FedRAMP is fostering transparency for its policy and guidance development efforts. This page reflects the current status of policy and guidance that has been released recently or is expected to be released soon. Public feedback is welcome anytime at info@fedramp.gov.
Requests for Comment
For a list of active Requests for Comment (RFCs), please review the RFCs page.
Recently Completed
- FedRAMP Policy for Cryptographic Module Selection and Use - Posted Jan 16, 2025
- 3PAO Readiness Assessment Report Guide, Version 3.2 - Posted Oct 17, 2024
Finalizing
The following documents are being prepared for final publication.
| FedRAMP Metrics | Propose a set of metrics that will measure the FedRAMP authorization experience and measure the program's security impact. | | | End of FY25 Q3 |
| FedRAMP Penetration Test Guidance | Provide guidelines for conducting a penetration test to identify weaknesses in a FedRAMP cloud service. | | | End of FY25 Q3 |
In Development
The following documents are under active development and have not yet been published for public comment.
| Guidance or Policy | Goal |
| Authorization boundary guidance | This update to the boundary guidance is based on stakeholder feedback, common issues identified during review, and to revise requirements related to leveraged cloud and corporate services. Additionally, all JAB mentions and specific JAB requirements that conflict with the current policy memo are being removed. |
| Program authorization approach | Work in progress |
