- Status: Open
- Created By: FedRAMP
- Start Date: 2024-12-18
- First Closing Date: 2025-01-31
- Short Name: rfc0001-new-comment-process
Where to Comment:
- Discussion Forum: https://github.com/FedRAMP/rfc0001-new-comment-process/discussions
- Public Comment Spreadsheet: pending
- Email: pete@fedramp.gov with the subject “FedRAMP RFC-0001 Feedback”
Summary
We are piloting the use of GitHub to host focused discussions and public comments on FedRAMP changes that will affect cloud service providers. We will use the process for at least five engagements before reviewing its effectiveness, but will seek to improve it continuously based on feedback.
Motivation
Commenting on FedRAMP changes shouldn’t feel like sending a letter into a black box. As we explored ways to solve this we revisited an old idea to use GitHub and treat policy as code. Folks have expressed initial support for this idea in small group discussions, so we’re testing it out to understand how effective this method will be compared to just asking folks to fill out a spreadsheet.
Requesting comments is the best way to test a new option for public comment, so here we are!
Explanation
From the main README:
The Federal Risk and Authorization Management Program (FedRAMP) intends to engage continuously and iteratively with our stakeholders. This repository will serve as an ongoing digital meeting place for us to hear your experiences and perspectives.
All FedRAMP Requests For Comments (RFCs) are open to responses from the public and government, including representatives from cloud service providers, third-party independent assessment organizations, federal agencies, industry organizations, or individuals interested in cybersecurity and cloud services.
All RFCs will provide alternate comment submission methods for people unfamiliar with GitHub or who prefer to submit comments differently.
How will FedRAMP request comments?
FedRAMP will copy this repo to initiate an RFC for specific topics. All discussion and participation will take place in the copy, with the outcome merged into this repo when the RFC is closed.
The copied repo will have Discussions enabled, and stakeholders are encouraged to create new discussions with their feedback and to interact with feedback provided by others.
FedRAMP will communicate to the public about open RFCs via its various social channels, including blogs, email lists, and more. Multiple RFCs may be run simultaneously by the team, and the status of all RFCs can be seen here.
Providing feedback
There are multiple ways to provide feedback on a full RFC:
- Participate in the Discussion
- Follow the instructions in the RFC to use alternative mechanisms for public feedback, such as online forms or email.
- Suggest changes to a document by opening a pull request (you will need to fork the repo first). The pull request must suggest one or more changes and describe the rationale for the change(s). Pull requests will be treated as comments.
It is important that each bit of feedback is concise and actionable, providing enough information to allow the document maintainers to adequately address the feedback.
How FedRAMP will participate
The FedRAMP team may interact with the public discussion in this repository in a limited manner, similar to a digital town hall, as follows:
- Requesting clarification or additional information if the content of a comment is not clear to the FedRAMP reviewer.
- Acknowledging that comments have been reviewed.
- Responding to requests for clarification from the public when that clarification would be relevant to a significant portion of the public.
FedRAMP will consider only the content of the message when responding, and will not prioritize or otherwise consider the individual or organization when determining which messages to respond to. A response from FedRAMP is not an endorsement and does not represent concurrence with the content.
Each public comment request may have multiple rounds, with comments being addressed in increments of no less than 30 days.
The end of the public comment period does not mean FedRAMP will immediately implement the policy. Other governance activities and final approval will be required. When ready for adoption or publication, final policies or documents will be widely shared publicly, with appropriate implementation activities.
Currently, only members of the FedRAMP team can initiate the formal RFC process.
Discussion Requested
FedRAMP would like to understand how stakeholders would engage in GitHub Discussions in response to requests like this and if the alternatives are sufficient for folks unfamiliar with this type of discussion. How can we improve this experience?
We would also like to understand other priority issues people are thinking about that we might pursue during the next public comment period.