FedRAMP 20x Certification: Why the Name Change from Authorization?

If you've been tracking FedRAMP 20x, you know that there have been a lot of updates to keep up with.

Earlier in May, there was a quieter change you may have missed. But it’s just as significant as the Phase One and Phase Two pilot programs, KSIs, and new 20x guidance and standards.

Here’s why.

FedRAMP Certification replaced FedRAMP Authorization 

On May 4, 2026, the FedRAMP 20x program officially replaced "FedRAMP Authorization" with "FedRAMP Certification." And the familiar baseline labels (Low, Moderate, High) are now called Class A, Class B, and Class C.

A week later at the Secureframe National Cybersecurity Summit 2026, Dan Chandler, Cloud Security Engineer, FedRAMP, U.S. General Services Administration, explained why this language change happened and why it’s more than just a rebrand.

"A FedRAMP Certification is not a blanket approval that this service is secure enough for the entire federal government to use for whatever they want," Chandler said. 

Instead, the Certification tells agencies what security capabilities have been validated, and then each agency decides whether that risk profile fits their specific needs.

That's a meaningful distinction from how FedRAMP Authorization was often interpreted in practice. Previously, agencies sometimes treated a FedRAMP Moderate Authorization as a universal green light for any use case for data categorized under the Moderate impact level. Others sometimes went the opposite direction, refusing to use a FedRAMP High system for Moderate data, even though that was perfectly acceptable.

The language shift is designed to make clear that a FedRAMP Certification is not an assertion about whether or not the system is secure enough for an agency’s particular purpose. It’s simply access to information that agencies need to “make much more nuanced decisions about their security needs,” Chandler explained.

The new FedRAMP Certification paths at a glance

Old language          | New language
FedRAMP Authorization | FedRAMP Certification
FedRAMP Low           | Class A Certification
FedRAMP Moderate      | Class B Certification
FedRAMP High          | Class C Certification

These changes align with the purpose of the 20x program, which is two-fold, according to Chandler:

  1. To create a process that results in better security and better communication about that security posture for agencies.
  2. To make it easier for vendors to get into the program and start working with the federal government to make their products available.

In other words, 20x is designed to reduce barriers to getting into the FedRAMP Marketplace, not to reduce rigor.

“Now under 20x, any vendor can achieve a FedRAMP Certification, without an agency sponsor, just by meeting a short list of requirements that are pretty easy to achieve for a company of any size,” Chandler explained.

Class A Certification

Class A Certification is the new entry point. If your organization already has a SOC 2, you meet most of the qualifications and can get listed on the FedRAMP Marketplace in weeks, with no agency sponsor and no 3PAO required.

“This can be done usually in a couple of weeks, or at most, a couple of months, usually for very little investment,” Chandler said.

Class B and C Certification

Class B (replacing Low) and Class C (replacing Moderate) still require a FedRAMP-recognized assessor to validate your security capabilities, but that assessor no longer has to be a 3PAO. 

More importantly, the relationship is now explicitly collaborative, so CSPs no longer need to hire one 3PAO firm for documentation and a separate one for the assessment.

Class D Certification

Class D Certification (replacing High) still requires organizations to take the FedRAMP Agency Certification path.

What Changes for CSPs and Agencies Under FedRAMP Certification

The change from “Authorization” to “Certification” reflects a deliberate redistribution of responsibility among the FedRAMP PMO, CSPs, and agencies: The program validates, and agencies decide. This has practical implications for both CSPs pursuing Certification and the agencies evaluating them.

1. A lower barrier to entry for smaller cloud companies

Under the old agency authorization process, getting FedRAMP Authorized could take two years and cost millions, according to Chandler. This effectively locked out most smaller and earlier-stage vendors.

“20x changes that math significantly,” he said.

20x Certification makes it easier to:

  • find an assessor
  • get listed on the Marketplace
  • start working with agencies
  • start generating revenue from that relationship

“It really opens the door for a lot of small businesses that have wanted to make themselves available in the market to the federal government, but didn't necessarily have the resources or the capital to invest in the old FedRAMP process that costs millions of dollars,” Chandler explained.

However, he emphasized the goal wasn’t to make the process better for only one type of cloud service provider, but to level the playing field for all. 

“In other words, the four people building a cool web app in a garage now have essentially the same access to government sales as Microsoft and Google.”

2. Agencies decide if you’re “secure enough”

Under 20x, the assessor's job is to validate that what a cloud service provider claims about their security posture is accurate and complete. From there, Chandler explained, "the agency is going to decide: is this risk something that we're comfortable with?"

That's the core philosophy behind the language change. FedRAMP Certification gives agencies the information they need to make an informed, risk-based decision. It doesn't make the decision for them.

3. The “right” Certification class balances security and cost

For CSPs, this reframe is worth internalizing as you go to market with federal agencies. A Class A Certification may not be enough assurance for agencies for certain use cases. Similarly, a Class B Certification isn't a promise that you're approved for all “Moderate” use cases across the federal government. It's a validated signal that your security capabilities have been assessed, and agencies will evaluate fit from there.

Chandler said that’s actually the intent.

“It lets you [as a CSP] start working with agencies to figure out what is the right balance between security and cost to make your product most valuable to those agencies.”
