Policy and Guidance Updates

2024-11-07 Please Note: This page needs a look-and-feel update that may take some time, but FedRAMP is making the information available in a rudimentary form now rather than waiting. Thank you for your patience with the formatting.

FedRAMP is fostering transparency for its policy and guidance development efforts. This page reflects the current status of policy and guidance that has been released recently or is expected to be released soon. Public feedback is welcome anytime at info@fedramp.gov.

Recently Completed

Finalizing

The following documents are being prepared for final publication.

FIPS-140 Cryptographic Modules
  Goal: This guidance will clarify requirements for use of cryptographic modules within a system boundary.
  Actions Taken:
  • 2024-08-09 Draft Published
  • 2024-09-09 Public Comment Closed
  Actions Remaining:
  • Revising document
  • Government consensus
  • Board approval
  • Publish final guidance
  Estimated Completion: End of FY25 Q2

FedRAMP Metrics
  Goal: Propose a set of metrics that will measure the FedRAMP authorization experience and measure the program's security impact.
  Actions Taken:
  • 2024-07-30 Draft Published
  • 2024-09-05 Public Comment Closed
  Actions Remaining:
  • Revising document
  • Government consensus
  • Board approval
  • Publish final guidance
  Estimated Completion: End of FY25 Q3

FedRAMP Penetration Test Guidance
  Goal: Provide guidelines for conducting a penetration test to identify weaknesses in a FedRAMP cloud service.
  Actions Taken:
  • 2024-03-04 Draft Published
  • 2024-04-24 Public Comment Closed
  Actions Remaining:
  • Revising document
  • Government consensus
  • Board approval
  • Publish final guidance
  Estimated Completion: End of FY25 Q3

Requests for Comments

No documents are available for active public discussion and comment at this time.

In Development

The following documents are under active development and have not yet been published for public comment.

Review Initiation Criteria (RIC)
  Goal: These guidelines will help CSPs, IAs, and federal agency partners evaluate and verify the completeness, consistency, accuracy, and clarity of an authorization package prior to submission. The RIC is intended to expedite FedRAMP's initial review, reduce pass-backs/resubmissions, and ultimately reduce authorization timelines by identifying package issues prior to submission for review.

Authorization boundary guidance
  Goal: This update to the boundary guidance is based on stakeholder feedback, common issues identified during review, and to revise requirements related to leveraged cloud and corporate services. Additionally, all JAB mentions and specific JAB requirements that conflict with the current policy memo are being removed.

Program authorization approach
  Goal: Work in progress

3PAO A2LA training requirements
  Goal: Work in progress