FedRAMP/rfc0001-new-comment-process
FedRAMP Requests For Comment (RFCs)

The Federal Risk and Authorization Management Program (FedRAMP) intends to engage continuously and iteratively with our stakeholders. This repository will serve as an ongoing digital meeting place for us to hear your experiences and perspectives.

All FedRAMP Requests For Comments (RFCs) are open to responses from the public and government, including representatives from cloud service providers, third-party independent assessment organizations, federal agencies, industry organizations, or individuals interested in cybersecurity and cloud services.

All RFCs will provide alternate comment submission methods for people unfamiliar with GitHub or who prefer to submit comments differently.

How will FedRAMP request comments?

FedRAMP will copy this repo to initiate an RFC for specific topics. All discussion and participation will take place in the copy, with the outcome merged into this repo when the RFC is closed.

The copied repo will have Discussions enabled, and stakeholders are encouraged to create new discussions with their feedback and to interact with feedback provided by others.

FedRAMP will communicate to the public about open RFCs via its various social channels, including blogs, email lists, and more. Multiple RFCs may be run simultaneously by the team, and the status of all RFCs can be seen here.

Providing feedback

There are multiple ways to provide feedback on a full RFC:

  • Participate in the Discussion

  • Follow the instructions in the RFC to use alternative mechanisms for public feedback, such as online forms or email.

  • Suggest changes to a document by opening a pull request (you will need to fork the repo first). The pull request must suggest one or more changes and describe the rationale for the change(s). Pull requests will be treated as comments.

It is important that each piece of feedback is concise and actionable, providing enough information to allow the document maintainers to adequately address it.

How FedRAMP will participate

The FedRAMP team may interact with the public discussion in this repository in a limited manner, similar to a digital town hall, as follows:

  • Requesting clarification or additional information if the content of a comment is not clear to the FedRAMP reviewer.

  • Acknowledging that comments have been reviewed.

  • Responding to requests for clarification from the public when that clarification would be relevant to a significant portion of the public.

FedRAMP will consider only the content of the message when responding, and will not prioritize or otherwise consider the individual or organization when determining which messages to respond to. A response from FedRAMP is not an endorsement and does not represent concurrence with the content.

Each public comment request may have multiple rounds, with comments being addressed in increments of no less than 30 days.

The end of the public comment period does not mean FedRAMP will immediately implement the policy. Other governance activities and final approval will be required. When ready for adoption or publication, final policies or documents will be widely shared publicly, with appropriate implementation activities.

Currently, only members of the FedRAMP team can initiate the formal RFC process.

Why should I submit RFC feedback?

FedRAMP stakeholders, including cloud service providers (CSPs), security professionals, government agencies, and industry experts, may provide public feedback on these documents for several key reasons:

  • Influencing Policy and Framework Development: FedRAMP documents, such as updates to security guidelines, assessment frameworks, or requirements, directly impact stakeholders. By providing feedback, stakeholders have an opportunity to shape the policies to ensure they are practical, effective, and aligned with industry standards. This can help ensure that the requirements and guidelines are feasible for implementation and improve overall security.

  • Addressing Practical Implementation Challenges: Stakeholders who are directly involved in the FedRAMP authorization or in the process of securing federal use may experience unanticipated practical challenges. Public feedback allows these stakeholders to highlight real-world issues, propose solutions, and ensure that policies are aligned with technological trends and operational realities.

  • Advocating for Cost-Effectiveness and Efficiency: Cloud service providers and other affected parties are often concerned about the costs and administrative burden associated with meeting FedRAMP requirements. Providing feedback allows stakeholders to advocate for streamlined processes, suggest more efficient frameworks, or raise concerns about requirements that might be too expensive or complex.

  • Ensuring Transparency and Accountability: Public feedback fosters an open dialogue between the government and industry. It promotes transparency and ensures that stakeholders are part of the decision-making process. This collaboration helps build trust between federal agencies and private sector participants and ensures that the government remains accountable for considering diverse perspectives.

  • Mitigating Security Risks: Security professionals may provide feedback to ensure that FedRAMP security guidelines are rigorous enough to mitigate evolving cybersecurity threats. Their insights help ensure the government's security posture remains up-to-date and effectively protects sensitive data.

  • Encouraging Innovation: By participating in the public feedback process, stakeholders can propose innovative approaches, highlight emerging technologies, and suggest ways to incorporate these into the FedRAMP program. This ensures that the program remains adaptive to the fast-paced evolution of cloud technologies.

Ultimately, public feedback helps ensure that FedRAMP documents and policies reflect the needs and expertise of both government and private sector entities, fostering a more secure, efficient, and collaborative cloud security environment.

License

All contributions to this repository are licensed under the CC0 1.0 Universal dedication unless otherwise specified.
