NTC-0009: FedRAMP's Machine-Readable Future Just Got Real (and More Reasonable)
FedRAMP dropped NTC-0009 on March 25, 2026, the initial outcome from RFC-0024 on machine-readable authorization packages for Rev5. If you’re a cloud service provider with a FedRAMP authorization, pursuing one, or advising companies through the process, this notice reshapes how you’ll manage your security documentation for the foreseeable future.
This post breaks down what NTC-0009 says, how it differs from the original RFC-0024 proposal, and what it means practically for CSPs, 3PAOs, and agencies. If you haven’t been tracking the RFC process closely, this should get you up to speed.
The Backstory: What RFC-0024 Proposed
Back in January 2026, FedRAMP published RFC-0024 as part of a batch of six RFCs (0019 through 0024) aimed at modernizing the Rev5 authorization process. RFC-0024 was the most operationally impactful of the set.
The core proposal: every Rev5 certified cloud service would need to produce machine-readable authorization packages in a structured format like OSCAL, replacing the Word documents and Excel spreadsheets that have been the backbone of FedRAMP documentation for over a decade.
The original timelines were aggressive:
- April 15, 2026: FedRAMP would publish the list of approved machine-readable formats and begin accepting machine-readable submissions.
- September 30, 2026: All new submissions for initial FedRAMP certification had to be in machine-readable format. No exceptions, no grace period. Existing certified services would need to submit a full machine-readable package at their next annual assessment.
- September 30, 2027: Any service that hadn’t converted to machine-readable format would lose its FedRAMP certification entirely.
On top of that, RFC-0024 proposed that CSPs update their machine-readable package within 30 days of completing any significant change. For providers shipping frequently, that would have been a relentless documentation treadmill.
The RFC also introduced some important concepts: deterministic telemetry (machine-generated evidence from actual systems rather than human-written narratives), per-service data separation within authorization packages, and marketplace prioritization for providers who adopted machine-readable formats early.
The community responded with a significant volume of public comments. The consensus: the direction was right, but the pace was unsustainable for the existing Rev5 ecosystem.
What NTC-0009 Actually Says
FedRAMP listened. NTC-0009 walks back the most aggressive parts of RFC-0024 while holding firm on the long-term direction. The result is a tiered, longer-runway approach that gives providers more time and a clearer path.
Here’s what changed.
Tiered Requirements by Certification Class
The biggest structural shift: machine-readable requirements are now tiered by the new certification classes introduced in NTC-0004.
Class D (High) is the only tier that requires comprehensive machine-readable authorization data. These providers must maintain per-service authorization materials and integrate significant changes into their package twice per year (once during annual assessment, once at the midpoint between annual assessments). That’s a major concession from the original 30-day rolling update requirement.
Classes A (Pilot), B (Low), and C (Moderate) get a lighter lift. Some machine-readable data is required, but the bulk of the authorization package can remain in a semi-structured text format. The key change for these tiers: DOCX and XLSX are being retired as acceptable formats. Providers will need to move to simple text-based equivalents.
This tiering makes sense. High environments are typically larger, better resourced, and already have more sophisticated tooling. Asking a small SaaS company with a Moderate authorization to stand up a full OSCAL pipeline on the same timeline as AWS GovCloud was always going to be a problem.
Five Balance Improvement Releases Become Mandatory
This is the piece that impacts every Rev5 provider regardless of certification class. Five processes that originated from the FedRAMP 20x modernization effort are being folded into default Rev5 requirements:
- Minimum Assessment Scope replaces the traditional authorization boundary approach. Providers get flexibility to present their information resources across multiple levels of abstraction and grouping in a way that accounts for continuous change. This also eliminates the requirement for traditional diagrams and illustrations entirely (more on that below).
- Significant Change Notifications (SCN) replaces the legacy Significant Change Request (SCR) process. This is a philosophical shift from a pull-based approval model (submit an SCR, wait for the AO to approve) to a push-based notification model (categorize the change, notify stakeholders, document it). CSPs take ownership of categorizing changes as routine recurring, adaptive, transformative, or impact categorization changes (when the security categorization of a service within the offering changes).
- Collaborative Continuous Monitoring replaces part of the traditional monthly ConMon reporting approach. The details will be in CR26, but the direction is toward a more interactive, less paperwork-heavy model for ongoing monitoring.
- Vulnerability Detection and Response (VDR) replaces the traditional vulnerability scanning and POA&M workflow. Instead of the scan-report-remediate-track cycle that often becomes a compliance checkbox exercise, VDR pushes toward continuous detection and response with machine-readable reporting.
- Authorization Data Sharing replaces the FedRAMP Secure Repository model. This is where providers will share their authorization materials going forward. Connect.gov is being retired. If your ConMon workflows, repository uploads, or package submissions depend on Connect.gov, start planning your transition now. NTC-0009 also signals where this is heading long-term: the notice mentions integration into “FedRAMP compatible trust centers” to ensure agencies can eventually consume authorization data via API. Instead of downloading packages from a repository, agencies would pull structured security data directly from provider trust centers through standardized interfaces.
Each of these Balance Improvement Releases will receive minor adjustments as they’re finalized for the Consolidated Rules for 2026 (CR26), but the direction is set.
Diagrams and Illustrations No Longer Required
This one is bigger than it might seem at first glance. NTC-0009 states that after the transition to Minimum Assessment Scope, FedRAMP will not require diagrams or illustrations at all. That’s not just killing the monolithic authorization boundary diagram. It’s eliminating the requirement for diagrams entirely.
If you’ve ever spent weeks maintaining a Visio diagram that tries to show every EC2 instance, every VPC peering connection, every S3 bucket, and every data flow in a single view, you know why this matters. Those diagrams were often inaccurate by the time they were finished and nearly impossible to maintain as environments changed.
Under the new model, providers have flexibility to present the structure of their information resources across multiple levels of abstraction and grouping in whatever way makes the most sense for their particular service. That could include diagrams if you find them useful for your customers, but it doesn’t have to. The point is that the information needs to be complete and account for continuous change, and the format is up to you.
Deterministic Telemetry: Encouraged, Not Mandated
RFC-0024 introduced the concept of deterministic telemetry, meaning machine-generated evidence collected directly from authoritative sources (your actual infrastructure, configurations, and security tools) rather than human-written narratives or AI-generated text.
NTC-0009 strongly encourages Class C (Moderate) and Class D (High) providers to use deterministic telemetry where feasible, with a focus on Minimum Assessment Scope, Significant Change Notifications, and Vulnerability Detection and Response. But it’s not a hard requirement yet.
Worth noting: RFC-0024’s definitions section explicitly states that generative AI outputs (probabilistic inferences and generative transformer model outputs) do not qualify as deterministic telemetry. If you’re thinking about using Claude or GPT to auto-generate your control implementation statements, that’s considered probabilistic output, not a factual record of system state. NTC-0009 doesn’t restate this exclusion, but since it carries the deterministic telemetry concept forward, expect the distinction to hold in CR26.
The practical implication: RFC-0024 proposed that providers using deterministic telemetry would receive marketplace prioritization and additional FedRAMP support. NTC-0009 says all proposed requirements will be “modified” in the Consolidated Rules, with many carrying forward “in the same spirit.” Whether the specific marketplace ranking incentive survives into CR26 isn’t confirmed, but the directional signal is clear: providers who can demonstrate security posture through actual system data rather than manual narratives will be better positioned as the program evolves.
Human-Readable Materials Still Required
Machine-readable is the source of truth going forward, but CSPs must still produce human-readable versions of all materials when requested by FedRAMP or an agency. The expectation is that these human-readable versions are generated from the machine-readable source rather than maintained separately.
FedRAMP is also giving providers flexibility in how they present human-readable materials. As long as the underlying machine-readable data is consistent, providers can optimize the customer experience of their human-readable documentation without penalty. This is a nod to the reality that a well-designed trust center or customer-facing security portal is more useful to agencies than a 400-page Word document.
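To make the "generate, don't maintain separately" pattern concrete, here is an added example (not code from FedRAMP, NTC-0009, or any OSCAL tooling) that renders a human-readable summary from a constructed machine-readable package fragment and checks that a given document was derived from the exact source it claims. The package shape, the field names, and the control entries are illustrative assumptions, not the OSCAL schema or FedRAMP's required format.

```python
import hashlib
import json

# Constructed sample of a machine-readable package fragment. Illustrative
# shape only; it is not OSCAL and not a FedRAMP-mandated structure.
PACKAGE = {
    "service": "example-saas",
    "controls": [
        {"id": "AC-2", "statement": "Accounts are provisioned via SSO group sync.",
         "evidence": [{"source": "idp-api", "collected_at": "2026-03-20T10:00:00Z",
                       "summary": "412 accounts, 0 orphaned"}]},
        {"id": "SI-2", "statement": "Patches are applied within 30 days.",
         "evidence": []},
    ],
}

def package_digest(pkg: dict) -> str:
    """Stable digest of the machine-readable source (canonical JSON)."""
    canonical = json.dumps(pkg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def render_markdown(pkg: dict) -> str:
    """Derive the human-readable view from the structured source only."""
    lines = [f"# Control Implementation Summary: {pkg['service']}", "",
             f"Generated from package digest `{package_digest(pkg)}`", ""]
    for ctl in pkg["controls"]:
        lines.append(f"## {ctl['id']}")
        lines.append(ctl["statement"])
        if ctl["evidence"]:
            lines.append("Evidence:")
            for ev in ctl["evidence"]:
                lines.append(f"- {ev['summary']} (source: {ev['source']}, "
                             f"collected {ev['collected_at']})")
        else:
            lines.append("Evidence: none recorded")
        lines.append("")
    return "\n".join(lines)

def controls_without_evidence(pkg: dict) -> list:
    """Controls whose narrative is not backed by machine-collected evidence."""
    return [c["id"] for c in pkg["controls"] if not c["evidence"]]

def rendered_matches_source(doc: str, pkg: dict) -> bool:
    """True only if the document carries this source's digest and every control."""
    return f"`{package_digest(pkg)}`" in doc and all(
        f"## {c['id']}" in doc for c in pkg["controls"])
```

Embedding the source digest in the rendered output is what lets a reviewer tell a stale or hand-edited human-readable document apart from one generated from the current machine-readable package.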
FedRAMP Will Not Build Tooling
This is worth calling out explicitly. FedRAMP states clearly that they will not produce, manage, or operate services or software to help CSPs produce machine-readable materials. They cite government restrictions, budget constraints (building in-house tooling would require a 3-5x budget increase), and the belief that industry-led innovation will produce better outcomes.
Instead, FedRAMP is establishing informal partnerships with non-profit organizations that support open-source or public domain capabilities. The OSCAL Foundation is called out as an established partner.
At minimum, partner organizations are expected to produce and maintain templates and materials aligned with FedRAMP requirements and help providers transition from legacy manual documentation. FedRAMP sets the requirements and validates the materials; industry builds the tools.
This is a meaningful market signal. If you’re a GRC vendor, compliance automation platform, or OSCAL tooling provider, FedRAMP just told you the door is wide open.
The Timelines
All timelines below are from NTC-0009 and may shift slightly in the final CR26 release. FedRAMP committed that none of these dates will move forward (i.e., they won’t get earlier).
For Existing FedRAMP Certified Services
| Deadline | What Happens |
|---|---|
| January 1, 2027 | Mandatory adoption of Significant Change Notifications and Minimum Assessment Scope (MAS at next annual assessment) |
| April 2, 2027 | Mandatory adoption of Collaborative Continuous Monitoring |
| June 1, 2027 | Mandatory adoption of Vulnerability Detection and Response |
| August 1, 2027 | Mandatory adoption of Authorization Data Sharing; Connect.gov retired |
| November 1, 2027 | Class A/B/C must provide semi-structured text packages at next annual assessment. Class D must provide comprehensive machine-readable packages at next annual assessment. |
Progressive corrective action for non-compliance is applied quarterly.
For New FedRAMP Certifications
| Deadline | What Happens |
|---|---|
| January 1, 2027 | New Class A/B/C submissions must use semi-structured text and adopt all five Balance Improvement Releases |
| May 1, 2027 | New Class D (High) submissions must use comprehensive machine-readable format and adopt all five Balance Improvement Releases |
Both have grace periods for services already In Process with an agency before October 1, 2026.
The Competitive Pressure Underneath All of This
NTC-0009 makes the strategic context explicit in a way that previous FedRAMP communications haven’t. The notice acknowledges the 500+ cloud services that have invested in FedRAMP Rev5 certifications and states that FedRAMP cannot allow them to stagnate while 20x-certified services provide superior continuous assurance. But the solution isn’t to shelter Rev5 providers from competition. It’s to bring them forward.
FedRAMP 20x certifications will include machine-readable data across the entire authorization package from day one. Every 20x package will have structured, automation-ready data covering initial security materials, ongoing authorization reports, significant change data, and vulnerability information. FedRAMP anticipates what they call “an explosion in adoption of automation capabilities government-wide” as agencies get access to this data.
This isn’t subtle. FedRAMP is telling the Rev5 ecosystem: modernize or get left behind. The extended timelines are a concession to operational reality, not a signal that the direction is negotiable.
What This Means Practically
If you’re a Rev5 Moderate CSP: Your immediate action items are understanding the five Balance Improvement Releases and planning your documentation migration off DOCX/XLSX. You have until January 2027 for SCN and MAS adoption, with the full semi-structured text package due at your next annual assessment after November 2027. That feels far away, but if your annual assessment falls in December 2027, you’re looking at under two years from today to retool your documentation workflow.
If you’re a Rev5 High CSP: Same as above, plus you need to plan for comprehensive machine-readable package production. Start evaluating OSCAL tooling and other structured format options now. The twice-per-year package update cadence (annual assessment plus midpoint) is more manageable than the original 30-day proposal, but it still requires a fundamentally different approach to documentation management than what most High providers are doing today.
If you’re pursuing a new Rev5 certification: If your package won’t land until after January 2027 (for Moderate) or May 2027 (for High), build to the new requirements from the start. Don’t invest in legacy DOCX/XLSX templates and the old SCR process only to migrate later.
If you’re a 3PAO: The assessment model is changing underneath you. MAS, SCN, VDR, and the rest will alter what you’re assessing and how. Start building familiarity with machine-readable formats and the Balance Improvement Releases so you can advise clients effectively.
If you’re an agency AO: The shift from SCR to SCN changes your role from gatekeeper to informed consumer. Authorization Data Sharing will change how you receive and interact with provider security data. Connect.gov retirement means your existing workflows need updating.
Looking Ahead
The full details land in the Consolidated Rules for 2026 (CR26), expected by end of June 2026. CR26 will be valid through December 31, 2028, giving the ecosystem a stable two-and-a-half-year runway to operate under a known set of rules.
Between now and CR26, the play is straightforward: read the Balance Improvement Releases, understand how they map to your current processes, and start planning. The direction is locked in. The only question is how smoothly you make the transition.
The full notice is here: https://www.fedramp.gov/notices/0009/
Mario Lunato is the Field CISO at Knox Systems and writes about FedRAMP, cloud security, and GRC engineering at OneUpSec.tech.