Open FedRAMP Requests for Comment (RFCs)
| ID | Request for Comment On | Description | Opened | Closing |
|---|---|---|---|---|
Closed FedRAMP Requests for Comment (RFCs)
| ID | Request for Comment On | Description | Closed |
|---|---|---|---|
| 0018 | FedRAMP Security Inbox Requirements | This set of requirements ensures all FedRAMP Authorized cloud service providers can receive and will respond to urgent communications from FedRAMP. Outcome: This draft has been considerably reworked to focus only on communication from FedRAMP and to apply specific requirements to FedRAMP when communicating important security information. The FedRAMP Security Inbox requirements will apply to both 20x and Rev5, with additional information to follow about Rev5 adoption by FY26 Q2. | 2025-11-17 |
| 0017 | Persistent Validation and Assessment Standard | This standard outlines requirements for the assessment and validation of Key Security Indicators for FedRAMP 20x. Outcome: This draft was significantly reorganized based on public comment with many changes. It has been published as the Persistent Validation and Assessment standard for FedRAMP 20x. | 2025-11-17 |
| 0016 | Collaborative Continuous Monitoring | This standard outlines requirements for cloud services to support government-specific continuous monitoring needs. Outcome: Minor adjustments were made to this draft based on public comment and published as the Collaborative Continuous Monitoring standard for 20x. Balance Improvement Releases for Rev5 will follow. | 2025-11-17 |
| 0015 | Recommended Secure Configuration Standard | This standard requires providers to publish information about securing critical aspects of their cloud service offerings. Outcome: Minor adjustments were made to this draft based on public comment, with the final requirements published as Recommended Secure Configuration guidance. This will apply to both 20x and Rev5, with more communication to come about Rev5 implementations. | 2025-11-17 |
| 0014 | Phase Two Key Security Indicators | This summarized standard includes changes to Phase One Key Security Indicators and adds additional KSIs for the FedRAMP Moderate baseline. Outcome: Phase Two Security Indicators received an additional overhaul after public comment, including adding a new theme for Authorization by FedRAMP, and are documented in the formal Phase Two Key Security Indicators standard. | 2025-11-17 |
| 0013 | SC-7 Boundary Protection Balance Improvement Release | This Balance Improvement Release clarifies that boundary protection requirements can be achieved using logical capabilities instead of IETF RFC-950 subnets. Outcome: The wording was slightly tweaked based on public comment to include combinations of technical capabilities and all FedRAMP Rev5 baselines were updated. | 2025-09-11 |
| 0012 | FedRAMP Continuous Vulnerability Management Standard | The FedRAMP Continuous Vulnerability Management Standard proposes updated requirements for the continuous discovery, assessment, mitigation, and remediation of detected weaknesses in FedRAMP Authorized cloud service offerings. Outcome: After a considerable amount of public feedback, this draft standard was modified significantly and released as FedRAMP Vulnerability Detection and Response requirements. | 2025-08-21 |
| 0011 | FedRAMP Pilot Standard for Storing and Sharing Authorization Data | The FedRAMP Pilot Standard for Storing and Sharing Authorization Data outlines requirements for cloud service providers who wish to self-host FedRAMP related authorization data and package materials within their own managed services. Outcome: The requirements and recommendations in this RFC were modified significantly based on public comment and released as the Authorization Data Sharing standard. | 2025-06-22 |
| 0010 | FedRAMP Scope Interpretation Technical Assistance | FedRAMP Scope Interpretation Technical Assistance provides draft interpretive guidance and examples to help agencies determine which cloud services are excluded from FedRAMP requirements, as outlined in Section 3 of OMB Memorandum M-24-15. Outcome: This technical assistance was updated, reviewed by OMB, and posted publicly as the Scope of FedRAMP. | 2025-06-15 |
| 0009 | Significant Change Notification Technical Assistance | Significant Change Notification Technical Assistance provides draft guidance to support Cloud Service Providers (CSPs) and Third-Party Assessment Organizations (3PAOs) in understanding and applying the FedRAMP Significant Change Notification Standard (RFC-0007). Outcome: This technical assistance was updated and integrated into the Significant Change Notification requirements. | 2025-06-15 |
| 0008 | Continuous Reporting Standard | FedRAMP intends to replace the previous Continuous Monitoring standards with an updated Continuous Reporting standard. The standard replaces previous requirements that focused on direct scanning with Key Security Metrics that must be monitored by cloud service providers and made available to agencies and FedRAMP to maintain FedRAMP authorization. Outcome: This draft standard did not move forward in this form. An updated RFC-0012 was later released for a Continuous Vulnerability Management Standard that incorporated feedback from this standard aligned with an updated direction for FedRAMP. | 2025-06-09 |
| 0007 | Significant Change Notification Standard | FedRAMP intends to replace the previous Significant Change Request process with an updated Significant Change Notification standard. The process asserts that authorizations granted to cloud service providers include the authority to make changes that are in the best interest of agency customers without asking permission from an authorizing official in advance, in most cases. Outcome: The Significant Change Notification standard was finalized with considerable changes to this draft and applied to FedRAMP 20x. A Balance Improvement Release process will slowly bring this standard to Rev5. | 2025-05-25 |
| 0006 | 20x Phase One Key Security Indicators | In FedRAMP 20x, Key Security Indicators summarize the security capabilities expected of cloud-native service offerings to meet FedRAMP Low authorization requirements. Outcome: Phase One Key Security Indicators were finalized and published. | 2025-05-25 |
| 0005 | Minimum Assessment Scope | The FedRAMP Minimum Assessment Scope Standard is an updated approach to determining what is included in a FedRAMP assessment and authorization. The approach avoids unnecessary detail to support FedRAMP’s ongoing shift from compliance-based to security-based decision making and assessment. Outcome: FedRAMP boundary guidance for the Minimum Assessment Scope has been formalized as a FedRAMP 20x standard with eventual partial support in Rev5. | 2025-05-25 |
| 0004 | Boundary Policy | This draft policy opens discussion on clarifications for the documentation and assessment of the FedRAMP boundary and the reuse of FedRAMP authorized cloud service offerings by cloud service providers. Outcome: In response to extensive feedback, FedRAMP released a follow-up RFC for a Minimum Assessment Scope to replace historical boundary guidance. | 2025-04-02 |
| 0003 | Review Initiation Checks (RICs) | These optional checklists will help cloud service providers self-verify the completeness of FedRAMP authorization packages. Outcome: The need for the checks described in this RFC was overcome by events as FedRAMP moved towards a new authorization path. This RFC is entirely rescinded. | 2025-04-02 |
| 0002 | Proposed Revisions to FedRAMP 3PAO Requirements | FedRAMP is proposing revisions to six requirements and an appendix for the American Association for Laboratory Accreditation (A2LA) R311 requirements for 3PAOs. Outcome: Proposed revisions were sent to A2LA with modifications. | 2025-04-02 |
| 0001 | A New Comment Process for FedRAMP | Extended open discussion period for feedback on the pilot FedRAMP RFC process using GitHub. Outcome: FedRAMP continues the RFC process as proposed with periodic review and improvement. The current status of each RFC is listed in these tables. | 2025-04-02 |
How will FedRAMP request comments?
FedRAMP will communicate to the public about open RFCs via its various social channels, including blogs, email lists, and more. Multiple RFCs may be run simultaneously by the team.
Providing feedback
There are multiple ways to provide feedback on a full RFC:
Participate in the Discussion in the rfcs repository on GitHub
Follow the instructions in the RFC to use alternative mechanisms for public feedback, such as online forms or email.
It is important that each bit of feedback is concise and actionable, providing enough information to allow the document maintainers to adequately address the feedback.
How FedRAMP will participate
The FedRAMP team may interact with the public discussion repository in a limited manner, similar to a digital town hall, by:
Requesting clarification or additional information if the content of a comment is not clear to the FedRAMP reviewer.
Acknowledging that comments have been reviewed.
Responding to requests for clarification from the public when that clarification would be relevant to a significant portion of the public.
FedRAMP will consider only the content of the message when responding, and will not prioritize or otherwise consider the individual or organization when determining which messages to respond to. A response from FedRAMP is not an endorsement and does not represent concurrence with the content.
Each public comment request may have multiple rounds, with comments being addressed in no smaller than 30-day increments.
The end of the public comment period does not mean the policy will be immediately implemented. Other governance activities and final approval will be required; when ready for adoption or publication, final policies or documents will be shared publicly with appropriate implementation activities.
Currently, only members of the FedRAMP team can initiate the formal RFC process.
Why should I submit RFC feedback?
FedRAMP stakeholders, including cloud service providers (CSPs), security professionals, government agencies, and industry experts, may provide public feedback on these documents for several key reasons.
Influencing Policy and Framework Development: FedRAMP documents, such as updates to security guidelines, assessment frameworks, or requirements impact stakeholders directly. By providing feedback, stakeholders have an opportunity to shape the policies to ensure they are practical, effective, and align with industry standards. This can help ensure that the requirements and guidelines are feasible for implementation and improve overall security.
Addressing Practical Implementation Challenges: Stakeholders who are directly involved in the FedRAMP authorization or in the process of securing federal cloud use may experience unanticipated practical challenges. Public feedback allows these stakeholders to highlight real-world issues, propose solutions, and ensure that policies are aligned with technological trends and operational realities.
Advocating for Cost-Effectiveness and Efficiency: Cloud service providers and other affected parties are often concerned about the costs and administrative burden associated with meeting FedRAMP requirements. Providing feedback allows stakeholders to advocate for streamlined processes, suggest more efficient frameworks, or raise concerns about requirements that might be too expensive or complex.
Ensuring Transparency and Accountability: Public feedback fosters an open dialogue between the government and industry. It promotes transparency and ensures that stakeholders are part of the decision-making process. This collaboration helps build trust between federal agencies and private sector participants and ensures that the government remains accountable for considering diverse perspectives.
Mitigating Security Risks: Security professionals may provide feedback to ensure that FedRAMP security guidelines are rigorous enough to mitigate evolving cybersecurity threats. Their insights help ensure that the government’s security posture remains up-to-date and effective in protecting sensitive data.
Encouraging Innovation: By participating in the public feedback process, stakeholders can propose innovative approaches, highlight emerging technologies, and suggest ways to incorporate these into improving FedRAMP. This ensures that the program remains adaptive to the fast-paced evolution of cloud technologies.
Ultimately, public feedback helps ensure that FedRAMP documents and policies reflect the needs and expertise of both government and private sector entities, fostering a more secure, efficient, and collaborative cloud security environment.