FedRAMP goes machine-readable
The end of the Word package
For years, a FedRAMP authorization package was above all one thing: a lot of document. System security plans running to hundreds of pages, control descriptions in Word templates, inventories and test results in Excel. As late as 2025, Rev5 authorizations ran almost entirely on these templates – even though OSCAL had long existed as the machine-readable alternative.
In January 2026, FedRAMP initiated the course change with RFC-0024: authorization data is to be submitted as structured, machine-readable data instead of stacks of documents. For agencies, this means faster reviews and comparable packages. For cloud service providers, it means a transition that is far better planned early than late.
- Word and Excel templates are being retired as submission formats
- Structured data makes packages checkable, comparable, and reusable
- The transition applies to all providers, not only the 20x modernization track
From RFC-0024 to the Consolidated Rules 2026
The road to the final rule is itself a lesson in public standardization. The original proposal set hard cutoffs as early as September 30, 2026. During the comment period, which closed on March 11, 2026, providers almost universally asked for more preparation time.
FedRAMP responded: the interim outcome published in March 2026 moved the deadlines out. Everything was then consolidated into the final Consolidated Rules for 2026 (CR26), published at the end of June 2026, which organize the requirements into certification classes A through D. The message is unchanged: machine-readability is coming – only the schedule became more realistic.
The deadlines at a glance
What counts is the final CR26 schedule; earlier interim drafts with per-class format cutoffs are superseded.
- Since July 4, 2026: optional early adoption of the new ruleset, with the class pipelines opening from August 2026
- From January 1, 2027: the Consolidated Rules apply mandatorily; new certifications in the highest class D require machine-readable authorization data as JSON validating against the published FedRAMP schemas
- Existing certifications: transition no later than the first independent assessment that starts after January 1, 2027
- June 11, 2027: end of new Rev5 certifications – from then on, new applications run entirely on the new ruleset
Important for planning: anyone targeting a new authorization in 2027 is effectively working with the new formats in 2026 – package preparation, gap analyses, and testing start well before the cutoff.
The role OSCAL plays
The final rules anchor machine-readability in JSON documents that validate against published FedRAMP schemas – FedRAMP does not prescribe a specific authoring tool. In practice, the road leads through OSCAL: the NIST standard is the established open data model for exactly this content, FedRAMP works with the OSCAL community on templates and resources, and the tool ecosystem is growing fastest there – our post on the OSCAL tools landscape gives an overview.
How the document models fit together – from catalog to profile to SSP and assessment – is covered in our introduction What is OSCAL?
What cloud providers should do now
From our work with structured compliance data, a simple sequence has proven itself. It works regardless of whether the target is FedRAMP or another program with machine-readable requirements.
- Inventory: which parts of today's package live where – and in what quality?
- Pilot: convert a slice of the SSP to OSCAL and check it against the schemas, for example with our free OSCAL Validator
- Working model: set up owners, reviews, and evidence handling so that structured data is the default, not an export at the end
This is exactly what we are building Secani for: a platform where authorization data is structured from the start – with sources, approvals, and history. If you are planning the transition, talk to us.
Build auditable compliance workflows
Secani connects scopes, evidence, tasks, and AI agents in one shared workspace.
Related posts
All postsOSCAL turns compliance documents into structured data: eight document models, three formats, and an ecosystem that is becoming the standard for regulation.
The OSCAL ecosystem is growing fast: viewing and validating are well covered, while authoring and day-to-day workflows remain the biggest gap.
With the Stand-der-Technik-Bibliothek, IT-Grundschutz leaves the PDF behind: IT-Grundschutz++ ships as an OSCAL catalog – changing how ISMS work is organized.