FedRAMP Just Dropped CR26 in Public Preview, and the Whole Game Is Changing
On Monday, May 4, 2026, FedRAMP launched the public preview of the Consolidated Rules for 2026, better known as CR26. If you’ve been tracking the steady drumbeat of RFCs and NTCs over the last six months (RFC-0019 through 0024, NTC-0004 through NTC-0009), this is where it all converges. CR26 is the document that pulls those threads into a single, consolidated ruleset for every cloud service provider, agency, and assessor in the FedRAMP ecosystem.
The full release is still scheduled for end of June 2026, with an effective window of July 1, 2026 through December 31, 2028. But the preview that dropped Monday is already a genuinely useful artifact, and the way FedRAMP is publishing it is almost as significant as what’s in it.
Let’s get into both.
What Actually Dropped
CR26 is FedRAMP’s attempt to consolidate its operating rules into a single, coherent document instead of the patchwork of memos, templates, guides, and notices that has accumulated over the last decade. The preview site is live at fedramp.gov/preview/2026 and is structured around five stakeholder groups: FedRAMP itself, agencies, cloud service providers, independent assessors, and advisors.
A few things stood out to me on first read.
Plain Language Is Now a Design Requirement
This sounds boring. It is not boring. FedRAMP is explicitly replacing narrative guidance with direct, declarative rules. Their own example from Monday’s announcement: instead of a paragraph describing the desirability of exterior maintenance, the rule reads “You MUST paint the exterior of your house.”
If you’ve read a FedRAMP SSP template, an annual assessment guide, or any of the older ConMon documentation, you know why this matters. The legacy materials are written in a hedged, narrative style that often leaves the actual requirement open to interpretation. Plain language closes the gap between what FedRAMP wants and what providers think FedRAMP wants. It also closes the gap between what assessors test and what providers expect to be tested.
This is a small rhetorical change with large operational impacts. Once requirements are written as MUST/MUST NOT statements, they’re trivially auditable, and increasingly machine-checkable.
Machine-Readable Structured Requirements
This is the piece that ties CR26 directly back to NTC-0009 (which I wrote about in March). CR26 doesn’t just allow machine-readable submissions; it’s structured from the ground up to make machine-readable the default mode of interaction. The rules themselves are being published in a machine-readable format on GitHub, alongside an enhanced markdown version, so providers can integrate FedRAMP requirements directly into their compliance tooling rather than copy-pasting them out of PDFs.
For CSPs, this means the FedRAMP requirements catalog is becoming an API rather than a library shelf. If you’ve built a GRC platform or compliance pipeline, you can pull updated requirements directly. If you haven’t, your vendors can.
A Stable Two-and-a-Half-Year Content Window
CR26 is intended to be the operating ruleset from July 1, 2026 through December 31, 2028. That’s a deliberate concession to one of the loudest pieces of feedback FedRAMP has received over the last year: the rules keep changing, and providers can’t plan against a moving target.
Stable content doesn’t mean frozen content. FedRAMP will continue to publish notices and minor adjustments. But the structural rules (the certification classes, the assessment model, the marketplace mechanics) are intended to hold for thirty months. For anyone trying to plan a multi-year FedRAMP roadmap, this is the first time in a while that’s been a remotely realistic exercise.
Marketplace Moves From Impact Levels to Classes
Per NTC-0004, the marketplace is transitioning away from the legacy Low/Moderate/High impact level labels and toward FedRAMP Certification Classes A, B, C, and D. CR26 codifies the transition.
Here’s the rough mapping:
| Legacy Label | New Class |
|---|---|
| FedRAMP Ready | Class A (Pilot) |
| Low / Li-SaaS | Class B (Low) |
| Moderate | Class C (Moderate) |
| High | Class D (High) |
The mapping looks cosmetic, but the class system is doing real work in CR26. Machine-readable requirements, assessment scope expectations, and continuous monitoring obligations are now tiered by class rather than uniformly applied. If you’re a Class C provider, you have a different set of obligations than a Class D provider, even though under the legacy model both were sitting under the same Rev5 rulebook.
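As an added illustration (not code from FedRAMP or from this post) of why declarative MUST/MUST NOT rules that are tiered by class lend themselves to machine checking, the Python below evaluates a small constructed rule set against evidence a provider might collect. The JSON field names (`id`, `applies_to`, `modality`, `check`, `text`), the rule texts, and the evidence values are all assumptions made for this example; they are not the schema or the rules FedRAMP publishes on GitHub. The point it shows beyond the prose: once a rule carries its own class scope and a testable condition, the same evidence produces different findings for a Class C and a Class D provider, and missing evidence is surfaced as its own status rather than silently passing.

```python
"""Evaluate declarative MUST / MUST NOT rules, scoped by certification class,
against collected evidence. Illustrative code only; the rule schema below is
an assumption for this example, not the CR26 machine-readable format."""
import json
from dataclasses import dataclass

# Constructed sample rule set (assumed schema). "applies_to" lists the classes
# a rule binds; "check" is the condition the rule tests. For MUST NOT rules the
# check describes the prohibited condition.
SAMPLE_RULES_JSON = """
[
  {"id": "R-001", "applies_to": ["B", "C", "D"], "modality": "MUST",
   "check": {"fact": "mfa_enforced", "equals": true},
   "text": "You MUST enforce multi-factor authentication for privileged users."},
  {"id": "R-002", "applies_to": ["C", "D"], "modality": "MUST",
   "check": {"fact": "vuln_scan_interval_days", "max": 30},
   "text": "You MUST scan for vulnerabilities at least every 30 days."},
  {"id": "R-003", "applies_to": ["D"], "modality": "MUST",
   "check": {"fact": "vuln_scan_interval_days", "max": 7},
   "text": "You MUST scan for vulnerabilities at least every 7 days."},
  {"id": "R-004", "applies_to": ["B", "C", "D"], "modality": "MUST NOT",
   "check": {"fact": "plaintext_secrets_in_repo", "equals": true},
   "text": "You MUST NOT store plaintext secrets in source repositories."}
]
"""

# Constructed evidence, as a compliance pipeline might assemble it from scanners
# and configuration exports (values are invented for the example).
SAMPLE_EVIDENCE = {
    "mfa_enforced": True,
    "vuln_scan_interval_days": 14,
    "plaintext_secrets_in_repo": False,
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    status: str  # "pass", "fail", "not_applicable", or "no_evidence"
    text: str


def load_rules(text: str = SAMPLE_RULES_JSON) -> list:
    """Parse the rule set from its JSON text."""
    return json.loads(text)


def _condition_holds(check: dict, evidence: dict):
    """Return True/False if the check's condition holds, or None when the
    referenced fact is absent from the evidence (never assume a pass)."""
    fact = check["fact"]
    if fact not in evidence:
        return None
    value = evidence[fact]
    if "equals" in check:
        return value == check["equals"]
    if "max" in check:
        return value <= check["max"]
    raise ValueError(f"unsupported check: {check}")


def evaluate(rules: list, cert_class: str, evidence: dict) -> list:
    """Produce one Finding per rule for the given class and evidence."""
    findings = []
    for rule in rules:
        if cert_class not in rule["applies_to"]:
            findings.append(Finding(rule["id"], "not_applicable", rule["text"]))
            continue
        holds = _condition_holds(rule["check"], evidence)
        if holds is None:
            status = "no_evidence"
        elif rule["modality"] == "MUST":
            status = "pass" if holds else "fail"
        elif rule["modality"] == "MUST NOT":
            # The check describes the prohibited state, so holding it is a fail.
            status = "fail" if holds else "pass"
        else:
            raise ValueError(f"unknown modality in rule {rule['id']}")
        findings.append(Finding(rule["id"], status, rule["text"]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by status, e.g. for a dashboard or CI gate."""
    counts = {"pass": 0, "fail": 0, "not_applicable": 0, "no_evidence": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


if __name__ == "__main__":
    rules = load_rules()
    for cls in ("C", "D"):
        print(f"Class {cls}:")
        for finding in evaluate(rules, cls, SAMPLE_EVIDENCE):
            print(f"  {finding.rule_id} {finding.status:>15}  {finding.text}")
        print(" ", summarize(evaluate(rules, cls, SAMPLE_EVIDENCE)))
```

Running it shows a 14-day scan cadence passing R-002 for Class C but failing the stricter R-003 that only binds Class D, which is the tiering L27 describes. A real pipeline would load the published rules instead of the embedded sample and gate on any `fail` or `no_evidence` count above zero.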
CR26 also confirms a few changes that have been quietly telegraphed for months: pricing information will no longer be published on the marketplace, and independent assessors must complete a minimum of two assessments every two years to maintain their status. Both are housekeeping moves, but the assessor requirement in particular is going to shake out the long tail of 3PAOs that hold accreditation but rarely actually assess.
The Public Preview Model Is Doing Something New
This part is worth slowing down on, because I don’t think it’s getting enough attention.
FedRAMP didn’t just publish a draft document. They built the entire CR26 development process in public. The preview site is hosted on GitHub. Every page is tagged as Stable Content, Placeholder Content, or Empty Content so you know what’s load-bearing and what’s still being drafted. Comments and discussion happen through GitHub Discussions via Giscus, attached to each page.
FedRAMP Director Pete Waterman was direct about the preferred channel: “Stakeholders that avoid the FedRAMP community on GitHub and email us directly create a significant burden for me.” Email isn’t prohibited, but the public GitHub channel is where the program wants the work to happen, and that’s by design. If a CSP asks a clarifying question about a particular rule, every other CSP, every assessor, and every agency can see the question and the answer.
For a federal program, that’s a meaningful posture shift. The traditional FedRAMP feedback loop ran through closed channels: industry days, working groups, vendor relationships. Those channels still exist, but the canonical record is now public.
A few practical implications:
- Your feedback gets weighed alongside everyone else’s. If you have a substantive concern about how a rule is written, the preview window is when to raise it. After CR26 finalizes in late June, the door narrows considerably.
- You can monitor changes the same way you’d monitor a software project. GitHub watch, RSS, whatever. The rule set is now a versioned artifact you can integrate into your own tooling.
- Stable Content is the signal you’ve been waiting for. If a rule is tagged Stable, it’s safe enough to start planning against, with the standard caveat that anything in the preview can still change. Empty and Placeholder content is, definitionally, not.
That last point matters because FedRAMP is explicit in the preview: don’t directly implement preview rules until the final version publishes. The preview is for shaping the final, not for executing against. Read it, comment on it, internalize it. Don’t rewrite your SSP from it yet.
How CR26 Connects to Everything Else
If you’ve been trying to track all of this in your head, here’s the rough mental model I’ve been using.
- NTC-0004 locked in the Class A/B/C/D structure. CR26 operationalizes it across every other rule.
- NTC-0009 set the direction on machine-readable submissions and rolled in the Five Balance Improvement Releases (Minimum Assessment Scope, Significant Change Notifications, Collaborative ConMon, Vulnerability Detection and Response, Authorization Data Sharing). CR26 is where those become formal rule text instead of policy notices.
- The 20x program is the parallel modernization track for cloud-native, automation-forward providers. CR26 publishes both 20x and Rev5 paths in one consolidated document, with explicit rules for each. Providers pick a lane; the lanes are not reciprocal.
If your mental model has been “FedRAMP keeps changing things every few weeks,” CR26 is the moment that resolves into “FedRAMP made a lot of related changes that are now consolidated into one stable rulebook.” It’s not a new direction. It’s the same direction, finally legible in one place.
What CSPs Should Be Doing This Month
The temptation is to wait for the final June release and react then. I think that’s the wrong play. Here’s what I’d be doing if I were on the provider side right now.
- Read the preview as a working document, not a draft. The structural pieces (classes, machine-readable expectations, the dual Rev5/20x paths, the assessment model) are not going to materially change between now and end of June. The wording will tighten and the gaps will fill in, but the shape is set. Internalize the shape now.
- Identify your class and your path. If you’re a current Rev5 Moderate provider, you’re on a path toward Class C. If you’re considering 20x for a new offering, the rules for that lane are now visible in detail for the first time. Pick your lane deliberately, not by inertia.
- Map your existing documentation to the new structure. CR26’s plain-language MUST/MUST NOT structure is going to make a lot of legacy SSP narrative read as either redundant (because the rule is now declarative) or insufficient (because the rule expects machine-readable evidence you weren’t producing). Get a sense of where your current materials sit on that spectrum.
- File substantive comments through GitHub. If a rule is unclear or unworkable for your environment, the preview window is when that feedback actually shapes the final. After June, you’re stuck with the language for thirty months.
- Watch the Stable Content tags. Tagged-stable rules are the parts of CR26 that FedRAMP is signaling won’t shift. Those are the parts you can begin reasoning about as if they’re final, with the caveat that you don’t implement until the final release.
The Broader Read
There’s a pattern in how FedRAMP has been operating over the last year that’s worth naming. They’ve been increasingly explicit about the trade-offs they’re making, the resourcing constraints they’re working under, and the directional bets they’re placing. NTC-0009 admitted that the original RFC-0024 timeline was unrealistic. Phase 2 of 20x told most providers to wait until tooling matures. CR26’s preview model is openly acknowledging that the previous closed-loop feedback process was creating an information asymmetry between insiders and everyone else.
That candor is genuinely refreshing for a federal program, and it’s also a signal. FedRAMP is operating with a smaller team and a more ambitious mandate than at any point in its history. They’re choosing to do this work in public partly because they want better feedback, and partly because they don’t have the bandwidth to do it any other way. CR26 is the artifact that makes the program legible at scale.
Whether the final June release lands cleanly is a separate question. The preview lets you participate in the answer.
The full announcement is here: https://www.fedramp.gov/2026-05-04-public-preview-consolidated-rules-2026/. The preview itself is at fedramp.gov/preview/2026.
Mario Lunato is the Field CISO at Knox Systems and writes about FedRAMP, cloud security, and GRC engineering at OneUpSec.tech.