FedRAMP®

You’re FedRAMP “Ready” under Rev. 5 — now what?

Karen laughton

Karen Laughton

EVP, Advisory Services, Coalfire

July 9, 2026
Fedramp blog 7 7

What CSPs should do after the FedRAMP rules update

If your cloud service provider (CSP) achieved FedRAMP Ready under FedRAMP Rev. 5, the new rules changed your next move.

FedRAMP Ready is no longer a long-term holding pattern. Under the newly published rules, providers that hold FedRAMP Rev. 5 Ready need to convert to a full FedRAMP Certification by the later of their next annual assessment expiration or November 17, 2026.

That means the right question is no longer, “How long can we keep Ready?” The right question is, “Which certification path makes sense for the market we want to serve?”

Start with the deadline, not the label

The first step is simple. Treat FedRAMP Ready as a countdown.

The new rules retire FedRAMP Ready as a destination and push Ready holders toward full certification. If you already invested the time and money to become Ready, that work still matters. It gives you a head start. It just does not let you sit still.

If you have not already done it, pull your most recent annual assessment date and work backward from the later of that expiration date or November 17, 2026. That is your real planning horizon.

Decide what market you actually need to serve

Not every Ready holder should make the same move.

Some providers need the fastest practical path into the federal market. Others need a stronger long-term position for civilian agencies, Department of Defense (DoD) buyers, or both. The new rules make that choice more explicit.

FedRAMP now uses a certification model built around Certification Type, Certification Path, and Certification Class. FedRAMP 20x uses the Program Path, which removes the old agency sponsor requirement. The Agency Path remains a legacy option tied to Rev. 5.

For many Ready holders, that creates two realistic choices:

  • use FedRAMP 20x, often starting with Class A, as the fastest on-ramp into the new model
  • pursue a legacy Rev. 5 path if your buyers, contracts, or operating model still depend on that structure

If you want the fastest bridge, look hard at Class A

The most important new opening for Ready holders is Class A.

The new rules create a Class A certification path that lets providers reuse recent commercial or federal compliance work, including FedRAMP Rev. 5 Ready, to obtain FedRAMP Certification. For many providers that already hold Ready, that will be the most direct bridge into the new model.

That does not mean Class A is the right end state for every provider. It means Class A may be the cleanest first move if you want to preserve momentum and get into the new certification structure without rebuilding from zero.

If you want to serve both civilian agencies and DoD, build a dual-track plan

This is the part many providers need to think through more carefully.

If your target market includes both civilian agencies and Department of Defense (DoD) programs, do not treat FedRAMP 20x as a one-size-fits-all answer. A 20x path may be a strong move for civilian market access, but it does not by itself satisfy current DoD expectations tied to Cybersecurity Maturity Model Certification (CMMC) and Federal Risk and Authorization Management Program (FedRAMP) Moderate equivalency.

That means you should map your certification plan to the buyers you actually need to satisfy. A provider pursuing civilian demand only may choose one route. A provider that needs to support both civilian agencies and DoD-related buyers should build a dual-track strategy early.

In practice, that means:

  • decide which market you need to unlock first
  • determine whether one offering can support both markets cleanly or whether separation is smarter
  • build one operating backbone where possible for evidence, change management, vulnerability handling, and customer reporting
  • use FedRAMP 20x where it strengthens the civilian-market path without assuming it closes the DoD requirement on its own

The goal is not to run two disconnected compliance motions if one deliberate operating model can support both. The goal is to avoid making a civilian-first certification choice that creates unnecessary friction later with DoD buyers.

Build a conversion plan, not a document plan

The rules change more than the name of the program.

They move providers toward full certification and away from a narrow “readiness artifact” mindset. FedRAMP said the 2026 changes replace a patchwork of legacy guidance with a single ruleset, and it set January 1, 2027 as the date when the new rules become mandatory for all stakeholders.

For a Ready holder, that means your plan should cover more than paperwork. It should answer:

  • which certification path you are choosing
  • which class you are targeting
  • which buyers you need to satisfy first
  • whether your current evidence model can support the new certification process
  • whether your operating model is good enough for where you want to go next

If you need a Rev. 5 bridge, watch the timing closely. FedRAMP said temporary Rev. 5 Program Certification pipelines will open on August 10, 2026 for eligible Class B and Class C providers through the Ready Conversion and Lost Sponsor paths.

Update your internal language and expectations

This is not just branding.

FedRAMP has moved from “authorization” language to “certification” language, and the old market categories are being replaced by a class-based structure. Your internal planning, leadership updates, and customer messaging should reflect that now.

That matters because the old way of talking about FedRAMP Ready can hide the real decision in front of you. Ready used to signal that you were moving toward the market. Now you need to decide how you will actually enter it.

What a practical next step looks like

If you already achieved FedRAMP Ready under Rev. 5, a practical next step looks like this:

  • confirm your actual Ready conversion deadline
  • decide whether your near-term business case points you toward a Class A bridge, a higher certification class, or a legacy Rev. 5 path
  • pressure-test that decision against your target buyers, especially if DoD demand is part of the plan
  • build a certification roadmap around the market you want, not the label you already earned

The worst move now is to assume FedRAMP Ready bought you more time than it did. The better move is to use Ready for what it is: a head start.

If you are unsure which path fits your market, timeline, or DoD requirements, ask our FedRAMP advisors. We can help you assess your current Ready status, compare certification options, and build a practical roadmap for moving from FedRAMP Ready to full certification.