Cloud service providers (CSPs) pursuing opportunities with the federal government need to show that their cloud services meet defined security requirements for handling federal data. FedRAMP controls establish that foundation. They shape what providers document, what independent assessors test, and what federal agencies review when deciding whether a cloud service fits their risk tolerance and intended use.

But that process is changing. FedRAMP is moving toward new certification terminology and class-based labels as it prepares its Consolidated Rules for 2026. At the same time, CSPs still need to operate against today’s Revision 5 expectations while preparing for what comes nex

For providers planning FedRAMP authorization, that means understanding the control foundation, maintaining defensible evidence, and tracking the transition without losing momentum.

How FedRAMP Controls Work Today

FedRAMP security controls are grounded in National Institute of Standards and Technology Special Publication (NIST SP) 800-53 Rev. 5 and its related control baselines. The program applies those security controls to cloud services used by federal agencies, giving agency reviewers a consistent starting point for evaluating cloud security and risk.

Under the current Rev. 5 structure, CSPs generally work against one of these baselines:

  • Tailored for LI-SaaS: A limited-impact path for qualifying software-as-a-service offerings.
  • FedRAMP Low: Used for services handling federal data where a loss of confidentiality, integrity, or availability would have limited adverse effect.
  • FedRAMP Moderate: Common for cloud services supporting federal agency business functions where a disruption or data exposure could have serious adverse effects.
  • FedRAMP High: Intended for services that require the most rigorous baseline because an incident could have severe or catastrophic impact.

Baseline selection is tied to the federal agency use case and the impact categorization of the information system. It is not simply a provider preference or marketing label.

The selected baseline affects the depth of the security assessment, the security controls that must be addressed, and the evidence the CSP needs to maintain. It also shapes the system security plan (SSP), where the provider documents its authorization boundary, data flows, control implementation, inherited controls, and responsibilities for protecting federal data.

Continuous monitoring is part of the FedRAMP compliance model after the initial assessment. A cloud service is expected to maintain its control posture over time, document changes, track identified issues, and provide required monitoring information as systems evolve.

Current Baselines vs. Proposed Certification Classes

FedRAMP is changing how its authorization outcomes and assessment baselines are labeled. The program has stated that “FedRAMP Certification” or “FedRAMP Certified” will become the official label for a FedRAMP authorization under the Consolidated Rules for 2026. This terminology is intended to distinguish a FedRAMP authorization from an agency Authorization to Operate (ATO).

That distinction matters because a FedRAMP Certification does not, by itself, authorize a federal agency to use a service in its own information system. Federal agencies still review FedRAMP materials, evaluate risk, and issue an agency ATO based on their mission and security needs.

The emerging class structure is expected to map to current and new FedRAMP paths as follows:

 

Current FedRAMP Structure Proposed/Emerging 2026 Framing What CSPs Should Know
FedRAMP Ready Class A FedRAMP Ready is scheduled to retire on July 28, 2026. Class A will provide a time-limited certification path for initial testing and piloting, with a conversion path for eligible FedRAMP Ready cloud services.
LI-SaaS / Low Class B Providers still need defined scope, appropriate security controls, and evidence that substantiates control operation.
Moderate Class C Moderate-level requirements continue to align to cloud services used in many common federal agency scenarios.
High Class D A FedRAMP High authorization continues to require deeper assessment evidence and higher operational rigor.
FedRAMP authorization FedRAMP Certification / FedRAMP Certified The label changes, but agency review and ATO decisions remain separate responsibilities.

 

FedRAMP 20x is also part of the transition. FedRAMP has indicated that 20x requirements will align with the certification classes, while the final rules and transition timelines will be established through the Consolidated Rules for 2026. CSPs evaluating FedRAMP 20x should monitor formal program updates rather than assume preview materials are final compliance requirements.

What Is Not Changing

New labels do not replace the substance of FedRAMP compliance. Whether a provider is preparing for FedRAMP Moderate today or tracking a future Class C path, the cloud service still needs security controls that can withstand independent review.

Several priorities remain central:

  • Accurate scope: The authorization boundary needs to match the actual cloud service, connected components, data flows, and inherited responsibilities.
  • Control implementation that reflects reality: SSP narratives should explain how each applicable security control works in the environment, not describe an intended future state.
  • Clear access control practices: Administrative access, authentication, privileged activity, and account review need to align with the baseline and supporting evidence.
  • Configuration management discipline: Providers need current inventories, approved configuration settings, and traceable changes to in-scope components.
  • Supply chain risk management: Sub-service providers and inherited security responsibilities need to be identified and documented.
  • Continuous monitoring: Compliance continues after authorization through routine monitoring, issue tracking, reporting, and annual security assessment activity.

Evidence quality remains especially important. A policy may describe an access control process, but an assessor needs records that substantiate its operation. A diagram may depict a boundary, but the related inventory and data flows must tell the same story. These details affect whether a security assessment can be completed efficiently and whether federal agencies can rely on the resulting package.

The Role of Assessment Evidence in FedRAMP Authorization

A FedRAMP authorization package is built to give a government agency usable information for its own risk decision. That package may include the SSP, assessment procedures, a security assessment report, plans of action and milestones, and continuous monitoring materials.

For CSPs, this means FedRAMP compliance should be treated as an operating practice rather than a documentation event. Weak control narratives can slow review. Missing or conflicting artifacts can trigger questions late in the process. When evidence is current and mapped to the relevant FedRAMP controls, an independent security assessment has a stronger foundation.

Readiness assessment work can help identify those issues before a formal security assessment begins. It can clarify whether SSP narratives align to the environment, whether the evidence supports control claims, and whether the selected FedRAMP baseline reflects the intended federal agency use case.

How Insight Assurance Supports FedRAMP Assessment Readiness

Insight Assurance is a FedRAMP-recognized Third-Party Assessment Organization (3PAO) that performs independent FedRAMP assessment services for CSPs pursuing federal cloud opportunities.

Our assessment-focused work can include:

  • Reviewing SSP narratives and evidence alignment against applicable FedRAMP requirements.
  • Evaluating whether documentation substantiates control implementation and operating practices.
  • Performing independent security assessment activities aligned to the selected baseline.
  • Supporting required assessment reporting, including security assessment report development where applicable.
  • Assessing continuous monitoring evidence for cloud services maintaining FedRAMP authorization.

Insight Assurance maintains the independence required of a 3PAO. Our role in an assessment engagement is to evaluate control implementation and supporting evidence objectively, not to operate controls, implement remediation, or manage the client’s compliance program.

Prepare for Today While Watching for What Comes Next

FedRAMP terminology is changing, and providers should monitor the final Consolidated Rules for 2026 as they are published. The underlying expectation remains familiar: CSPs must be able to document their security controls, substantiate their operation, and provide materials that federal agencies can use when making risk-based authorization decisions.

Whether your organization is preparing for FedRAMP Low, FedRAMP Moderate, FedRAMP High, or an emerging certification class, strong scope definition and current evidence remain essential.

Contact Insight Assurance to discuss FedRAMP assessment readiness, baseline-aligned evidence expectations, and independent security assessment services for your cloud offering.