FedRAMP Public Notices Explained: What They Mean for FedRAMP 20x
As FedRAMP modernization accelerates under FedRAMP 20x, the Program Management Office (PMO) has introduced a new communication channel: FedRAMP Public Notices.
These notices provide a centralized, chronological record of updates that may not require a full blog post but are still important for the community. They will give CSPs, Assessors, and Agencies more transparency into the PMO's decisions, which have major effects on assessment costs, the use of external security frameworks in pursuit of FedRAMP certification, and the future of the FedRAMP Certification process.
The first notice introduces the FedRAMP Public Notices page and its purpose.
Below is a breakdown of the rest of the notices released so far and what they mean for the industry.
Notice Two: Outcome from RFC-0019 Reporting Assessment Costs
Notice two shares the outcome of RFC-0019, which proposed requiring CSPs to publicly report FedRAMP assessment costs.
After reviewing industry feedback, the PMO decided not to move forward with the requirement. Many commenters noted that assessment costs vary widely depending on system complexity, architecture, and scope, making comparisons difficult and potentially misleading.
Notice Three: Notification of Planned FedRAMP Security Inbox Test
FedRAMP previously announced a testing window and confirmed that these tests will occur quarterly moving forward. The goal is to ensure CSPs have operational processes in place to monitor security notifications and respond appropriately.
The first test focused on ensuring CSPs are aware of and have satisfied FedRAMP Secure Configuration guide requirements.
Notice Four: Initial Outcome from RFC-0020 FedRAMP Authorization Designations
Notice four outlines important changes to FedRAMP terminology.
The previously proposed term “FedRAMP Validated” will be removed. Instead, the program will use a single designation: FedRAMP Certified.
FedRAMP is also moving away from numeric levels and introducing alphabet-based certification classes:
• Class A – Pilot certification
• Class B – Low / LI-SaaS
• Class C – Moderate
• Class D – High
This shift helps avoid confusion with other frameworks that also use numbered levels, such as DoD Impact Levels or CMMC maturity levels.
Notice Five: Initial Outcome from RFC-0021 Expanding the FedRAMP Marketplace
Notice five focuses on updates to the FedRAMP Marketplace.
One notable change is the removal of a previously proposed requirement for CSPs, advisors, and assessors to publish pricing information. Industry feedback indicated that this requirement would create challenges without delivering meaningful value.
The notice also clarifies that CSPs MAY pursue multiple certification pathways, such as both Rev. 5 and FedRAMP 20x, if it supports their compliance and business strategy.
Notice Six: Emergency Directive 26-03 Mitigate Vulnerabilities in Cisco SD-WAN Systems
Notice six documents a security directive related to Cisco SD-WAN devices.
Similar directives have been issued before. Moving forward, Emergency Directives will be included on the public notices page, creating a formal record of the communication.
Notice Seven: Initial Outcome from RFC-0022 Leveraging External Frameworks
Notice seven discusses leveraging external security frameworks to support FedRAMP certification pathways.
The PMO noted that the most frequently used framework in commercial environments is SOC 2 Type II, and FedRAMP plans to begin using it as a starting point for certain pilot certifications.
This approach will reduce barriers for CSPs entering the FedRAMP ecosystem by allowing organizations to leverage existing compliance work while progressing toward FedRAMP certification.
Notice Eight: Initial Outcomes from RFC-0023 Rev5 Program Certifications
Notice eight focuses on the Initial Outcomes from the comment period for RFC-0023.
FedRAMP Ready is still expected to be retired, with a target timeline in late July.
In its place, CSPs currently listed as FedRAMP Ready will have a path to transition to FedRAMP Certified Class A, which represents the pilot-level certification under the new class structure.
The notice also explains that the upcoming 2026 Consolidated Rules will provide the full implementation details for program certification and the retirement of FedRAMP Ready.
FedRAMP outlined a two-stage transition approach. During Stage 1, CSPs listed as FedRAMP Ready will be able to transition to Class A certification. During Stage 2, CSPs can pursue higher levels such as Class B (Low / LI-SaaS) or Class C (Moderate) through the program certification pathway.
To qualify, CSPs must demonstrate certain recent milestones, such as being listed as FedRAMP Ready or In Process, completing a readiness assessment, or completing a full security assessment within a defined timeframe.
Overall, the notice provides additional clarity on how the program certification model will help CSPs move forward without being stuck in the FedRAMP Ready stage.
Final Thoughts
FedRAMP Public Notices may seem like small updates, but they provide valuable insight into how the program is evolving under FedRAMP 20x.
For cloud service providers, advisors, and assessors, the notices page is becoming one of the best ways to stay informed about:
• policy updates
• RFC outcomes
• operational expectations
• evolving certification pathways
As FedRAMP continues modernizing, keeping an eye on these notices will help organizations stay ahead of upcoming changes.
Ready to lead the way in FedRAMP 20x compliance? Partner with InfusionPoints, your premier 20x advisor, to proactively navigate regulatory changes, unlock new opportunities, and accelerate your cloud authorization journey. Connect with us today to get expert answers, tailored guidance, and gain a competitive edge with FedRAMP.
Want a deeper breakdown of these updates and what they could mean for cloud providers and assessors?
Listen to the full discussion on the Behind the Shield podcast here: https://youtu.be/mKLEMaztnfw
