The General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP) opened job applications for its FedRAMP Cybersecurity Service (FRCS) and is offering the first look into its consolidated rules, which are set to release next month. 

In a blog post Monday, the program said interested applicants can apply via USAJOBS for the initial cohort of four lead cloud security engineers in FRCS. Applications will close after the program reaches 400 applicants or one after one week.  

In the coming weeks, the program said it will open applications for senior cloud security engineers, followed by cloud security engineers. 

FedRAMP announced FRCS last month and said it plans to hire 15 employees for two-year terms of service. Successful applicants will be hired as government employees – General Schedule (GS)-13 through GS-15 – and will undergo a standardized federal hiring process.  

Cohort participants will rotate between learning, performing FedRAMP certifications, supporting the FedRAMP experience, improving policy and guidance, helping agencies adopt cloud services, and training the next FRCS cohort. 

Meanwhile, the FedRAMP program said its finalized 2026 Consolidated Rules will be completed between now and the end of June. Those rules will standardize guidance and expectations through 2028.  

The consolidated rules will include program changes made to FedRAMP since March 2025, when the 20x initiative launched to revamp the cloud security program.  

Specifically, FedRAMP said the rules will spell out clear timelines and requirements for updating existing Rev. 5 authorizations in an aim to eliminate disruptive, last-minute changes and give cloud providers greater planning certainty. They will also define the path to general availability for FedRAMP 20x following early pilot phases.  

The consolidated rules reflect a major shift in how guidance is written and delivered. FedRAMP said the new framework emphasizes plain-language, directive-style requirements, and clear, actionable statements that leave implementation details to providers where appropriate. 

In addition, FedRAMP said it is moving away from government-issued templates for Rev. 5, replacing them with machine-readable, structured requirements for all required artifacts, paired with human-readable summaries.  

“This is the first big step encouraging providers to maintain security decision records and related artifacts using systems designed to integrate information from external sources of truth,” FedRAMP said. 

While FedRAMP is placing an emphasis on clarity, the program noted it will still include narrative context where needed.  

“It turns out some information is just best conveyed via narrative, like the information you’re reading right now,” FedRAMP said. “Interspersed in the rules you’ll also find theory, exposition, explanation, and other support. Instead of confusing conversations … all of this content will be mostly fixed in time for a steady period so we’re all talking about the same stuff.” 

The program said it is releasing a public preview of the consolidated rules on GitHub to give industry a real-time look at evolving content as it is finalized – though it noted that the final set of rules “will be changing at a bonkers pace.” 

Read More About
CIO Briefing Room
FedRAMP
Recent
More Topics

Categories

About
Weslan Hansen
Weslan Hansen is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.
Tags