following corrective actions depending on severity:

1. Missing information on 10 or less requirements: The cloud service provider will have 5 business days to address the missing requirements or a denial of authorization will be issued and a 1 month resubmission penalty will be applied.
2. Missing information on 11 or more requirements, or any appendix or set of requirements in entirety: A denial of authorization will be issued and a 3 month resubmission penalty will be applied.

LPC-GEN-AVV Assessors Verify and Validate All Requirements

Assessors MUST verify and validate that all requirements for FedRAMP Program Certification have been met by the provider prior to recommending submission to FedRAMP.

Note: This does not mean that there should be no findings and that everything needs to be perfect, it just means that all of the necessary materials have been provided and that the package is complete so that FedRAMP can perform a final assessment and make a decision without requesting additional materials. The assessor is indicating that FedRAMP has sufficient information to perform this final review without a considerable investment in government resources to seek clarification or missing materials.

Corrective Action: If an assessor recommends the submission of a grossly incomplete package that is missing information on 11 or more requirements or any appendix or set of requirements in entirety, corrective action will include public notification resulting in the loss of trusted assessor status for 12 months.

LPC-TIM-EOL End of Life for Legacy Program Certification

Providers MUST submit complete authorization packages for FedRAMP Program Certification before 2PM ET December 16, 2026 (FY27 Q1).

Note: There will be no grace period and any incomplete or insufficient packages submitted before this deadline will be permanently denied. Providers will have access to the FedRAMP 20x Validation program authorization path instead.

[pjavan]

@pete-gov: LPC-GEN-LMR should reference RFC-0023 (not 20) in the notes section

[pete-gov]

(I'll respond to this as it's not a comment on the guidance itself - thank you, fixed! Really thought we had caught all of those after the renumbering but I guess not.)

[rgutwein]

Comment on RFC-0023: Rev5 Program Certifications

This RFC addresses a real and pressing problem: qualified CSPs stranded in authorization limbo due to agency sponsorship constraints rather than security deficiencies. The sponsorless Rev5 path is a pragmatic bridge that honors prior investments while the ecosystem transitions to 20x. I offer the following observations:

On Trusted Assessor Definition

The 3-authorization threshold within 12 months to achieve "trusted" status creates a significant barrier for smaller or specialized 3PAOs. This risks concentrating assessment work among a handful of large firms, potentially reducing competition and increasing costs for CSPs. Consider either:

• A tiered threshold (e.g., 2 authorizations for assessors with 5+ years of FedRAMP recognition and clean records), or
• Allowing "trusted" status to be earned via a combination of completed authorizations and PMO-reviewed sample work product

Additionally, clarify whether authorizations completed under the legacy JAB process count toward the 12-month lookback, or only post-JAB Certifications.

On LPC-GEN-LVL (Level 1-4 Limitation)

The exclusion of Level 5+ is understandable given resource constraints, but leaves High-impact CSPs without a sponsorless path. For CSPs serving national security-adjacent missions (e.g., critical infrastructure sectors), the agency sponsorship bottleneck is often more acute, not less. Consider whether a limited pilot—perhaps 2-3 High authorizations annually, could serve this underserved segment without materially impacting PMO capacity.

On LPC-GEN-MBA (Mandatory Balance Release Adoption)

Requiring participation in "the first beta" for all future Balance Improvement Releases places significant operational burden on CSPs who may lack the engineering bandwidth to continuously adopt pre-production requirements. Suggest modifying to require adoption within a defined window after open beta (e.g., 60 days post-open-beta), rather than mandating first-beta participation.

On Corrective Actions (LPC-GEN-IRI)

The 1-month and 3-month resubmission penalties are reasonable deterrents against incomplete submissions, but the 11-requirement threshold for escalation to a 3-month penalty warrants scrutiny. A package missing 11 minor documentation elements should not receive the same penalty as one missing an entire appendix. Consider distinguishing between:

• Missing/incomplete documentation items (graduated penalty)
• Missing entire appendices or control families (immediate 3-month penalty)

On LPC-TIM-EOL (December 16, 2026 Deadline)

The hard cutoff with "no grace period" for incomplete packages creates cliff-edge risk for CSPs in active assessment. Given typical 3PAO engagement timelines, CSPs would need to begin assessment no later than Q2 2026 to have reasonable confidence of meeting this deadline. Recommend either:

• Publishing a "last date to begin assessment" guidance, or
• Allowing packages submitted before the deadline but requiring minor remediation a 30-day cure period

On FedRAMP Ready Retirement

The July 28, 2026 retirement date and November 17, 2026 listing expiration provide adequate notice. However, clarify whether Legacy FedRAMP Ready status confers any advantage for Preparation-state listing (per RFC-0021) or for the Program Certification queue.

On LPC-FRX-GRC (3:1 GRC Prioritization)

The 3:1 prioritization for agency-facing GRC tools is a welcome recognition that these platforms accelerate the broader ecosystem. However, the distinction between "agency-use" and "CSP-use" GRC tools may prove difficult to adjudicate—many platforms serve both. Suggest publishing clear eligibility criteria or requiring a brief attestation of intended agency use cases as part of the submission.

[Tony-B-RP]

The trusted assessor requirement seems specifically tied to 3 initial authorization assessments, not assessments performed more broadly. This further narrows the eligible assessor pool beyond what a simple volume threshold implies and disproportionately disadvantages firms that primarily support mature, already authorized systems.

Annual and SCR assessments require the same assessor rigor, technical depth, and FedRAMP expertise as initial authorizations for the controls in scope. Excluding these assessments from consideration undervalues a substantial portion of demonstrated assessor capability. As I assume the trusted status is to confirm the 3PAO's capability and competence and can be equally demonstrated with annual assessments and SCR assessments and even FedRAMP Ready Assessments.

We recommend that eligibility for trusted assessor status allow all FedRAMP-related assessment to count toward the threshold. This would better reflect sustained assessment performance, expand the qualified assessor pool, and align trusted status with demonstrated quality and consistency rather than reliance on a limited subset of authorization work.

[bhachech]

On LPC-GEN-LVL (Level 1-4 Limitation)

The exclusion of Level 5+ is understandable given resource constraints, but leaves High-impact CSPs without a sponsorless path. For CSPs serving national security-adjacent missions (e.g., critical infrastructure sectors), the agency sponsorship bottleneck is often more acute, not less. Consider whether a limited pilot—perhaps 2-3 High authorizations annually, could serve this underserved segment without materially impacting PMO capacity.

@pete-gov , I agree with @rgutwein's comment about the sponsorship bottleneck being more acute for High baseline / Level 5+.

Perhaps a Level 5+ CSO package can be reviewed and Certified at Level 3 or 4 with an asterisk denoting that remaining controls are documented but not reviewed? This will at least provide a clear pathway for CSPs to get listed and get partial credit for work they might have done. It will also provide transparency for agencies that are looking to onboard such CSPs.

[AetherHund29]

This would be an amazing opportunity for any company that is having difficulties securing a sponsor to complete their FedRAMP journey. Our company had a sponsor but they had to step back with all of the volatility of the DOGE initiatives and such. I think any company who has progressed to at least a "Ready" status would have a great deal of interest in this, as they have already invested heavily in the effort to achieve FedRAMP Authorization. Our company was already pretty close to the finish line when we lost our sponsorship commitment, so we are in a situation where we have a FedRAMP compliant and functional product that can't make it over the finish line without direct sponsorship. According to the specs of this RFC, this would only need a short additional remediation period to cover the additional requirements (such as CCM), but overall, it appears to be a much more streamlined pathway to Authorization.

I would like to see some more definition around the SCR notifications, distinguishing between what might constitute a routine vs adaptive vs transformative (etc.) change.

Overall, I would love to see this implemented and I think it presents a significant opportunity, especially for CSPs looking to move from a Ready status to Authorized.

[JustAnother3PAO]

I disagree with the "trusted assessor" definition here. Moss Adams would have qualified as a "trusted assessor" in 2022 and it turns out they were not-so-trusted. Other active 3PAOs also technically qualify, but I ASKed a wise SAGE who disagreed. If the intent is to have an accurate assessment, then the authorizing agency (PMO) should review the package and captured evidence. Don't spend 1.5 hours Finelling with boundary diagrams, actually review "what" the 3PAO reviewed and make sure that is actually reflects the control requirements.

If the PMO is going to be issuing authorizations, every one of these authorizations should be going towards tools that will accelerate and enhance 20x validation. Such tools have no value to a federal agency, but they will benefit the FedRAMP eco-system. The best agency to authorize such tools would be the PMO.

[hawksjennifer]

The proposed “Trusted Assessor” designation introduces an unnecessary restriction on the FedRAMP assessment ecosystem. FedRAMP already maintains rigorous recognition, oversight, and corrective action processes for all credentialed 3PAOs. Creating an additional volume-based tier does not improve security outcomes and instead limits competition, increases costs, constrains assessor capacity, and slows cloud solution availability to the Federal Government.

Recent FedRAMP modernization efforts have successfully reduced bottlenecks and improved market efficiency. Restricting certifications and validations to a small subset of assessors reverses that progress and reintroduces structural barriers.

FedRAMP’s goals of scalability, speed, and market competition are best achieved by allowing all FedRAMP-recognized 3PAOs to perform assessments under consistent oversight.

[TBailey223]

Having some customer conversations on this RFC and others. This question came up: If a CSP were to lose its agency sponsor, could this path be pursued to renew FedRAMP Authorization via Program Certification instead of an annual assessment with an agency?

[bjagasia]

Thank you for the continued transparency and engagement on these RFCs. I wanted to ask for clarification on something that has come up in client conversations, as the language in LPC-TIM-EOL appears to create some uncertainty when read alongside recent FedRAMP guidance.

During the Digital Government Institute "FedRAMP 20x: Faster, More Secure Cloud Adoption" webinar, @pete-gov indicated that currently Rev5 authorized CSPs would not be forced to transition, stating: "If you are currently Rev 5 authorized and you want to stay Rev 5 authorized for the next 15 years, it is not on my radar to take that away from you."

We understand that RFC-0023 specifically addresses new submissions for Program Certification and that the December 16, 2026 deadline applies to that submission window. However, we are hearing concerns from CSPs currently pursuing Rev5 authorization (particularly those working toward agency-sponsored authorizations or already in the assessment pipeline) who are uncertain about what happens after this deadline.

Could you help clarify:

1. For CSPs that are already Rev5 authorized (whether through agency sponsorship or Program Certification), will Rev5 remain a valid path for continuous monitoring and reauthorization indefinitely?
2. For CSPs pursuing agency-sponsored Rev5 authorizations (not Program Certification), will that path remain available after December 16, 2026, or will all new authorizations need to go through FedRAMP 20x regardless of sponsorship status?

We want to ensure we are advising clients correctly. Any clarification on the distinction between the Program Certification submission deadline and the broader Rev5 authorization ecosystem would be greatly appreciated.

[Max-sudo-hub]

• A super regulatory hack would be to reconcile DoD's FedRAMP Equivalency Requirements with the new proposed FedRAMP Rev5 Program. It would help out many CSPs dealing with DIBCAC, C3PAOs and also PMO.
• Trusted Assessor thing will increase the price as larger firms will buy out all the "trusted assessor" capacity. This is what is happening on CMMC eco system right now. Assessor capacity is paid at premiums.
• Rename of FedRAMP Ready should be FedRAMP Ready (Classic Edition). Some Agencies have built processes around RAR as a pathway to an Interim ATO eventually to a formal long term sponsorship.
• Consider a Fee For Service Model via a for PMO Led sponsorship to generate revenue for the PMO to keep the sponsorship from PMO pathway open.

[cmr2531]

Implementing the path to FedRAMP Certification outlined in RFC‑0023 provides significant value by removing the agency‑sponsor requirement for FedRAMP Rev5 Certification, allowing qualified cloud service providers to pursue authorization independently, an especially impactful improvement for our organization as a financial‑services CSP that has historically faced delays due to limited agency support and sponsorship availability. This sponsor-less path, combined with the adoption of Rev5 Balance Improvement Releases, reduces authorization friction, lowers compliance overhead, and streamlines assessment activities. These changes will accelerate time‑to‑market, improve predictability in authorization timelines, and strengthen the competitiveness of security‑focused CSPs serving federal customers and consumers. Additionally, by implementing the Rev5 Balance Improvement Releases, our organization will be well‑positioned to adopt FedRAMP 20x as an early adopter.

[vedigaurav]

Gap #1: Eligibility Threshold Clarity
The RFC references cloud service providers that have made “significant progress” toward Rev5 Certification but does not define a minimum eligibility threshold for this Program Certification path. Without a clear definition, intake decisions may become inconsistent and difficult for providers to plan against.
Recommendation: FedRAMP should define explicit eligibility criteria (e.g., required completion percentage of Rev5 controls, completed SSP/SAP aligned to Rev5, or recent 3PAO engagement) as a prerequisite for submission.

Gap #2: Cost Transparency for Program Certification
The RFC indicates that FedRAMP can now perform program authorizations at a significantly reduced cost, but provides no guidance on expected fees or cost recovery mechanisms for CSPs.
Recommendation: FedRAMP should publish indicative cost bands or a fee-for-service estimate for Program Certification and ongoing continuous monitoring to enable informed investment decisions by CSPs.

Gap #3: Transition Path to FedRAMP 20x
Program Certification is described as a bridge to FedRAMP 20x, yet the RFC does not specify how Rev5 artifacts, assessments, or monitoring outputs will be reused or credited under 20x.
Recommendation: FedRAMP should explicitly identify which Program Certification artifacts and activities will be reusable or credited toward FedRAMP 20x validation to reduce duplicative effort and sunk cost risk.

Gap #4: Appeals or Reconsideration Process
The RFC defines denial and resubmission penalties but does not provide a mechanism for appeal or reconsideration, even for procedural or completeness disputes.
Recommendation: FedRAMP should introduce a limited, time-boxed reconsideration process for denied submissions focused on procedural or completeness issues.

Gap #5: Continuous Monitoring Scope Definition
While the RFC requires FedRAMP to provide a minimum level of continuous monitoring, the scope, cadence, and division of responsibility between FedRAMP and CSPs are not clearly defined.
Recommendation: FedRAMP should publish a baseline continuous monitoring model outlining reporting frequency, review expectations, and conditions that may trigger expanded oversight.

Gap #6: Marketplace Labeling and Agency Interpretation
The RFC introduces “FedRAMP Program Certification” but does not specify how it will be labeled or described in the Marketplace, nor how agencies should interpret its reuse authority relative to agency-sponsored certifications.
Recommendation: FedRAMP should clearly define Marketplace language and agency guidance for Program Certification to ensure consistent adoption and understanding.

Gap #7: Intake Capacity and Throttling Transparency
The RFC estimates capacity for 40–50 Program Certifications annually but does not describe how intake will be managed if demand exceeds capacity.
Recommendation: FedRAMP should publish intake limits, prioritization rules, and any cutoff mechanisms to help CSPs plan assessments and submissions.

Gap #8: Security Outcome Metrics
The RFC emphasizes efficiency gains but does not define how FedRAMP will measure security outcomes under the sponsorless Program Certification model.
Recommendation: FedRAMP should establish and periodically publish high-level security outcome metrics (e.g., post-certification vulnerability trends, SCR frequency) to demonstrate continued rigor.

Gap #9: Transition Risk for CSPs Currently Pursuing FedRAMP Ready
The RFC proposes retiring FedRAMP Ready on July 28, 2026 and stopping acceptance of new Ready submissions. However, it does not address CSPs that are actively in progress toward FedRAMP Ready and may be unable to complete the process by this date due to assessor availability, PMO review timelines, or dependency on third-party artifacts.
These CSPs may have already made substantial investments and could be left without a viable on-ramp to Program Certification or FedRAMP 20x, particularly if they do not yet meet Preparation-state or Program Certification submission requirements.
Recommendation: FedRAMP should define a clear alternative path for CSPs already pursuing FedRAMP Ready, such as Allowing in-flight FedRAMP Ready efforts to convert to Preparation-state listings without penalty, or Providing a limited grace period for CSPs that can demonstrate active engagement (e.g., executed 3PAO contracts or draft RARs), or Defining an interim “Ready-to-Preparation” transition mechanism that preserves prior assessment work.
Clarifying this transition will prevent stranded investments and support an orderly migration to Program Certification and FedRAMP 20x.

[cb-axon]

Gap 2 – I disagree that FedRAMP should publish expected fee bands or “cost recovery” estimates. The PMO is not a pricing advisory body, nor is it positioned to aggregate or normalize private market assessment costs. CSPs already make business decisions about investment levels when entering the federal market. That calculus is part of operating in this space. FedRAMP providing cost projections would be speculative at best and inappropriate at worst.

Gap 3 – I believe transition reuse is already contemplated within broader Rev5-to-20x transition planning. This RFC establishes a Rev5 Program Certification path; it does not need to restate every downstream reuse mechanism. Rev5 artifacts have always been leveraged forward where appropriate, and I expect that principle to continue.

Gap 4 – I agree that a limited reconsideration or appeal mechanism would be helpful, particularly for procedural completeness disputes. That said, we should recognize that Program Certification itself is an accommodation to industry — not an entitlement. The PMO’s role is not to optimize industry experience, but to maintain program integrity. Appeals should be narrow and time-boxed, not expansive.

Gap 5 – I disagree that continuous monitoring needs further codification here. ConMon standards already exist. Over-specifying cadence or thresholds risks locking both the PMO and CSPs into rigid models that don’t adapt well to different architectures or risk profiles. Some flexibility benefits both sides.

Gap 7 – While intake transparency would be nice in theory, historically the PMO (and most federal entities) do not publish granular intake throttling models. Even if they did, it would not materially change how CSPs plan — most planning is constrained by 3PAO timelines and internal readiness, not PMO queue mechanics.

Gap 8 – I strongly disagree that public “security outcome metrics” should be published at the CSP level. Many artifacts, KSI mappings, and vulnerability trends are sensitive. Public aggregation could unintentionally expose competitive or security-sensitive information. Program rigor should be demonstrated through process, not public scoring.

Gap 9 – I do not share the concern about retiring FedRAMP Ready. The RAR process had become a relic of the JAB era and often provided limited practical value relative to cost. The timeline to sunset Ready appears reasonable. CSPs currently pursuing Ready have ample opportunity either to complete it under the legacy timeline or pivot to Level 1 under RFC-0022. The intent of Ready was always to prepare for full authorization; if a CSP is not prepared to move forward, maintaining a quasi-status indefinitely does not advance program goals.

Overall, I view Program Certification as a pragmatic, time-bound bridge — not a permanent parallel track. Modernization necessarily creates friction. The goal should be clarity and integrity, not preserving every legacy on-ramp.

[john-allison]

I agree with the proposed Program Sponsorship, but I'm concerned that given there is no guarantee that FedRAMP 20x will be implemented, I expect that the need for Program Sponsorship to go beyond the expected timeline discussed in this RFC. Until there is clear acceptance of FedRAMP 20x across both federal civilian and to include DoD/DoW acceptance, Rev 5 will be the only viable path for some time. Specifically, with CMMC requiring FedRAMP Moderate (or equivalent), having those B2B SaaS providers that do not have a product that a federal agency would be interested in will require a sponsorless option. I expect that it will take an EO to ensure that FedRAMP 20x is accepted government wide. There also needs to be a discussion with the GovRAMP/StateRAMP community on if 20x will be honored. Ideally, the sponsorless 20x path in the future will be the one standard that all gov't, include state and local will accept.

[TrevorLowing]

Feedback: FedRAMP Rev5 Program Certifications (Sponsorless Authorization)

Thank you for RFC-0023 proposing the "Program Certification" pathway for CSPs to achieve FedRAMP authorization without requiring an agency sponsor to fund the assessment. This addresses real barrier to entry for new CSPs. However, RFC-0023 requires clarification on federal contract authority, procurement implications, and the December 16, 2027 sunset timeline.

---

Summary: Operational & Legal Assessment

✅ FISMA-Compliant: RFC-0023 does not violate FISMA (44 U.S.C. § 3544). Agency AO still authorizes system; RFC-0023 just removes the requirement for government-funded assessment.

⚠️ Procurement implications: Contract law authority and timeline clarity needed before agencies can implement.

---

Critical Issue #1: Contract Authority for "Sponsorless" Authorization

The Question

Traditional FedRAMP Sponsorship Model:

• Agency CIO or OMB sponsors CSP assessment (funds 3PAO costs, ~$300K–$500K)
• Assessment validates compliance
• Agency then authorizes CSP for federal use
• Authority: Agency was "sponsor" (invested in assessment); authority to authorize is clear

RFC-0023 Program Certification:

• CSP self-funds assessment (or venture-backed funding)
• FedRAMP PMO validates 3PAO's work
• But no sponsor agency exists
• Can any federal agency then "adopt" and authorize Program-Certified service under their own ATO?
• Authority: Unclear—does CSP's Program Cert carry implicit federal endorsement, or is each agency's ATO independent?

Authority Question for OMB/General Counsel

Issue: Federal Acquisition Regulation (FAR Part 16, updated under FAR 2.0 modernization) establishes that agencies must have statutory or regulatory authority to enter into contracts. If an agency adopts a Program-Certified service (without being the sponsor), under what authority?

Scenario:

• CSP self-funds assessment
• FedRAMP validates: "Program Certified"
• Agency A wants to adopt without sponsoring assessment
• Agency A's lawyer asks: "What contract authority gives us the right to authorize this service without our own assessment investment?"

Current RFC-0023 Gap: Doesn't address federal procurement law authority for sponsorless adoption.

Recommendation to FedRAMP PMO

Request DOJ/OMB Guidance: Clarify whether Program Certification determination by FedRAMP PMO constitutes sufficient "federal validation" for non-sponsor agencies to authorize under their own ATOs, or whether agencies must conduct independent authorization.

Outcome Option 1:
"Program Certification carries federal PMO validation; non-sponsor agencies may authorize under their own ATO based on PMO certification."

• Benefit: Sponsorless model works; CSPs can achieve authorization without agency sponsor
• Agency responsibility: Still independent in own ATO (full authorization authority retained)

Outcome Option 2:
"Each agency must conduct independent assessment before authorization; Program Certification is not sufficient substitute."

• Benefit: Preserves agency authority; clear responsibility
• Cost: Sponsorless model doesn't work; CSPs still need funding

---

Critical Issue #2: December 16, 2027 Sunset Deadline — Contract Planning Required

The Reality

RFC-0023 sunsets Program Certification pathway December 16, 2027. After that date, no new Program Certifications will be issued. Services authorized before deadline remain valid, but CSP must complete full Rev5 or transition to 20x.

Federal Procurement Impact

Scenario A: Agency signs contract BEFORE Dec 16, 2027

• CSP receives Program Cert authorization (within sunset date)
• Agency signs multi-year contract (e.g., 3-year)
• Contract runs through Dec 31, 2029 (beyond sunset)
• Question: Does contract "lock in" Program Cert authorization, or must CSP transition to full authorization during contract?

Scenario B: Agency signs contract AFTER Dec 16, 2027

• CSP must have full Rev5 or 20x authorization (Program Cert no longer available)
• If CSP only has Program Cert, cannot be authorized
• CSP loses federal market

Contract Authority Gaps (FAR Implications & FAR 2.0 Modernization)

FAR Part 16 (Contract Types), modernized under FAR 2.0 to support flexible commercial practices, requires clarity on:

1. Does contract specify when CSP must complete full authorization? (e.g., "within 18 months of contract start"?)
2. Who bears cost of transition if CSP must upgrade from Program Cert to full Rev5? (CSP? Agency? Shared?)
3. What happens to contract if CSP fails to achieve full authorization by Dec 16, 2027?

Current RFC-0023 Gap: Silent on these contract law questions.

Recommendation to FedRAMP PMO

Publish "Program Certification Contract Planning Guide" (by March 2026) specifying:

1. Contract Timing Decision Framework:
   
   IF agency signing contract before Dec 16, 2027:
     □ Specify "CSP must achieve full Rev5 by [DATE]" in contract
     □ Include cost responsibility (CSP bears transition cost? Agency reimburses?)
     □ Include exit clause if CSP doesn't achieve full authorization
   
   IF agency signing contract after Dec 16, 2027:
     □ CSP must already have full Rev5 or 20x (no Program Cert permitted)
     □ Contract can proceed normally
   
2. Sunset Transition Examples:
   
   Example 1: 2-Year Contract (Signed June 2027)
     Start: June 1, 2027 (contract signed; CSP has Program Cert)
     Sunset: Dec 16, 2027 (6.5 months into contract)
     Question: Does CSP have 6 months to achieve full Rev5 while contract executing?
     Recommendation: Contract should state "CSP must complete full Rev5 by [DATE]"
   
   Example 2: 3-Year Contract (Signed Jan 2027)
     Start: Jan 1, 2027 (CSP has Program Cert)
     Sunset: Dec 16, 2027 (11 months into contract)
     Contract End: Dec 31, 2029 (2 years after sunset)
     Recommendation: Contract must require full authorization by June 30, 2028
     Timeline: 18 months to transition (achievable for most CSPs)
   
3. Cost Responsibility Guidance:
   
   FedRAMP position: "CSP selecting Program Cert knows sunset date is Dec 2027.
   CSP accepts cost risk of achieving full authorization by that date.
   If CSP cannot transition in time, CSP exits federal market."
   
   OR
   
   FedRAMP position: "Agencies adopting Program Cert should budget for 
   CSP's transition cost (3PAO re-assessment, etc.) as part of contract value."

---

Issue #3: "First Customer" Risk for Program-Certified CSPs

The Problem

Unlike full FedRAMP authorization (which requires government/industry review), Program Certification relies on FedRAMP PMO 3PAO validation only. CSP may not have been "battle-tested" in operational federal environment.

First-Customer Risk Example:

• CSP achieves Program Cert (3PAO says "controls compliant")
• Agency A adopts as first federal customer
• In production: Service fails federal identity integration
• In production: Logging doesn't work with federal SIEM
• In production: Data cannot be encrypted using federal key management
• Assessment found no gaps, but operational environment exposed gaps
• Agency A bears burden of fixing problems

Current RFC-0023 Gaps

1. No "first customer" warning: RFC-0023 doesn't clarify that early adopters bear higher risk
2. No operational validation: 3PAO assessment is standard FedRAMP, but no federal operational testing
3. No CSP commitment: RFC doesn't require CSP to commit resources to operational support during transition

Recommendation to FedRAMP PMO

Warning Label for Program-Certified CSPs:

⚠️ CLASSIFICATION: Program-Certified Service
   This service has NOT been operationally deployed in federal environment.
   Early-adopting federal agencies accept risk that production use may 
   expose gaps in assessment that full FedRAMP evaluation would identify.
   
   Recommended approach: Pilot deployment (non-critical systems) first 
   to validate federal operational compatibility.

CSP Transition Commitment:
Require CSP to document (in Program Cert file) commitment to:

• Maintain federal customer support during full authorization transition
• Commit development resources to compliance gaps discovered in federal environment
• Provide 24/7 support for first 6–12 months of federal customer deployment

---

Issue #4: NIST RMF Phase Timing — Compress "Authorize" Phase Risk

The Timing Question

Full FedRAMP Authorization Timeline (Current):

Prepare (1 mo) → Categorize (1 mo) → Select (1 mo) → Implement (2 mo) 
→ Assess (6-9 mo) → AUTHORIZE (3-4 mo) → Monitor (ongoing)
Total: ~15 months to Authorization phase completion

Program Certification Timeline (implied by RFC-0023):

CSP self-funds:
Prepare (1 mo) → Categorize (1 mo) → Select (1 mo) → Implement (2 mo) 
→ Assess (3-6 mo) → AUTHORIZE [compressed] → Monitor
Then agencies can adopt independently

Problem: Program Cert pathway compresses the Authorize phase (where government/industry review findings). This shifts review burden to agencies adopting the service.

Recommendation to FedRAMP PMO

NIST RMF Guidance for Program Certs:

Program-Certified services have completed formal NIST RMF Assess phase.
Agencies adopting Program-Cert services should allocate full NIST RMF 
Authorize phase in own risk management timeline (don't compress).

Recommended: Allow 4-6 weeks for agency Authorize phase review, even 
for Program-Cert services, to ensure independent validation.

Timeline: Program Cert issued (FedRAMP) → Agency's Authorize phase 
(4-6 weeks) → Agency's ATO authorization

This clarifies that Program Cert doesn't eliminate agency's Authorize responsibility.

---

Issue #5: Privacy Implications Not Addressed

Gap: Privacy Act (5 U.S.C. § 552a) Compliance Unknown

Question: If Program-Certified service processes Personally Identifiable Information (PII), has FedRAMP assessed Privacy Act compliance?

Issue: NIST SP 800-53 includes privacy controls (PE, SA families), but assessment rigor varies. Program Cert doesn't clarify whether privacy controls were explicitly validated.

Recommendation to FedRAMP PMO

Privacy Assessment Clarification:

• If CSP processes PII → require explicit Privacy Act assessment in Program Cert validation
• If CSP does not process PII → document in Program Cert that privacy controls assessment was limited scope
• Provide agencies guidance: "Agencies must conduct independent Privacy Act impact assessment if adopting Program-Cert service for PII processing"

---

Closing

My Position: RFC-0023 sponsorless authorization is operationally sound and addresses real CSP barriers. However:

1. DO: Seek DOJ/OMB contract authority opinion (clarifying non-sponsor agencies' authority to authorize)
2. DO: Publish Program Cert Contract Planning Guide addressing Dec 16, 2027 sunset + cost/timeline responsibility
3. DO: Issue "First Customer Risk" warning for early-adopting agencies
4. DO: Clarify NIST RMF Authorize phase expectations for agencies adopting Program Certs
5. DO: Specify Privacy Act assessment rigor in Program Cert validation

Recommendation:
FedRAMP should coordinate with OMB/DOJ on contract law questions (1-2 months), then publish implementation guidance (March 2026) addressing sunset, cost responsibility, and agency role in Authorize phase.

Submitted by: Trevor Lowing (private citizen, personal capacity)
Contact: Trevor.Lowing@gmail.com
Disclaimer: The views expressed are my own.

[wisecryptic]

I’m generally very supportive of AI, but in this case my observation is that several points were interpreted incorrectly. Among other things, I don't see a conflict between this and agencies' authority issuance, and I do not believe FedRAMP is positioned to provide contractual guidance more effectively than the parties directly involved. Additionally, CSPs almost always self‑fund today already; if there is a reliable way out of this, I would be interested to learn more outside this public comment process.

[TrevorLowing]

I’m generally very supportive of AI, but in this case my observation is that several points were interpreted incorrectly. Among other things, I don't see a conflict between this and agencies' authority issuance, and I do not believe FedRAMP is positioned to provide contractual guidance more effectively than the parties directly involved. Additionally, CSPs almost always self‑fund today already; if there is a reliable way out of this, I would be interested to learn more outside this public comment process.

Let's be real about the Change
I think we need to step back from the policy theory and look at the actual math for an agency. We’re talking about a radical shift in how we authorize cloud software, a very tight timeline, and—let’s be honest—zero additional resources for the agencies expected to do the work.

Here is why "AO discretion" isn't a magic wand when resources are thin:

1. New Processes require "Learning Time" (which we don't have)
   Every time a "new pathway" is created, it’s not just a checkbox. It’s dozens of hours of meetings between security teams, legal, and procurement to decide how to handle this new bird. Without a clear, FedRAMP-provided Standard Operating Procedure (SOP), every single agency is going to waste hundreds of man-hours trying to "invent" their own version of the same process.

2. The "Sunset" is a Resource Cliff
   The December 2027 deadline isn't just a date on a calendar; it’s a liability. If an agency uses their limited staff to authorize a Program-Certified tool today, and that tool doesn't make the jump to a full authorization by 2027, all that work was for nothing. Agencies with tight budgets can't afford to "bet" their limited staff hours on a temporary pathway unless FedRAMP gives them a clear, documented transition plan to follow.

3. We're asking AOs to take "Unfunded Risk"
   In the old model, we reused another agency's work to save time and money. In this new model, we’re asking the first agency to take on 100% of the operational debugging and security "heavy lifting" for a tool that hasn't been in a federal environment yet. Most agencies don't have the "extra" engineers sitting around to be the guinea pig for a brand-new process.

What I’m actually requesting (The "Help Us Out" list):
If FedRAMP wants this to succeed despite limited agency resources, they have to do the "pre-work" for us:

The "Plug-and-Play" SOP: Give us the exact language to put in our ATO memos. Don't make 100 different agencies write it from scratch.

A "No-Surprises" Timeline: Give us a clear roadmap of what happens to our data and our authorization on Dec 17, 2027. We need to know the "exit strategy" before we invest the resources to "enter."

Validation Support: If the PMO is "certifying" these, the PMO should provide the "technical bridge" for the first agency customers so they aren't stuck debugging vendor issues alone.

Bottom Line:
This is a huge change. If FedRAMP leaves the "how-to" up to individual agencies, the sheer lack of resources and the fear of audit findings will kill adoption before it starts.

Let's make this "low-friction" for the agencies, not just the vendors.

[cb-axon]

I think several of the concerns raised here stem from a fundamental misunderstanding of what this RFC is actually doing.

First and most importantly: FedRAMP Program Certification is not an ATO. The PMO is not issuing agency authorizations, not assuming operational risk, and not creating contracting authority. Under the updated terminology in RFC-0020, FedRAMP issues Certifications (Rev5) or Validations (20x). Agencies issue ATOs. That separation of responsibility is explicit and repeated throughout the modernization effort.

The premise that sponsorless certification creates a FISMA or FAR contracting authority problem is therefore misplaced. Agencies already have the authority to issue their own ATOs under RMF, whether a service is Program-Certified, Agency Authorized, or not yet authorized at all. Program Certification is a completeness review of the assessment package — it does not confer contracting authority, nor does it create “federal endorsement” of risk. Agencies remain independently responsible for risk acceptance decisions.

Second, the description of the traditional “sponsorship” model is inaccurate. Agencies do not fund 3PAO assessments for CSPs. I've worked within a 3PAO and performed dozens of assessments including several initial assessments. None were funded by an agency. CSPs self-fund those assessments as sunk cost investments to enter the federal market. If you know of an agency funding their CSPs initial 3PAO assessment, I know several CSPs that would love to work with them. Agency sponsorship historically meant an agency was willing to review and own the authorization decision — not that it paid $300K–$500K for the 3PAO engagement. Sponsorship costs are internal to the agency. Framing this as a shift in funding authority misrepresents how the program has operated for years.

Third, the concern that agencies lack authority to “adopt” a Program-Certified service misunderstands the construct. Agencies do not “adopt” a Program Certification. They issue their own ATOs. The existence of a Program Certification simply indicates that FedRAMP has determined the assessment package is complete and review-ready without requiring an agency sponsor to trigger that review. The agency’s ATO remains fully independent and fully required.

On the December sunset issue, this is a program lifecycle decision, not a contract law event. Agencies routinely manage contracts where compliance milestones evolve over time. If an agency wishes to require transition to full 20x by a certain date, it can write that into the contract. FedRAMP has never provided contract clause templates for agencies and should not start here. Procurement structure is an agency responsibility, not a PMO function.

Regarding “first-customer risk,” that risk already exists today. Every CSP has a first federal customer. That is not unique to Program Certification. The PMO has repeatedly indicated that it is not accepting agency operational risk now, and this RFC does not change that. Agencies can (and often do) issue provisional or pilot ATOs for limited deployments to test viability. That is normal RMF practice.

On privacy and operational validation concerns: if a CSP system is processing federal PII, it should no longer remain merely at the Program Certification stage (which is achievable by the agency placing that federal PII there). An agency would need to issue its own ATO, and at that point the service is being authorized for that specific use case. Program Certification is a sponsorless completeness review — it is not an operational authorization for handling federal data.

Importantly, the agency remains fully responsible for conducting its RMF process, including determining whether privacy controls are required for the data being placed into the system. If the agency’s use case involves PII or other regulated data, it is the agency’s obligation to assess and enforce the appropriate privacy and security controls as part of its ATO decision. Program Certification does not waive, reduce, or transfer that responsibility.

Finally, suggesting that this pathway should be paused pending DOJ contract authority opinions overstates the issue. This RFC does not alter statutory authority, shift contracting power, or bypass FISMA. It creates a sponsorless path for PMO review of package completeness. Agencies still own authorization decisions. That has been repeatedly and clearly stated across the modernization RFCs.

In short, the analysis presented here conflates PMO certification with agency authorization and mischaracterizes the sponsorship model. Program Certification removes the agency-as-gatekeeper bottleneck for initiating PMO completeness review. It does not transfer risk, authority, or contracting power away from agencies.

I agree with prior commenters that several of these concerns appear rooted in a misunderstanding of how FedRAMP sponsorship, 3PAO funding, and ATO authority actually function in practice.

[TrevorLowing]

I appreciate the thorough technical correction. I was wrong to conflate Program Certification with a federal endorsement or a transfer of authority.

• I withdraw my concerns regarding contract authority, privacy responsibility, and the need for a DOJ opinion.
• I acknowledge that CSPs self-fund 3PAO assessments in the traditional model; my previous characterization of agencies "writing checks" to 3PAOs was inaccurate.

2. The Agency Perspective: Internal Labor vs. 3PAO Costs

While I accept your correction on direct funding, I want to clarify the agency operational burden. Even if the CSP pays the 3PAO, the first agency to authorize a service faces a massive internal labor cost:

Metric	Traditional Sponsor / First Program Cert Agency	Later Adopting Agencies
Internal Labor	6–12 months (Full RMF Review)	2–4 weeks (Delta Review)
Presumption of Adequacy	No (None exists yet)	Yes (Per 44 USC § 3613)
Risk Profile	High (Operational Validation)	Low (Proven Deployment)

The Reality: The first agency to authorize a Program-Cert service bears nearly the same resource burden as a traditional sponsor. The PMO completeness review does not provide a "free ride" for the initial agency reviewer.

3. Reframing the 2027 Sunset Risk

I agree that sunsetting is a program lifecycle event, not a legal conflict. However, from a procurement standpoint, the December 16, 2027, deadline creates a sunk-cost risk for agencies:

• If an agency invests 12 months of labor in 2026 to authorize a Program-Cert CSP, and that CSP fails to transition to full 20x status by late 2027, the agency's authorization investment becomes worthless.
• Revised Recommendation: I no longer suggest contract templates. Instead, I suggest a simple Marketplace Flag noting the sunset date so agencies can factor a CSP's "transition commitment" into their ROI calculations.

4. Summary of Revised Position

Our dialogue highlights two equally important lenses: the Technical Mechanics (which you correctly clarified) and the Agency Resource Implications (which I am highlighting).

I now support RFC-0023 with the following caveats for agency awareness:

• ✅ Mechanics are sound: PMO and Agency roles are properly bifurcated.
• ⚠️ Labor Transparency: Agencies should be aware that the first authorization of a Program-Cert service requires significant internal staff time.
• 💡 Marketplace Indicators: I recommend simple indicators for "Zero Agency ATOs" and "Sunset Timeline" to assist with agency risk management.

Thank you for the course correction. This exchange has significantly refined my understanding of how Program Certification will function in the real world.

[cb-axon]

I appreciate the reframing and clarification — that’s helpful.

On the sunset point, I think there’s still a key distinction being missed. Once an agency issues an ATO for a Program-Certified CSP, that service is no longer simply a “Program-Certified” listing — it is an agency-authorized service for that use case. The agency’s investment is not wiped out by the 2027 sunset.

The sunset only affects FedRAMP’s ability to issue new sponsorless Program Certifications. It does not invalidate existing agency ATOs or undo prior agency review work. And assuming the CSP has met the bar for the requested level, there is no additional CSP assessment work required beyond standard continuous monitoring and applicable Balance Improvement Releases.

[jeffhoge]

I’m writing on behalf of a CSP that recently completed a full FedRAMP Rev5 Moderate assessment with a 3PAO (including 100% control coverage, no open risks, and a DoD Moderate Equivalency recommendation). We also previously completed a RAR and were listed as FedRAMP Ready for the one‑year period.

Our main issue is that we’re still trying to secure an agency sponsor, but RFC‑0023’s Program Certification path looks like a great alternative if sponsorship doesn’t happen in time. We want to avoid unnecessary rework, especially since we already invested in a full SAR and equivalency assessment.

A few questions we hope can be clarified:

1. Can an existing, recent full SAR be reused for Program Certification?
   If a CSP already has a full Rev5 Moderate SAR (done by a FedRAMP-recognized 3PAO) with a positive recommendation, can that assessment count for LPC‑GEN‑ATA as long as updated scans/delta testing are done and the assessor issues an updated attestation? Or will CSPs be required to redo a brand‑new assessment specifically labeled for Program Certification?

2. Is a new RAR required?
   For CSPs that already passed a RAR and held FedRAMP Ready status, will they need another RAR just to maintain Marketplace presence until Program Certification opens? Or is there a way to go straight into Program Certification without repeating the RAR?

3. DoD Moderate Equivalency alignment
   For CSPs that already achieved Moderate Equivalency, will Program Certification be considered equal or stronger than the DoD memo requirements? This clarity would help us explain the transition to DoD customers.

We appreciate the direction RFC‑0023 is going and just want to avoid redundant work here.

[cb-axon]

Overall, I strongly support this RFC. Providing a sponsorless Rev5 Program Certification path is a practical bridge while 20x adoption scales, and it helps break the longstanding agency sponsor bottleneck.

I recommend explicitly allowing indirect demand (as introduced in RFC-0021) to qualify as sufficient demand for Program Certification. If an already FedRAMP-authorized CSP demonstrates intent to leverage a service within its authorized boundary, that should be treated as meaningful federal demand. Requiring a direct agency sponsor perpetuates the same structural friction this RFC is attempting to solve.

Agencies are already capable of reviewing continuous monitoring materials and inherited service relationships today. There is no reason indirect use cases cannot be treated similarly. Incorporating indirect demand as a qualifying signal would modernize the model and better reflect how cloud ecosystems actually operate.

Overall, this is a strong step forward in moving beyond the legacy sponsor-dependent model.

[Lowebrew]

My feedback for:
RFC-0023: Program Certifications - Structural Barriers Favoring Incumbents

"Trusted Assessor" Requirement Creates Market Concentration
• The most concerning element of RFC-0023 is the "Trusted Assessor" definition:
• "A FedRAMP-recognized independent assessor with no corrective action in the last 12 months that was the primary assessor for 3 cloud service offerings granted initial FedRAMP Certification in the last 12 months"
• Industry practice is unambiguous: assessors are either qualified and listed or unqualified and removed. There is no industry standard supporting assessment volume disclosures or subjective classifications such as “trusted” versus “non trusted.” The PCI Council exemplifies this approach.
• In a federal acquisition context, introducing a “trusted” designation effectively creates a preference regime untethered from technical merit. It privileges scale and incumbency, undermines competitive neutrality, and risks disadvantaging small and emerging providers without improving assessment quality or security outcomes. The justification for such a designation—and the specific problem it is intended to solve—remains undefined.
• This creates a severe chicken-and-egg problem that entrenches large 3PAOs:
o 3PAOs need 3 certifications in 12 months to achieve "trusted" status
o CSPs are required to use trusted assessors for program certification (LPC-GEN-ATA)
• Result: Only the largest, most established 3PAOs with existing high-volume pipelines can maintain "trusted" status
• Market impact: Smaller, specialized, or regional 3PAOs are locked out, reducing competition and increasing costs
• Consequence for CSPs:
o Large enterprises can afford the premium rates charged by the limited pool of "trusted assessors"
o Small and mid-sized CSPs face either:

1. Prohibitively expensive assessment costs from the limited "trusted" pool
2. Being unable to use the sponsorless certification path at all
3. Waiting for the agency authorization path (which the RFC acknowledges is severely constrained by agency budgets)

Note: Currently it SEEMS that Trusted Assessor would only be for the Rev5 initial assessments and is not clear if this will stick around for 20x. However the mere suggestion of such a designation is entirely counter to the objectives of providing cost effective and industry competitive 3PAO ecosystem. Either way this is not looked upon as positive.

How marketplace transparency compounds the problem:
• The marketplace publicly shows how many assessments each 3PAO has completed
• This creates a self-reinforcing cycle where CSPs naturally choose high-count 3PAOs
• High-volume 3PAOs maintain "Trusted Assessor" status while smaller ones can't break in
• Combined with the "Trusted Assessor" requirement, CSPs working with smaller 3PAOs are disqualified from the sponsorless path

The perverse effect:
• Transparency meant to inform decisions now actively restricts choices
• A 3PAO with 20 assessments vs. 2 assessments may provide identical quality work, but only the former qualifies for program certification
• This creates a permanent two-tier market with no path for new entrants

Complexity and Technical Requirements Favor Well-Resourced Providers
• RFC-0023 mandates implementation of five optional Balance Improvement Releases (now mandatory for program certification):

1. Minimum Assessment Scope
2. Authorization Data Sharing
3. Collaborative Continuous Monitoring
4. Significant Change Notifications
5. Vulnerability Detection and Response
   • Additionally, providers must meet machine-readable package requirements (RFC-0024) in advance of submission, with no grace period.
   • Why this favors large enterprises:
   • Large CSPs have dedicated DevSecOps teams, automated tooling, and mature GRC platforms
   • Small CSPs often rely on manual processes and off-the-shelf tools that may not support machine-readable output formats
   • The compressed timeline (submissions must be completed by December 16, 2026) leaves insufficient time for smaller providers to develop or procure the necessary automation capabilities

Time Pressure Disadvantages Late-Stage Smaller Providers
• The December 16, 2026 hard deadline with "no grace period" (LPC-TIM-EOL) disproportionately harms smaller CSPs:
• Large enterprises that have been in the FedRAMP pipeline for years are already positioned to submit quickly
• Smaller CSPs that have invested in the Rev5 path but haven't completed all Balance Improvement Releases face a forced choice:

1. Rush to comply and risk submitting incomplete packages (resulting in permanent denial)
2. Abandon the sponsorless path and wait for FedRAMP 20x, which requires "significant rework" and may not be ready for general availability soon
3. Continue seeking elusive agency sponsors in a budget-constrained environment
   • The RFC acknowledges that "many cloud service providers have invested significant effort and funding into the Rev5 authorization path" but provides a 10-month window to comply with complex new requirements; a timeline that favors incumbents already near completion.

We urge FedRAMP to consider the following modifications to ensure these RFCs do not inadvertently favor large incumbents:
Reform the "Trusted Assessor" definition to use alternative qualification criteria:
• Time-based: 3PAOs with 5+ years of FedRAMP recognition and clean records
• Portfolio-based: 3PAOs that have completed 3+ total FedRAMP authorizations (not limited to last 12 months)
Create a tiered implementation schedule for Balance Improvement Releases, allowing providers to phase in requirements over 6-12 months (Which FedRAMP kind of has been doing with the beta)

[cb-axon]

On the complexity and technical requirements favoring large providers, I disagree. In many cases, modernization requirements (machine-readable packages, automation, structured data) are actually easier for smaller, more agile CSPs to implement. Retrofitting large, legacy environments with automation is often significantly more complex than designing a smaller footprint correctly from the outset. This is less about incumbency advantage and more about everyone adapting to a modernized model.

I do agree that the timeline pressure is real for providers late in the Rev5 pipeline. However, that is an inherent tension of any sunset model. The alternative—keeping legacy paths open indefinitely—would undermine the transition to 20x. Modernization carries impact for both large and small providers, and staying static is not a viable option.

[Balsinawi]

Actually this point is about the 3PAO being trusted assessor vs non trusted, not the CSP...

[cb-axon]

Thanks for the distinction! I didn't read it that way, sorry! I think the point still stands. As someone who previously worked at a 3PAO, I think the comment still applies, theres outsized impact large and small.

[Leah-GovRAMP]

Question: Who will be providing oversight of continuous monitoring?

[rockdj-git]

FedRAMP is proposing an additional requirement for achieving “Trusted Assessor” status: Serving as the primary assessor for three (3) Cloud Service Offerings (CSOs) that achieve initial FedRAMP Validation within a 12-month period.
This represents an extremely high threshold, particularly for new entrants because only a very small subset of 3PAOs have enough market share, assessment volume, and resource capacity to meet this requirement. The practical effect of this criterion is a further narrowing of an already consolidated assessment marketplace. While the FedRAMP has expressed interest in expanding market participation, the Trusted Assessor requirement instead appears likely to shrink the pool of eligible FedRAMP assessors even further, reinforcing dominance by the current top 3PAO firms.
This new Trusted Assessor requirement presents a barrier that disproportionately affects new, smaller and emerging 3PAOs. Achieving three initial validations within a single 12-month window is structurally difficult and not reflective of assessor capability, quality, or adherence to FedRAMP standards.
We respectfully request that FedRAMP reconsider and revise this requirement.
A more balanced definition of a FedRAMP Trusted Assessor could include:
• A FedRAMP recognized independent assessor with no corrective actions within the last 12 months.
• A Lead assessor that performs FedRAMP assessments
• Adherence to ISO 17020 requirements
This approach maintains quality assurance while allowing newer, highly capable 3PAOs to participate meaningfully in the assessment ecosystem ultimately strengthening the FedRAMP marketplace rather than restricting it.

[PTrier-Indie]

The sponsorless authorization path is something that I'm happy to see come to fruition. While, the removal of RAR's has been long expected and RAR's have always been a consolation prize.

I hope that this is a test trial as having sponsors as optional participants in the process, willing to eat some of the cost and risk for an initial assessment, is far more ideal than the limbo many CSPs operate in.

I understand the requirements for the Trusted Assessor and the need as an initial Assessment requires far more rigor and attention to detail than an annual assessment. As well as Rev 5 and generally newer CSPs are under more scrutiny due to the maturation of the FedRAMP program.

That being said, 3 might be too many, as the market, especially for initial assessments, is very consolidated. A single initial seems more fair while ensuring quality. With the clarification that is due to this being a limited time pathway and restrictions need to be in place as to not exacerbate FedRAMP.

[pete-gov]

The following public comment was received via email from GovDash on Fri Feb 20 @ 4pm.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

GovDash is formally expressing strong interest in pursuing the sponsorless certification pathway under the evolving FedRAMP modernization framework.

GovDash helps businesses win and deliver government contracts that advance American interests. Our acquisition and procurement platform is a single, secure, workflow-driven system for the full contracting lifecycle, from opportunity discovery and capture through proposal execution, award, and post-award operations. In 2025 alone, GovDash customers won more than $5B in government contracts. Our software directly supports the missions of federal procurement offices and the businesses that support them, and achieving formal, independent security validation is a strategic priority.

Over the past 12 months, GovDash has made significant investments in cybersecurity and compliance. Our platform aligns with FedRAMP Moderate controls under NIST SP 800-53 Rev. 5. In December 2025, we completed a FedRAMP Moderate Equivalency assessment and now undergo monthly continuous monitoring. We have also developed internal automation capabilities that enable continuous compliance validation and structured security evidence generation across our application and infrastructure.

For this sponsorless certification effort, we selected Ignyte Assurance as our 3PAO based on their expertise in continuous validation, automation-driven assessment methodologies, and multi-regulatory experience. Their technical approach aligns with the objectives of the FedRAMP 20x initiatives, particularly the emphasis on scalable, repeatable, and automation-supported validation.

The sponsorless certification pathway is important to GovDash because it enables security validation grounded in technical readiness and measurable controls rather than sponsorship timing alone. As we support both contractors and agency procurement offices, a standardized and scalable authorization model is essential to responsible growth in the federal market.

The Defense Innovation Unit, Navy RCO, DHS Procurement Innovation Lab are all actively seeking pilots for improving procurement processes using new technology for solicitation generation, vendor evaluation and management. FedRAMP PMO is in a fantastic position to support pre-authorization activities to accelerate agency missions.

We saw your recent note on LinkedIn and strongly encourage continued development of this pathway as a viable option for serious CSPs investing in secure, scalable validation models.

[pete-gov]

The following public comment was received via email from ClassLink on Fri Feb 20 @ 9am.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

ClassLink is formally expressing strong interest in pursuing the sponsorless certification pathway in partnership with our trusted 3PAO, Ignyte.

By way of background, ClassLink is a cloud-based education technology company providing identity, access, and analytics solutions to K-12 and higher education institutions. We directly support DoDEA and more than 100 federally funded institutions, serving over 25 million users across 3,000+ educational organizations worldwide.

We selected Ignyte Platform as our 3PAO based on their depth of experience across multiple regulatory frameworks (3PAO, C3PAO, DoD IL, ISO, PCI-DSS and others), their classified experience with the DoW and their capability to validate and continuously assess our security posture through automation-enabled processes for persistent validation.

As a security-centric organization, our objective is not marketplace access as a growth mechanism. Rather, we view certification as an affirmation of our commitment to safeguarding the institutions and communities we serve. For us, this pathway represents a principled alignment with doing the right thing independent of commercial considerations.

We would be disappointed to see this option no longer available, as we believe ClassLink is well-positioned to serve as a strong candidate under this model.

[MattRattiganUE]

If there is demand, then I like the RFC.

Here is some input worth considering should you have enough demand:

1. Allow CSPs to reuse SARs that were completed by a trusted assessor within the past 4-6 months. A CSP that wants to sell to both the DIB and gov't agencies may have recently gone through a FedRAMP Moderate Equivalency audit because they were not able to find a government agency to sponsor them.

Reasons why it would be beneficial to allow a CSP to reuse a recently created SAR/SSP/SAP Package:

• A Getting on the schedule of a trusted assessor can be difficult.
• FedRAMP Moderate Equivalency audits are expensive, and I think it will be hard for CSPs to get budget and staffing approved to go through an audit if they just received their completed SAR in the past 1-6 months.

2. My first recommendation/input above only applies/makes sense if you agree to remove the optional and beta balance improvement requirements....and FedRAMP agrees to review the mandatory balance improvement requirements themselves (secure inbox and secure configuration guides). An additional benefit of removing the optional and beta balance improvements is it would create consistency and level playing ground for everyone with a Rev5 Authorization, whether it be agency led or program led.

This is my input should there be enough demand.

I'm not aware of the number of FedRAMP Equivalent CSPs who want to sell to the DIB and the fed gov't that are in this situation and interested. It could be zero or greater than ten. I'm not sure.

I recommend to CSPs that are actually interested in this and reading this comment to put there name out there so FedRAMP has real data/examples to work off.

[jeffhoge]

Agreed completely on all points. The demand is definitely more than zero.

I represent a CSP, InEight, that successfully went through a FedRAMP Moderate Equivalency SAR recently in order to engage with the DIB initially, as well as agencies. I would add your argument that Moderate Equivalency is more difficult to obtain due to the requirement of complete compliance/no AO to accept residual risks.

[skriz24]

100%. Is the beta requirements can be removed for the initial SAR, they can be added at time of annual assessment.

[3paocontributor]

The FedRAMP Program Management Office objective to ensure assessor familiarity with the sponsorless authorization process is appropriate and aligned with maintaining program integrity. However, as others have mentioned, the realities of requiring three annual initial assessments per year as the primary threshold for Trusted Assessor designation may unintentionally shrink the pool of eligible 3PAOs, increase assessment costs, extend queue times / constrain assessor capacity, create market concentration risk, and create circular eligibility barriers.

Familiarity with the sponsorless model is fundamentally a process and governance alignment issue. It can be effectively achieved through structured enablement mechanisms such as mandatory sponsorless process training, publication of a detailed sponsorless assessment playbook, PMO-led onboarding sessions for 3PAOs, and enhanced QA oversight during an assessor’s first sponsorless engagement. These approaches directly address process competence without limiting participation based solely on prior volume.
In addition, the current accreditation model administered by A2LA primarily evaluates management system conformance rather than the technical depth of individual auditors or competency with current PMO processes. Strengthening oversight to include review of assessment artifacts, control validation rigor, Security Assessment Report quality and / or review of conformance with PMO processes would provide a more direct measure of performance.

Additionally, introducing a witness audit model—where the PMO observes actual control testing and walkthrough execution—could create a performance-based qualification mechanism. ISO certification bodies go through this same process, where their assessment process is observed and recommendations are provided to strengthen the assessment process. Observed execution is a stronger proxy for competence than historical certification counts.

Requiring prior sponsorless certifications as a threshold risks concentrating work among a limited set of assessors and slowing overall program scalability. This potentially could be a particularly acute issue since it’s fair to anticipate a flood of CSPs pursuing the sponsorless path. Historically, FedRAMP authorizations have been constrained by the sponsorship requirement. Is it our view that removing the sponsor requirement but replacing it with a constrained market of ‘Trusted Assessors” will shift the authorization choke point from agencies to assessors. Performance-based and enablement-focused approach could better balance quality assurance with the capacity required to support modernization objectives.

[CSP-AB]

CSP-AB Submits the following comment:

Can FedRAMP use this as a model for CSPs that are leveraged by other CSPs (indirect demand). One of the biggest challenges is the leveraging of only FedRAMP authorized services and while that requirement has been relaxed there will still be cases where an external system would need to transmit, store or process government or sensitive data. The marketplace to be expanded so that these CSPs can get an authorization and not just a validation level from the FR PMO.

[travis-w-sgc2]

For Trusted Assessor

Removing the agency sponsor bottleneck is a meaningful improvement. However, the current Trusted Assessor criteria may unintentionally shift the constraint from agency sponsorship to assessor availability and cost. If only a limited number of assessors qualify, concentrated demand could create scheduling delays that affect all CSPs, as well as pricing pressure that may disproportionately impact smaller providers.

Additional clarification would be helpful regarding whether a CSP with a recent full Rev5 assessment performed by a FedRAMP-recognized assessor - and a current SAR within the active assessment cycle - may submit for Program Certification using an updated SAR that reflects delta testing, updated scans, and an updated attestation, rather than undergoing a duplicative full reassessment.

For example, we are currently undergoing our full Rev5 annual assessment, expected to result in an updated SAR in July 2026. Clarifying whether such an assessment could be leveraged for Program Certification submission would improve predictability for CSPs already operating within the established Rev5 lifecycle.

For Mandatory Balance Improvement Release Adoption

RFC-0023 proposed that Program Certification submissions must implement all Balance Improvement Releases at the time of submission. In RFC-0020, the Rev5 Balance Improvement Releases are associated with the proposed Certified level 4 designation. Should sponsorless Program Certification therefore be understood as aligning with Certified Level 4 expectations, rather than the Certified Level 3 (Moderate) authorization? Clarification on this alignment would help CSPs plan implementation scope, resourcing, and certification strategy.

[vanderson-fits]

LPC-GEN-ATA Assessment by Trusted Assessor

• FedRAMP should consider not creating new programs or requirements where they are not necessary; the marketplace already tracks active FedRAMP assessments per 3PAO which translates into experience.
• FedRAMP should also not require 3PAOs to solicit positive feedback from their clients as part of this; that may create a perceived conflict of interest. Instead consider relying on the existing F338 CSP Evaluation Form to determine CSP satisfaction.

LPC-GEN-LVL Level Limited

• Limiting this to levels 1 – 4 (or classes A&B) seems reasonable and caps FedRAMP’s level of effort in reviewing authorization packages. CSPs who will need high can prepare for High, document for High, and even have the additional High controls/parameters assessed by their 3PAOs alongside level 4. Agencies will avoid the initial review load that appears to be the big blocker but would take on the SCR to uplift a level 4 to level 5 or 6 (class C).

LPC-TIM-EOL End of Life for Legacy Program Certification

• To be able to submit a complete authorization package by 12/16/26, particularly with the additional balance improvement requirements, the practical window for a CSP to commit to the program certification path may be very small. FedRAMP should consider extending this window for as long as the Rev 5 initial certification path exists or allowing CSPs until 12/16/26 to claim a seat in the program even if their authorization package might not come together until sometime in 2027.

[drewmk]

The introduction of a sponsorless option represents a significant advancement for all CSPs.

Regarding the initial beta requirements for Rev5 Balance Improvements, we are prepared to commit to these terms as they provide a clear and tangible path forward.

[skriz24]

I absolutely love the idea of the Program Certification for both 20x and Rev5. The only issue I have is with the time limit. With DoD/DoW not wanting to adopt 20x (at least for now), there is still a need for CSPs to invest in Rev5 as the DoD/DoW IL baselines build off of Moderate. What would make zero sense is for an organization to do 20x for FedCiv and then have to go build a Rev5 environment for DoD/DoW, but instead build a Rev5 environment that can be Certified for FedRAMP and then authorized by DISA at the appropriate IL level. But by time-bounding this to only 2026, it leaves organizations in 2027 right where they are today. My suggestion is, until DoD/DoW is open to adopting the 20x baseline, FedRAMP should be willing to review both styles of package and issue program certifications, allowing organizations to implement the baseline of their choosing based on their addressable market. Reuse of effort is key here for the CSP market.

[cbiggsrun]

Comments from Fortreum:

1. We wholeheartedly support an agency-less path, but a few over-arching points to consider:
   • I assume agencies still have to grant an ATO on top of this FedRAMP Program Certification for their agency to use the CSO.
   • Once an agency grants an ATO, the designation on the Marketplace listing will change to Agency Authorized?

2. Proposed Requirements for Rev5 Program Certification section, first paragraph: Are we changing the name “3PAO” to “Trusted Assessor”? Do they still have to be certified via A2LA? Please make this clear in the final standard.

3. LPC-GEN-LVL Level Limited section:
   • Instead of saying “level-limited”, suggest just you just say “No High-Impact Packages”.
   • First paragraph: Explain the levels or provide a link to the explanation.

4. LPC-GEN-ATA Assessment by Trusted Assessor section: Suggest moving this and the next two sections up to be the first sections because this is the key content we all want to know.

5. LPC-TIM-EOL End of Life for Legacy Program Certification section: The section says Providers MUST submit complete authorization packages for FedRAMP Program Certification before 2PM ET December 16, 2026 (FY27 Q1).” Why is this new program only temporary? Please make this clear in the final standard.

Thanks!

[Rene2mt]

Given the sustained difficulty CSPs have faced in securing agency sponsors, this is a practical and much appreciated evolution—even if intended as a temporary measure.

Regarding LPC-GEN-IBR, I support the concept of collaborative continuous monitoring (CCM), but I am concerned that agencies unwilling to sponsor may also be reluctant to meaningfully participate in CCM activities. CSP must / will do their part but any measures to help with engagement would strengthen this provision.

For LPC-GEN-IRI, I strongly support efforts to reduce churn and back-and-forth during intake and review. However, given the number of new requirements and the flexibility in implementation approaches, there may be situations where CSPs and assessors reasonably believe they have met requirements but FedRAMP disagrees or requests additional detail. It would be unfortunate for CSPs to incur a one- or three-month resubmission delay due to good-faith misunderstandings. The approach should distinguish between material deficiencies and clarification gaps, and should also provide clear guidance on constitutes a “complete” package so all parties (CSP, 3PAO, and FedRAMP) are in alignment.

Again, thank you for this proposal. It could really address what has been a long standing bottleneck in the ecosystem.

[PS-SEC-MSG]

RFC-0023: Rev5 Program Certifications (No Sponsor Required)

I appreciate the opportunity to comment on RFC‑0023. I am submitting this feedback in an individual capacity as a FedRAMP senior assessor and practice lead who actively supports cloud service providers in meeting FedRAMP requirements. I support the sponsorless path as a time‑limited bridge for qualified providers while the ecosystem transitions toward FedRAMP 20x. To improve clarity and fairness, the comments below focus on Trusted Assessor criteria, corrective action processes, program mechanics and alignment with related RFCs.

Perspective: Senior assessor, implementation‑focused, seeking objective, auditable and fair requirements.

1. Trusted Assessor criteria – allow broader assessment types
   Comment/Question:
   Limiting Trusted status to three initial certifications or validations within 12 months narrows the field and disadvantages smaller 3PAOs. Would FedRAMP consider counting annual assessments, Significant Change Reviews or FedRAMP Ready assessments toward the volume requirement?
   Proposed clarification language:
   • Recognize a combination of initial certifications/validations and other FedRAMP assessments (annual assessments, Significant Change Reviews, FedRAMP Ready assessments) completed within the past 12 months when evaluating Trusted status.

2. Credit for legacy authorizations
   Comment/Question:
   Many assessors performed authorizations under the legacy JAB process. Does FedRAMP intend for those authorizations to count toward the Trusted volume threshold?
   Proposed clarification language:
   • Credit authorizations completed under the prior JAB process when the assessor was the primary assessor, allowing them to substitute for up to two of the three required certifications/validations.

3. Align volume thresholds with assessor recognition rules
   Comment/Question:
   RFC‑0021 requires independent assessors to complete at least two assessments every two years to maintain recognition, while RFC‑0023’s Trusted threshold is three certifications or validations in 12 months. How should assessors interpret these thresholds?
   Proposed clarification language:
   • Clarify that the two‑assessments‑in‑24‑months requirement maintains recognition, while the Trusted threshold is an optional higher standard.
   • Publish guidance illustrating how the two requirements coexist.

4. Terminology and path‑agnostic eligibility
   Comment/Question:
   The RFC‑0020 initial outcome adopts “FedRAMP Certification” as the single label and replaces numbered levels with Certification Classes A–D. RFC‑0023 still references Level 1–4. Please confirm that Trusted status applies across Classes A–D.
   Proposed clarification language:
   • State that Trusted status applies to certifications across Classes A–D.
   • Update references to “Level 1‑4” in RFC‑0023 to align with the forthcoming Consolidated Rules.

5. Consultation and cure period before public corrective action
   Comment/Question:
   The 3PAO Obligations and CSP Continuous Monitoring guides provide consultation and cure periods before public corrective action, yet RFC‑0023 appears to impose immediate public notification for incomplete packages or grossly incomplete submissions. How will FedRAMP ensure due process?
   Proposed clarification language:
   • Issue a written consultation notice specifying deficiencies and provide a cure period before public notice.
   • Publicly post corrective action only if deficiencies remain or if the assessor’s conduct constitutes a breach of trust.
   • Publish examples distinguishing good‑faith mistakes from breaches of trust.

6. Graduated penalties for incomplete packages
   Comment/Question:
   RFC‑0023 triggers a three‑month resubmission penalty and loss of Trusted status when a package is missing 11 or more requirements, regardless of severity. Could FedRAMP adopt graduated penalties?
   Proposed clarification language:
   • Distinguish between minor omissions (e.g., incomplete fields or missing attachments) and gross omissions (e.g., entire appendices or control families).
   • Apply shorter resubmission windows and no Trusted penalty for minor omissions, while retaining existing penalties for gross omissions.

7. Define “breach of trust” triggers
   Comment/Question:
   FedRAMP staff have referred to corrective actions as responses to breaches of trust. Please provide examples of conduct that would constitute a breach of trust and warrant immediate public notice.
   Proposed clarification language:
   • Publish a non‑exhaustive list of breach‑of‑trust scenarios (e.g., deliberate submission of falsified artifacts, systemic disregard for mandatory controls, repeated neglect of consultation notices).
   • Note that disagreements arising from ambiguous requirements will be handled through consultation and cure rather than immediate public notice.

8. Sponsor‑loss scenario and eligibility to switch paths
   Comment/Question:
   If a CSP loses its agency sponsor mid‑assessment, can the same Rev5 package be resubmitted under the Program Certification path, and what additional steps are needed?
   Proposed clarification language:
   • Allow a CSP to submit its existing Rev5 assessment under the Program Certification path provided the package is updated to meet mandatory Balance Improvement Releases and machine‑readable requirements.
   • Require an independent assessor attestation confirming completeness and reflect any delta assessments performed since the sponsor’s withdrawal.

9. Guidance on “significant progress” and last possible start date
   Comment/Question:
   RFC‑0023 does not define the minimum progress required to enter the sponsorless path or specify when a provider must begin assessment to meet the December 16 2026 deadline. Without these details, providers may misjudge their eligibility.
   Proposed clarification language:
   • Define “significant progress” using objective milestones such as completion of the SSP and SAP, executed 3PAO contracts, or a draft SAR.
   • Publish an estimated “latest start date” by which a CSP must begin its assessment to reasonably meet the submission deadline.

10. Flexibility in Balance Improvement Release adoption
    Comment/Question:
    LPC‑GEN‑MBA requires participation in the first beta of every Balance Improvement Release. Would FedRAMP consider allowing adoption within a window after open beta rather than mandating first‑beta participation?
    Proposed clarification language:
    • Require adoption of each Balance Improvement Release within 60 days of open beta.
    • Encourage first‑beta participation but do not require it.
    • Publish a schedule of releases and adoption windows for planning purposes.

11. Path for high‑impact services (Class D/Level 5+)
    Comment/Question:
    RFC‑0023 excludes Level 5+ services from the sponsorless path, leaving high‑impact providers without an option. Several commenters suggested pilot or partial certifications.
    Proposed clarification language:
    • Consider limited pilots authorizing a small number of high‑impact services (Class D) each year through Program Certification.
    • Explore partial certifications that assess controls up to Class C while clearly noting unreviewed controls.

12. Alternative pathways for smaller assessors
    Comment/Question:
    Concentrating Trusted status among large firms could reduce competition. Would FedRAMP explore alternative pathways for smaller or specialized assessors to achieve Trusted status?
    Proposed clarification language:
    • Evaluate alternative pathways such as reduced volume thresholds for long‑standing assessors with clean records or quality‑based reviews of sample work product.
    • Pilot these approaches to preserve market diversity and competition.

13. Marketplace search and filtering fairness
    Comment/Question:
    The Trusted badge will be visible in the FedRAMP Marketplace. How will FedRAMP ensure that search and filtering functions do not penalize non‑trusted assessors?
    Proposed clarification language:
    • Publish guidance on Marketplace search algorithms.
    • Ensure non‑trusted assessors remain discoverable and default to neutral sorting unless users filter explicitly for Trusted assessors.

14. Interaction with attestation and assessment cadence (RFC‑0021 outcome)
    Comment/Question:
    The RFC‑0021 initial outcome removes mandatory positive attestations for advisors and requires assessors to complete two assessments every two years. How will these changes intersect with Trusted status?
    Proposed clarification language:
    • Clarify that Trusted status requires compliance with the general recognition requirement (two assessments every two years) plus the Trusted volume threshold.
    • Confirm that positive customer attestations remain optional and are not part of Trusted eligibility.

15. Impact of cost‑reporting deferral (RFC‑0019 outcome)
    Comment/Question:
    FedRAMP has decided not to implement cost reporting at this time. Can FedRAMP confirm that cost information will not be part of Trusted criteria?
    Proposed clarification language:
    • Confirm that cost reporting and cost attestation are excluded from the Trusted criteria in the 2026 Consolidated Rules.
    • Clarify that any future cost‑related proposals would be subject to a separate comment process.

16. Role of PMO‑sponsored certifications and future evolution
    Comment/Question:
    Some commenters suggested that PMO‑sponsored certifications could accelerate tool adoption and support future validation. Does FedRAMP plan to extend Trusted status to other authorization paths?
    Proposed clarification language:
    • Commit to reviewing the Trusted program after the sponsorless period ends to determine whether to support PMO‑sponsored or other innovative authorization paths.
    • State that any expansion of the program would go through a new public comment process.

17. Unified corrective action and appeal framework across RFCs
    Comment/Question:
    With multiple RFCs proposing different corrective actions and appeal mechanisms, several commenters requested a consolidated framework to ensure consistency and transparency.
    Proposed clarification language:
    • Develop a consolidated corrective action and appeal process that applies to CSPs, independent assessors and advisors.
    • Include notification, cure periods, public disclosure conditions, and appeal mechanisms.
    • Publish the framework through a future notice or RFC.

Personal capacity note: This comment is submitted in an individual capacity and does not represent any employer or organization.
Matthew S. Graham, CISSP
https://www.linkedin.com/in/msgcyberassessments/