Page Info
Description: A table showing all pages, their source, and their progress along with links to internal documentation only available to FedRAMP.
Purpose: The FedRAMP team will have a simple place to see progress that is machine-generated.
TO DO¶
Generated: 2026-05-04T19:14:11.376Z
Stable Human-Written Pages ¶
| Location | Picto | Description | Purpose | |
|---|---|---|---|---|
| Advisors Advisory Services |
An overview of the advisory services section. | Helps advisory services understand how to navigate effectively. | ||
| Agencies Federal Agencies |
Welcome to federal agencies, explanation of who an agency is, and why FedRAMP matters to them and they need to get in the game. | Help agencies understand if FedRAMP applies and how to get involved and use it to their benefit. | ||
| Independent Assessors Independent Assessment Services |
An explanation of what Independent Assessors are, why this term is used instead of 3PAOs now, and the general role of the assessor as now performing independent verification and validation. | Folks know why it's IAS instead of 3PAO and how to dig into this section. | ||
| Overview FedRAMP Certification |
Explanations of FedRAMP Certification profiles, which involve different types, classes, and paths. | Help folks understand what's up in this brave new world where FedRAMP uses different terms for commercial cloud service certification than agencies use for operating federal information systems. | ||
| Overview Changelog |
A history of changes to overall rules and this website through the Consolidated Rules for 2026 Public Preview period. | Gives folks a consistent place to come and see summaries of the changes since last visit. | ||
| Overview Public Preview |
This page contains an overview of the Public Preview, including descriptions of the content sources and status. | Helps folks understand the goals of the Public Preview and how to approach reviewing it. | ||
| Cloud Service Providers Cloud Service Providers |
Welcome to providers and a general overview of the expectations for FedRAMP and how to navigate this entire section. | Providers will know how to navigate the consolidated rules for 2026. | ||
| FedRAMP The Federal Risk and Authorization Management Program |
An overview of the FedRAMP section of these rules and what is in here. | Folks know where to go from here. | ||
| FedRAMP Scope of FedRAMP |
Guidelines and examples for understanding the scope of FedRAMP. | Helps folks understand when a cloud service is within the scope of FedRAMP. | ||
| Overview The Shared Responsibility Model |
Explanation of the expected responsibilities of all stakeholders and how those are shared throughout the FedRAMP game. | Helps folks understand what each party is expected to do. | ||
| Overview Source Data |
Information about the underlying sources from which this HTML web page is generated. | Allow folks and agents to go directly to structured or semi-structured text materials instead of scraping the website. | ||
| Overview FedRAMP Consolidated Rules for 2026 Release Timeline |
High level timelines for how the Consolidated Rules for 2026 will be produced and take effect. | Help folks understand when all of this will happen. |
Placeholder Human-Written Pages ¶
| Location | Picto | Description | Purpose | |
|---|---|---|---|---|
| Agencies Getting Started with FedRAMP as a Federal Agency |
A narrative overview of how to get started using FedRAMP that introduces folks to the rest of this section. Diagrams? | Help folks transition from landing into navigating the rest of the agency getting started section. | ||
| Agencies Responding to CISA Emergency and Binding Operational Directives |
Explanation of the role FedRAMP plays in coordinating cloud service provider responses to CISA EDs and BODs on behalf of the federal government, and why agencies have to let us do it. | CISA EDs and BODs will be able to link to this page and send it out to agencies during an event so they know exactly what to do instead of having constant wonky info sessions and stuff. | ||
| Agencies FedRAMP Agency Support Groups |
Agency support groups provide help for agencies trying to use FedRAMP Certified cloud services. | Folks know what support groups are, how to join them, and why they should join them. | ||
| Agencies The FedRAMP Agency Liaisons Program |
Information about the FedRAMP Liaison Program, why it matters, and how to get involved. | Agencies will know that they should assign a FedRAMP Liaison and what they get out of it, and how to get started communicating with this group, what it's good for, why it's important, etc. They should also be encouraged to use this group instead of just emailing fedramp directly sometimes. | ||
| Agencies Using a FedRAMP Certified Cloud Service |
A broad overview of how agencies leverage (use) FedRAMP Certifications within their information security programs for cloud services. | Introduces agencies to the basic concepts and expectations of using FedRAMP Certifications, highlighting the need to treat cloud services as a third-party service that is used in an agency information system (not something that becomes an agency information system itself). Also make sure they are aware of government-wide implications. | ||
| Independent Assessors FedRAMP Recognition |
It's like Certification but for assessors! An overview of FedRAMP Recognition, what it is, why it matters, what it costs, how it works, and when to do it and when not to do it. And a heads up that they have to meet all the rules in the rules section. | Companies know what's up with FedRAMP Recognition and understand that there's more to the game than A2LA. | ||
| Independent Assessors Getting Started as an Independent Assessor |
How Independent Assessment Services can get into these FedRAMP Consolidated rules and make sense of it all. | Assessors know how to work through all this and what they need to do. | ||
| Cloud Service Providers FedRAMP Rev5 Certification Rules |
A broad overview of the Rev5 path, the reasons to / to not go this path, the sponsorship situation in general, etc. | Folks know what's expected in general and how to work through the rest of this section. |
Empty Human-Written Pages ¶
| Location | Picto | Description | Purpose | |
|---|---|---|---|---|
| Advisors Advisory Services Rules |
An overview of the FedRAMP Rules for Advisory services. | Helps folks understand what they are going to see when they dig into the rules. | ||
| Advisors Getting Started as an Advisory Service |
How to get started as an advisory service, including grabbing a listing on the FedRAMP Marketplace. | Helps advisory services be clear with customers and publish their availability. | ||
| Advisors Getting Support as an Advisory Service |
How to get support and participate in the FedRAMP community. | Helps advisory services understand what FedRAMP will do to help them. | ||
| Agencies Agency Specific Rules |
Overview of the FedRAMP rules that apply to agencies, how they are structured, and why they are the way they are, including links to authority etc. | Agencies understand there are rules and how to review them and follow them. | ||
| Agencies Sponsoring a FedRAMP Certification |
This document explains when and why agencies need to sponsor a cloud service for FedRAMP Certification. Include a breakdown of classes and types. Explain that they are NOT accepting risk for anyone other than themselves, and that they are simultaneously doing an ATO and sponsoring for FR Certification but not in the same SSP/etc. | Agencies know when they should sponsor vs send something to FedRAMP and why. | ||
| Agencies Sponsoring Initial FedRAMP Certification |
The steps and process for sponsoring an Initial Certification. | Agencies understand the step by step expectations for how the process works from both their perspective and FedRAMP's. | ||
| Agencies Making Ongoing Certification Collaborative |
Explanation that sponsors are NO DIFFERENT FROM ANYONE ELSE once the FedRAMP Certification is done and that they just follow along with the rest now. | Folks realize that they are responsible for their own risk and maintaining their own information system, not some random cloud service provider's information system just because they sponsored it. | ||
| Agencies Reporting Concerns to FedRAMP |
Explains how agencies can report concerns about suspicious behavior or other stuff to FedRAMP. | Folks know when and how to report stuff to us and what we will or won't do about it. | ||
| Agencies Getting Support from FedRAMP |
How agencies can get support directly from FedRAMP when they need it. | Helps folks know who to reach out to and when, where to go for more info, and why it's okay to email us. | ||
| Agencies FedRAMP Certification Classes |
Explanations of Certification classes and their relevance to Security Categorization and why they are different. | Agencies will understand why Certification classes aren't the same as Security Categorization Levels and how to leverage Certifications of different classes in different agency information systems that have various security categorization levels. | ||
| Agencies Initial Agency Authorization |
Step by step walkthrough of the Initial Authorization process using a FedRAMP Certified cloud service. | Folks know how to do an initial ATO for an agency information system that uses a FedRAMP Certified cloud service. | ||
| Agencies The Agency System Security Plan |
Explains how to create and manage an agency SSP for a dependent agency information system that uses a FedRAMP Certified cloud service. Will be supported by an example SSP template. | Agencies understand they need to create their own SSP but should reuse the same overall one often. | ||
| Agencies Using the FedRAMP Marketplace |
Information about how agencies can use the FedRAMP Marketplace to locate information about services. | Help agencies know what to expect on the FedRAMP Marketplace and how to use it. | ||
| Agencies Ongoing Agency Authorization |
Explains the general expectations for ongoing authorization of a federal information system that uses a FedRAMP Certified cloud service offering, especially collaborative continuous monitoring stuff - points to the CCM rules but doesn't quote them. | Helps agencies know what the expectations are and where to find the explicit rules. | ||
| Agencies Agency Plans of Action and Milestones |
Explains how agencies need to manage their own POA&Ms for their own information systems, and why FedRAMP Certified cloud service providers maintain their own lists of vulnerabilities without providing copy/pasteable POA&Ms to agencies. | Agencies understand that they are accepting ongoing risk and making their own POA&Ms only for things they are responsible for. | ||
| Agencies Using FedRAMP 20x Certification Packages |
Explains how FedRAMP 20x packages come in many different shapes and sizes and are hosted on all sorts of platforms, and how to go about getting and using them. | Folks know why 20x packages look different and how to roll. | ||
| Agencies Accessing FedRAMP Certification Packages |
An overview of Certification packages, what type of information is in them, what they are used for, and why it's important for agencies to leverage them, with some information about machine-readability for ongoing authorization. | Agencies understand the value and use of a certification package, especially that it's more than a one-time thing they just look at once, ATO, and move on. | ||
| Agencies Using FedRAMP Rev5 Certification Packages |
Explains FedRAMP Rev5 packages, how they're laid out, and how they are typically distributed including expectations for high packages vs others on USDA connect, and talks about changes that are happening with the CDS. | Folks understand what is in a Rev5 package and how to get ahold of them plus what is changing with CDS. | ||
| Independent Assessors Performing FedRAMP 20x Assessments |
A description of the overall approach to assessments under FedRAMP 20x, including the flexibility inherent in the current process and the fact that it requires more detailed technical analysis, coding skills, etc. Include that it's more likely to be time and materials than just some scheduled one week on the ground thing. | Assessors know what they are getting into with FedRAMP 20x. | ||
| Independent Assessors Initial Assessment |
Clarifications about how the initial assessment requires them to check literally everything, verify and validate every single verification and validation from the provider, and address every single KSI and every single rule. Tell 'em how to read the rules too. | Assessors will know how to prepare to go about this philosophically, then hit up the applicable rules for the detailed expectations. | ||
| Independent Assessors Ongoing Assessment |
Explanations of the ongoing assessment process, which focuses on evaluating changes to automations in general for significant changes and annual assessments. | Assessors know what they are expected to do to support ongoing activities with partner providers. | ||
| Independent Assessors Applicable Rules |
An explanation of how to work through the Applicable Rules and use them to meet the required assessment objectives and properly do assessments. | Folks know how to dig into the Applicable Rules and follow them. | ||
| Independent Assessors Applicable Rules |
An explanation of the applicable rules for FedRAMP Recognition and Independent Assessors, how to read through them and make sense of them, how to address them, etc. | Assessors know exactly what FedRAMP expects of them to maintain FedRAMP Recognition. | ||
| Independent Assessors Performing FedRAMP Rev5 Assessments |
A description of the overall approach to assessments under FedRAMP Rev5, including how structured it is, how things are changing in these rules, etc.. | Assessors know what they are getting into with FedRAMP Rev5 under 2026. | ||
| Independent Assessors Initial Assessment |
Overview and flowchart of the initial assessment for FedRAMP Rev5, including the difference between program and agency, how to engage end to end, and how to follow the rules. | Assessors know how to get into and complete and assessment. | ||
| Independent Assessors Ongoing Assessment |
Overview of annual assessment requirements and significant change requests and what else the assessor is supposed to do on a regular basis (in general, not specific rules). | Assessors know exactly what they need to keep doing for Rev5 after the initial authorization. | ||
| Independent Assessors Applicable Rules |
Explanation of the different rulesets that apply to assessors for FedRAMP Rev5 assessment and how to follow them. | Assessors understand how to follow the rules. | ||
| Independent Assessors Getting Support |
Explanation of how assessors can get support, how they should interact with FedRAMP, when it is more appropriate for cloud service providers to contact us, how to clarify when they are asking as an IAS vs an advisory service, how important documentation is, and when to use public channels instead of emailing us. | Assessors know the right place to get support without thinking they should be emailing info@ 1000x a day on behalf of all of their customers. | ||
| Independent Assessors What's Changing in 2026 |
A general description of the key changes to the assessment lifestyle in 2026. | Assessors know what to look for and keep in mind as they get up to speed and start adopting these rules. | ||
| Independent Assessors Deadlines |
An overview of these deadlines, how the obtain/maintain/grace works, and what the specific expectations are for assessors. | Assessors know how to enforce changes based on the deadlines and aren't surprised by them. | ||
| Independent Assessors Updating to 2026 Rules |
A general description of the expectations for adopting 2026 rules in assessments. | Assessors know what they have to do to dig into these rules and start using them and what will happen if they don't. | ||
| FedRAMP The FedRAMP Marketplace |
Background information on the FedRAMP Marketplace. | Helps folks know where to find and how to use the FedRAMP Marketplace. | ||
| Cloud Service Providers Changing Class |
Overview of the process to change Certification Class, typically as an upgrade. (does not have specific rules as those are elsewhere) | Folks will know how to plan for changing class. | ||
| Cloud Service Providers FedRAMP 20x Certification Rules |
A broad overview of the 20x Certification section that explains initial, ongoing, changing class, applicable rules, and key security indicators sections. Explains why sponsorship isn't needed. | Folks will know how to get started learning about 20x Certification in detail. | ||
| Cloud Service Providers Initial Certification |
A broad overview of the steps required for initial certification to help folks navigate the process and the rules. Diagrams? | Folks will know what they need to do as they dig into the rules for more details. | ||
| Cloud Service Providers Key Security Indicators |
Introduction to the philosophy and approach for Key Security Indicators and how to work through them and verify/validate them with metrics etc. | Folks will understand how the KSI approach works. | ||
| Cloud Service Providers Ongoing Certification |
A broad overview of what folks will need to do persistently while they have a FedRAMP 20x Certification to maintain it, and clear reminders that it's not just about initial certification. Diagrams? | Folks will know what they are getting into so they can review the rules in more depth. | ||
| Cloud Service Providers Applicable Rules |
Explanation of the 20x Certification rulesets and how to navigate them. | Folks will know how to dive into the rules and address them. | ||
| Cloud Service Providers Changing Class |
Overview of why and how someone might change class for Rev5 and what the requirements and expectations for that process are without going into specific rules. | Folks will know what's up with class changes and where to dig into more. | ||
| Cloud Service Providers Control Baselines |
A description of the control baselines managed by FedRAMP and how to use them with FedRAMP-specific requirements, as a top-level section that will also include the machine-rendered lists. Explain how many controls are addressed with FedRAMP rules as well. | Folks will know how to approach the control baselines. | ||
| Cloud Service Providers Initial Certification |
An overview of the steps and process required for initial certification, for both agency and program paths. Diagrams? | Folks know the steps and are ready to dig into more rules and know where to find them. | ||
| Cloud Service Providers Ongoing Certification |
An explanation of the general ongoing certification requirements at a high level, including expectations for different classes, and how to handle program vs agency paths. | Folks know what they need to do at a high level and how to get more information from the rules. | ||
| Cloud Service Providers Applicable Rules |
An overview of the applicable rules for Rev5 and how to work through them. | Folks will know how to dig into the rules and follow them. | ||
| Cloud Service Providers Finding an Advisor |
Why providers absolutely should hire advisors and some general tips on finding them. | Folks will know they can't do this alone and stop trying. | ||
| Cloud Service Providers Finding an Assessor |
Overview of why you need an assessor for Class B/C/D, don't confuse them with advisors, when to get involved with an assessor (early plz), and how to find them on the Marketplace. | Folks will know they need to get a FedRAMP Recognized assessor when they are ready to go for Class B or up, and that sometimes it's okay to engage with them earlier. | ||
| Cloud Service Providers Choosing a Certification Class |
Overview of the classes, explanations that it's good to progress through them, and where to start and how to proceed through them with a focus on starting class. | Folks will know they should start at Class A and not try to go straight to Class D or something bonkers like that. | ||
| Cloud Service Providers Getting Certified |
An overview of the whole Certification game without going into too many specifics, that mostly directs folks to the specific rules. Reminds folks when they need an assessment vs not and the broad overall differences and processes, plus timelines and contacts. | Folks will know how to jump into the full steps and rules for specific Certification profiles with an idea of what they're getting into. | ||
| Cloud Service Providers Getting Started |
How to get started in these consolidated rules and on your FedRAMP journey because it's a whole thing mate. Maybe some diagrams? | Providers will learn to navigate through a lot of this, including the steps and whatnot. | ||
| Cloud Service Providers Getting Listed |
Explanation of the process for getting listed on the Marketplace in the preparation phase to start with, and how that changes during the lifecycle of the product. Reference the Applicable Rules for preparation but don't quote them. The Rules will be directly underneath this. | Folks will understand the reasons for getting listed and how to do it. | ||
| Cloud Service Providers Choosing a Certification Path |
Overview of the Certification paths and how to choose one, including depending on the type and class expectations. | Folks know they should aim for Program Certification on 20x unless they need a Class D before early 2027. | ||
| Cloud Service Providers Preparing |
An overview of the type of stuff you'll need to do to prepare, and why it's important to officially begin the preparation phase, along with ensuring they understand the scope of FedRAMP. | Folks will understand that preparing is a big deal and they should make it official and work through it, but also not waste their time if they're in the CMMC game or something. | ||
| Cloud Service Providers Choosing a Certification Type |
Overview of the certification types and how to choose one, with a focus on choosing since there's a lot more information in the Overview section on types. | Folks will know they should go 20x unless they want Class D before early 2027 or they run their own infrastructure. | ||
| Cloud Service Providers Getting Support |
An explanation of how to get support, where to find information, what to look for on fedramp.gov, what FedRAMP can and can't do for you, when to talk to FedRAMP vs public communications, and the need to find an advisor. | Folks will know how to engage and get help from various places or parties and understand the rules of interacting with a gov program. | ||
| Cloud Service Providers What's Changing in 2026 |
Broad overview of the changes, including balance improvement releases folding in, reminders that former JAB folks have to step up and do things the right way, and expectations for semi-structured and machine-readable stuff that is created by tools instead of people editing word documents and spreadsheets. | Folks will have an explicit sense of what they will need to do differently at a high level so they can start getting business buy-in and doing the work. | ||
| Cloud Service Providers Deadlines |
An explanation of how the deadlines will be enforced and how to broadly interpret them, along with general overall timelines for folks to think about (the specifics are rendered from machine-readable rules). | Folks will know how to read dates and start making concrete plans. | ||
| Cloud Service Providers Updating to 2026 Rules |
A reminder that folks with current FedRAMP Certifications need to invest in modernizing their programs or they will lose FedRAMP Certification, no more coasting with generic annual assessments and otherwise ignoring all of the changes. | Folks will know they need to start making changes. |
Stable Machine-Generated Pages ¶
Placeholder Machine-Generated Pages ¶
Empty Machine-Generated Pages ¶
| Location | Picto | Description | Purpose | |
|---|---|---|---|---|