CR26 Preview: FedRAMP Rules Shift to Structured Data

FedRAMP CR26 Just Dropped in Public Preview — Here’s What It Actually Means for Your Authorization

FedRAMP changed on May 4, 2026. The program launched CR26, Consolidated Rules 2026, in public preview, with a final release scheduled for the end of June. If your organization holds a FedRAMP authorization, pursues one, or sells to federal agencies that require it, CR26 is not a minor update to skim. It rewrites how FedRAMP requirements are expressed, assessed, and tracked.

The deepest change is epistemological. FedRAMP has always been requirements-based, but the requirements lived in documents — Word files, PDFs, spreadsheets — that humans read and argued over. Assessors and cloud service providers disagreed about what those documents meant, which produced inconsistency across assessments and extended authorization timelines. CR26 publishes the requirements catalog as structured data on GitHub. Each requirement is a discrete, versioned, machine-readable record. Instead of an assessor reading a System Security Plan narrative and making a judgment call, a system can now check whether an implementation satisfies a declared requirement. The MUST/MUST NOT formulation removes interpretive ambiguity at the source.

The implication for SSP documentation is concrete. SSPs written against the old narrative framework will need to be mapped to the new class structure. That mapping work is best done now, while the public preview is open for comment, so organizations can identify gaps before the final version publishes.

5 Key Takeaways

1. Narrative guidance gives way to machine-readable rules.

CR26 replaces prose compliance documentation with declarative MUST/MUST NOT statements published as structured data on GitHub — moving FedRAMP meaningfully closer to programmatic compliance enforcement. Each requirement becomes a versioned, queryable record rather than a document passage. Assessors and cloud service providers can no longer disagree about what requirements mean; the requirements now express themselves in language automation can validate. The Kiteworks FedRAMP authorization posture is built to align with this shift.

2. Impact labels become Certification Classes A through D.

Low/Moderate/High is replaced by a lettered class system. The structure is additive — each class includes all controls from the prior class plus additional requirements. Class C is the operative tier for most federal cloud deployments and maps to the former Moderate designation. Class D covers the former High. For organizations with existing FedRAMP Moderate authorization, the primary task is mapping current documentation to the Class C structure.

3. FedRAMP Ready retires July 28.

The designation becomes Legacy FedRAMP Ready on that date. Its commercial weight will diminish as federal procurement teams adjust to the new framework. Organizations using FedRAMP Ready as a sales credential without pursuing full authorization should treat July 28 as a hard planning deadline — full authorization under the CR26 class framework will become the baseline expectation.

4. A thirty-month stable window opens through December 31, 2028.

CR26 rules hold for thirty months — giving cloud service providers an unusually clear planning horizon for authorization strategy. This changes the ROI calculation for authorization investment: the cost of maintaining authorization was historically complicated by requirements shifting before the investment paid off. A defined stable horizon makes that calculation cleaner and supports multi-year procurement planning.

5. Do not rewrite authorization packages against the preview language.

The final version publishes at the end of June. The comment period closes then as well — organizations that want to shape the final language should file on GitHub before that window closes. Start mapping current SSP documentation to the new class structure now, but wait for the final version before making material changes to packages in flight.

How the New Certification Class Structure Works

Replacing Low/Moderate/High with Classes A through D is more than relabeling. The class structure is additive — each successive class includes all requirements of the prior class plus additional controls. That makes the class boundary clearer and easier to explain.

For most federal contractors and cloud service providers, Class C is the operative authorization tier. It corresponds to what was Moderate — the level required for systems handling CUI and the majority of civilian agency workloads. Kiteworks holds FedRAMP authorization, and the Class C structure maps directly to what the platform supports: secure email, managed file transfer, secure file sharing, and compliant collaboration across agency boundaries.

Class D covers the former High designation — systems handling the most sensitive unclassified data, including law enforcement, emergency services, and financial information. At that tier, the machine-readable requirements catalog matters more, not less, because the control density is higher and interpretive inconsistency is more costly.

There is also a practical communication benefit. “We are Class C authorized” is a cleaner statement than “we have a FedRAMP Moderate Authorization to Operate.” When the underlying requirements are machine-readable and publicly accessible on GitHub, a procurement officer can verify what Class C requires without asking for a briefing.
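
A gap check of the kind the additive class structure makes possible, added here as an illustration and not taken from FedRAMP or Kiteworks. The record fields, requirement IDs and the sample SSP mapping are constructed assumptions; the published CR26 schema may differ.

```python
# Constructed sample catalog. Field names and IDs are assumptions for
# illustration; they are not the published CR26 schema or real requirements.
CATALOG = [
    {"id": "EX-A-1", "class": "A", "version": 1, "keyword": "MUST",
     "behavior": "administrative access is logged"},
    {"id": "EX-B-1", "class": "B", "version": 1, "keyword": "MUST NOT",
     "behavior": "credentials are shared between accounts"},
    {"id": "EX-C-1", "class": "C", "version": 2, "keyword": "MUST",
     "behavior": "stored customer data is encrypted"},
    {"id": "EX-C-2", "class": "C", "version": 1, "keyword": "MUST NOT",
     "behavior": "APIs accept unauthenticated requests"},
    {"id": "EX-D-1", "class": "D", "version": 1, "keyword": "MUST",
     "behavior": "privileged sessions are recorded"},
]
CLASS_ORDER = ["A", "B", "C", "D"]

# Constructed SSP mapping: requirement id -> whether the behavior is present
# in the system, and which catalog version the mapping was written against.
SSP = {
    "EX-A-1": {"present": True, "version": 1},
    "EX-C-1": {"present": True, "version": 1},  # mapped to an older version
    "EX-C-2": {"present": True, "version": 1},  # conflicts with a MUST NOT
}

def requirements_for(target, catalog=CATALOG):
    """Classes are additive: a class includes every lower class's records."""
    included = CLASS_ORDER[: CLASS_ORDER.index(target) + 1]
    return [r for r in catalog if r["class"] in included]

def gap_report(target, ssp=SSP, catalog=CATALOG):
    """List requirements that are unmapped, mapped to a stale version, or violated."""
    report = {"unmapped": [], "stale": [], "violated": []}
    for req in requirements_for(target, catalog):
        entry = ssp.get(req["id"])
        if entry is None:
            report["unmapped"].append(req["id"])
            continue
        if entry["version"] != req["version"]:
            report["stale"].append(req["id"])
        # MUST needs the behavior present; MUST NOT needs it absent.
        if entry["present"] != (req["keyword"] == "MUST"):
            report["violated"].append(req["id"])
    return report

if __name__ == "__main__":
    for cls in ("C", "D"):
        print(cls, gap_report(cls))
```

The `stale` list is the part that matters between preview and final release: a mapping written against one version of a record is flagged when that record's version changes.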

What the FedRAMP Ready Retirement Means

FedRAMP Ready has served as a preliminary designation — a signal that a cloud service provider has been reviewed by a 3PAO and is considered ready to pursue full authorization. It has been a meaningful sales credential in the federal market because it demonstrated rigor without a full Authorization to Operate.

That designation retires on July 28, 2026. Existing holders keep it as Legacy FedRAMP Ready, but the competitive weight of that label will diminish as the federal procurement community adjusts to the new framework. Organizations that have been using FedRAMP Ready as a sales credential without pursuing full authorization should treat July 28 as a hard deadline.

Guidance from Field CISO Mario Lunato of Knox Systems is direct: wait for the final version, which publishes at the end of June, before making material changes to packages in flight. The mapping work, aligning existing SSP language and controls to the new class structure, is the right activity right now.

The Thirty-Month Stability Window and What to Do With It

The commitment to rules stability through December 31, 2028, may be the most strategically significant aspect of CR26. FedRAMP has historically created planning uncertainty because requirements evolved and authorization timelines stretched. A thirty-month stable horizon changes the calculus for cloud service providers and their federal agency customers.

For Kiteworks customers in the federal market, this window supports multi-year procurement planning. An agency CIO can make a platform decision with confidence that the authorization basis will not shift materially before the end of 2028. A defense contractor pursuing CMMC 2.0 alongside FedRAMP authorization can align both roadmaps against stable requirements.

NIST 800-171 and FedRAMP Class C requirements overlap substantially for organizations handling CUI. The machine-readable CR26 catalog will make it easier to map controls across frameworks and identify where a single implementation satisfies multiple requirements. That is the direction Kiteworks has supported with its Private Data Network approach: one platform, one set of enforced controls, demonstrated compliance across multiple frameworks.

How Kiteworks Supports the CR26 Transition

Kiteworks holds FedRAMP authorization, and the CR26 transition maps directly to how the platform is built: compliance enforced programmatically rather than documented in narrative form and reviewed periodically. The Kiteworks data policy engine enforces content governance controls at the system level — governing who can access what data, through which communication channels, under what conditions. Rules are defined, applied automatically, and logged for audit. As FedRAMP moves toward MUST/MUST NOT requirements that are machine-checkable, the alignment between how Kiteworks enforces controls and how CR26 expresses requirements is direct.

Audit logs capture every file access, transfer, and sharing event. That level of visibility is what Class C compliance documentation requires, and it is what agency customers need to maintain their own authorization posture. The SFTP server, MFT, and all other exchange channels produce the same unified audit trail with FIPS 140-3 validated encryption.

The comment period on CR26 closes at the end of June. Organizations with FedRAMP authorizations — or pursuing them — should map current SSP documentation to the new class structure now, file substantive comments on GitHub if requirements affect their control implementations, and plan for the final version publication before rewriting authorization packages.

Frequently Asked Questions

FedRAMP CR26 (Consolidated Rules 2026) launched in public preview on May 4, 2026, replacing narrative compliance guidance with declarative MUST/MUST NOT requirements published as structured data on GitHub. The final version is scheduled for end of June 2026. The rules hold through December 31, 2028 — a thirty-month stable planning window. Do not rewrite authorization packages against the preview language before the final version publishes. Kiteworks’ FedRAMP compliance platform is built to align with these evolving requirements.

Class C is the functional equivalent of the former Moderate designation, covering the majority of federal cloud deployments including systems handling CUI. Class D corresponds to the former High designation. The class structure is additive — each class includes all controls from the prior class. For organizations with existing FedRAMP Moderate authorization, the primary task is mapping current documentation to the Class C structure before the comment period closes.

The FedRAMP Ready designation retires July 28, 2026 and becomes Legacy FedRAMP Ready. Its commercial weight will diminish as federal procurement teams adjust to the new framework. Organizations using it as a sales credential should plan now for full authorization under the CR26 class framework. Understanding FedRAMP for the private sector can help non-government organizations understand why full authorization matters beyond federal contracts.

Each requirement becomes a versioned, queryable GitHub record rather than a document passage — compliance teams can build validation pipelines against specific requirements instead of interpreting prose. SSP language needs to map to the new class structure with controls aligned to MUST/MUST NOT statements. Platforms with programmatic control enforcement can generate that evidence automatically. Audit logs are the primary vehicle for demonstrating that declared controls are operating as required.

Map current SSP documentation to the new class structure to identify gaps; file substantive comments on GitHub if specific requirements create conflicts with current control architecture; and avoid rewriting authorization packages against the preview language. Organizations pursuing CMMC compliance alongside FedRAMP authorization should examine how both roadmaps align under the new framework — NIST 800-171 and Class C requirements overlap substantially.
