An official website of the United States government

Outcome from RFC-0019 Reporting Assessment Costs

NTC-0002 published at Wed, 18 Feb 2026 17:01:00 GMT


The proposed rules from RFC-0019 Reporting Assessment Costs will not be finalized or implemented by FedRAMP.

Cloud service providers and FedRAMP-recognized independent assessment services will not be required to report information to FedRAMP regarding the expenses incurred for any assessment at this time. This determination may be reconsidered in the future; however, a new public comment period would be required.

Explanation

On January 13, 2026, FedRAMP proposed reporting requirements to gather assessment costs in RFC-0019 to help address the statutory responsibility in 44 USC § 3609 (a) (10) (A) to “regularly review, in consultation with the FedRAMP Board … the costs associated with independent assessment services…”

RFC-0019 generated more public comments than many previous FedRAMP RFCs, with 30 distinct commenters supplying 48 comments on the proposed requirements. FedRAMP appreciates the many carefully considered comments that addressed the underlying potential impact to industry and the associated concerns for companies. This notice summarizes and explains the outcome from RFC-0019 Reporting Assessment Costs.

The primary theme FedRAMP identified in public comments was that collecting this information would impose a burden on cloud service providers that was not relevant to the assessment and authorization of cloud computing services. Assessment costs are paid by cloud service providers as part of a commercial agreement with an assessment organization that does not involve the government; therefore, FedRAMP would be collecting proprietary business information. Some commenters even indicated that companies might choose to deliberately obfuscate or falsify their assessment cost reporting to protect themselves.

A critical secondary theme was that the cost paid by any particular cloud service provider for an assessment would only be relevant to the experience of that specific provider due to the wide variance in scope and complexity across providers. Commenters indicated that these costs could not and should not be compared across providers.

Overall, public comments have made it clear that implementing the proposed requirements would create a significant problem for some companies, which might choose to reject them, would likely create significant problems for FedRAMP in oversight and management of the information, and might cause a slew of other issues due to the perception that, effectively, this is none of FedRAMP’s business and that the cost of services between private-sector entities should be left to private-sector entities to negotiate.

FedRAMP concurs with the public that requiring businesses to report on the costs of assessment services for FedRAMP-related assessment is unreasonable. As a result, FedRAMP will not implement these requirements and will only be able to rely on limited publicly available information to review the cost of assessment services.