FedRAMP RFC-0023 and the New Sponsorless Rev5 Certification Path

What It Means for Federal Cloud Security and CSP Strategy
By Christopher Wallace

On January 13, 2026, the FedRAMP Program Management Office (PMO) published RFC-0023: Rev5 Program Certifications (No Sponsor Required) as part of a coordinated set of modernization proposals under the FedRAMP Authorization Act and the ongoing FedRAMP 20x initiative. This Request for Comment (RFC) marks a pivotal shift in how cloud service offerings (CSOs) can achieve FedRAMP authorization — particularly by providing an alternative to the traditional agency sponsorship model.


Background: Modernizing FedRAMP Authorization

FedRAMP has long provided a standardized framework for security assessment, authorization, and continuous monitoring of cloud services used by federal agencies. Traditionally, a FedRAMP Agency Authorization required a sponsoring federal agency to initiate and support the authorization process. Because agency bandwidth and budget are limited, many high-quality cloud service providers (CSPs) found it difficult to progress.

Against this backdrop, the FedRAMP PMO has launched a multi-RFC modernization effort that aims to reduce friction, better align with statutory requirements (like OMB M-24-15), and introduce automation and clarity into the process. RFC-0023 is one of six new RFCs published to solicit public comment on targeted improvements.


What RFC-0023 Proposes

❖ A Sponsorless Path to Rev5 Certification

Traditionally, CSPs needed an agency sponsor for FedRAMP Rev5 authorization — a significant hurdle that delayed or stalled many projects. RFC-0023 introduces a time-limited opportunity for CSPs to obtain a FedRAMP Certification at Level 1-4 without a sponsoring agency. The key components include:

  • CSPs must have made significant progress toward a FedRAMP Rev5 Certification.

  • CSPs must adopt selected optional Rev5 Balance Improvement Releases, designed to streamline and improve efficiency.

  • CSPs must undergo a complete independent assessment under the new criteria.

  • The FedRAMP Ready status — a preliminary step that historically signaled readiness to pursue authorization — will be phased out in favor of this new path.

This sponsorless path seeks to remove bottlenecks while preserving security rigor, offering a more achievable pathway for providers previously stalled due to lack of agency engagement.


❖ Timeline and Phase-Out of FedRAMP Ready

One of the most consequential aspects of RFC-0023 is the planned phase-out of FedRAMP Ready — a status historically used to indicate that a CSP was prepared to pursue full authorization. Under the new proposal:

  • FedRAMP Ready becomes a transitional construct rather than a program milestone.

  • CSPs meeting the criteria under the sponsorless Rev5 path may bypass this step entirely.

  • This change aligns with broader efforts to simplify and accelerate FedRAMP pathways while maintaining security assurance.

By transitioning away from FedRAMP Ready, FedRAMP aims to reduce redundant effort and focus CSP energy on achieving full certification through more efficient means.