Skip to main content

Requests for Comment

Open FedRAMP Requests for Comment (RFCs)

ID Request for Comment On Description Open Close
0002 Proposed Revisions to FedRAMP 3PAO Requirements FedRAMP is proposing revisions to six requirements and an appendix for the American Association for Laboratory Accreditation (A2LA) R311 requirements for 3PAOs. 2024-12-19 2025-01-31
0001 A New Commment Process for FedRAMP Extended open discussion period for feedback on the pilot FedRAMP RFC process using GitHub. 2024-12-18 2025-01-31

Background

The Federal Risk and Authorization Management Program (FedRAMP) intends to engage continuously and iteratively with our stakeholders. This repository will be used as an ongoing digital meeting place for us hear your experiences and perspectives.

All FedRAMP RFCs are open to responses from the public and government, including representatives from cloud service providers, third party indepent assessment organizations, federal agencies, industry organizations, or individuals with an interest in cybersecurity and cloud services.

All RFCs will provide alternate methods for providing comments for folks who are unfamiliar with github or would simply prefer to submit comments in a different way.

44 U.S. Code § 3609(a)(6) requires FedRAMP to:

“establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives”

How will FedRAMP request comments?

FedRAMP will copy this repo to initiate an RFC for specific topics. All discussion and participation will take place in the copy, with the outcome merged into this repo when the RFC is closed.

The copied repo will have Discussions enabled and stakeholders are encouraged to create new discussions with your feedback and interact with feedback provided by others.

FedRAMP will communicate to the public about open RFCs via its various social channels, including blogs, email lists, and more. Multiple RFCs may be run simultaneously by the team, and the status of all RFCs can be seen here.

Providing feedback

There are multiple ways to provide feedback on a full RFC:

  • Participate in the Discussion

  • Follow the instructions in the RFC to use alternative mechanisms for public feedback, such as on-line forms or email.

  • Suggest changes to a document by opening a pull request (you will need to fork the repo first). The pull request must suggest one or more changes and describe the rationale for the change(s). Pull requests will be treated as comments.

It is important that each bit of feedback is concise and actionable, providing enough information to allow the document maintainers to adequately address the feedback.

How FedRAMP will participate

The FedRAMP team may interact with the public discussion in this repository in a limited manner, similar to a digital town hall, as follows:

  • Requesting clarification or additional information if the content of a comment is not clear to the FedRAMP reviewer.

  • Acknowledging that comments have been reviewed.

  • Responding to requests for clarification from the public when that clarification would be relevant to a significant portion of the public.

FedRAMP will consider only the content of the message when responding, and will not prioritize or otherwise consider the individual or organization when determining which messages to respond to. A response from FedRAMP is not an endorsement and does not represent concurrence with the content.

Each public comment request may have multiple rounds, with comments being addressed in no smaller than 30 day increments.

The end of the public comment period does not mean the policy will be immediately implemented. Other governance activities and final approval will be required; when ready for adoption or publication, final policies or documents will be widely shared publicly with appropriate implementation activities.

Currently, only members of the FedRAMP team can initiate the formal RFC process.

Why should I submit RFC feedback?

FedRAMP stakeholders, including cloud service providers (CSPs), security professionals, government agencies, and industry experts, may provide public feedback on these documents for several key reasons:

  • Influencing Policy and Framework Development: FedRAMP documents, such as updates to security guidelines, assessment frameworks, or requirements impact stakeholders directly. By providing feedback, stakeholders have an opportunity to shape the policies to ensure they are practical, effective, and align with industry standards. This can help ensure that the requirements and guidelines are feasible for implementation and improve overall security.

  • Addressing Practical Implementation Challenges: Stakeholders who are directly involved in the FedRAMP authorization or in the process of securing federal could use may experience unanticipated practical challenges. Public feedback allows these stakeholders to highlight real-world issues, propose solutions, and ensure that policies are aligned with technological trends and operational realities.

  • Advocating for Cost-Effectiveness and Efficiency: Cloud service providers and other affected parties are often concerned about the costs and administrative burden associated with meeting FedRAMP requirement. Providing feedback allows stakeholders to advocate for streamlined processes, suggest more efficient frameworks, or raise concerns about requirements that might be too expensive or complex.

  • Ensuring Transparency and Accountability: Public feedback fosters an open dialogue between the government and industry. It promotes transparency and ensures that stakeholders are part of the decision-making process. This collaboration helps build trust between federal agencies and private sector participants and ensures that the government remains accountable for considering diverse perspectives.

  • Mitigating Security Risks: Security professionals may provide feedback to ensure that FedRAMP security guidelines are rigorous enough to mitigate evolving cybersecurity threats. Their insights help ensure that the government’s security posture remains up-to-date and effective in protecting sensitive data.

  • Encouraging Innovation: By participating in the public feedback process, stakeholders can propose innovative approaches, highlight emerging technologies, and suggest ways to incorporate these into the FedRAMP program. This ensures that the program remains adaptive to the fast-paced evolution of cloud technologies.

Ultimately, public feedback helps ensure that FedRAMP documents and policies reflect the needs and expertise of both government and private sector entities, fostering a more secure, efficient, and collaborative cloud security environment.

GSA logo

FedRAMP.gov

official website of the GSA’s Technology Transformation Services

Looking for U.S. government information and services?
Visit USA.gov