FedRAMP Ready, Class A Certification, and Breaking Into the Federal Market


The updates and expansion of FedRAMP make a few things clear, the most significant of which is that government agencies are counting on cloud tools to help them do their work. But they also want certainty. The FedRAMP Ready designation was meant to bridge the gap between agencies seeking audited platforms and SaaS providers seeking authorization on a more realistic path. 

Now, with the Ready designation retiring in July 2026, it seems that the door may be closing. But the move from traditional ATOs to persistent validation opens it up again and makes it much more viable for these SaaS providers to enter the federal market. 

New Impact Designations and Class A “Readiness”

The FedRAMP “Ready” status was created to help cloud providers navigate the FedRAMP Rev5 process. As of July 2026, however, the program will move entirely to FedRAMP 20x, and CSPs with Ready status will be delisted from the marketplace by November 2026 at the latest.

As a result, the Ready designation is being phased out. Instead, the PMO is building new authorization paths that shorten audit times and provide a gentle on-ramp for SaaS providers entering the market. 

The most obvious of these pathways is Class A Certification, a pilot baseline that essentially replaces FedRAMP Ready. Organizations that have FedRAMP Ready status can convert into a Class A Certification or, if they do not meet the requirements, seek another path forward. 

That being said, there isn’t a massive shift in requirements between the Ready designation and Class A Certification. SaaS providers are expected to meet six federal mandates:

  • FIPS-Validated Encryption: Systems seeking Class A Certification must use FIPS 140-validated cryptographic modules. These modules must be used consistently wherever encryption, hashing, or key generation is required, including for data at rest and in transit.
  • Multi-Factor Authentication: Multi-factor authentication (MFA) solutions must use FIPS 140-validated encryption for the tools themselves, as required by NIST SP 800-63B. 
  • Common Access and PIV Support: The system must fully support user authentication using agency Common Access Cards (CACs) or Personal Identity Verification (PIV) credentials.
  • DNS Security Extensions: The system’s external authoritative and internal recursive DNS solutions must support DNS Security Extensions (DNSSEC) to provide origin authentication.
  • Vulnerability Remediation: CSPs must demonstrate the ability to remediate High vulnerabilities within 30 days, Moderate vulnerabilities within 90 days, and Low vulnerabilities within 180 days.
  • Authorization Boundary and Data Flow Documentation: Providers must produce two foundational artifacts that document data flow through their application and infrastructure: an Authorization Boundary Diagram and a Data Flow Diagram. Both diagrams must be precise enough that an assessor can independently verify each claim through live demonstration or documentation review.
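The remediation windows in the Vulnerability Remediation mandate can be checked mechanically against scanner output. The following is an added example, not part of the original article or any FedRAMP tooling; it assumes the clock starts on the detection date, and the finding ids and dates are constructed.

```python
from datetime import date, timedelta

# Remediation windows stated in the mandate above, in days.
# Assumption: the window is counted from the date the finding was detected.
SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}

def sla_status(finding, today):
    """Return (due_date, status) for one finding.

    status: 'met' (fixed in time), 'late' (fixed after the due date),
            'open' (unfixed, still inside the window), 'overdue'.
    """
    severity = finding["severity"].lower()
    if severity not in SLA_DAYS:
        # Fail loudly: an unmapped severity must not silently escape tracking.
        raise ValueError(f"unmapped severity: {finding['severity']!r}")
    due = finding["detected"] + timedelta(days=SLA_DAYS[severity])
    fixed = finding.get("remediated")
    if fixed is not None:
        return due, "met" if fixed <= due else "late"
    return due, "open" if today <= due else "overdue"

def sla_report(findings, today):
    """Return ({id: (due_date, status)}, sorted ids that breach the window)."""
    report = {f["id"]: sla_status(f, today) for f in findings}
    breaches = sorted(i for i, (_, s) in report.items() if s in ("late", "overdue"))
    return report, breaches

# Constructed sample findings (ids and dates are invented for this example).
FINDINGS = [
    {"id": "F-001", "severity": "High", "detected": date(2026, 1, 5),
     "remediated": date(2026, 2, 2)},
    {"id": "F-002", "severity": "High", "detected": date(2026, 1, 5),
     "remediated": date(2026, 2, 10)},
    {"id": "F-003", "severity": "Moderate", "detected": date(2026, 1, 5)},
    {"id": "F-004", "severity": "Low", "detected": date(2025, 8, 1)},
]

if __name__ == "__main__":
    report, breaches = sla_report(FINDINGS, today=date(2026, 3, 1))
    for fid, (due, status) in report.items():
        print(fid, due.isoformat(), status)
    print("SLA breaches:", breaches)
```

Findings fixed after the due date are reported separately from those still open, since both count against a demonstrated ability to remediate on time.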

Additionally, Class A Certification carries some operational requirements:

No POA&Ms

Engineering teams accustomed to the full authorization process, in which it is common to submit dozens of open POA&M items representing known but accepted risks, must recalibrate entirely. For Class A, every must-have control must be implemented, tested, and demonstrably operational. 

Shift to OSCAL

Historically, a FedRAMP authorization package was a massive collection of documents, spreadsheets, and PDFs. Reviewing these packages required human analysts to read and validate claims, a process that directly contributed to the 12- to 24-month authorization timelines.

FedRAMP is transitioning to machine-readable authorization packages built on Open Security Controls Assessment Language (OSCAL). OSCAL allows control implementation statements, assessment results, and system metadata to be expressed in structured formats (JSON, XML, YAML) that can be ingested, validated, and compared by automated tools.
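Because OSCAL is structured data, the "No POA&Ms" expectation above can be tested before submission instead of being discovered in review. The following is an added example, not part of the original article or FedRAMP's own tooling: it reads a constructed, heavily trimmed SSP fragment whose key names follow the OSCAL system-security-plan JSON model, and the `must_have` control list passed in is an illustrative assumption, not the official Class A baseline.

```python
import json

# Constructed, heavily trimmed SSP fragment. Key names follow the OSCAL
# system-security-plan JSON model; UUIDs and control choices are invented.
SSP_JSON = """
{"system-security-plan": {"control-implementation": {"implemented-requirements": [
  {"control-id": "sc-13",
   "by-components": [{"component-uuid": "11111111-0000-4000-8000-000000000001",
                      "implementation-status": {"state": "implemented"}}]},
  {"control-id": "ia-2.1",
   "statements": [{"statement-id": "ia-2.1_smt",
     "by-components": [{"component-uuid": "11111111-0000-4000-8000-000000000002",
                        "implementation-status": {"state": "planned"}}]}]},
  {"control-id": "sc-20", "by-components": []}
]}}}
"""

def iter_by_components(req):
    """Yield by-component entries at requirement level and statement level."""
    yield from req.get("by-components", [])
    for stmt in req.get("statements", []):
        yield from stmt.get("by-components", [])

def unimplemented_controls(ssp_doc, must_have):
    """Return {control-id: reason} for must-have controls not fully implemented."""
    impl = ssp_doc["system-security-plan"]["control-implementation"]
    by_id = {r["control-id"]: r for r in impl["implemented-requirements"]}
    problems = {}
    for cid in must_have:
        if cid not in by_id:
            problems[cid] = "no implemented-requirement entry"
            continue
        states = [c.get("implementation-status", {}).get("state")
                  for c in iter_by_components(by_id[cid])]
        if not states:
            # An entry with no component behind it is a claim without evidence.
            problems[cid] = "no component implementation recorded"
        elif any(s != "implemented" for s in states):
            problems[cid] = "state(s): " + ", ".join(sorted({str(s) for s in states}))
    return problems

if __name__ == "__main__":
    doc = json.loads(SSP_JSON)
    wanted = ["sc-13", "ia-2.1", "sc-20", "ra-5"]  # illustrative list (assumption)
    for cid, why in unimplemented_controls(doc, wanted).items():
        print(cid, "->", why)
```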


The Path to Class A Certification

For a well-prepared provider, Class A Certification can be achieved in three to six months. However, it takes a solid plan of attack to make that happen.

Step 1: Gap Analysis

Conduct a thorough assessment of the system’s current security posture and how it fits into the existing class/impact system. As with FedRAMP Ready, there isn’t a core set of controls to meet for compliance. Instead, the expectation is that the SaaS provider meet six federal mandates (listed above). 

Step 2: Technical Remediation

Execute against the remediation backlog, focusing on the must-have requirements to be evaluated. Priority items typically include:

  • Deploying FIPS 140-validated cryptographic modules for encryption at rest and in transit
  • Implementing FIPS-validated MFA for all privileged and user-level access
  • Establishing a continuous monitoring infrastructure, such as vulnerability scans and logging
  • Producing compliant Authorization Boundary and Data Flow Diagrams
  • Configuring automated evidence collection for control validation
  • Hardening system configurations against applicable DISA STIGs or CIS Benchmarks

Step 3: 3PAO Engagement

Engage an accredited Third-Party Assessment Organization to perform the Readiness Assessment. The 3PAO evaluation includes document review, technical testing, live demonstrations of control implementations, and, in some cases, site inspections of data center or operational facilities. 

Step 4: PMO Review and Marketplace Listing

Submit the completed Readiness Assessment Report (RAR) to the FedRAMP PMO for review. Upon acceptance, the provider receives the “Ready” designation and is listed in the FedRAMP Marketplace, visible to all federal agencies.

Beat the July 2026 Deadline and Achieve Ready Status with Lazarus Alliance

Don’t wait for a federal customer to ask if you’re FedRAMP-compliant. With the move to FedRAMP 20x, there’s plenty of room for SaaS providers, large and small, to seek certification and offer services in the federal space.  
