Navigating FedRAMP’s Move to Certification Classes 

Anchored by the FedRAMP Authorization Act and OMB Memo M-24-15, FedRAMP is undergoing a major change that affects virtually every aspect of how cloud service providers pursue, achieve, and maintain federal authorization. Named FedRAMP 20x, this program is meant to streamline compliance and make it easier for cloud products to enter the federal marketplace.

The most visible of those changes is the retirement of the legacy baseline labels derived from the FIPS 199 impact levels (Low, Moderate, and High) in favor of a new alphabetical system: Certification Classes A through D.

We’re walking through these new classes and what they mean for cloud service providers pursuing certification and for the agencies that rely on it.

Why Are Impact Levels Being Replaced?

For years, FedRAMP’s “impact levels” created persistent confusion with the Department of Defense’s own Impact Level designations (IL2 through IL6) and similar labeling schemes used by the Department of the Navy. A cloud provider holding a FedRAMP Moderate authorization would regularly face questions about whether that equated to a DoD IL4, or whether a FedRAMP High was somehow interchangeable with an IL5 (it wasn’t).

More importantly, FedRAMP is consolidating around a single official designation: FedRAMP Certified. A provider is either certified or it isn’t, but the class attached to that certification defines the scope and depth of the assessment materials the provider has submitted. It does not serve as a universal verdict on a system’s security posture, and individual agencies must still perform their own risk analysis and issue their own Authority to Operate. 

To understand how these Certification Classes work, it helps to grasp two major changes that underpin them:

Automation and Persistent Validation

First, FedRAMP is making a decisive move away from human-written narrative documents and toward machine-generated deterministic evidence. That means data drawn directly from system configurations, tool outputs, and operational logs, which can be parsed and validated without a human having to read paragraphs of description.

The cornerstone of this shift is the OSCAL (Open Security Controls Assessment Language) mandate. All FedRAMP Rev5 and 20x providers must transition their authorization packages to OSCAL’s machine-readable format. 

For providers pursuing or maintaining Class C certification under the 20x paradigm, the expectations around validation frequency are particularly aggressive: automated validation of machine-based resources must run at least once every three days.

The practical requirements of this model include:

  • Automated evidence collection pipelines that pull configuration states, vulnerability scan results, and access control data from production systems on a continuous basis.
  • OSCAL-native documentation tooling capable of generating and updating machine-readable security packages without manual conversion from Word or PDF source documents.
  • Integration between security tooling and compliance platforms so that findings from SIEM, CSPM, vulnerability management, and identity governance tools flow directly into validation workflows.
  • Continuous monitoring infrastructure architected around the three-day validation cycle, with alerting and exception handling that operate at that cadence, including an alert when a collector misses its window, since a stalled evidence pipeline makes every indicator stale just as surely as a failed control does.
  • Version-controlled control implementations that track changes to security configurations with the same rigor applied to application source code.

Organizations still relying on spreadsheet-driven compliance tracking or consultant-assembled narrative packages will find the 20x model incompatible with their current processes.


Key Security Indicators

Second, certification is moving away from narrative control descriptions to Key Security Indicators (KSIs), whose validation results are produced by automated systems and reported in OSCAL. KSIs do not replace the NIST SP 800-53 security requirements; they change how those requirements are mapped and reported:

  • Mapping to Controls: Each KSI is designed to map to multiple underlying NIST 800-53 controls. Instead of writing a narrative for every individual control, providers prove they have met the required security outcomes through these consolidated indicators.
  • Baseline Requirements: Alignment with NIST SP 800-53 controls remains mandatory. The transition moves the program from proving compliance on paper to proving security in real time.
  • Narrative vs. Data: Under the legacy model, providers wrote descriptive narrative statements to justify control implementations. In the 20x paradigm, these written artifacts are replaced by machine-generated OSCAL and automated validations derived from system logs and event management tools.
  • Continuous Proof: While traditional reliance on NIST controls involved a point-in-time annual assessment, the KSI model requires systems to provide continuous evidence that those safeguards are actively working every day.
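The two ideas above, a three-day freshness window on machine-generated evidence and one KSI rolling up to several NIST SP 800-53 controls, combine naturally into a single check. The following Python is an added example written for this article, not FedRAMP tooling and not the program’s official KSI list: the evidence records are constructed, the KSI identifiers (`KSI-EX-*`) are hypothetical, and the flat record layout stands in for the real OSCAL assessment-results schema. It keeps the newest run per (KSI, resource), flags anything older than three days, and rolls KSI results up to controls so that one failing or stale indicator marks every control it maps to.

```python
"""Freshness and control-coverage check over automated validation evidence.

Added illustration for this article, not FedRAMP tooling. The record layout,
the KSI identifiers and the KSI-to-control mapping are constructed for the
example; real KSI IDs and the OSCAL assessment-results model differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=3)  # the three-day validation cycle from the text

# Hypothetical KSI -> NIST SP 800-53 control mapping: one KSI, several controls.
KSI_CONTROLS = {
    "KSI-EX-MFA": ["IA-2(1)", "IA-2(2)"],
    "KSI-EX-ENCRYPT": ["SC-8", "SC-13", "SC-28"],
    "KSI-EX-VULN": ["RA-5", "SI-2"],
    "KSI-EX-LOGS": ["AU-2", "AU-6"],  # deliberately has no evidence below
}

# Constructed evidence records, one row per (KSI, resource) validation run,
# as an automated collection pipeline might emit them. UTC timestamps.
EVIDENCE = [
    {"ksi": "KSI-EX-MFA", "resource": "idp-prod", "ts": "2026-03-10T02:00:00Z", "result": "pass"},
    {"ksi": "KSI-EX-MFA", "resource": "idp-prod", "ts": "2026-03-13T02:00:00Z", "result": "pass"},
    {"ksi": "KSI-EX-ENCRYPT", "resource": "db-prod", "ts": "2026-03-08T02:00:00Z", "result": "pass"},
    {"ksi": "KSI-EX-VULN", "resource": "k8s-prod", "ts": "2026-03-13T02:00:00Z", "result": "fail"},
]

# Severity order used when several KSI results feed one control.
RANK = {"no-evidence": 0, "pass": 1, "stale": 2, "fail": 3}


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_runs(records):
    """Keep only the most recent run per (KSI, resource); older runs are history."""
    latest = {}
    for r in records:
        key = (r["ksi"], r["resource"])
        if key not in latest or parse_ts(r["ts"]) > parse_ts(latest[key]["ts"]):
            latest[key] = r
    return latest


def classify(record, now, max_age=MAX_AGE):
    """A failing run is 'fail'; a passing run older than max_age is 'stale'."""
    if record["result"] != "pass":
        return "fail"
    return "stale" if now - parse_ts(record["ts"]) > max_age else "pass"


def stale_validations(records, now, max_age=MAX_AGE):
    """Sorted (KSI, resource) pairs whose newest evidence is older than max_age."""
    return sorted(
        key for key, r in latest_runs(records).items()
        if now - parse_ts(r["ts"]) > max_age
    )


def control_status(records, now, mapping=KSI_CONTROLS, max_age=MAX_AGE):
    """Roll KSI evidence up to controls using the worst status seen.

    A KSI with no evidence at all yields 'no-evidence' for its controls, which
    is what a stalled collector looks like when a mapping entry is never fed.
    """
    by_ksi = defaultdict(list)
    for (ksi, _), r in latest_runs(records).items():
        by_ksi[ksi].append(classify(r, now, max_age))
    status = {}
    for ksi, controls in mapping.items():
        worst = max(by_ksi.get(ksi, ["no-evidence"]), key=RANK.__getitem__)
        for control in controls:
            status[control] = max(status.get(control, "no-evidence"), worst, key=RANK.__getitem__)
    return status


if __name__ == "__main__":
    now = parse_ts("2026-03-14T00:00:00Z")
    print("stale:", stale_validations(EVIDENCE, now))
    for control, s in sorted(control_status(EVIDENCE, now).items()):
        print(f"{control:10} {s}")
```

Run as-is, the script reports the encryption KSI as stale (last validated six days before the reference time), marks SC-8, SC-13 and SC-28 stale and RA-5 and SI-2 failed on that basis, and shows AU-2 and AU-6 as `no-evidence` because nothing in the pipeline ever reported on the logging KSI. That last case is the one worth alerting on first: in a continuous model, missing evidence is a finding in its own right.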


Certification Classes A Through D

Certification Class A: Replacing FedRAMP Ready

Class A has no direct predecessor among the legacy authorization baselines. It replaces the FedRAMP Ready designation, which was a readiness label rather than an authorization, and in practice carries many of that designation’s requirements into the new paradigm. For providers locked out of the federal market by the cost and complexity of traditional authorization, Class A represents a potential entry point.

Currently, there isn’t a set number of KSIs to meet for Class A. Instead, CSPs must meet six federal mandates regarding encryption, authentication, incident reporting, and related requirements. 


Certification Class B: Low Impact

Class B consolidates the requirements that previously lived under the Low Impact baseline and the Li-SaaS (Low Impact Software-as-a-Service) designation. This is the baseline for services that handle data where a breach would have limited adverse effects. It also removes the fragmentation between Li-SaaS and Low, two tracks that were similar enough that maintaining them separately created confusion without adding commensurate security value.

Class B services must meet 51 KSIs. 


Certification Class C: Moderate Impact

Class C maps to the current Moderate baseline, which has historically been the center of the FedRAMP program. The vast majority of authorized cloud services sit at this level, and it remains the primary target for most providers entering the federal market. What changes dramatically under Class C is how compliance is demonstrated. 

Class C services must meet 56 KSIs.


Certification Class D: High Impact

Class D corresponds to the High baseline and is reserved for systems that process, store, or transmit data where a breach would have severe or catastrophic consequences. This includes law enforcement data, healthcare records, and other categories where the government’s risk tolerance is minimal. Class D retains the most rigorous assessment requirements and, unlike Classes A through C, continues to require a specific agency sponsor for authorization.

Class D services don’t have an announced number of KSIs as of March 2026. 


Crucial Deadlines for 2026 and Beyond

The transition is already underway, and the milestones are arriving quickly. The dates that matter most are:

  • June 2026: Final publication of the FedRAMP Consolidated Rules for 2026 (CR26), which will codify the full certification class framework and associated requirements.
  • July 28, 2026: Official retirement of the “FedRAMP Ready” label, replaced by the Class A baseline. CSPs with the Ready designation have the option to move to Class A (after review) by November 2026. 
  • September 30, 2026: All new Rev5 authorization submissions must be delivered in machine-readable OSCAL format.
  • September 30, 2027: Grace period ends for existing authorized providers to convert their packages to OSCAL or have their authorization revoked. 

These dates leave a limited runway, particularly for organizations that have not yet adopted OSCAL or are still operating under legacy documentation workflows.


Moving to the New FedRAMP with Continuum GRC Automated Compliance

The federal cloud market is being redesigned to operate at fundamentally different speeds and scales. The providers who will thrive in it are those building compliance into their engineering workflows today.

We provide risk management and compliance support for every major regulation and compliance framework on the market. We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cybersecurity® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect your systems and ensure compliance.
