FedRAMP, through director Pete Waterman, has proposed modifications to the FedRAMP Rev5 process in the newly published Request For Comment (RFC)-0024.
This RFC, if implemented, enacts major changes to the current FedRAMP process and would require all current and future Cloud Service Offerings (CSOs) to provide their authorization packages in a “machine-readable format.” With potentially wide-reaching implications, it’s important to understand the context around these proposed changes and how they will shape the future compliance ecosystem.
Not Just a Pilot Program
Since its announcement in March 2025, the FedRAMP 20x Pilot Program has been laying the groundwork for the future of the FedRAMP Marketplace. 20x is designed to enable true continuous monitoring and bring full-scale automation to the federal CSO acquisition process. The program includes some radical departures from the traditional FedRAMP process, including extensive requirements for machine-readable data from applicants.
As a voluntary pilot program, 12 FedRAMP 20x Low authorizations were granted out of 26 submissions in its first phase through Q4 2025. The program has now entered its second phase: testing the 20x pathway for Moderate level authorizations. FedRAMP has indicated that the 20x program will continue steady advancement until it supersedes and replaces the current authorization pipeline in Q3 2027.
But the most recent RFC is not for FedRAMP 20x. RFC-0024 brings a selection of the requirements from the 20x Pilot Program into the current FedRAMP Rev5 process, is not voluntary, and applies to both current and future FedRAMP authorizations – even those that did not opt-in to the 20x program. This shift is a strong signal from the FedRAMP PMO that they intend to not only follow through with the 20x timeline but also require existing CSOs to begin the shift to machine-readable packages earlier than expected.
Speaking to this, the RFC provides the following motivation: “These changes will allow the Rev5 process to continue to exist and compete against the new 20x process until the ecosystem is ready to fully transition to 20x.”
This RFC may come as a surprise to some CSPs who were under the impression that they would have more time to adjust to new requirements before facing consequences. The proposed requirements will likely serve as a kind of mandatory migration path that iteratively shifts existing authorizations towards the pure automation approach of FedRAMP 20x.
The Proposed Timeline
The RFC provides the following summary of deadlines:
- April 15, 2026: Deadline for FedRAMP to publish materials to support industry adoption of machine-readable authorization packages.
- September 30, 2026: Requirements for adopting machine-readable authorization packages take effect; failure to meet these requirements on the applicable timelines will result in public notification.
- September 30, 2027: Grace period for adopting machine-readable authorization packages expires and any non-compliant service loses FedRAMP Certification.
These dates are subject to change as feedback is collected, but they give a rough indication of the FedRAMP PMO’s intended timeline. For any providers that already have an authorization, the requirements apply to their next annual package submission.
The Requirements
The RFC includes 12 discrete proposed requirements, with some highlights extracted below:
- FedRAMP will publish a list of accepted package formats – all submitted packages MUST use one of these formats. The formats will be purely machine-readable – which means formats like Word documents, Excel spreadsheets, or PDFs will no longer be allowed.
- Offerings with more advanced automation-friendly authorization packages will get prioritized placement in Marketplace listings and search results.
- The requirements discourage the use of generative AI – and instead push CSPs towards deterministic telemetry data.
In general, the use of an approved machine-readable format is a hard requirement, while the other items represent guidelines, with compliance encouraged through market incentives such as being highlighted in the Marketplace and receiving higher placement on service lists.
The Impact on Vendors
For Cloud Service Providers (CSPs), and for vendors that sell through the FedRAMP Marketplace, the implication is clear: action must be taken immediately to prepare to meet the upcoming hard requirements for machine-readable packages. Individual companies will need to reassess and likely overhaul their authorization data collection and packaging processes if they wish to remain FedRAMP compliant.
Meanwhile, the industry at large is researching and coalescing support around machine-readable formats in preparation. The RFC explicitly names the Open Security Control Assessment Language (OSCAL), a National Institute of Standards and Technology (NIST) project, as the first approved format. NIST, in coordination with industry through the OSCAL Foundation, is working with stakeholders to further develop and improve the format in the lead-up to the proposed deadlines.