
FedRAMP's Consolidated Rules for 2026 Are Live: The Dates Cloud Contractors Need to Calendar

FedRAMP's Consolidated Rules for 2026 launched June 25, 2026, replacing the Low/Moderate/High impact-level framing with a Class A/B/C/D structure and setting hard pipeline and Rev5 sunset dates. Here is what changed since our June preview and what to calendar now.

Brandon Hancock, J.D., CMMC-RP · Published July 3, 2026 · Updated July 3, 2026 · 5 min read

The rules FedRAMP promised by the end of June landed on schedule — and now the calendar has real dates on it.

On June 25, 2026, the General Services Administration's FedRAMP program officially launched the Consolidated Rules for 2026 (CR26), making FedRAMP 20x a widely available certification path rather than a pilot program. This follows up our June 9 preview of CR26 (see what was coming) now that the rules are final and FedRAMP has published the specific dates cloud service providers and their federal customers need to calendar. Three things changed since the preview: the rollout uses a Class A/B/C/D structure instead of the Low/Moderate/High impact-level framing expected earlier, FedRAMP set hard pipeline-opening dates, and Rev5 now has a formal sunset timeline for new applications.

The Class Structure Replacing Low/Moderate/High

CR26 organizes certifications by class rather than impact level alone:

  • Class A — the pilot track, opening first.
  • Class B — roughly equivalent to the former Low-impact tier.
  • Class C — roughly equivalent to the former Moderate-impact tier.
  • Class D — the former High-impact tier. FedRAMP has not yet defined a 20x path for Class D; a Class D pilot is anticipated in a later phase, and High-impact systems continue on the existing Rev5 framework in the meantime.

Dates That Matter Right Away

FedRAMP published two parallel timelines — one for providers moving into 20x, one for providers still on Rev5.

FedRAMP 20x dates:

  • July 6, 2026 — Marketplace listings open for cloud service providers entering the initial implementation stage.
  • August 3, 2026 — The FedRAMP 20x Class A pipeline opens.
  • August 31, 2026 — The FedRAMP 20x Class B and Class C pipelines open.

Rev5 dates:

  • July 6, 2026 — Marketplace listings open (same date as above).
  • July 28, 2026 — FedRAMP Ready goes Legacy; no new FedRAMP Ready submissions accepted after this date.
  • August 10, 2026 — Temporary Rev5 Program Certification pipelines open for eligible Class B and Class C providers through the Ready Conversion and Lost Sponsor paths.
  • January 1, 2027 — The Consolidated Rules for 2026 become mandatory for all stakeholders. Current Rev5 Certifications must adopt the new rules by this date.
  • June 11, 2027 — FedRAMP stops accepting applications for new Rev5 Certifications.

Rev5 is not disappearing overnight, but the runway for starting a new Rev5 authorization now has a firm end date, and every existing Rev5 authorization has a mandatory-adoption deadline seven months out.

What Else Changed

FedRAMP also announced changes to how it supports stakeholders during the transition. Help.FedRAMP.gov is being rebuilt into a fuller resource hub of guidance, tips, and FAQs. Intake is shifting from the open info@fedramp.gov inbox toward structured forms that route requests more consistently. Retired templates, playbooks, and superseded guidance are being preserved on a new Legacy Documentation Reference page rather than deleted outright, so historical materials do not create confusion about current requirements. FedRAMP also published the rules in machine-readable form — structured JSON and an enhanced markdown version intended for use with AI agents — a detail worth noting for any contractor building internal compliance tooling.

What to Do Now That the Dates Are Real

  • Confirm your class, not just your old impact level. If you were tracking Low, Moderate, or High, translate that to Class B, C, or D under CR26 — and if you are High-impact, note that Class D has no 20x path yet, so your near-term plan still runs through Rev5.
  • Calendar the pipeline date that applies to you, not just the general July 6 marketplace date. Class A providers should be ready for August 3; Class B and C providers for August 31.
  • If you are pursuing FedRAMP Ready, move before July 28. After that date, no new Ready submissions are accepted under the legacy path.
  • If you are already Rev5-authorized, do not wait until January 1, 2027. Begin adopting the new rules now — the mandatory-adoption deadline is a hard cutover, not a soft target.
  • Revisit the SCN change we flagged in the June 9 post. The shift from Significant Change Requests to Significant Change Notifications is part of the same ruleset and applies regardless of which class or path you are on.

Key Takeaways

  • FedRAMP's Consolidated Rules for 2026 launched June 25, 2026, replacing the prior patchwork of guidance and making FedRAMP 20x widely available.
  • The rollout uses a Class A/B/C/D structure; Class D (formerly High) has no 20x path defined yet and remains on Rev5.
  • 20x pipelines open in stages: Class A on August 3, 2026; Class B and C on August 31, 2026.
  • Rev5 has a formal end date for new applications (June 11, 2027) and a mandatory-adoption deadline for existing authorizations (January 1, 2027).

Not sure how cloud authorization obligations intersect with your contract requirements? Start with our Find My Requirements tool, or review the federal frameworks overview.

Sources

  • FedRAMP, "Propelling Change: FedRAMP Launches Consolidated Rules for 2026," June 25, 2026. https://www.fedramp.gov/2026-06-25-propelling-change-fedramp-launches-consolidated-rules-for-2026/
  • FedRAMP, Consolidated Rules for 2026 (reference site). https://www.fedramp.gov/2026/
  • FedRAMP, Consolidated Rules for 2026 Timeline. https://www.fedramp.gov/2026/timeline/

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.
