Page Info
Description: Explanations of FedRAMP Certification profiles, which involve different types, classes, and paths.
Purpose: Help folks understand what's up in this brave new world where FedRAMP uses different terms for commercial cloud service certification than agencies use for operating federal information systems.
FedRAMP Certification
FedRAMP Certification, formerly referred to as “FedRAMP authorization,” is a certification by the Federal Risk and Authorization Management Program (FedRAMP) in the General Services Administration (GSA) that a cloud computing product or service has completed a standardized security assessment and review that is adequate for use by federal agencies in making initial and ongoing authorization to operate decisions for use of that cloud service.
FedRAMP does not grant an Authorization to Operate (ATO) of any kind or accept any risk on behalf of the federal government or federal agencies. The FedRAMP process establishes a standardized, reusable approach to ensuring agencies have timely and consistent access to the information necessary to make decisions, and FedRAMP focuses on ensuring stakeholders follow this process within the limits of its authority and responsibilities. FedRAMP does not establish contracts or legal agreements for FedRAMP Certification and has minimal enforcement authority beyond requesting Corrective Action by a stakeholder that is not properly following the FedRAMP process.
Types of FedRAMP Certification
There are 2 types of FedRAMP Certification, FedRAMP Rev5 and FedRAMP 20x.
FedRAMP Rev5
FedRAMP Rev5 is a modernized version of the traditional FedRAMP process that relies on a lift-and-shift of the strict regulatory-driven approach taken by government agencies for building their own information system and applies it to commercial cloud services. It typically requires cloud service providers to establish entire public-sector organizations, infrastructure, and compliance teams to build a government-specific version of their product known as a “gov cloud.” This includes extensive requirements for both the initial assessment and for meeting ongoing certification requirements called “Continuous Monitoring.”
Requirements for FedRAMP Rev5 have been updated and modernized considerably in the Consolidated Rules for 2026 to balance improvements with the new FedRAMP 20x type of certification. Legacy guides and advice from before 2026 are almost certain to cause confusion and should be viewed with care.
FedRAMP Rev5 is best for non-cloud-native services (such as those that run their own datacenters and physical security) and cloud services seeking Class D (High) Certifications. New FedRAMP Rev5 Certifications will be limited to these types of services by the end of 2027, though ongoing certification will remain available for existing FedRAMP Rev5 Certified providers through at least December 31, 2028.
FedRAMP 20x
FedRAMP 20x is a new cloud-native process designed for commercial cloud services that are built on FedRAMP Certified infrastructure and platforms. It is designed to highlight commercial security best practices and allows flexible implementation that can grow with adoption and customer needs. Cloud service providers must share information about Key Security Indicators that summarize their security capabilities. This requires deploying automation capabilities to persistently monitor and enforce the desired security state and to report on the performance of Key Security Indicators within the organization.
FedRAMP 20x is best for cloud-native services built with modern infrastructure and security engineering practices in mind, especially those with highly empowered Governance, Risk and Compliance (GRC) engineering teams. These types of cloud service providers are best positioned to adopt FedRAMP 20x within their existing commercial cloud service without requiring government-specific versions. FedRAMP 20x is not available to cloud service providers that run their own infrastructure or those seeking Class D (High) Certification.
Classes of FedRAMP Certification
There are 4 classes of FedRAMP Certification, each with different requirements.
FedRAMP Certification does not determine how secure a cloud service provider is, and FedRAMP Certification classes are unrelated to the overall security of a cloud service offering. Instead, each class has different thresholds for the amount of information that must be shared by a cloud service provider and varying commitments for ongoing maintenance and reporting activities. Having more detailed information available about a cloud service offering, combined with different commitments for reporting and maintenance, means that different classes of FedRAMP Certifications are more or less likely to be adequate for use by agencies in federal information systems with different security objectives.
More detailed information about the requirements for each FedRAMP Certification Class, based on the type of FedRAMP Certification, is available in the appropriate sections of the Consolidated Rules for 2026 that apply to cloud service providers, assessors, and agencies.
Class A Certification
Class A Certifications are for cloud services with mature security and compliance programs that are looking to enter the federal marketplace. Class A requires a small amount of information in advance and a small subset of initial ongoing monitoring and reporting requirements. Cloud service providers are expected to transition to a Class B, C, or D FedRAMP Certification after initial agency adoption.
Class B Certification
Class B Certifications are for cloud services that provide fairly common small-scale or light-use services where an entire agency is unlikely to use the service for important work, so considerable additional investment in ongoing maintenance and reporting activities is not expected. Class B requires more information and more ongoing reporting than Class A but less than Class C or D.
Class C Certification
Class C Certifications are for cloud services that provide common enterprise services that are likely to be used in systems across an entire agency or that provide important government services. Class C requires a considerable amount of information and ongoing reporting and is the most commonly used class of FedRAMP Certifications.
Class D Certification
Class D Certifications are for cloud services that target mission-critical applications or enterprise usage in agency systems where problems with the cloud service offering could cripple agency operations, result in major damage or financial loss by an agency, or result in catastrophic harm to individuals that rely on the service (including loss of life). Class D requires an immense investment and commitment for both initial and ongoing FedRAMP Certification, including a vast amount of information about the cloud service offering and heavy ongoing reporting and activity requirements.
Paths for FedRAMP Certification
There are 2 paths for FedRAMP Certification, with each path being restricted to certain types and classes of certification.
Program Certification
The Program Certification path is new in the Consolidated Rules for 2026 and allows cloud service providers to submit certification packages directly to FedRAMP for initial FedRAMP Certification. This is the preferred path for qualifying cloud service offerings and does not require an initial agency partner or sponsor.
FedRAMP Certification Profiles for Program Certification include (see the specific class overview page in the cloud service provider section of the consolidated rules for more details):
- FedRAMP 20x Class A, B, or C
- FedRAMP Rev5 Class A
- FedRAMP Rev5 Class B or C in extremely limited cases
Agency Certification
The Agency Certification path is the traditional agency partner or sponsor path, where a federal agency follows FedRAMP rules to perform an initial agency review of a cloud service offering and grants an agency-specific authorization to operate for the cloud service. The package is then submitted to FedRAMP for a completeness check and official FedRAMP Certification. After the initial FedRAMP Certification, the sponsoring agency becomes just another customer as the cloud service transitions to collaborative continuous monitoring following FedRAMP rules.
This path is available for FedRAMP Rev5 Certification at Class B, C, or D; it is the only path for FedRAMP Class D Certification in the Consolidated Rules for 2026.
Certification Profiles
The combination of the type, class, and path for FedRAMP Certification is called a profile. For additional information on each possible FedRAMP Certification profile, please review the relevant sections of the Consolidated Rules for 2026 that apply to cloud service providers, independent assessors, or agencies.