BLOG
July 6, 2026
decorative
Travis Good

FedRAMP Class A: How SOC 2 Holders Can Enter the Federal Market

Everything you need to know about FedRAMP Class A, a new designation introduced under FedRAMP 20x to help get more businesses into the FedRAMP marketplace.

The federal market has always been difficult to break into, especially for modern SAAS and cloud-native companies. Traditional FedRAMP Rev5 authorization required an agency sponsor to open the door, then a 12-18 month timeline as you prepared for authorization, and often $500k-1m+ in costs. 

Now, things are changing. Starting August 3, 2026, FedRAMP's new Class A certification lets you list in the federal Marketplace using a SOC 2 Type II, without an agency sponsor. The catch? Class A is an on-ramp, not a destination. Once you’re through the door with Class A, you have two years to reach a full Class B, C, or D certification in order to stay in the marketplace. 

What Is FedRAMP Class A?

FedRAMP Class A is a new entry-level FedRAMP certification that lets a cloud service provider get listed in the federal Marketplace by leveraging an existing commercial security certification, with no agency sponsor required.

Class A is the lowest of four FedRAMP certification classes (A, B, C, and D) introduced in the FedRAMP Consolidated Rules for 2026 (CR26). CR26’s lettered classes will replace the old Low, Moderate, and High labels, which caused some confusion with the Department of War’s similarly named impact levels. The swap isn’t one-to-one though, Class A is a new designation, with Class B, C, and D aligning to the old Low, Moderate, and High baselines.

Instead of requiring an agency sponsor, which previously locked many startups and cloud service providers (CSPs) from entering the federal marketplace, Class A is available through Program Certification via the FedRAMP Program Management Office (PMO).

A Class A listing places your organization in the Preparation phase of the marketplace. At this phase, an agency can adopt your technology or service offering for a low-risk pilot. However, higher security systems and projects will still require a full Class B, C, or D authorization. At Class A, a federal agency could also require you to meet additional requirements and implement further controls. 

When Can You Apply for FedRAMP Class A?

The FedRAMP Class A pipeline opens on August 3, 2026. And if you already hold a current SOC 2 Type II, you can get in the queue for Class A as soon as the pipeline opens on August 3, 2026. 

Here are the key dates you need to know:

Date What happens
June 25, 2026 FedRAMP publishes the Consolidated Rules for 2026 (CR26)
July 1, 2026 CR26 takes effect; transition to the new certification model begins
July 6, 2026 Marketplace listings open for initial-implementation providers
July 28, 2026 FedRAMP Ready becomes “Legacy FedRAMP Ready”; no new FedRAMP Ready submissions
August 3, 2026 The Class A pipeline opens for submissions
August 31, 2026 The Class B and Class C pipelines open
January 1, 2027 CR26 becomes mandatory program-wide; existing Rev. 5 certifications must align
June 11, 2027 Last day to apply for a new Rev. 5 certification

Why FedRAMP Opened a SOC 2 On-Ramp

FedRAMP is keen to open the door to more innovative, cloud-native businesses that the Rev5 authorization path locked out.

By opening up Class A to organizations holding a valid SOC 2 Type II report, and removing the need for an agency sponsor, it gives most commercial CSPs a route into the marketplace.

The path was first discussed in the Office of Management and Budget memo M-24-15, which directed FedRAMP to expand the Marketplace and add new authorization paths. RFC-0022 proposed leveraging external commercial frameworks to do it, and the Initial Outcome in NTC-0007 narrowed the launch to SOC 2 Type II.

The reason FedRAMP started with SOC 2 is practical and indicative. It's something that most commercial CSPs that sell into the enterprise already have in place and it's also the framework agencies lean on most when they evaluate a commercial product for a low-risk pilot. It also shows FedRAMP's motivation to appeal to commercial CSPs.

Who Qualifies for FedRAMP Class A?

A CSP will qualify for Class A with a recognized commercial security certification completed within the last 12 months. The eligible frameworks under rule FRC-CLA-ASF are:

  • SOC 2 Type II
  • GovRAMP at any historical impact level
  • An existing FedRAMP Rev. 5 or FedRAMP Ready assessment at any historical impact level

For most companies reading this, that means a current SOC 2 Type II.

These accepted certifications are what FedRAMP calls Approved Alternative Security Frameworks.

Approved Alternative Security Framework (AASF) A recognized commercial certification that FedRAMP will accept as a starting foundation for Class A, used alongside FedRAMP-specific requirements rather than in place of them.

ISO 27001, HITRUST, StateRAMP, and CMMC Level 2 were all proposed in the original RFC and may be added later based on demand and FedRAMP's review capacity, but they will not be usable for a Class A submission from August 3, 2026.

What Carries Over From Your SOC 2?

A SOC 2 Type II report gets you to the starting but Class A layers in some additional  FedRAMP-specific requirements on top of your existing certification. 

FedRAMP's evidence rule for Class A, FRC-CLA-EAM, requires you to submit your complete SOC 2 report and audit-engagement documentation as part of the certification package. The security policies and procedures across access control, change management, encryption, incident response, and vendor management also crossover for Class A.

What Your SOC 2 Doesn't Cover for Class A

Alongside your SOC 2, Type II report, CSPs will also need to meet 25 mandatory FedRAMP rules to achieve a Class A certification. The required rules span incident reporting, vulnerability detection, and a set of FedRAMP 20x Key Security Indicators (KSIs) covering change management, identity and access management, and incident response. All must-have controls will need to be implemented, tested, and validated in order to achieve Class A. 

CSPs may also need to provide additional documentation and more granular evidence that the SOC 2 Type II audit typically produces and the KSIs will require you to build a system that delivers continuous evidence, something that again goes above what's needed to achieve SOC 2.

In short, a SOC 2 Type II report can make your organization eligible for the Class A path, but it doesn’t get you across the finish line without additional work. 

How Do You Get a FedRAMP Class A Certification?

The path to Class is relatively short compared to traditional Rev5 authorization or FedRAMP 20x authorization at Class B (Low), C (Moderate), or D (High). But it'll still require a good amount of work and effort.

  1. Confirm your eligibility: Verify you hold a qualifying AASF certification. This will be SOC 2 Type II for most organizations.
  2. Assemble your evidence package: Rule FRC-CLA-EAM requires your complete SOC 2 report, a bridge or gap letter if applicable, verified audit engagement documentation, and the estimated schedule for your upcoming report. B
  3. Implement the mandatory FedRAMP rules: Stand up and test the roughly 25 mandatory rules under FRC-CLA-MFR, which include the relevant FedRAMP 20x KSIs.
  4. Submit through Program Certification: Apply directly to the FedRAMP PMO.
  5. Get listed and start the clock: Once accepted, your offering appears in the Marketplace Preparation phase, and your two-year window to reach a full certification begins.

When Class A Makes Sense (and When It Doesn't)

Class A gets you in the door. From there you have two years from your Class A certification to reach a full Class B, C, or D certification. So Class A  buys you access to the FedRAMP marketplace. But it doesn’t enable you to skip any of the work required to achieve Class B, C, or D authorization. 

The Preparation-phase listing places your business in the FedRAMP marketplace, alongside organizations that already hold Class B (Low), C (Moderate, and D (High) authorizations which at the very least can be good for branding and getting your name in front of decision-makers at federal agencies. However, each agency will have its own acceptance process. Some will be happy to run low-risk pilots with Class A providers, while others will prefer fully certified (Class B, C, or D) partners for any contracts.

Class A makes sense if you hold a current SOC 2 Type II and you’re planning to expand into the federal market through FedRAMP 20x. Class A is a good way to start building your name and getting in front of federal buyers while you progress towards Class B or C authorization. 

Go straight for a full certification if you are already chasing large contracts that demand Class B (Low) or C (Moderate) authorization.

Ready to Discuss Class A?

The federal market is opening up to more startups and CSPs. Class A offers an entry point for any business with a valid SOC 2 Type II report, but it’s the first step in the journey to winning government contracts. 

If you’re weighing up this path, the best next step is to map your current security posture against the Class A requirements so you know where you stand and how much work may be involved in achieving authorization and entry into the FedRAMP Preparation phase marketplace. 

At Workstreet, we work directly with organizations looking to move from commercial into government and federal work. Our team manages SOC 2, ISO 27001, and 20+ frameworks for clients including FedRAMP, GovRAMP and CMMC. If you’d like to see where you stand and how much work would be involved in meeting the Class A standards and implementing the required KSIs, connect with our team here — we’d be happy to assist you.

Turn compliance into a growth engine: Workstreet delivers full-stack solutions that transform security and compliance into growth accelerators. Talk to an expert →
Build trust, accelerate growth.
Workstreet offers Al-first security solutions that help high growth technology companies get compliant, scale securely, and close bigger deals.
Get started
Ready to Transform Security into a Growth Advantage
Schedule a consultation with our trust solutions experts to see how we can accelerate your security program and compliance journey.
Talk to an engineer
Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.