Mario Lunato. The GovCon Expert explains how FedRAMP CR26 advances machine-readable compliance and certification changes.

FedRAMP Just Dropped CR26 in Public Preview & the Whole Game Is Changing

by Mario Lunato, field CISO at Knox Systems

On May 4, 2026, FedRAMP launched the public preview of the Consolidated Rules for 2026, or CR26. The final release is targeted for the end of June, with an effective window of July 1, 2026, through December 31, 2028. If you’ve been tracking the Requests for Comments, or RFCs, and FedRAMP Notices, or NTCs, that have stacked up over the last six months, CR26 is where they consolidate into a single rulebook for CSPs, agencies and assessors.

Here Are the High Points:

Plain Language Is Now a Design Requirement

CR26 replaces narrative guidance with declarative MUST/MUST NOT statements. FedRAMP’s own example: instead of paragraphs hedging around exterior maintenance, the rule reads “You MUST paint the exterior of your house.” That’s not a stylistic preference. Once rules are declarative, they’re trivially auditable and increasingly machine-checkable. The gap between what FedRAMP wants and what providers think FedRAMP wants gets closed at the rule level.

Machine-Readable Is the Default, Not the Option

The rules themselves are being published as structured data on GitHub, alongside an enhanced markdown version. The FedRAMP requirements catalog is effectively becoming an API. If your Governance, Risk and Compliance, or GRC, platform or compliance pipeline can consume structured requirements, you can pull updates directly. This pairs with the direction set in NTC-0009 for machine-readable authorization packages.

A Stable Thirty-Month Content Window

CR26 is intended to hold from July 1, 2026, through December 31, 2028. FedRAMP will still publish notices, but the structural pieces (certification classes, assessment model, marketplace mechanics) are meant to stay put. For anyone trying to plan a multi-year FedRAMP roadmap, it’s the first realistic chance in a while to do so against a stable target.

Marketplace Moves From Impact Levels to Classes

Per NTC-0004, the legacy Low/Moderate/High labels are being replaced with FedRAMP Certification Classes A, B, C and D.

  • FedRAMP Ready → Class A (Pilot) 
  • Low / Li-SaaS → Class B (Low) 
  • Moderate → Class C (Moderate) 
  • High → Class D (High) 

The classes aren’t cosmetic. Machine-readable expectations, assessment scope and continuous monitoring obligations are now tiered by class rather than applied uniformly. CR26 also confirms two housekeeping items: pricing is being removed from the marketplace and independent assessors must complete at least two assessments every two years to keep their status.

FedRAMP didn’t just publish a draft. The entire CR26 development process is running in public on GitHub. Each page is tagged Stable, Placeholder, or Empty so you know what’s load-bearing. Comments happen through GitHub Discussions attached to each page.

FedRAMP Director Pete Waterman was direct about the preferred channel: “Stakeholders that avoid the FedRAMP community on GitHub and email us directly create a significant burden for me.” Email isn’t banned, but the public channel is where the program wants the work to happen. That’s a real posture shift for a federal program where feedback historically flowed through closed channels.

One important caveat: don’t directly implement preview rules until the final version publishes. Read it. Comment on it. Don’t rewrite your SSP from it yet.

What CSPs Should Do This Month

Identify your class and your path. Rev 5 Moderate maps toward Class C. If you’re considering 20x for a new offering, the rules for that lane are now legible for the first time. Pick deliberately. The two paths are not reciprocal.

Map your current documentation to the new structure. Legacy SSP narrative is going to read as either redundant (rule is now declarative) or insufficient (rule expects machine-readable evidence). Get a sense of where you sit.

File substantive comments through GitHub. The preview window is when feedback actually shapes the final. After the end of June, you’re stuck with the language for thirty months.

Watch the Stable Content tags. Stable rules are what FedRAMP is signaling won’t shift, and they’re the safest parts to plan against.

The Bigger Picture

CR26 is not a new direction. It’s the same direction (machine-readable, plain-language, automation-forward) finally consolidated into one rulebook with a stable shelf life. The fact that FedRAMP is doing it in public, with a director who is openly explaining the trade-offs, is a meaningful change in how the program operates. The preview window is the part you can shape. Use it.
