FedRAMP Consolidated Rules for 2026 (CR26) Released!
Our full post on the CR26 release is coming shortly, but here is a teaser!
What's New vs. the Earlier VDR/VER Process Documents
- VER is now a separate ruleset from VDR. The evaluation and reporting requirements that were part of the VDR process document are now their own ruleset (VER) for organizational convenience. Same substance, cleaner structure.
- VER-EVA-AIA (Assume It's Automatable) is confirmed as a new MUST rule: providers must assume exploitation is automatable unless evidence says otherwise. This is more conservative than BOD 26-04's approach.
- VDR-CSO-FAV (Failures Are Vulnerabilities) — explicitly codifies that problems with your VDR process are themselves vulnerabilities subject to the same detection and response lifecycle.
- VDR-CSO-DET expanded scope — vulnerability detection now explicitly includes verifying that information resources and processes are operating as intended and documented for FedRAMP Practices. An out-of-date SDR entry is a vulnerability.
- Certification Class system (A/B/C/D) replaces Moderate/High baselines with a graduated assurance model. Timelines and requirements scale by class throughout all 17 rulesets.
- Security Decision Record (SDR) replaces SSP at the control documentation level. Certification Package Overview (CPO) replaces the SSP overview.
- CTL section redirects — RA-05, SI-02, SI-04, and their enhancements all now say "Follow the FedRAMP VDR and VER rules" instead of containing independent implementation guidance.
- VDR/VER status explicitly reads "Mandated by CISA BOD 26-04" in the effective dates — confirming the BOD as the forcing function.
Top 5 Insights
1. The December 7 deadline is non-negotiable and affects every FedRAMP CSP. Not just 20x pilots: every Rev5 certified CSO must adopt VDR/VER by December 7, and a CSO that misses that date must be on a corrective action plan by March 7, 2027 or lose its certification. Any client still on legacy monthly scanning needs to start transitioning now.
2. The VDR scope is broader than vulnerability scanning. VDR-CSO-DET now explicitly includes verifying that documented controls are operating as intended. An out-of-date control statement in the SDR is a vulnerability. This collapses the traditional boundary between "vulnerability management" and "continuous monitoring" into a single lifecycle.
3. The Class system changes how you scope advisory engagements. Every MUST requirement that varies by class (and many do: incident reporting timelines, machine verification cadences, assessment frequency, package maintenance, KSI metrics depth) needs to be mapped to the client's target class. Class B is the baseline; Classes C and D have significantly more aggressive timelines across every ruleset.
4. Trust centers and machine-readable data are mandatory infrastructure. CDS rules require programmatic API access, JSON format compliance, access logging, and historical snapshots. This isn't a future aspiration — it's a MUST. CSPs need a trust center solution, and agencies need GRC tools that can ingest machine-readable artifacts.
5. The Presumption of Adequacy is now codified with teeth. AGU-AGC-NAR says agencies MUST NOT require additional security information beyond the FedRAMP rules unless the agency head determines a demonstrable need. AGU-AGC-NAI says agencies MUST notify FedRAMP when they request extras. This is a real lever for CSPs being asked to produce duplicative artifacts.
