FedRAMP Consolidated Rules for 2026
A fast, browsable reference for FedRAMP's 2026 ruleset — every requirement, definition, key security indicator, and control parameter, cross-linked and searchable.
Explore the datasets
FedRAMP's rules are split into four datasets, each with a three-letter prefix.
Requirements
249 rules · 17 families
The actual rules, grouped into topical families and split into subsets by who they apply to.
Key Security Indicators
46 indicators · 10 families
Outcome-based security objectives a provider must demonstrate, each mapped to NIST 800-53 controls.
Control Parameters
79 controls · 14 families
FedRAMP-specific parameter values and guidance applied on top of NIST SP 800-53 controls.
Definitions
75 definitions
Precise meanings for terms used across the rules. When a defined term appears in a rule, the definition is binding.
Requirement “force” keywords
Each requirement carries a force that tells you how binding it is (RFC 2119 style).
- MUST: Mandatory.
- MUST NOT: Prohibited.
- SHOULD: Strongly recommended; deviation needs justification.
- SHOULD NOT: Strongly discouraged.
- MAY: Optional / permitted.
Provider Certification Classes
Many rules vary by the provider's Certification Class. Class A is the lightest-touch tier and Class D the most rigorous.
- A: Lightest-touch, most automated tier.
- B: Increased rigor over Class A.
- C: Higher assurance obligations.
- D: Most rigorous tier.
Applicability dimensions
Subsets and rules are scoped along four axes.
Types
Authorization program: 20x (FedRAMP 20x) and/or Rev5 (Rev 5 baseline).
Paths
Program (FedRAMP-managed) and/or Agency (agency-sponsored).
Classes
Which Certification Classes (A–D) the rule reaches.
Affects
The responsible party (Provider, FedRAMP, Agencies, Assessor, etc.).