Requesting Comment on A New Comment Process for FedRAMP DEMO
RFC ID | Name | Status | Opened | Closed | Direct Link to RFC | Discussion / Output |
---|---|---|---|---|---|---|
0001 | A New Comment Process for FedRAMP | Demo | 2024-11-01 | pending | https://github.com/FedRAMP/rfc0001-new-comment-process/blob/main/rfc/0001.md | https://github.com/FedRAMP/rfc0001-new-comment-process/discussions |
The Federal Risk and Authorization Management Program (FedRAMP) intends to engage continuously and iteratively with our stakeholders. This repository will serve as an ongoing digital meeting place for us to hear your experiences and perspectives.
All FedRAMP Requests For Comments (RFCs) are open to responses from the public and government, including representatives from cloud service providers, third-party independent assessment organizations, federal agencies, industry organizations, or individuals interested in cybersecurity and cloud services.
All RFCs will provide alternate comment submission methods for people unfamiliar with GitHub or who prefer to submit comments differently.
FedRAMP will create a fork of this repo to initiate an RFC on specific topics. All discussion and participation will occur in the fork, and the outcome will be merged into this repo when the RFC is closed.
The forked repo will have Discussions enabled, and stakeholders are encouraged to create new discussions with their feedback and to interact with feedback provided by others. The FedRAMP team may seek clarification or participate in the discussion as appropriate, and may close discussions that have run their course after review.
FedRAMP will communicate with the public about open RFCs via its various social channels, including blogs, email lists, and more. The team may run multiple RFCs simultaneously, and the status of all RFCs can be seen here.
There are multiple ways to provide feedback on a full RFC:
- Participate in the Discussion
- Suggest changes to a document by opening a pull request (you will need to fork this repo first). The pull request must suggest one or more changes and describe the rationale for the change(s).
- Follow the instructions in the RFC to use alternative mechanisms for public feedback, such as online forms or email.
It is important that each piece of feedback is concise and actionable, providing enough information for the document maintainers to address the comment adequately.
Please follow our Code of Conduct at all times!
This engagement process is a feedback cycle that drives changes and further discussion. During the public comment period, the following will occur as a cycle:
- Feedback and Discussion
  - Engagement between FedRAMP authors and commenters, with responses to feedback.
- Continuous Revision
  - FedRAMP authors will review and decide to accept or reject the feedback, making appropriate edits.
The end of the public comment period does not mean FedRAMP will immediately implement the policy. Other governance activities and final approval will be required. When ready for adoption or publication, final policies or documents will be widely shared publicly, with appropriate implementation activities.
Currently, only members of the FedRAMP team can initiate the formal RFC process.
FedRAMP stakeholders, including cloud service providers (CSPs), security professionals, government agencies, and industry experts, may provide public feedback on these documents for several key reasons:
- Influencing Policy and Framework Development: FedRAMP documents, such as updates to security guidelines, assessment frameworks, or requirements, directly impact stakeholders. By providing feedback, stakeholders have an opportunity to shape the policies to ensure they are practical, effective, and aligned with industry standards. This can help ensure that the requirements and guidelines are feasible for implementation and improve overall security.
- Addressing Practical Implementation Challenges: Stakeholders who are directly involved in the FedRAMP authorization or in the process of securing federal use may experience unanticipated practical challenges. Public feedback allows these stakeholders to highlight real-world issues, propose solutions, and ensure that policies are aligned with technological trends and operational realities.
- Advocating for Cost-Effectiveness and Efficiency: Cloud service providers and other affected parties are often concerned about the costs and administrative burden associated with meeting FedRAMP requirements. Providing feedback allows stakeholders to advocate for streamlined processes, suggest more efficient frameworks, or raise concerns about requirements that might be too expensive or complex.
- Ensuring Transparency and Accountability: Public feedback fosters an open dialogue between the government and industry. It promotes transparency and ensures that stakeholders are part of the decision-making process. This collaboration helps build trust between federal agencies and private sector participants and ensures that the government remains accountable for considering diverse perspectives.
- Mitigating Security Risks: Security professionals may provide feedback to ensure that FedRAMP security guidelines are rigorous enough to mitigate evolving cybersecurity threats. Their insights help ensure the government's security posture remains up-to-date and effectively protects sensitive data.
- Encouraging Innovation: By participating in the public feedback process, stakeholders can propose innovative approaches, highlight emerging technologies, and suggest ways to incorporate these into the FedRAMP program. This ensures that the program remains adaptive to the fast-paced evolution of cloud technologies.
Ultimately, public feedback helps ensure that FedRAMP documents and policies reflect the needs and expertise of both government and private sector entities, fostering a more secure, efficient, and collaborative cloud security environment.
All contributions to this repository are licensed under the CC0 1.0 Universal dedication unless otherwise specified.