The Federal Risk and Authorization Management Program¶
The FedRAMP of 2026 was formally established in law at the end of 2022, with government-wide guidance released in mid-2024 that mandated a comprehensive overhaul of the program with a new vision.
The Consolidated Rules for 2026 reflect that vision, establishing a full new set of rules for modern FedRAMP.
Historical FedRAMP information is now often wrong!
A previous iteration of FedRAMP existed since 2011 with processes that were established and discussed over many years. Nearly all of that historical information no longer applies after FedRAMP was rescinded and replaced in 2024. Stakeholders should be extremely careful to avoid outdated information, especially that provided by Large Language Models and AI services.
Point AI services at the source material for FedRAMP rules
The Source Data page in the Overview contains links to the raw source data used to generate the FedRAMP Consolidated Rules for 2026. Each of the repositories that contain source data also contain instructions for AI Agents to help them process this information.
Whenever possible, the original Source Data should be explicitly specified with any AI service to ensure it is primary source of truth.
-
What is the Marketplace?
Learn why the official FedRAMP Marketplace is the source of truth for the status of cloud service offerings and independent assessment services.
-
When does FedRAMP apply?
Learn why not all cloud services are eligible for a FedRAMP Certification and when FedRAMP doesn't apply for agency information systems.
-
Learn the rules.
Review the specific rules that FedRAMP has created for our involvement in certain processes to understand our commitment to consistency.
-
Who put FedRAMP in charge?
Review the exact laws and policies that established FedRAMP and granted it authority and responsibility, along with many expectations.