Efterlev · 13 May 2026 · 6 min read · Part 1 of 5

So your CEO just said we need FedRAMP. Start here.

Your CEO just told you the company needs FedRAMP Class C (Moderate). You have never done this before. The playbook you will find online is already out of date.

This article and the series after it explain what is actually involved, what is changing in 2026, and what to do this week.

What changed in 2026

In late 2025, the FedRAMP Program Management Office finished Phase 1 of a new authorization track called FedRAMP 20x for the Low impact level. In November 2025 they opened Phase 2 for Moderate, invite-only. Aeroplicity reached FedRAMP Moderate through 20x on April 13, 2026, becoming the first publicly named Phase 2 authorization most people can point at.

Public rollout of 20x for Low and Moderate is targeted for the second half of FY 2026, roughly July through December on the calendar. A new set of rules called the Consolidated Rules for 2026 (CR26) is expected to publish at the end of June 2026 and stay in effect through December 31, 2028.

Translation: if your authorization will start in late 2026 or 2027, the path you walk is going to be different from the one most online guides describe.

The path that still mostly applies

Until 2026, getting FedRAMP Class C (Moderate) looked like this. Hire a specialist consultant, who charges $250,000 and up. Spend 12 to 18 months producing a System Security Plan (SSP) that runs many hundreds of pages and describes how your system implements over 300 controls from NIST Special Publication 800-53. Hire a Third Party Assessment Organization (3PAO) to test those controls. Submit the package to a sponsoring federal agency or the FedRAMP PMO. Eventually receive an Authorization to Operate (ATO). Then maintain Continuous Monitoring (ConMon) for as long as you want federal customers.

Most of that does not go away with 20x. The SSP turns into structured machine-readable data instead of a thousand-page Word document. The 3PAO still exists. The controls still exist. Continuous monitoring still exists. What changes is the format of the artifact, which makes the work easier to automate. The specialty does not disappear; the paperwork shrinks.

What it really costs

A first-time Moderate authorization that finishes in 12 months for under $400,000 all-in is on the fast and cheap end of what people actually experience. A more typical number is $500,000 to $700,000 over 15 months. That includes the consultant, the 3PAO, and an honest accounting of internal staff time. ConMon is recurring on top of that.

20x will compress some of this once it is broadly available. It will not compress the actual security work, the 3PAO time, or the ongoing ConMon obligation.

Why your team has not seen this before

This is the part that is hard to convey to leadership.

Federal compliance is a specialty. The companies you compete with on commercial deals do not do this work. The compliance platforms most SaaS companies already use are very good at SOC 2 and ISO 27001; they are not built for FedRAMP depth. The engineers on your team who know cloud security cold have never seen 800-53 Rev 5, never written an SSP, never produced a POA&M, and never sat through a 3PAO interview.

Your team is not behind. They are entering a different professional discipline.

A quick note on infrastructure

If you are running on AWS today, the platform under your application has already done a meaningful chunk of this work. AWS commercial regions carry FedRAMP Moderate authorization. AWS GovCloud carries FedRAMP High. Both let you inherit underlying infrastructure controls so you do not evidence them from scratch. Whether you stay in commercial regions or move to GovCloud depends on which agency is buying and what data they will send. The platform under your code is not where the 12 months go.

What to do this week

Three things, in order.

First, find out exactly who is asking. The path through FedRAMP changes based on whether you have an agency sponsor, whether the buyer is DoD or civilian, and whether you are targeting 20x or one of the legacy tracks. The first useful question is "who specifically wants this, and on what timeline."

Second, draw your authorization boundary on a whiteboard. Every system, every database, every third party that processes federal data. Most first-time companies discover their boundary is bigger than they thought. Boundary work is not glamorous and consultants underprice it. It is also the single biggest determinant of how long your authorization runs.

Third, before you sign a consulting engagement, ask the consultant three questions. Have you successfully landed a 20x authorization since Phase 2 opened? What is your plan for the CR26 transition? How do you handle clients who do not yet know their boundary? The answers tell you a lot.

The series

Part 1 — You are here.

Part 2 — FedRAMP just got a new authorization track. Here's what it looks like.

Part 3 — FedRAMP says your MFA probably doesn't count. Here's why.

Part 4 — The cost and time math, with numbers.

Part 5 — What is coming through 2028 so you can plan around it.