FedRAMP’s 2026 Rules Upend FedRAMP Moderate Equivalency

Understood Backwards, Lived Forwards

Søren Kierkegaard once observed that life can only be understood backwards, but it must be lived forwards. He was writing about existential dread, not federal compliance frameworks, but I would argue he nailed the FedRAMP Moderate Equivalency (FRME) and the recently released FedRAMP CR 26 situation pretty well.

So let me just say the announcement plainly: FedRAMP has published its Consolidated Rules for 2026, and the new rules restructure (or at least rename) most terms, documents, and processes that the DoD CIO’s 2024 FRME memo was built on. Cloud Service Providers (CSPs) used within the Defense Industrial Base built their compliance posture forward, assuming the documentation requirements they were handed would hold still long enough to be useful. Now they get to understand, in hindsight, exactly how temporary all of it seems to be. We at IntelliGRC have a stake in this game and are feeling this pretty heavily right now, and we’re sure many others are too.

In this blog, I want to walk through three things: what is actually changing under the Consolidated Rules, what it means for CSPs (including us here at IntelliGRC, since we voluntarily pursued FedRAMP Moderate Equivalency even though, as a Security Protection Asset, we didn’t really need to), and the growing pile of questions that the DoD CIO and the CMMC Program Management Office (PMO) need to answer before any of us can say with a straight face what “FedRAMP Moderate Equivalent” even means going forward.

NOTE: The Consolidated Rules for 2026 are deep and wide (gotta’ love a good Sunday School reference) so there will more than likely be quite a few things that don’t get emphasized. As always, I recommend everyone go read the rules for themselves found here: 2026 – FedRAMP Consolidated Rules for 2026. My main goal here is to assist the DIB in thinking through the changes specifically in relation to the DFARS 7012 and CMMC obligations on their plates. It is also fully acknowledged that the nature of the timing of this article may seem premature. However, I am hopeful that the context and questions asked in this article will assist in what comes next, even if for DIB contractors, their MSPs, and the CSPs providing relevant services.

This one has layers, so you might want to grab a pitcher of coffee or somethin’.

A Quick Refresher

If you have been in this industry for more than five minutes, you know FedRAMP Moderate Equivalency by reputation if nothing else. DFARS 252.204-7012 has required, since 2016, that if a defense contractor uses an external cloud service provider to store, process, or transmit covered defense information, that CSP must meet security requirements “equivalent to” the FedRAMP Moderate baseline, on top of the incident reporting, data retention, and access provisions in paragraphs (c) through (g) of the same clause.

For about eight years, “equivalent” was one of those words everyone used and almost nobody could define the same way twice. The DoD CIO finally tried to nail it down in a memo (finalized in December 2023 and released on January 2, 2024) which laid out a Body of Evidence a CSP had to produce to be considered FedRAMP Moderate equivalent: 100 percent compliance with the latest FedRAMP Moderate security control baseline, validated by a FedRAMP-recognized 3PAO, supported by a System Security Plan, Security Assessment Plan, Security Assessment Report, Customer Responsibility Matrix, a fully closed-out Plan of Action and Milestones, penetration testing documentation, and a Continuous Monitoring Monthly Executive Summary, refreshed annually.

That memo gave the industry something concrete to build toward for the first time. It is also the exact memo that the Consolidated Rules for 2026 just quietly pulled several load-bearing walls out from underneath.

Some of What Actually Changed in 2026 (and Why the DIB Should Pay Attention)

FedRAMP did not just tweak a few definitions here or update their workflow a bit. Rather, in many ways, it reformed the terminology, the documentation requirements, the certification structure, and the nature and approach to CSP compliance altogether, with phasing starting July 4, 2026, and reaching mandatory adoption on January 1, 2027. Guys, that’s under six months away!

Here is the short version of what changed, and why it matters for anyone holding or chasing FRME status.

“Authorization” is gone. It is “Certification” now. FedRAMP made the call that “FedRAMP authorization” was getting confused with an agency’s own Authorization to Operate under OMB Circular A-130, so the new term across the board is “FedRAMP Certification.” Small change on paper, but it means every reference to an “ATO” or “P-ATO” in older guidance, including the DoD CIO’s memo, is now talking about a status that does not officially exist anymore under FedRAMP’s own vocabulary. Terminology can be a big hold-up for certain processes, though this is probably one of the least impactful changes on this list if I had to guess.

Low, Moderate, and High are being replaced by Certification Classes A through D. This is the big one for FRME specifically. The entire concept of “FedRAMP Moderate” as a target baseline is being phased out in favor of four Certification Classes that, by FedRAMP’s own rules, do not directly correlate to the old Impact Levels. Per the Choosing a Certification Class rule, Class A includes adequate information for most non-sensitive use cases and some Low, Moderate, or High objectives; Class B for most Low and some Moderate or High; Class C for most Low and Moderate plus some High; and Class D for most use cases except classified systems. Notice what is missing: a clean, singular definition of “Moderate” for a contractor or Independent Assessor to point to. FedRAMP now states that a Certification Class only “loosely aligns” with the 800-53B baseline expectations for a given impact level, in part because providers may tailor controls within the baseline so no two are implemented the same. The “Moderate” label survives only as a loosely aligned class with meaningful portions now tailorable or CSP-defined, not the fixed, FedRAMP-prescribed construct DFARS and the memo were written to point at. The former FedRAMP Security Control Baseline spreadsheets, and any other FedRAMP document templates for that matter under the previous program, are available on the FedRAMP.gov website but with explicit warnings that they are only there for reference and are not applicable to the new program any longer.

The System Security Plan is changing hands. The rationale is that FedRAMP Certification is supposed to reflect the actual outcomes of a CSP’s security decisions, while the agency specifies the plan for its intent to implement the service offering in their system. In short, the SSP is not something that is developed by the Cloud Service Provider; rather, it is a document that an agency develops and maintains using the information provided by the CSP in their FedRAMP Certification Package, in accordance with the agency’s own policy and the NIST Risk Management Framework. That is actually an incredibly defensible and practical philosophical shift. However, it is also a direct problem if your DoD CIO-mandated Body of Evidence specifically names the System Security Plan for the service offering as a required artifact, because that artifact is now something the CSP will no longer develop and provide on its own without using the legacy templates no longer supported by FedRAMP.

Plans of Action and Milestones are gone. Completely. Not “tightened.” Gone. FedRAMP has eliminated POA&Ms entirely and replaced them with Accepted Vulnerabilities and Weaknesses that Agencies can then evaluate as they determine the suitability for a certain CSP for use in their system, on the theory that POA&Ms were mostly being used to formally bless long-term acceptance of risk anyway. The DoD CIO’s memo, recall, requires a “fully closed-out” POA&M as part of the Body of Evidence. If there is no POA&M to close out anymore under the new program, what exactly is a CSP supposed to hand a contractor or DIBCAC to satisfy that line item?

3PAOs are now “Independent Assessors,” and they need “FedRAMP Recognition,” not 3PAO accreditation, to count. The work is largely the same: verify, validate, attest, document gaps. The label and the recognition pathway are not the same, though, and the DoD memo’s Body of Evidence is written entirely around “FedRAMP-recognized 3PAO” language. Probably not a huge deal on its own, but it is another point of discontinuity from the context the DoD’s memo was written within.

The Security Assessment Plan and Security Assessment Report are gone too, at least on the sponsor-less path. Under the Consolidated Rules, the Independent Assessor’s role shifts significantly. For Rev5 Program Certification (the sponsor-less path), FedRAMP states explicitly: “The legacy Security Assessment Plan, Security Assessment Report, etc. is not necessary.” On the legacy agency-sponsored path, an agency may still require a SAP and SAR, but that path is itself being retired for new applications after June 11, 2027. Why does this matter? The FRME memo from the DoD CIO explicitly requires both a SAP and a SAR as named Body of Evidence artifacts. Those documents no longer exist in any form FedRAMP will produce or accept from an assessor. Rather than a standalone SAR, assessor findings now go directly into the CSP’s Security Decision Record. Assessors also no longer make an overall recommendation for or against Certification; that determination belongs to FedRAMP itself under the new Program Certification path. Now, it is possible that the DoD CIO could come back and say that CSPs pursuing FRME will need to be assessed using the legacy Agency Sponsorship path, which technically still exists for Rev5. That is definitely a concern to keep an eye on as DoD works through a response. But the fact right now is that several of the named Body of Evidence artifacts in the 2024 memo are already retired, eliminated, or reassigned: the SSP is no longer a CSP-produced document, the SAP and SAR are gone, and the POA&M is eliminated.

“Continuous Monitoring” is now “Ongoing Certification,” and the Monthly Executive Summary is gone with it. FedRAMP retired the term “continuous monitoring” entirely to avoid the widespread confusion that had collapsed it into meaning little more than monthly vulnerability scans and follow-up meetings. What replaces it is the Ongoing Certification framework, structured around quarterly reviews and an Ongoing Certification Report (OCR). The specific artifact named in the DoD CIO’s memo, the Continuous Monitoring Monthly Executive Summary, has no direct named successor in the new framework. That is the fifth artifact on the FRME memo list that no longer exists in the form the memo describes.

Certification packages are moving away from Word and Excel templates toward JSON, and in some cases OSCAL. FedRAMP explicitly says it expects providers to build or acquire modern GRC tooling rather than maintaining, in their words, “artisanal hand-crafted documents.” FedRAMP is moving away from providing document templates, pointing providers instead to machine-readable JSON schemas and human-readable summaries to structure their materials. If you have ever tried to hand a contracting officer a JSON file in lieu of a PDF Security Assessment Report, you already know where this is headed.

FIPS-140 encryption expectations narrowed. FedRAMP no longer assumes all federal data and metadata is automatically sensitive, so FIPS-140 validated encryption is now expected to protect sensitive data specifically, with providers documenting their approach rather than blanket-applying it everywhere. That is a meaningful shift from the assumption baked into most current FRME documentation packages. This is also relevant to the next point regarding FedRAMP organization-defined parameters and their assigned values. See below.

FedRAMP removed most prescriptive SP 800-53 organizational parameters, and established a “no ghost rules” policy. The Consolidated Rules strip out most of the FedRAMP-defined organizational requirements within the SP 800-53 control baselines and tell CSPs to define these on their own. FedRAMP also explicitly states that if a requirement is not written on fedramp.gov, it does not exist, and assessors are prohibited from enforcing it. Both of these changes matter for FRME because the DoD CIO’s memo anchors equivalency to “100 percent compliance with the latest FedRAMP Moderate security control baseline.” If that baseline is now partially CSP-defined rather than FedRAMP-prescribed, and if assessors can only enforce what FedRAMP has written down, there’s gotta’ be a disconnect between the DoD’s risk tolerance and what FedRAMP is enforcing through its assessors. Is the DoD going to accept the risk that FedRAMP’s requirements are sufficient to address the concerns around DoD-relevant Controlled Unclassified Information (CUI) being processed by these providers? This could significantly affect the DoD’s response to these changes, particularly because the ODP values for controls like SC-12 and SC-13, which under legacy Rev5 pointed to FIPS-validated or NSA-approved cryptography, are no longer prescribed as inline control parameters. SC-13 now carries only organization-defined assignments, with FedRAMP’s guidance reduced to “Follow the FedRAMP Cryptographic Module Use rules.” The expectation has been relocated to that separate ruleset rather than eliminated.

FedRAMP 20x is an entirely different assessment philosophy. FedRAMP 20x, which will eventually replace Rev5 entirely, does not assess control compliance at all. It assesses security outcomes through Key Security Indicators (KSIs) across ten domains, including Change Management, Identity and Access Management, Incident Response, Monitoring and Logging, Supply Chain Risk, and others. The expectation is that engineering and product teams lead the effort, demonstrate measurable automated evidence of security outcomes, and compete on quality rather than documentation completeness. This is a fundamentally different evidentiary model than anything the DoD CIO’s memo contemplates. The open question of whether a 20x Certification can ever serve as the basis for an FRME claim, or whether FRME stays anchored to Rev5’s control-compliance model forever, is one nobody has answered yet. I assume it will.

FedRAMP Rev5 is on a clock, and the deadlines are firm. Optional early adoption of the Consolidated Rules opens July 4, 2026, mandatory adoption for all stakeholders lands January 1, 2027, and FedRAMP stops accepting applications for new Rev5 Certifications after June 11, 2027. Existing Rev5 Certifications remain active until at least December 31, 2028, unless FedRAMP is otherwise directed. FedRAMP has built grace periods into much of this, but the direction is unmistakable. Every CSP currently building or maintaining an FRME package on a Rev5-style structure is building on a foundation FedRAMP itself has scheduled for demolition.

And then there is the line that, frankly, should be framed and mailed to every CSP marketing department claiming “FedRAMP equivalency” on their website: FedRAMP states outright that it “does not support or provide ‘equivalency.’” FedRAMP’s position is that equivalency is a DoD-defined concept tied to CMMC and DFARS, not a FedRAMP one, and any questions about it should be directed to the DoD, not FedRAMP. That is not a new position exactly, but seeing it stated this plainly, right as the underlying documentation that “equivalency” was built on top of gets restructured, is a lot to sit with.

How This Lands on CSPs

Let’s talk about what this actually means if you are a CSP, especially one who, like us at IntelliGRC, chose to pursue FedRAMP Moderate Equivalency voluntarily, not because a specific contract demanded it or because we had Federal agencies planning to use our tool at this time as part of a federal system, but because we wanted to be able to stand behind our own platform with something more substantial than a marketing claim.

First, the good news. None of this invalidates the security work itself. If your controls are genuinely implemented, your assessment evidence is genuinely defensible, and your Independent Assessor (formerly 3PAO, see above) genuinely validated your environment, the underlying security posture already has a lot of merit and that shouldn’t be discredited in your mind. Renaming a control does not unimplement it. The security work you have already done matters, regardless of the changes.

The bad news is that the paperwork trail proving that to a customer and, in turn, to their CMMC Assessment team is now in flux at exactly the moment the industry needed it stable. Of the Body of Evidence artifacts in the DoD CIO’s 2024 memo, at least five no longer exist in the form the memo describes: the SSP is no longer a CSP-authored document, the SAP and SAR are explicitly eliminated, the POA&M is gone, and the Continuous Monitoring Monthly Executive Summary has no direct named successor. CSPs pursuing or maintaining FRME now have to ask themselves a genuinely uncomfortable question: do we build our next assessment cycle’s documentation around the DoD CIO’s 2024 memo as literally written, knowing most of the named artifacts have been phased out of FedRAMP’s own vocabulary? Or do we build toward FedRAMP’s new structure and hope DoD aligns?

For us specifically, this lands a little differently than it might for a CSP under contractual obligation. We were not required to do any of this. We did it because we believe a CSP serving the DIB, even one offering a GRC platform like ours, should be able to show its work rather than just claim it. Watching the goalposts move the same year we are deep in maintaining that posture has definitely raised a lot of questions for the future. At the end of the day, the providers who built real security programs are the ones who will adapt fastest here. It just means that providers are going to have to learn and apply the new rules which, in many ways, are actually way more streamlined, simplified, and cleared up if all you were thinking about was Federal work. For FRME-focused CSPs that are used within the DIB, we have bigger clarifications needed.

Facing this exact decision for your next assessment cycle? [book a 30-minute review]

Meeting Link

The Questions DoD CIO and the CMMC PMO Still Owe Us

Here is where we’re in the dark since presumably nobody outside the Pentagon can answer these yet. FedRAMP just restructured the program FRME is built on top of, and somebody now has to reconcile a DFARS clause and a 2024 memo with a vocabulary and documentary framework that no longer exists in the form it was written in so, it’s going to take some time to get these answers.

However, here is what I think needs an answer, sooner rather than later:

  1. What replaces the Body of Evidence artifacts, one for one? The memo requires an SSP, SAP, SAR, CRM, closed-out POA&M, penetration testing documentation, and a Continuous Monitoring Monthly Executive Summary. At least five of those are retired, eliminated, or reassigned. Will DoD issue an updated memo that maps each old artifact to its new counterpart or another set of expectations explicitly? Will the Certification Package Overview plus Security Decision Record satisfy the SSP requirement? Will the OCR replace the Monthly Executive Summary? Or will CSPs and contractors be left to interpret that mapping themselves during a CMMC assessment?
  2. Which Certification Class is “Moderate” now? The DFARS clause and the 2024 memo are anchored to “the FedRAMP Moderate baseline.” FedRAMP’s Certification Classes explicitly do not map one-to-one to Low, Moderate, and High. So is FRME now keyed to Class C, which covers most Low and Moderate objectives? Class B? Some combination depending on the data type? What is the plan here to ensure the DoD’s risk tolerance is covered while also fitting in with these changes?
  3. How will Independent Assessors assess when the SAP and SAR no longer exist? The memo requires a SAP and SAR as named artifacts. FedRAMP now explicitly states those documents are not necessary under the new framework, with assessor findings going into the CSP’s Security Decision Record instead. When a DIBCAC reviewer or C3PAO asks a CSP for its Security Assessment Report and the CSP says that document is no longer used under FedRAMP’s current rules, what happens? Is the legacy Agency Sponsorship path (which technically still exists for Rev5) the only viable FRME path going forward? If so, does that mean FRME CSPs are permanently locked into Rev5, a framework FedRAMP is actively sunsetting?
  4. Does the “no ghost rules” policy create a conflict with the memo’s requirements? FedRAMP has stated that if a requirement is not written on fedramp.gov, assessors cannot enforce it. Will the FRME requirements for 100% conformity with the “Moderate Baseline” need to change since Independent Assessors will presumably not be assessing in line with those exact requirements any longer? Will the DoD place the burden of assessing specific expectations on C3PAO as part of CMMC assessments?
  5. What happens to the prescriptive SP 800-53 organizational parameters DoD relied on? The memo requires 100 percent compliance with the latest FedRAMP Moderate security control baseline. FedRAMP has now removed most of its prescriptive organizational requirements from that baseline and told CSPs to define their own parameters. If the baseline is now partially CSP-defined rather than FedRAMP-prescribed, what is a contractor’s contracting officer or auditor actually verifying when they review a CSP’s FRME claim?
  6. Can a 20x Certification ever support an FRME claim? FedRAMP 20x does not assess control compliance; it assesses security outcomes through Key Security Indicators. The DoD CIO memo is built on the assumption that equivalency means demonstrated compliance with a specific control baseline. Are these two frameworks compatible? Or does DoD intend FRME to remain permanently anchored to the Rev5 control-compliance model even as FedRAMP phases Rev5 out by 2028?
  7. What is the DoD-specific transition timeline? FedRAMP’s schedule runs from optional early adoption on July 4, 2026 to mandatory adoption on January 1, 2027, with no new Rev5 Certifications accepted after June 11, 2027 and existing Rev5 Certifications hold their active status only until at least December 31, 2028, unless FedRAMP directs otherwise. Will DoD publish a parallel schedule telling CSPs and contractors which version of the Body of Evidence is acceptable at which point in the transition, or will contractors be left to reconcile two agencies’ timelines on their own, the way we so often are?
  8. Will there be updates to the Federal Register? It’s one thing to update a memo to clarify certain points, but it’s another thing to address the specifics within the DFARS clause 252.204-7012(b)(2)(ii)(D) where it explicitly states the following: “…the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline…” I think we really just need to know if this will live on in infamy with memos or class deviations here and there or will there be further rulemaking to clarify these points at the source. I’d prefer the latter but know there are practical timeline concerns that make that incredibly difficult so I’ll settle for anything.

We do not have confident answers to any of these yet, and frankly I am skeptical anyone fully does at this moment. What I do know is that DoD CIO and the CMMC PMO have roughly six months before the Consolidated Rules become mandatory on January 1, 2027, and existing Rev5 Certifications remain active only until at least December 31, 2028, unless FedRAMP directs otherwise. The DIB needs clarity well before those dates, not after them.

What to Do Right Now

For the DIB, I think the advice we can give right now is limited. We’d encourage familiarizing yourself with a fuller understanding of the new rules and considering if your current technology stack and use of Cloud Services seems to bode well for the different possible outcomes. Ask yourself: “Could I see this or that CSP being diligent and urgent to meet whatever requirements and clarifications the DoD send out?” That should probably have already been a conversation and part of your consideration but better late than never. You’ll also need to keep a lookout for updates. This is a time of change so it’s super important to keep your head on a swivel for relevant changes that’ll impact your organization and your use of CSP offerings.

For other CSPs thinking through this, we get the struggle. It’s a good struggle because I think these changes are fundamentally good for the modernization and reformation of the security landscape related to Cloud computing and service offerings. Nonetheless, it’s a struggle. There are definitely some big decisions to make. Questions like the following are probably already swirling around in your mind:

  • “What path makes the most sense for our scenario?”
  • “Should we be jumping straight to Class C vs starting in Class A and working our way through the class types over time?”
  • “Should I stick with a Rev5 approach over prioritizing efforts to move to 20x alignment, knowing that the DoD hasn’t clarified what they will require yet?”
  • “Should we maintain our DoD CIO memo-aligned FRME Body of Evidence using legacy templates and documents until we hear differently? What about assessors? Will they assess us using the old methodology and legacy documents?”

We recommend that over the next few days, weeks, and months, you talk to your Independent Assessor about how they plan to handle the shift in assessment methodology. Ask them directly how they intend to produce or document findings when FedRAMP no longer accepts standalone SAPs and SARs, and whether they intend to use the legacy Agency Sponsorship path or the new Program Certification path for their Rev5 work. If they cannot answer those questions clearly, that is information you need before your next assessment cycle starts.

We will keep tracking this closely as DoD CIO and other authorities in the CMMC ecosystem begin filling in the gaps. If you want help thinking through how your specific environment and documentation posture lines up with FRME during this transition, reach out through our website at intelligrc.com/contact-us or at sales@intelligrc.com. We are happy to help you figure out what actually needs your attention first.

Happy Implementing!

Steven Molter

Lead GRC Consultant and GRC Evangelist, IntelliGRC

References

  • FedRAMP, FedRAMP Consolidated Rules for 2026, https://www.fedramp.gov/2026/
  • FedRAMP, FedRAMP Definitions, https://www.fedramp.gov/2026/definitions/
  • FedRAMP, Important Dates for the Consolidated Rules for 2026, https://www.fedramp.gov/2026/timeline/
  • FedRAMP, Cloud Service Providers, https://www.fedramp.gov/2026/providers/
  • FedRAMP, What’s Changing in 2026 (Providers), https://www.fedramp.gov/2026/providers/updating/changes/
  • FedRAMP, Important Deadlines, https://www.fedramp.gov/2026/providers/updating/deadlines/
  • FedRAMP, Choosing a Certification Class, https://www.fedramp.gov/2026/providers/start/class/
  • FedRAMP, FedRAMP 20x Certification Rules, https://www.fedramp.gov/2026/providers/20x/
  • FedRAMP, The 20x FedRAMP Boundary, https://www.fedramp.gov/2026/providers/20x/boundary/
  • FedRAMP, Assurance Rulesets, https://www.fedramp.gov/2026/providers/20x/assurance/
  • FedRAMP, Package Materials, https://www.fedramp.gov/2026/providers/20x/package/
  • FedRAMP, Key Security Indicators, https://www.fedramp.gov/2026/providers/20x/key-security-indicators/
  • FedRAMP, Independent Assessment Services, https://www.fedramp.gov/2026/assessors/
  • FedRAMP, What’s Changing in 2026 (Assessors), https://www.fedramp.gov/2026/assessors/updating/changes/
  • Department of Defense, Office of the DoD Chief Information Officer, FedRAMP Moderate Equivalency for Cloud Service Providers Memorandum (January 2, 2024), https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf
  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
  • 32 CFR Part 170, CMMC Program Final Rule, § 170.19(c)(2)(ii)