The General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) is planning to publish by the end of June a “clean set” of consolidated rules for 2026.
The consolidated rules for 2026 will reflect a blizzard of program changes that FedRAMP has put in place since March 2025, when it kicked off its ongoing 20x initiative to revamp the cloud security program. The goal is to boost the use of automation to accelerate the approval of secure cloud services for federal agency use.
In a Feb. 26 blog post, the program said the rules for 2026 “are being transparently developed by FedRAMP for publishing by the end of June 2026.”
“These rules will be valid until the end of 2028 to provide consistency and predictability for all stakeholders,” the program said.
The coming set of rules changes is being informed by requests for comments published by the program in January, with more to come shortly.
“You can expect a torrent of smaller technical Requests For Comment in March,” the program said in its most recent blog post.
Elsewhere in the post, FedRAMP said its board voted to support wide adoption of a “significant change notifications (SCN)” process instead of relying on the “significant change request” process (SCR) if cloud providers have government customers.
“One of the largest historical incentives for the creation of government-specific versions of cloud services is being removed this month: cloud service providers will no longer be required to ask the government for permission to improve their own service just because they have a government customer,” the program said.
“The FedRAMP Board has voted to support wide-scale adoption of the Significant Change Notifications process within the government and to help ensure consistency and transparency between agencies and cloud service providers that are adopting this process,” the program said, adding, “This will be a priority for FedRAMP over the next two months.”