TL;DR
- FedRAMP's 2026 consolidated rules (currently in public preview) define four MUST requirements for a FedRAMP-compatible trust center: just-in-time access (CDS-TRC-USH), programmatic data availability (CDS-TRC-PAC), agency access inventory (CDS-TRC-AAI), and six-month log retention (CDS-TRC-ACL)
- A trust center is an alternative to the USDA Connect Community Portal, not a mandate to abandon it, but the 2026 rules make the direction of travel clear
- The trust center platform itself does not need its own FedRAMP authorization for sharing certification data
- Two SHOULD requirements (machine-readable formats and self-service provisioning) are recommended but not mandatory
- Rev5 providers face a January 1, 2027 hard deadline; 20x providers are required to use a compliant trust center from July 4, 2026
What is a FedRAMP-compatible trust center?
A FedRAMP-compatible trust center is a vendor-hosted platform that meets FedRAMP's CDS-TRC (Certification Data Sharing, Trust Center) requirements and can be used instead of the USDA Connect Community Portal for sharing FedRAMP certification data with federal agencies. The term comes directly from FedRAMP's 2026 consolidated rules, published in public preview at preview.fedramp.gov/2026.
To qualify, a trust center must meet four MUST requirements and is encouraged, but not required, to meet two SHOULD requirements. The distinction matters: meeting the MUSTs is what makes a platform FedRAMP-compatible. Missing any one of them means the trust center does not meet the program's standard, regardless of how polished the UI is or how many features it offers.
The term "FedRAMP-compatible trust center" is new. Before the 2026 rules, no formal requirement set existed for trust center platforms in the federal market. Providers either used USDA Connect or built something ad hoc. The 2026 rules change that by creating exact requirement IDs that procurement teams, FedRAMP program managers, and GRC leads can use as a checklist.
Why FedRAMP is steering providers toward trust centers
The USDA Connect Community Portal has been the default mechanism for FedRAMP providers to share certification packages with federal agencies. Agencies navigating USDA Connect to access a provider's security documentation often encounter manual approval workflows and inconsistent access paths.
The CDS-TRC requirement set addresses this directly. The just-in-time provisioning language in CDS-TRC-USH exists specifically because manual approval cycles are the friction point that agencies have consistently flagged. FedRAMP's 2026 rules create a defined standard for on-demand access, not a polite suggestion.
Providers migrating away from USDA Connect must also meet CDS-CSF-TCM: notify all necessary parties of the migration and leave forwarding instructions in existing USDA Connect folders. This obligation ensures agencies with existing bookmarks or folder references are not stranded during the transition. For the full rule-by-rule breakdown of every CDS requirement and deadline, see our guide to the FedRAMP certification data sharing rules.
The four MUST requirements every trust center must meet
The CDS-TRC MUST requirements draw a clear line between a compliant trust center and a general document portal. Each has a specific requirement ID in FedRAMP's 2026 framework:
CDS-TRC-USH: Share FedRAMP certification data with all necessary parties without interruption, via on-demand just-in-time provisioning rather than manual approval cycles. If a trust center routes an agency reviewer through a queue that requires a compliance team member to manually approve access, it fails this requirement.
CDS-TRC-PAC: Provide documented programmatic access to all certification data, including human-readable materials. A browseable UI alone does not satisfy this requirement. An API or structured export path must exist and be documented.
CDS-TRC-AAI: Maintain an inventory and history of federal agency users and systems that have accessed certification data, available to FedRAMP on request. This is an auditable access record, not just a raw log dump.
CDS-TRC-ACL: Log access and store summaries for at least six months. Platforms without structured access logging, or with retention windows shorter than six months, do not qualify.
These four requirements define the floor. A platform meeting all four is FedRAMP-compatible. A platform missing any one is not, regardless of other capabilities.
What do the SHOULD requirements add?
The SHOULD requirements are CDS-TRC-HMR and CDS-TRC-SSM. FedRAMP explicitly marks these as recommended, not mandatory.
CDS-TRC-HMR calls for certification data in both human-readable and machine-readable formats. Providers planning to meet the public metadata requirement CDS-CSO-PUB (which requires JSON output for service metadata) will find CDS-TRC-HMR is effectively required to satisfy that obligation cleanly.
CDS-TRC-SSM calls for self-service access provisioning and management. This is what separates a functional trust center from a well-operated one. Self-service means agency reviewers can request and receive access without waiting for a provider's compliance team to process each request. Platforms without self-service provisioning will meet the MUST requirements on paper but create manual work and friction in everyday access flows.
What are a provider's own obligations beyond the trust center?
Providers have three MUST obligations that sit alongside the trust center platform requirements and apply regardless of which sharing mechanism they use. These govern the certification data itself, not just the delivery channel.
CDS-CSO-HAD requires providers to keep historical versions of certification data available for three years. Version control is a provider obligation, and the trust center platform must support it.
CDS-CSO-PUB requires publicly sharing service metadata in both human-readable and JSON formats. The required fields are: FedRAMP Marketplace link, service and deployment models, Unique Entity Identifier (UEI), key contacts, trust center landing page link, next assessment date, and current assessor. This metadata must be discoverable by agencies without authentication.
CDS-UTC-AAD requires notifying FedRAMP within five business days of denying an agency access request. This creates an obligation to track denials specifically, not just grants, and to report them on a defined timeline.
Rev5 vs 20x: what the timeline looks like
| Provider type | Optional adoption | Must be met by | Maintained from | Grace period ends |
|---|---|---|---|---|
| Rev5 | July 4, 2026 | January 1, 2027 | August 1, 2027 | February 1, 2028 |
| 20x | July 4, 2026 (required) | n/a | January 1, 2027 | First annual assessment after Jan 1, 2027 |
For 20x providers, there is no optional period: the trust center path is required from July 4, 2026. Rev5 providers have a longer runway but a hard requirement of January 2027. Providers in active federal sales or renewal conversations should not treat the grace period as extra time. Agencies will begin expecting trust center access as soon as the option is available, and a provider without one will look behind on compliance hygiene in competitive evaluations.
Does your trust center platform need FedRAMP authorization?
No. Per FedRAMP's scope guidance, when a federal agency accesses a commercial trust center to evaluate a vendor's security posture, that activity falls outside FedRAMP scope. The trust center platform itself does not need its own FedRAMP authorization for this use.
This is the most common misunderstanding in early conversations about the CDS-TRC requirements. The trust center is the mechanism for sharing FedRAMP certification data about a cloud service, rather than a cloud service being offered to the government under its own authorization boundary. The authorization boundary belongs to the cloud service being assessed.
Providers should not expect trust center vendors to claim FedRAMP authorization status for the trust center platform, and should treat any such claim as a red flag, not a feature.
How to evaluate trust center vendors against CDS-TRC requirements
Most trust center platforms were built for commercial due diligence workflows. The CDS-TRC requirements introduce specific constraints that generic platforms were not designed to meet. Run every vendor through this checklist before committing:
CDS-TRC-USH (just-in-time access):
- Can agency reviewers access certification data on-demand without waiting for manual approval from your compliance team?
- Does the platform support NDA-gated or click-through self-service access requests with automated provisioning?
CDS-TRC-PAC (programmatic access):
- Is there documented API access to all certification data?
- Can structured exports be triggered programmatically, not just downloaded manually through a UI?
CDS-TRC-AAI (access inventory):
- Does the platform maintain a per-user access history your team can query and export?
- Can you produce that inventory in a format suitable for FedRAMP review?
CDS-TRC-ACL (six-month log retention):
- Are access events logged with timestamps, user identity, and document accessed?
- Are logs retained for at least six months and exportable?
CDS-CSO-HAD (three-year version history):
- Does the platform support document versioning with historical retrieval?
- Can prior-version packages be accessed by agencies during the three-year window?
Pricing model: Federal compliance workflows can involve large reviewer counts and high document request volume. Platforms with per-seat or per-access pricing create unpredictable cost exposure at scale. All-inclusive pricing eliminates that variable.
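One way to run the CDS-TRC-AAI and CDS-TRC-ACL checklist items against a vendor's access-log export, as an added example that is not from the original page or any vendor's API. The field names (`timestamp`, `user`, `agency`, `document`), the sample events, and the 184-day stand-in for "six months" are assumptions.

```python
from datetime import datetime, timedelta, timezone

REQUIRED = ("timestamp", "user", "document")  # fields the ACL checklist names
SIX_MONTHS = timedelta(days=184)  # longest span six calendar months can cover

# Constructed sample export; the field names and values are hypothetical.
SAMPLE_EXPORT = [
    {"timestamp": "2026-07-10T14:02:11+00:00", "user": "reviewer1@agency-a.example",
     "agency": "Agency A", "document": "ssp-v3.pdf"},
    {"timestamp": "2026-11-03T09:15:40+00:00", "user": "reviewer1@agency-a.example",
     "agency": "Agency A", "document": "sar-2026.pdf"},
    {"timestamp": "2027-01-20T17:45:00+00:00", "user": "svc-grc@agency-b.example",
     "agency": "Agency B", "document": "ssp-v3.pdf"},
    {"timestamp": "2027-02-01T08:00:00+00:00", "user": "",  # no user identity
     "agency": "Agency B", "document": "poam.xlsx"},
]


def audit_export(events, now):
    """Return incomplete events, a per-user inventory and log reach-back."""
    incomplete, inventory, oldest = [], {}, None
    for index, event in enumerate(events):
        try:
            if not all(event.get(field) for field in REQUIRED):
                raise ValueError("missing required field")
            seen = datetime.fromisoformat(event["timestamp"])
        except (ValueError, TypeError):
            incomplete.append(index)  # cannot be attributed or dated
            continue
        if seen.tzinfo is None:
            seen = seen.replace(tzinfo=timezone.utc)  # assumption: naive = UTC
        oldest = seen if oldest is None else min(oldest, seen)
        entry = inventory.setdefault(event["user"], {
            "agency": event.get("agency"), "first_seen": seen,
            "last_seen": seen, "documents": set()})
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["documents"].add(event["document"])
    for entry in inventory.values():
        entry["documents"] = sorted(entry["documents"])
    return {
        "incomplete": incomplete,
        "inventory": inventory,
        # False means the export does not demonstrate six months of history.
        "covers_six_months": oldest is not None and now - oldest >= SIX_MONTHS,
    }
```

A `False` for `covers_six_months` can mean either truncated retention or a deployment younger than six months, so confirm the vendor's configured retention window separately.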
Platforms like SafeBase (acquired by Drata in 2025), Vanta, and Conveyor were built primarily for commercial buyer-facing trust centers and do not publicly document CDS-TRC alignment. Self-hosted trust pages typically lack the access logging, programmatic access, and version history the CDS rules require.
How Wolfia maps to the CDS-TRC requirements
Wolfia's trust center is built around gated, logged, self-service access, which maps directly to the CDS-TRC requirement set. Wolfia is built for security and GRC teams managing both commercial and federal-market compliance workflows.
Self-service provisioning and just-in-time access (CDS-TRC-USH, CDS-TRC-SSM): Wolfia's trust center supports self-service access requests with NDA-gated and click-through workflows. Agency reviewers request access and receive it without a compliance team member manually processing each request. CRM integration gives your team full visibility into who requested access, when, and under what agreement.
Access inventory and logging (CDS-TRC-AAI, CDS-TRC-ACL): Every access event is logged and visible in the Wolfia dashboard. You can see which users accessed which documents, when, and via which request path. That log serves as both the CDS-TRC-AAI inventory and the CDS-TRC-ACL compliance record in one view.
Document hosting and version control (CDS-CSO-HAD): Wolfia's trust center hosts certification documents with version control. Historical versions remain accessible, satisfying the three-year historical availability obligation on the provider side.
Questionnaire intake from the same knowledge base: Wolfia's trust center also handles questionnaire upload intake answered from the same self-maintaining knowledge base, with source citations on every answer. For FedRAMP providers fielding SIG Lite, CAIQ, or agency-specific security questionnaires alongside their trust center, this means a single platform rather than two separate tools. Our trust center implementation guide covers how that intake workflow operates in practice.
For a side-by-side look at how Wolfia compares to other trust center platforms on the commercial and federal-market side, see Wolfia vs Vanta, Whistic, and SafeBase for trust centers in 2026.
All-inclusive pricing: Wolfia charges a flat subscription with no per-seat, per-access, or per-document fees. For providers expecting high federal agency reviewer volume, this removes the cost variable that usage-based platforms introduce.
On the questionnaire automation side, Wolfia applies 10-plus hallucination prevention guardrails and surfaces a source citation on every answer. How AI accuracy affects security questionnaire deal velocity explains why that matters specifically in federal procurement timelines, where a wrong answer in a security package has consequences well beyond a commercial sales cycle.
Final Thoughts
FedRAMP's 2026 CDS rules create a defined technical standard for trust centers for the first time. The four MUST requirements give procurement teams and FedRAMP program managers a concrete checklist rather than a vague ask for "a trust center." The timeline is real: 20x providers are required to use a compliant trust center from July 4, 2026; Rev5 providers face a January 2027 hard deadline.
The selection decision comes down to three questions: does the platform provision just-in-time access without manual intervention, does it log and inventory that access with six-month retention, and does it provide documented programmatic access to all certification data? Generic trust center platforms built for commercial buyers were not designed with these constraints in mind, and that gap will surface during a FedRAMP program manager review or agency access audit.
These rules are in public preview. Review the current text at preview.fedramp.gov/2026 before finalizing vendor decisions, since specific requirement IDs may be updated before final publication.



