FedRAMP/rfcs
FedRAMP Requests For Comment (RFCs)

The Federal Risk and Authorization Management Program (FedRAMP) intends to engage continuously and iteratively with our stakeholders. This repository will be used as an ongoing digital meeting place for us to hear your experiences and perspectives.

All FedRAMP RFCs are open to responses from the public and government, including representatives from cloud service providers, third-party independent assessment organizations, federal agencies, industry organizations, or individuals with an interest in cybersecurity and cloud services.

All RFCs will provide alternate methods for providing comments for folks who are unfamiliar with GitHub or would simply prefer to submit comments in a different way.

44 U.S. Code § 3609(a)(6) requires FedRAMP to:

"establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives"

How will FedRAMP request comments?

FedRAMP will create a fork of this repo to initiate an RFC for specific topics. All discussion and participation will take place in the fork, with the outcome merged into this repo when the RFC is closed.

The forked repo will have Discussions enabled and stakeholders are encouraged to create new discussions with your feedback and interact with feedback provided by others. The FedRAMP team may seek clarification or participate in the discussion as appropriate, and may close discussions that have run their course after review.

FedRAMP will communicate to the public about open RFCs via its various social channels, including blogs, email lists, and more. Multiple RFCs may be run simultaneously by the team, and the status of all RFCs can be seen here.

Providing feedback

There are multiple ways to provide feedback on a full RFC:

  • Participate in the Discussion

  • Suggest changes to a document by opening a pull request (you will need to fork this repo first). The pull request must suggest one or more changes and describe the rationale for the change(s).

  • Follow the instructions in the RFC to use alternative mechanisms for public feedback, such as on-line forms or email.

It is important that each bit of feedback is concise and actionable, providing enough information to allow the document maintainers to adequately address the feedback.

Please follow our Code of Conduct at all times!

How FedRAMP will participate

This engagement process is a feedback cycle, where discussion drives changes and further discussion. During the public comment period, the following will occur as a cycle:

  1. Feedback and Discussion

    • Engagement between FedRAMP authors and commenters, with responses to feedback.

  2. Continuous Revision

    • FedRAMP authors will review and decide to accept or reject the feedback, making appropriate edits.

The end of the public comment period does not mean the policy will be immediately implemented. Other governance activities and final approval will be required; when ready for adoption or publication, final policies or documents will be widely shared publicly with appropriate implementation activities.

Currently, only members of the FedRAMP team can initiate the formal RFC process.

Why should I submit RFC feedback?

FedRAMP stakeholders, including cloud service providers (CSPs), security professionals, government agencies, and industry experts, may provide public feedback on these documents for several key reasons:

  • Influencing Policy and Framework Development: FedRAMP documents, such as updates to security guidelines, assessment frameworks, or requirements, impact stakeholders directly. By providing feedback, stakeholders have an opportunity to shape the policies to ensure they are practical, effective, and aligned with industry standards. This can help ensure that the requirements and guidelines are feasible to implement and improve overall security.

  • Addressing Practical Implementation Challenges: Stakeholders who are directly involved in FedRAMP authorization or in the process of securing federal cloud use may experience unanticipated practical challenges. Public feedback allows these stakeholders to highlight real-world issues, propose solutions, and ensure that policies are aligned with technological trends and operational realities.

  • Advocating for Cost-Effectiveness and Efficiency: Cloud service providers and other affected parties are often concerned about the costs and administrative burden associated with meeting FedRAMP requirements. Providing feedback allows stakeholders to advocate for streamlined processes, suggest more efficient frameworks, or raise concerns about requirements that might be too expensive or complex.

  • Ensuring Transparency and Accountability: Public feedback fosters an open dialogue between the government and industry. It promotes transparency and ensures that stakeholders are part of the decision-making process. This collaboration helps build trust between federal agencies and private sector participants and ensures that the government remains accountable for considering diverse perspectives.

  • Mitigating Security Risks: Security professionals may provide feedback to ensure that FedRAMP security guidelines are rigorous enough to mitigate evolving cybersecurity threats. Their insights help ensure that the government's security posture remains up-to-date and effective in protecting sensitive data.

  • Encouraging Innovation: By participating in the public feedback process, stakeholders can propose innovative approaches, highlight emerging technologies, and suggest ways to incorporate these into the FedRAMP program. This ensures that the program remains adaptive to the fast-paced evolution of cloud technologies.

Ultimately, public feedback helps ensure that FedRAMP documents and policies reflect the needs and expertise of both government and private sector entities, fostering a more secure, efficient, and collaborative cloud security environment.

License

All contributions to this repository are licensed under the CC0 1.0 Universal dedication unless otherwise specified.
