Focusing on Delivery
January 17 | 2025
FedRAMP has shifted to a more aggressive cadence for releasing draft updates for policies and directives. We expect to see Requests for Comment (RFC) become a routine activity with multiple RFCs open at any given time as FedRAMP continuously works to improve. We’ve also added a Policy and Guidance Updates page to our website that reflects the current status of policy and guidance that we’re working on.
FedRAMP Cryptographic Module Selection and Use Policy
This new policy takes a risk-based approach to navigating competing requirements for the use of FIPS 140-validated cryptographic modules by prioritizing the application of updates that remediate known vulnerabilities posing immediate risk to federal information. This policy was approved by the FedRAMP Board and published on January 16, 2025.
FedRAMP Boundary Policy (draft, request for comment)
The draft policy defines the FedRAMP boundary as all services that handle federal information and/or directly impact the confidentiality, integrity, or availability of federal information. It also limits the scope of the FedRAMP boundary to reduce the listing of duplicative or ancillary services. This draft policy was released for public comment on January 16, 2025.
Learn more and comment on our open FedRAMP RFCs
All priority FedRAMP initiatives now have dedicated sections on our website in the Updates & Priorities menu that will be updated regularly. We’ve also created a simple Changelog Page that we’ll continue to maintain as initiatives advance, announcements are made, or other significant changes happen within the program.
Bookmark https://www.fedramp.gov/updates/changelog/
FedRAMP’s developer team is hard at work enhancing the data, documentation, and tools to make digital authorization package submissions through the FedRAMP Platform possible. The team runs several industry engagement touchpoints, including bi-weekly OSCAL Implementers meetings for the Digital Authorization Pilot, monthly briefings on all the automation initiatives, and ad-hoc office hour sessions with developers; it also troubleshoots GitHub requests from the developer community in real time.
In case you missed it
Operating in the open with a focus on delivery means we’ve been publishing some key content (even over the holidays!) as quickly as possible without a lot of fanfare. That’s why we want to highlight our new Requests for Comment (RFC) landing page and all the activity happening around our work towards improving FedRAMP policies and directives. We need your insight to ensure our changes have the greatest benefit with the least operational impact. Here’s what you can review and comment on today:
- Exploring new ways to scale FedRAMP - an opening discussion on charging industry fees to consistently scale and improve the quality of FedRAMP services based on demand.
- RFC0001: A New Comment Process for FedRAMP - we’re piloting the use of informal discussion forums in addition to the more formal letter-style submission process.
- RFC0002: Proposed Revisions to FedRAMP 3PAO Requirements - we listened to a bunch of pain points from independent assessors and are proposing changes to address them. Are we on the right track?
- RFC0003: Review Initiation Checks (RICs) - if a CSP had a (relatively) simple checklist they could follow to likely receive FedRAMP authorization on the first review… would they use it? You tell us.
- RFC0004: Boundary Policy - the most frequently requested policy update is out for the first of what is likely to be multiple rounds of comment to ensure we can get this right.
Want to share your thoughts and experiences on something else? You can always reach out directly to the FedRAMP Director at pete@fedramp.gov with a note or ask to schedule a chat.