U.S. flag

An official website of the United States government

Initial Outcome of RFC-0025 Retrospective on the Public Comment Process

NTC-0011 published at Wed, 27 May 2026 20:30:00 GMT // Markdown Version

FedRAMP’s Requests for Comment (RFC) process is designed to share potential guidance changes early to gather feedback before decisions are finalized. Unlike more traditional government comment processes, which can be lengthy and highly procedural, FedRAMP uses RFCs as a practical way to test ideas, refine guidance, and improve outcomes.

RFC-0025, opened on March 18, 2026, invited feedback on how FedRAMP has managed this new RFC process. The strongest theme in the responses was a request for more insight into how comments shape final guidance, and this Initial Outcome responds by outlining planned improvements to future RFCs while addressing key themes raised by commenters.

We’ve enjoyed reading and discussing all of your feedback during this time - during a busy RFC period we often spend hours arguing about the things you have written. FedRAMP is demonstrably better because of the RFC process and we want to encourage many more stakeholders to interact directly with us in the FedRAMP Community. We’re not quite there yet, but we’ll know when we’re successful when more people are actually commenting instead of just talking about RFCs on social media platforms!

Changes to Future RFCs

FedRAMP will make the following changes to our Request For Comments process based on this retrospective:

  1. Initial Outcomes will all include a “General Comment Themes” or similar section that summarizes key themes and how FedRAMP responded to those themes in shaping the outcome.
  2. In rare situations, the comment window may be extended past 30 days. Future RFCs will clarify that individual, partial comments about specific issues throughout the comment window are strongly preferred over large consolidated comments submitted at the end of the window.
  3. Open RFCs will be limited to a maximum of 3 simultaneous RFCs at any given time.
  4. A public comment form option will return, replacing the option to submit comments over email (except for federal agencies).

GitHub will continue to be our primary mechanism for interacting with the public in the FedRAMP Community. Stakeholders are strongly encouraged to participate in this forum.

General Comment Themes

This section contains additional optional insights and background on this RFC. It is information dense and does not add any critical information beyond that expressed earlier in this outcome. This section is intended for FedRAMP stakeholders who always request additional information to understand decisions and are willing to invest considerable time in reviewing additional context.

Sharing Insight on How Public Comment Shapes Outcomes

FedRAMP considers every public comment both individually and as part of the broader feedback received. Specific edits, such as clarifying language or correcting errors, may be incorporated directly. Broader themes are reviewed more carefully in light of the overall intent and purpose of the proposed guidance.

The most important factor for FedRAMP is the intent and purpose of the proposed guidance - this usually, but not always, remains unchanged by public comment. We do not intend to address comments about the intent or purpose a second time by reinforcing them during the outcome unless there is a considerable change to the intent or purpose during the outcome. (See Outcome from RFC-0019 Reporting Assessment Costs as an example of public comment overriding the original intent or purpose of an RFC)

We began sharing Initial Outcomes to help folks quickly understand the results of RFCs before things are integrated into larger documentation or policy updates, and intend to continue this process. We have avoided sharing explanations of why certain themes or comments were not incorporated but moving forward we will add a section similar to this one that addresses the major common themes with additional explanation of how they were handled.

Many commenters requested a detailed comment-by-comment disposition; this is not and will not be part of the formal FedRAMP public comment process due to the extensive burden and lack of utility for addressing every single statement in every single public comment. The public is welcome to engage FedRAMP in discussion in the FedRAMP Community about any topic and any time.

Length of the Public Comment Window

Many commenters brought up the 30 day default public comment window and raised concerns about the difficulty of reviewing, gathering, and creating detailed responses in that time frame; many requested longer time-frames.

The intent of FedRAMP’s RFC process is to generate rapid partial comments on specific issues; incredibly long consolidated responses, especially those from groups of cloud service providers, are not what FedRAMP is looking for. We consider all comments, but parsing through broad thematic comments representing many different sections with many different stakeholders is unnecessarily complex.

Our short comment windows are designed to incentivize early participation with partial comments, and commenters are strongly encouraged to supply separate comments for separate things. We prefer many different perspectives from individual members of the public or individual companies, and intentionally do not provide extra time for consolidation because that weakens the incentive for individual comments. Early and frequent participation encourages additional participation, allows commenters to respond to other commenters, and generally provides richer feedback.

In the future, FedRAMP will consider extending comment windows if a significant amount of proposed guidance is being adjusted at the same time. At the same time, FedRAMP will clarify that we expect early and frequent partial comment, and that commenters who provide large consolidated comments at the end of the window are not ideal.

Too Many RFCs at the Same Time!

Yup, fair.

This past year FedRAMP has been under intense pressure (mostly from you, the stakeholder community) to rapidly address long-standing issues with the FedRAMP process at high speed. Stakeholders were expected to invest considerable time in following FedRAMP and maintaining insight and awareness into these changes on purpose.

During the next year we expect most RFCs to be small or targeted around a specific theme, such as for the FedRAMP 20x Class D pilot. These RFCs will be targeted at folks who are ready and able to invest the time and effort necessary to keep up with FedRAMP. We will still post multiple RFCs at the same time so that folks can approach them together in context, but will limit them in the future to avoid “RFC bombs” of many simultaneous RFCs across a wide variety of subjects.

Anonymity and Accessibility for Commenting

Various commenters indicated a desire to comment anonymously, or expressed concerns about the accessibility of GitHub discussions for comments. The primary option to address this feedback would be for FedRAMP to move all RFCs to Regulations.gov, but that would significantly reduce the feeling of community and create a much higher barrier to entry. We expect that folks expressing concerns on the difficulty of using FedRAMP’s RFC process may not have seen the way most government programs are forced to handle this activity.

GitHub will continue to be our primary mechanism for collecting and displaying public comment, using a community-based modern platform that we are authorized to use, following a process that has been vetted and approved by our Office of General Counsel.

In the future, we will also create a public form that will allow anonymous comments. At the same time, we will stop accepting public comments sent via email or attached via documents (agencies will still be allowed to submit via email), so that we can automate the process of publicly sharing comments that are not submitted in GitHub.

Providing Extensive Context on each RFC

Several commenters asked for before-and-after comparisons, additional background, and broader context in future Requests for Comment. FedRAMP understands why that information can be helpful, especially for stakeholders who are newer to a topic or reviewing a proposal quickly.

At the same time, FedRAMP has found that very long Requests for Comment are harder to review and reduce participation. In many cases we have seen that additional background links and other information is entirely ignored by commenters as they dive into specific statements or write down feedback linearly without considering the entire context. For that reason, FedRAMP will continue aiming for shorter, clearer Requests for Comment that focus on the proposed change and the feedback needed from the community.

Publicizing New RFCs

A surprising number of commenters indicated that they were unaware of RFCs in process until late in the comment period.

FedRAMP announces RFCs through several channels, including email updates, social media, the FedRAMP website Changelog, the Changelog RSS feed, and Community Updates. We effectively saturate all of our official channels when an RFC is posted, but do not have an official way to reach stakeholders that are outside these official channels.

The best way to receive FedRAMP updates is to subscribe to the FedRAMP email list using the “Subscribe” button under “Keep Up to Date” at the bottom of the FedRAMP website. FedRAMP uses this list for meaningful updates and does not intend to overwhelm subscribers with unnecessary messages.

FedRAMP will continue using multiple announcement channels, but stakeholders who want to stay closely informed should subscribe to email updates, follow FedRAMP on social media, or subscribe to the Changelog RSS feed.