FedRAMP's Biggest Modernization in a Decade Opens New Doors for Cloud Service Providers
TAMPA, Fla., June 25, 2026 (GLOBE NEWSWIRE) -- Schellman, the nation's No. 1 FedRAMP Independent Assessor (formerly referred to as Third-Party Assessment Organizations, or 3PAOs) and the only Independent Assessor to have completed more than 200 FedRAMP assessed cloud service offerings, today published its analysis of the FedRAMP Consolidated Rules for 2026. Released June 24, 2026, the Consolidated Rules represent the most consequential modernization of the federal cloud security program since its inception and one that opens meaningful new doors for cloud service providers looking to enter or advance within the federal marketplace.
The new rules meaningfully lower the barrier to federal market entry. The agency sponsorship requirement, historically one of the most significant obstacles for CSPs pursuing FedRAMP certification, is eliminated under the new Program Certification path for FedRAMP 20x. A new Class A Certification path allows CSPs holding a recent SOC 2 Type II, GovRAMP, or existing FedRAMP Rev5 assessment to leverage that work toward FedRAMP Certification. For technology companies that have held back from pursuing federal business, these changes create a genuine opening.
"FedRAMP is entering a new era," said Matt Hungate, Federal Practice Leader at Schellman. "These rules represent a ground-up restructuring of the program, and the organizations that succeed will be those that engage now, understand their gaps, and build the tooling and operational workflows the new rules demand. Helping organizations navigate this transition is exactly what we're here for."
For CSPs already on the FedRAMP Marketplace, the rules modernize how compliance is managed day to day. A new four-tier Certification Class system, machine-readable documentation requirements, and quarterly reporting cycles replace legacy structures, resulting in reduced overhead and more efficient engagement with agency customers.
One deadline warrants immediate attention. Vulnerability management compliance under Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 26-04 is mandatory by Dec. 7, 2026, ahead of the Jan. 1, 2027 deadline governing most other requirements. CSPs that prioritize this now will be better positioned as broader compliance deadlines approach.
Schellman's full analysis is available at schellman.com/blog/federal-compliance/fedramp-updates-csps-needs-to-know. CSPs with questions can contact Schellman's federal practice at schellman.com/contact.
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP Independent Assessor, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor. Learn more at schellman.com
Media Contact:
V2 Communications
schellman@v2comms.com
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/5fb4f562-f357-4929-ad78-c06de3380e46
© Copyright Globe Newswire, Inc. All rights reserved. The information contained in this news report may not be published, broadcast or otherwise distributed without the prior written authority of Globe Newswire, Inc.
