RFC: New Marketplace and Authorization Designations

[pete-gov]

This Request for Comment (or set of RFCs) related to the FedRAMP Marketplace and authorization designations will attempt to address many gaps in the current process. Goals for this RFC include:

• Adding a "Preparation" step aligned with the NIST RMF Step 1 that will allow any cloud service provider to publicly attest that they are carrying out the essential activities to prepare their cloud service offering for a FedRAMP authorization.
• Replacing "FedRAMP Ready" with a CSP + 3PAO attested "Independently Assessed" state.
• Adding a "Remediation" status
• Replacing final status with "Continuous Monitoring" and "Persistent Validation" instead of "authorized"
• Renaming "In Process" to "Agency Authorization In Process" for Rev5

Plus supporting requirements for these various states and a few other interesting things.

[pete-gov]

This work in progress RFC is new to the roadmap today.

[pete-gov]

Due to the holidays we're tentatively planning to release this RFC on Jan 12-14. We're also going to try something new for this RFC: a short podcast style discussion about the background and motivation as well as an overview of the RFC itself. Some folks like to just read RFCs but we want to provide a bit more for folks who want to listen to us ramble.

[pete-gov]

These RFCs were released on January 13 as:

• https://www.fedramp.gov/rfcs/0020/ FedRAMP Authorization Designations
• https://www.fedramp.gov/rfcs/0021/ Expanding the FedRAMP Marketplace