Reporting Concerns to FedRAMP
Once a cloud service provider obtains a FedRAMP Certification, their interactions with the FedRAMP PMO are limited. Agencies who are participating in collaborative continuous monitoring will typically have much greater insight into cloud service provider activities and will likely be the first to know if a provider is failing to meet FedRAMP’s standards.
If a cloud service provider is failing to comply with FedRAMP requirements, we recommend that you take the following steps to address any compliance issues with your vendor:
- Your first step should be to escalate the issue within the Cloud Service Provider directly. Agencies have closer relationships with the vendor than FedRAMP will (because you’re paying them!) and can usually influence the behavior of the vendor directly.
- Notify your Contracting Officer. Depending on your contract language, failing to comply with FedRAMP guidance may be a breach of contract.
If these steps are not successful in resolving the issue, it is important for the agency to notify FedRAMP by emailing info@fedramp.gov. FedRAMP will follow up with the provider and, if necessary, request corrective action in addition to notifying other agencies.
FedRAMP cannot provide assistance if a cloud service provider is not meeting agency-specific requirements.
FedRAMP’s authority is limited to FedRAMP-defined requirements. Any performance issue not directly related to FedRAMP requirements must be addressed through your agency’s procurement office.