Secani
Secani
  • Company
  • Roadmap
Request demo

Summarize with AI

Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok
SIBB Startups
Berlin
Kofinanziert von der Europäischen Union
Secani

Jonathan Bezdek

Wörther Straße 9

10435 Berlin


hello@secani.com

Product

  • Security
  • Roadmap
  • Documentation
  • OSCAL

Legal

  • Privacy Policy
  • Terms
  • Cookie settings
  • Legal Notice

Company

  • Company
  • Contact
  • Blog

Support

  • Help
    Blog

    FedRAMP goes machine-readable

    Derya AltinayCEO
    6 min read
    July 16, 2026

    Explore with AI

    Open in ChatGPTOpen in ClaudeOpen in PerplexityOpen in MistralOpen in Grok

    On this page

    The end of the Word packageFrom RFC-0024 to the Consolidated Rules 2026The deadlines at a glanceThe role OSCAL playsWhat cloud providers should do now

    The end of the Word package

    For years, a FedRAMP authorization package was above all one thing: a lot of document. System security plans running to hundreds of pages, control descriptions in Word templates, inventories and test results in Excel. As late as 2025, Rev5 authorizations ran almost entirely on these templates – even though OSCAL had long existed as the machine-readable alternative.

    In January 2026, FedRAMP initiated the course change with RFC-0024: authorization data is to be submitted as structured, machine-readable data instead of stacks of documents. For agencies, this means faster reviews and comparable packages. For cloud service providers, it means a transition that is far better planned early than late.

    • Word and Excel templates are being retired as submission formats
    • Structured data makes packages checkable, comparable, and reusable
    • The transition applies to all providers, not only the 20x modernization track

    From RFC-0024 to the Consolidated Rules 2026

    The road to the final rule is itself a lesson in public standardization. The original proposal set hard cutoffs as early as September 30, 2026. During the comment period, which closed on March 11, 2026, providers almost universally asked for more preparation time.

    FedRAMP responded: the interim outcome published in March 2026 moved the deadlines out. Everything was then consolidated into the final Consolidated Rules for 2026 (CR26), published at the end of June 2026, which organize the requirements into certification classes A through D. The message is unchanged: machine-readability is coming – only the schedule became more realistic.

    The deadlines at a glance

    What counts is the final CR26 schedule; earlier interim drafts with per-class format cutoffs are superseded.

    • Since July 4, 2026: optional early adoption of the new ruleset, with the class pipelines opening from August 2026
    • From January 1, 2027: the Consolidated Rules apply mandatorily; new certifications in the highest class D require machine-readable authorization data as JSON validating against the published FedRAMP schemas
    • Existing certifications: transition no later than the first independent assessment that starts after January 1, 2027
    • June 11, 2027: end of new Rev5 certifications – from then on, new applications run entirely on the new ruleset

    Important for planning: anyone targeting a new authorization in 2027 is effectively working with the new formats in 2026 – package preparation, gap analyses, and testing start well before the cutoff.

    The role OSCAL plays

    The final rules anchor machine-readability in JSON documents that validate against published FedRAMP schemas – FedRAMP does not prescribe a specific authoring tool. In practice, the road leads through OSCAL: the NIST standard is the established open data model for exactly this content, FedRAMP works with the OSCAL community on templates and resources, and the tool ecosystem is growing fastest there – our post on the OSCAL tools landscape gives an overview.

    How the document models fit together – from catalog to profile to SSP and assessment – is covered in our introduction What is OSCAL?

    Schema validation checks structure, not substance

    That a package validates against a FedRAMP schema is necessary – not sufficient. The substantive work of structuring control descriptions, inventories, and evidence cleanly stays the same. Do it once in OSCAL, and you can serve any required target schema from it.

    What cloud providers should do now

    From our work with structured compliance data, a simple sequence has proven itself. It works regardless of whether the target is FedRAMP or another program with machine-readable requirements.

    • Inventory: which parts of today's package live where – and in what quality?
    • Pilot: convert a slice of the SSP to OSCAL and check it against the schemas, for example with our free OSCAL Validator
    • Working model: set up owners, reviews, and evidence handling so that structured data is the default, not an export at the end

    This is exactly what we are building Secani for: a platform where authorization data is structured from the start – with sources, approvals, and history. If you are planning the transition, talk to us.

    Build auditable compliance workflows

    Secani connects scopes, evidence, tasks, and AI agents in one shared workspace.

    Request demo

    Related posts

    All posts
    OSCAL
    What is OSCAL?

    OSCAL turns compliance documents into structured data: eight document models, three formats, and an ecosystem that is becoming the standard for regulation.

    Read
    OSCAL
    The OSCAL tools landscape

    The OSCAL ecosystem is growing fast: viewing and validating are well covered, while authoring and day-to-day workflows remain the biggest gap.

    Read
    IT baseline protection
    IT-Grundschutz++ meets OSCAL

    With the Stand-der-Technik-Bibliothek, IT-Grundschutz leaves the PDF behind: IT-Grundschutz++ ships as an OSCAL catalog – changing how ISMS work is organized.

    Read