In January 2026, FedRAMP quietly released six Requests for Comment that, taken together, represent the most significant restructuring of federal cloud security authorization in the program's history. Two of them — RFC-0017 and RFC-0024 — are directly relevant to anyone thinking seriously about vendor risk.
Not because they change FedRAMP's scope. Because they validate a thesis that VCRI has been built on from the beginning: point-in-time, self-reported vendor security data is structurally insufficient, and the future is continuous, machine-readable posture signals.
The federal government just said so in regulatory language, with a compliance deadline.
What FedRAMP Just Changed
RFC-0024 is a proposed rule — but the direction of travel is clear, and the industry is treating it as directionally final: cloud service providers would be required to produce machine-readable authorization packages — structured, OSCAL-formatted data that computer systems can ingest and process automatically — by September 30, 2026. New providers from that date; existing providers at their next annual assessment thereafter. Providers who don't comply by September 30, 2027 would lose FedRAMP certification entirely.
RFC-0017 goes further. For FedRAMP 20x — the next-generation authorization model — it proposes replacing annual point-in-time assessments with persistent validation: continuous, automated checking of security controls, with validation cycles as frequent as every 72 hours for machine-based systems. Third-party assessors (3PAOs) would no longer audit snapshot outputs. They'd audit the processes — the code, the pipelines, the automation — that produce continuous posture signals.
Together, these two RFCs describe a world where cloud vendor security posture is no longer a PDF filed once a year. It's a continuous stream of structured, machine-readable data.
Why This Is the Data VCRI Was Built to Use
The core VCRI thesis is that vendor security posture should be independently assessed from objective, normalized data sources — not derived from questionnaires vendors fill out themselves.
That thesis has always faced a practical objection: where does the independent data come from? How do you normalize posture across thousands of vendors with different frameworks, different certification schemes, different tool stacks?
RFC-0024 answers part of that question for the federal supply chain. By mandating OSCAL-formatted authorization packages, FedRAMP is creating a standardized, machine-readable posture data stream for every cloud provider seeking federal authorization. Structured. Normalized. Independently produced (by 3PAOs) rather than self-reported.
That's exactly the kind of data VCRI is built to ingest, score against the CMMI maturity framework, and make available to the organizations responsible for vendor risk decisions. The CAM matrix maps vendor posture across six TIPPSS dimensions and five CMMI maturity levels. OSCAL-formatted FedRAMP packages map directly into that schema.
The Questionnaire Is Not the Assessment
A vendor filling out a security questionnaire has every incentive to present the most favorable picture of their posture. The organization receiving it has no independent data to validate against. The entire transaction is built on the assumption that vendors will accurately and completely report their own weaknesses — an assumption that fails in exactly the situations where accurate posture data matters most.
RFC-0017's persistent validation model rejects this assumption explicitly. It doesn't ask vendors to describe their security posture. It requires them to continuously demonstrate it, in machine-readable form, with pass/fail criteria defined in advance.
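To make the "machine-readable, pass/fail, on a cadence" idea concrete, here is an added illustration that is not from the original post and not VCRI's or FedRAMP's code: it ingests a constructed OSCAL assessment-results fragment (shape follows the OSCAL assessment-results model as I understand it, with each finding's `target.status.state` set to `satisfied` or `not-satisfied`), tallies the pass/fail state per control objective, and flags the package as stale when its newest result is older than the 72-hour validation cycle RFC-0017 proposes. The `posture_signal` function name, the `MAX_AGE` threshold and the sample control objectives are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed OSCAL assessment-results fragment (not a real FedRAMP package).
# Each result carries a time window and findings whose target.status.state
# records the pre-defined pass/fail outcome for one control objective.
SAMPLE = json.dumps({
    "assessment-results": {
        "results": [{
            "title": "Automated control check run",
            "start": "2026-10-01T00:00:00Z",
            "end": "2026-10-01T00:10:00Z",
            "findings": [
                {"target": {"type": "objective-id", "target-id": "ac-2_obj",
                            "status": {"state": "satisfied"}}},
                {"target": {"type": "objective-id", "target-id": "si-4_obj",
                            "status": {"state": "not-satisfied"}}},
            ],
        }]
    }
})

MAX_AGE = timedelta(hours=72)  # assumed: the validation cadence RFC-0017 proposes


def _parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; OSCAL uses 'Z' for UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_results(doc: str) -> list[dict]:
    """Return one record per finding: objective id, pass flag, result end time."""
    records = []
    for result in json.loads(doc)["assessment-results"]["results"]:
        ended = _parse_ts(result["end"])
        for finding in result.get("findings", []):
            target = finding["target"]
            records.append({
                "objective": target["target-id"],
                "passed": target["status"]["state"] == "satisfied",
                "ended": ended,
            })
    return records


def posture_signal(doc: str, now_iso: str) -> dict:
    """Summarise a package as a posture signal: pass/fail counts plus staleness."""
    recs = parse_results(doc)
    newest = max(r["ended"] for r in recs)  # latest evidence in the package
    return {
        "satisfied": sum(r["passed"] for r in recs),
        "not_satisfied": sum(not r["passed"] for r in recs),
        "failing": sorted(r["objective"] for r in recs if not r["passed"]),
        "stale": _parse_ts(now_iso) - newest > MAX_AGE,  # evidence older than one cycle
    }
```

A real ingestion pipeline would also verify the package's provenance (who produced it and whether it was signed) before trusting any state it reports.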
That's the right direction. It's also what VCRI is building toward for the broader vendor ecosystem — not just federal cloud providers, but any vendor in any supply chain.
The Timing Matters
The RFC-0024 compliance deadline is September 30, 2026. The first wave of machine-readable FedRAMP packages will start appearing in the second half of this year.
That timeline aligns with VCRI's development roadmap. The CRIBL data pipeline — the technical core of VCRI's ingestion and normalization capability — is being built now. The CAM matrix methodology is complete. The goal is to be positioned as the clearinghouse that can receive and normalize this incoming stream of machine-readable posture data before it exists at scale.
This isn't a reactive posture. It's building the infrastructure ahead of the data it's designed to receive.
What To Watch
Watch which cloud providers comply early, which comply at the deadline, and which lose authorization for non-compliance. The compliance distribution will tell you a great deal about where the actual posture gaps are in the federal cloud supply chain.
Also watch whether OSCAL adoption spreads beyond FedRAMP. The EU's ICT Supply Chain Security Toolbox and Japan's ISMAP framework are both moving toward structured, machine-readable vendor assessment data. When the largest buyer in the world requires something, suppliers build the capability — and then offer it to other buyers too.
The clearinghouse that normalizes posture data across all of these frameworks — federal, EU, Japanese — doesn't exist yet. That's what VCRI is building.