
FedRAMP Tailored Comment-A-Thon: Final Comments Due Monday!

The FedRAMP Tailored Comment-a-Thon kicked off with a bang on Tuesday, April 18, with over 50 representatives from industry and government in attendance in person and over 100 connecting remotely via video and chat link.

The session’s purpose was to capture FedRAMP stakeholders’ best thinking, input, and expertise on the Tailored baseline via a coding and collaboration tool called GitHub.

When prompted for their first-blush reactions to the overall concept of FedRAMP Tailored, attendees voiced the following:

*“Provides a new venue for CSPs and 3PAOs to meet, interact and offer innovation to Agencies.”*

*“Pragmatic approach to accelerate adoption of low risk cloud applications.”*

*“Implementation of FedRAMP Tailored could have a profound and positive effect on both the candidate companies (vendors) and the agencies seeking to consume those services in a timely manner.”*

The FedRAMP PMO knows it must harness the power of the collective to ensure that the forthcoming FedRAMP Tailored policy is as clear, effective, and implementable as possible; the Comment-a-Thon represented ongoing efforts to continue to build a true partnership between industry and government.

The Comment-a-Thon resulted in over 331 comments and reactions with regard to the Tailored policy and framework itself. Each of these suggestions will be carefully reviewed and addressed by the FedRAMP PMO during the coming days, and will result in an updated and improved policy. There were several issues that generated significant discussion during the session, including General Policy, PII, the criteria for determining if a cloud system qualifies for FedRAMP Tailored, attestation, and the authority section of the policy.

While the discussion surrounding some of the broader aspects of the policy was fruitful, the PMO is still looking for comments related to specific control requirements based on the discussions that we’ve had so far. We’re obviously interested in your feedback on all of the requirements, but here are a few examples of controls where we’d be interested to hear additional feedback:

Required Control: No. 28, IA-1 (1)

Required Control: No. 81, PS-3, Personnel Screening #82

Required Control: No. 88, RA-2, Security Categorization #81

This first round of public comment will remain open until 5pm on Monday, April 24th. If you’d like to make your voice heard, you can join the conversation at A second round of public comment will likely take place in June, so keep your eyes open for more opportunities to collaborate! We also hope to have the final baseline out for official use by the end of summer!
