This Community Working Group will host biweekly town halls on Tuesdays from 1:00-1:30 PM ET, starting on 4/22/2025:
Register here to attend.
Find us on GitHub
Each working group has a GitHub repository where GitHub Discussions are open for public participation. The Applying Existing Frameworks repository can be found here.
What You’ll Work On
In a world where FedRAMP relies on automated validation to the greatest extent possible, simplifying documentation and management requirements will require us to think innovatively about how we leverage existing commercial frameworks. Wherever it can, we want FedRAMP to rely on existing best practices and commercial security frameworks rather than government-unique ones.
The focus of this working group will be to help us drive toward a world where agencies can easily understand how a company’s existing commercial security frameworks can be used to make risk-based decisions, in lieu of creating new materials solely for FedRAMP. By examining leading industry security standards, the group will investigate opportunities to leverage commercial frameworks that can address some or all of the federal cloud security requirements without creating redundant compliance processes. The evaluation will focus on identifying frameworks with proven effectiveness and assessing their potential for direct application through a rigorous analysis of scalability, adaptability to cloud environments, implementation simplicity, vendor-neutral design, and economic efficiency of adoption. It may also seek to identify gaps between these frameworks and FedRAMP requirements, so that any additional tasks a provider must complete are focused only on the requirements not already met by the commercial framework.
A potential outcome of this work is streamlining the authorization pathway by implementing commercial security approaches and standards in lieu of government-unique compliance mechanisms.
Below is a list of activities to be accomplished by this CWG.
- Research commercial standards that have a risk posture appropriate for federal use
- Explore gaps between commercial frameworks and current FISMA requirements
- Consider automation potential in framework application
Target Audience
- Cloud Service Providers
- Agency security teams
- Cybersecurity experts
- Industry groups
- Commercial and community-driven security standard organizations
- Third Party Assessment Organizations (3PAOs)
- FedRAMP advisors/consultants