Your FedRAMP Certification Profile: A Practical Guide for CSPs
If you’re a cloud service provider (CSP) trying to figure out where you fit in the new FedRAMP world, you’ve probably noticed the program has introduced new types, classes, paths, and profiles all at once.
Let’s break these down so you can better understand the possible paths forward with the future of FedRAMP.
The FedRAMP Consolidated Rules for 2026 are still in public preview. Details will likely adjust with the final publishing, but the framework is clear enough to start planning around now.
The new building blocks
Your FedRAMP certification is now defined by three dimensions:
- Type: The methodology (FedRAMP Rev5 or FedRAMP 20x)
- Class: The level of disclosure and reporting required (A, B, C, or D)
- Path: How you get certified (Program Certification or Agency Certification)
The combination of all three is called your certification profile. Not every combination is valid, so let’s break down the options.
Type: Rev5 or 20x?
FedRAMP Rev5 is the modernized version of the traditional process. It’s still fundamentally the regulatory-driven, documentation-heavy approach that has defined FedRAMP for years. In practice, this has meant building a government cloud, standing up public-sector compliance teams, and navigating extensive assessment requirements. The 2026 rules have updated Rev5 considerably, but it hasn’t become something radically different.
Rev5 is the right choice if you run your own data centers and physical infrastructure, if your sponsor or customer contracts still request Rev5, or if you need Class D certification (Rev5 is the only path to Class D). By the end of 2027, new Rev5 certifications will be limited to these use cases. If you’re cloud-native and not pursuing Class D, the program is actively nudging you toward 20x.
FedRAMP 20x is genuinely new. It’s a cloud-native process for commercial services built on FedRAMP-certified infrastructure. Instead of documenting compliance against a sprawling control list, 20x focuses on Key Security Indicators (KSIs), which are machine-readable data points demonstrating security capabilities in practice, validated through automation rather than static documentation snapshots.
The intent: a well-run cloud-native product should be able to certify its existing commercial service without building a parallel government cloud.
Class: A, B, C, or D
Certification Class is about how much information you share and how intensive your ongoing reporting obligations are, not how secure your service is. One of the biggest factors that differentiates each class is continuous monitoring. As class level increases, so does the scope of what you’re required to monitor and report on an ongoing basis. For many CSPs, standing up and maintaining a continuous monitoring program is one of the most significant operational investments in the certification process.
Class A: The Entry Point. This is for CSPs with mature security programs looking to break into the federal market for the first time. There are limited disclosure and reporting requirements. Think of it as a provisional credential. You’re expected to transition to Class B, C, or D once agencies start adopting your service.
Class B: Light Use. Designed for smaller-scale or niche services where an entire agency is unlikely to stake critical operations on your product. Reporting requirements are more than Class A, but less than C or D.
Class C: The Workhorse. This is where most CSPs land — common enterprise services used broadly across agencies. The rules call it the “most commonly used class,” which tracks with Moderate being the most common authorization under the old model. If you’re selling SaaS to the federal government at scale, this is probably your destination.
Class D: Mission Critical. Reserved for services where failure could cripple agency operations, cause major financial damage, or result in catastrophic harm to individuals. The investment required, according to the rules, is “immense”. Class D is exclusively Rev5 and requires an agency sponsor.
Path: Program or Agency Certification?
Program Certification is brand new in 2026. It lets CSPs submit directly to FedRAMP for initial certification without needing an agency sponsor. This is a meaningful change as the sponsor requirement has historically been one of the biggest barriers to market entry. Program Certification is available for 20x at Class A, B, or C; Rev5 at Class A; and Rev5 at Class B or C in “extremely limited cases”.
Agency Certification is the traditional path: an agency conducts the initial review, grants an agency-specific ATO, and submits to FedRAMP for official certification. It’s required for Rev5 Class B, C, and D. For Class D, it’s the only option — no sponsorless path exists.
Profiles at a glance

The three questions that actually matter
Strip away the framework language and most CSPs are making three decisions:
1. Am I 20x-eligible? If you’re running a cloud-native service on FedRAMP-certified infrastructure with automation capabilities to support KSI reporting, you’re almost certainly 20x. Running your own infrastructure or need Class D? You’re on Rev5.
2. What class fits my actual use case? Be honest about this one. Class D sounds more impressive than Class C, but it comes with obligations that aren’t right for most products. Start with Class A if you’re new and build from there.
3. Do I need an agency sponsor? Going 20x at Class A, B, or C — no. Going Rev5 at Class C or D — yes. That dependency is still very real for the traditional pathway.
As a top three FedRAMP assessor with a 100% PMO acceptance rate, we’re committed to supporting you at every stage, from selecting the right certification path to managing the full scope of certifications your organization may need over time. Contact us today to get started.


