
On May 4, 2026, the FedRAMP PMO published the public preview of the Consolidated Rules 2026 (CR26) — the document the program has been pointing at for nearly two years. The 20x pilots wrapped. The first cohort of providers is live on the marketplace. The path-to-authorization that everyone has been calling "the future" finally has a written rulebook.
The bad news: if you have been waiting to plan your FedRAMP authorization until 20x "stabilizes," that wait is now your problem. CR26 closes its adoption window in late 2026 and locks for the next 2.5 years. Decisions you make in the next six months will set your compliance posture through 2029.
Here is what actually shipped, what is still vapor, and what cloud providers should do this quarter.
> WHAT ACTUALLY SHIPPED
The FedRAMP 20x program ran two pilots: a Low baseline cohort and a Moderate baseline cohort. Both completed. Authorized providers are live on the federal marketplace today.
FedRAMP 20x Pilot Outcomes
The Phase 2 Cohort 1 (announced December 11, 2025) named three providers that carried the moderate pilot into completion: Confluent Cloud for Government, Meridian LMS, and Paramify Cloud. Cohort 2, selected in early January 2026, added up to ten more participants.
What changed between Phase 1 and Phase 2 is not the certifications — it is the operating model. Phase 2 participants did not just submit packages. They submitted pilot proposals demonstrating their planned approach in advance, got time with PMO leadership to iterate, then ran an authorization that emphasized continuous validation over point-in-time evidence. That model is what CR26 codifies.
> CR26: THE NEW RULEBOOK
The Consolidated Rules 2026 is one document that does three things: finalizes the 20x rules for Low and Moderate baselines, updates the Rev 5 requirements that 20x inherits, and replaces several pieces of program scaffolding that the previous authorization model leaned on. The most consequential changes are operational, not control-level.

Maintaining multiple versions of System Security Plans manually is practically impossible.
Waterman's framing matters because it explains the entire program direction. The PMO is not asking CSPs to write better SSPs. It is asking CSPs to stop writing SSPs the way they have been writing them, period. CR26 is the architecture decision that follows from that judgment.
> KSI OR BUST
The Key Security Indicator concept is the part of CR26 most CSPs underestimate. A KSI is not a metric you report. It is a verifiable, machine-readable data point that proves a control was operating as designed at a specific moment, queryable on demand.

What a KSI Replaces
A traditional Rev 5 SSP describes how access reviews happen: who runs them, on what cadence, with what approval path. A KSI-driven artifact shows the most recent review's timestamp, the user population evaluated, the reviewers who acted, and the disposition of each entry — as structured data the PMO or an agency can ingest directly. The narrative does not disappear; it just stops being the primary evidence.
This shift is why the AI services that came through 20x exclusively did so. New providers building cloud-native control planes can emit KSIs as a side effect of how their systems already work. Legacy CSPs trying to retrofit narrative-based ConMon programs into a deterministic telemetry model face a real engineering investment.
CR26 is the first FedRAMP rulebook that assumes you have an API for your security posture, not just a Word document about it.
> WHAT IS STILL VAPOR
Two pieces of the 20x story have not landed. Either could change your authorization calculus between now and 2027.
Rev 5 itself is not going anywhere. It stays a valid authorization track in parallel with 20x for the foreseeable future. The PMO is hosting agency liaison meetings and road shows for both tracks. The question for any CSP is not "which one is alive" — both are — it is "which one fits our architecture, our customers, and the next five years of our roadmap."
> WHAT TO DO NOW
The CSPs that come out ahead of CR26 are not the ones who chase the newest path. They are the ones who decide which path matches their architecture, then build the telemetry to make either choice cheap to operate. The era where you could buy your way through FedRAMP with a documentation team is closing. The era where you ship your security posture as data is the one CR26 is writing into the rules. Pick a track and start instrumenting.
The Illumenati // Boutique GRC for the AI-First Era // illumen.io
> SOURCES
- [01]FedRAMP 20x Overview— FedRAMP.gov
- [02]FedRAMP Changelog— FedRAMP.gov
- [03]FedRAMP 20x Is Live. Now What?— FedTech Magazine
- [04]FedRAMP Kicks Off 20x Phase 2 Pilot With Cohort 1 Selection— ExecutiveGov
- [05]FedRAMP 20x Update & CR26: 5 Critical Takeaways for 2026 Compliance— Paramify
- [06]FedRAMP 20x: Here’s What We Know About the Goals, Timeline & Results to Date— Secureframe
- [07]FedRAMP 20x in 2026: What’s changed and what cloud providers should prepare for— CyberArrow
- [08]What New Changes Are Coming to FedRAMP in 2026?— Ignyte Platform


