Policy and Guidance Updates

FedRAMP is fostering transparency for its policy and guidance development efforts. This page reflects the current status of policy and guidance that has been released recently or is expected to be released soon. Public feedback is welcome anytime at info@fedramp.gov.

Requests for Comment

For a list of active Requests for Comment (RFCs), please review the RFCs page.

Recently Completed

Finalizing

The following documents are being prepared for final publication.

Guidance or Policy: FIPS-140 Cryptographic Modules
Goal: This guidance will clarify requirements for use of cryptographic modules within a system boundary.
Actions Taken:
  • 2024-08-09 Draft Published
  • 2024-09-09 Public Comment Closed
Actions Remaining:
  • Revising document
  • Government consensus
  • Board approval
  • Publish final guidance
Estimated Completion: End of FY25 Q2

Guidance or Policy: FedRAMP Metrics
Goal: Propose a set of metrics that will measure the FedRAMP authorization experience and measure the program's security impact.
Actions Taken:
  • 2024-07-30 Draft Published
  • 2024-09-05 Public Comment Closed
Actions Remaining:
  • Revising document
  • Government consensus
  • Board approval
  • Publish final guidance
Estimated Completion: End of FY25 Q3

Guidance or Policy: FedRAMP Penetration Test Guidance
Goal: Provide guidelines for conducting a penetration test to identify weaknesses in a FedRAMP cloud service.
Actions Taken:
  • 2024-03-04 Draft Published
  • 2024-04-24 Public Comment Closed
Actions Remaining:
  • Revising document
  • Government consensus
  • Board approval
  • Publish final guidance
Estimated Completion: End of FY25 Q3

In Development

The following documents are under active development and have not yet been published for public comment.

Guidance or Policy: Review Initiation Criteria (RIC)
Goal: These guidelines will help CSPs, IAs, and federal agency partners evaluate and verify the completeness, consistency, accuracy, and clarity of an authorization package prior to submission. The RIC is intended to expedite FedRAMP's initial review, reduce pass-backs/resubmissions, and ultimately reduce authorization timelines by identifying package issues prior to submission for review.

Guidance or Policy: Authorization boundary guidance
Goal: This update to the boundary guidance is based on stakeholder feedback and common issues identified during review, and it revises requirements related to leveraged cloud and corporate services. Additionally, all JAB mentions and specific JAB requirements that conflict with the current policy memo are being removed.

Guidance or Policy: Program authorization approach
Goal: Work in progress

Guidance or Policy: 3PAO A2LA training requirements
Goal: Work in progress