Will there be Rev5 Class D Program sponsorship?
No, only agency sponsorship.
When can a provider submit for Class A?
August 3rd, 2026
What certification can I convert my FR Ready / RAR to?
Rev5 Class B or C OR 20x Class A
Are providers required to have a Marketplace listing before submitting package materials?
Yes, all Class types must be listed on Marketplace first.
As an agency, can I sponsor a Class A certification?
No. Class A is only for 20x, which is program sponsorship only.
As an advisory service or independent assessor, can I apply for a FR certification for my client on their behalf?
No, see FRC-APP-NTP
When can I submit for a 20x Class D?
Not available yet, but will be piloting in Phase 4, which is currently scheduled for FY27 Q1 - FY27 Q2
Can I use a FR Moderate Equivalency Audit for a Class C?
No, only a SOC 2 Type II, GovRAMP or FR Rev5 are approved alternative security frameworks.
What template should I use to document POA&Ms for VDR?
None! No POA&M with VDR
Can FR approve access to a 20x package?
Talk to the CSP for access instructions and approval
I am not planning on selling to an agency, can I still get a FR Certification?
Yes, IF you fall under the indirect use category where you will be a third-party information resource for other cloud providers.
Who will be going on an epic motorcycle voyage, when and for how long?
We all know who! :D This weekend and for 3 wks
Can I use an ISO 27001 for FR?
No, only a SOC 2 Type II, GovRAMP or FR Rev5 are approved alternative security frameworks.
What replaces the System Security Plan & Appendices, for all certification types?
Certification Package Overview and Security Decision Record (SDR)
If a CSP lost their agency sponsor will FR help?
Yes, limited time Class B or C if CSP was listed on Marketplace but was removed or completed full assessment with SAP/SAR between January 2025 and March 2026
Does my Trust Center need to be a FR Certified service?
No. This is YOUR data, so long as you are not storing Federal Information in this location.
When are CR26 Rules required to be implemented by existing providers?
January 1st, 2027
Is a Class A certification package required to be independently verified and validated by an assessor before submission?
No, they may, but it is not required.
What effectively replaces the SAP and SAR, in all certification types?
Certification Package Overview and Security Decision Record (SDR)
Is a Class A Certification Sufficient for use in a production environment at my agency?
That is up to you, the agency!
What happens if an existing service does not adopt the VDR \ VER by the mandatory date?
Providers will be under a CAP and allowed a grace period until March 7, 2027. After that, they will be removed from the Marketplace.
Until when do CR26 rules apply?
Jan 1 2028
What FR certification is equivalent to CMMC for DOW?
None
What data is not certification data?
Federal customer data is not certification data - It's produced by the CSP for its own purposes. That includes legacy vuln scans and POA&Ms etc., those are all owned by the CSP.
Does FR monitor agencies and compliance with the law and policy?
No. OMB, Inspectors General, and the Government Accountability Office have this role/responsibility.