
From Authorized to Certified: Reading the CR26 Relabel for What It Is

A couple of weeks ago we wrote that 20x is permanent now and the Consolidated Rules for 2026 land at the end of June. That post was about the schedule — finalize end of June, effect July 1, valid through 2028. This one is about a smaller thing inside the same package that's easy to wave off as marketing and shouldn't be: the program is changing what it calls you.

When CR26 lands, "FedRAMP Authorized" — the phrase that's sat on vendor websites and contract language for a decade — gets retired. The single official label becomes "FedRAMP Certified." And the baselines you know as Low, Moderate, and High pick up new names too: Certification Classes A, B, C, and D.

The honest one-line summary is the one FedRAMP itself is leading with: same controls, same boundary, new label. That's true, and it's worth saying first so nobody panics. But "it's just a rename" is the kind of thing that's right at the program level and wrong at the operational level, and the gap between those two is where the work hides.

What's actually changing

NTC-0004 is the notice that spells it out. Two pieces:

The verb changes. FedRAMP authorizations become FedRAMP certifications. The notice grounds this in the FedRAMP Authorization Act itself, which defines a FedRAMP authorization as a certification — so the new label is arguably the program catching its language up to its own statute rather than inventing something. Notably, FedRAMP is not minting parallel labels like "FedRAMP Validated" for the different routes. There's one word — Certified — and the marketplace adds filters to show whether a given certification came through the 20x path or the Rev 5 path. One label, metadata to disambiguate.

The baselines get class names. Under Rev 5, the mapping is:

  • Class A — a new pilot baseline (new ground, not a rename of something you already hold)
  • Class B — today's LI-SaaS and Low baselines
  • Class C — today's Moderate baseline
  • Class D — today's High baseline

So a CSP that's "FedRAMP Moderate Authorized" today reads as "FedRAMP Certified, Class C" tomorrow. The control set underneath Class C is the Moderate control set you already know. Nothing about your boundary or your evidence requirements moves because the label did.

The part that's cosmetic, and the part that isn't

Here's the split worth holding in your head.

Cosmetic: your security posture, your control implementations, your continuous monitoring obligations, the shape of your boundary. None of that is touched by the relabel. If you were meeting Moderate yesterday, you meet Class C today, with the same evidence. Don't refactor anything because of a noun.

Not cosmetic: every place the old phrase is load-bearing in something a customer or a contract reads. That's a longer list than it looks:

  • Marketing and trust pages. "FedRAMP Authorized" appears on websites, one-pagers, and security portals. At some point the accurate phrase is "FedRAMP Certified," and the transition window is the time to get ahead of that rather than have a prospect's procurement team flag stale language.
  • Contract and proposal language. Anywhere a statement of work or a security addendum cites "FedRAMP Authorized at the Moderate level," there's now a more current way to say it — and a question of whether existing language still reads correctly during the transition.
  • Internal mappings and crosswalks. If you maintain a compliance matrix that crosswalks FedRAMP to SOC 2, ISO 27001, or your own controls, the baseline names in that matrix are about to be one vocabulary behind. The same goes for any tooling that keys on the string "Moderate."
  • Customer questionnaires. Your security team answers "are you FedRAMP Authorized?" dozens of times a year. The answer's substance doesn't change; the words do, and for a while both vocabularies will be in flight at once.

None of these is hard. All of them are the kind of thing that stays invisible until a deal surfaces it.

Why a relabel is a reasonable moment to look at your posture anyway

There's a temptation to file this under "do nothing, it's a rename," and for your controls that's the right call. But a vocabulary change that touches every customer-facing claim is a natural prompt to ask the question CR26 is really built around: not "what do we call our certification," but "can we produce the evidence behind it on demand?"

That's the thread connecting this back to everything else in the consolidated rules. CR26 is moving FedRAMP away from program-provided templates toward machine-readable, structured requirements — packages a machine can check rather than narratives a human has to read. In that world, the label on your certification matters far less than whether your posture is generatable: whether "we meet Class C" is a report you can produce from live evidence, or a claim you'd have to go assemble.

The teams who'll move through the relabel without friction are the same ones who'll move through the format change without friction — the ones already treating evidence as a standing output. The new noun is a good reminder to check that you're one of them.

Where this leaves you

Concretely, for the next few weeks:

  • Inventory where "FedRAMP Authorized" appears in anything external — site, contracts, questionnaires, crosswalks — and plan the swap to "FedRAMP Certified" plus the relevant Class. This is a content task, not an engineering one, but it has an owner and a deadline now.
  • Translate your baseline once, everywhere. Pick the moment to move from "Moderate" to "Class C" in your internal vocabulary so you're not maintaining two for longer than the transition requires.
  • Use the prompt for the real question. While you're touching every place the old label lives, confirm the evidence behind the claim is something you can generate — because that's the thing CR26 actually grades.

We built the Novaprospect audit suite on the bet that the label is the least interesting thing about a certification — that what matters is whether your environment maps cleanly to the catalog and produces its own evidence. The browsable Rev 5 + 20x KSI catalog at /fedramp/controls is the same set the engine evaluates against, and it doesn't care what the marketplace calls the result. Class C, Moderate, Authorized, Certified — underneath the noun, it's the same controls and the same question: can you show your work?
