RFC-0011 FedRAMP Pilot Standard for Storing and Sharing Authorization Data

• Status:
• Created By: FedRAMP PMO
• Start Date: 2025-05-23
• Closing Date: 2025-06-22
• Short Name: rfc–0011-standard-for-storing-and-sharing

Where to Comment

• Discussion Forum: https://github.com/FedRAMP/rfcs/discussions/33
• Public Comment Form: https://forms.gle/sZtXKVYesB7GRpak7
• Email: pete@fedramp.gov with the subject “RFC-0011 Feedback”

Summary

The FedRAMP Standard for Storing and Sharing Authorization Data outlines requirements for cloud service providers who wish to self-host FedRAMP related authorization data and package materials within their own managed services. Providers who self-host this authorization data, including continuous monitoring materials, would not need to upload materials to the FedRAMP Secure Repository.

This standard will be accompanied by an optional pilot phase to allow FedRAMP, cloud service providers, and agencies to learn directly how to best implement this process. Requirements are likely to change based on feedback and learnings during the pilot. More information on the pilot will be provided separately at fedramp.gov. The pilot will be announced during June of 2025.

Motivation

FedRAMP has managed a centralized file repository that hosted most information about cloud service provider’s security plans for low and moderate FedRAMP authorizations in a single place for many years. The risks, complexity, and cost for managing a centralized repository is growing rapidly as FedRAMP scales past 400+ cloud services in the marketplace. This document-based sharing model must change so FedRAMP and cloud services can move increasingly towards relying on machine-readable information developed and shared via apis that facilitates automation.

Cloud service providers often provide trust centers or similar capabilities for commercial customers. These trust centers provide security information to potential and current customers, all controlled by the provider following standard commercial processes and procedures. These existing commercial practices should be reused to the greatest extent possible to ease the burden for both cloud service providers and agency customers.

This standard outlines the requirements that will underpin initial pilots for customer managed trust centers that include FedRAMP authorization data.

Explanation

The full draft standard is approximately 5 pages and is available for review in the following formats:

• Basic web formatting on fedramp.gov (below)
• Basic text markdown on GitHub
• PDF file: 0011-standard-for-storing-and-sharing.pdf
• Word file: 0011-standard-for-storing-and-sharing.docx

Discussion Requested

This draft standard is open for any public comment. FedRAMP encourages fast, informal comments from any member of the public. The public may submit multiple comments and may respond to other public comments. All comments from the public sent via email will be made public.

The FedRAMP Rev5 working group will continue to host discussions on potential best practices and implementation associated with this standard as well as related pilot activities.

---

RFC-0011 FedRAMP Pilot Standard for Storing and Sharing Authorization Data

Friday, May 23, 2025

---

Background

The FedRAMP Authorization Act (44 USC § 3609 (a) (8)) directs the Administrator of the General Services Administration to “provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies…” This responsibility is delegated to the FedRAMP Director.

Oxford Languages defines a mechanism as “a natural or established process by which something takes place or is brought about.”

OMB Memorandum M-24-15 on Modernizing FedRAMP section 6 states that “In general, to encourage both security and agility, Federal agencies should use the same infrastructure relied on by the rest of CSPs’ commercial customer base.”

Introduction

The FedRAMP Pilot Standard for Storing and Sharing Authorization Data defines requirements for cloud service providers to store and share authorization data with federal agencies using their existing commercial processes and trust centers. This standard provides a secure mechanism to enable better reuse of authorization data across agencies and to make all necessary information and data available to agencies.

This standard will initially be implemented as an opt-in pilot open to cloud service providers, allowing FedRAMP, providers, and agencies to learn directly how to best implement and adopt an effective shared responsibility model for storing and sharing authorization data. Providers who establish trust centers that meet these requirements, as verified by FedRAMP, will be exempted from FedRAMP requirements to share materials via the FedRAMP Secure Repository on the USDA Connect Community Portal or existing secure repositories. Please note that explicit requirements during the pilot may vary slightly from the draft standard.

Cloud service providers MAY continue to rely on the FedRAMP secure repository they currently use for sharing information with agencies during the pilot and any following transition period. Providers SHOULD monitor the pilot as the existing FedRAMP Secure Repository and related mechanisms will likely be replaced with this model during FY26 (or earlier).

FedRAMP Trust Center Requirements

Cloud service providers SHOULD establish a trust center or similar centralized location to make security information and materials (“authorization data”) available to stakeholders.

1. The FedRAMP trust center MUST be highly visible on a provider’s core website and MUST clearly state that it includes FedRAMP related materials. The FedRAMP related section SHOULD be available via a direct link that can be included in the FedRAMP marketplace.

2. The FedRAMP trust center MUST publicly share the following information about the cloud service offering:

   1. Direct link to the FedRAMP Marketplace for the offering

   2. Description of the services offered within the FedRAMP authorization scope

   3. Information for requesting access to non-public FedRAMP materials

3. The FedRAMP trust center MUST store additional information about the cloud service offering. This information MAY be available to the public based on a risk assessment by the cloud service provider, and MUST be available to federal agencies upon request, including:

   1. Security Plans and Appendices

   2. Assessments and Authorizations, including supporting artifacts

   3. Continuous Monitoring reporting/documentation and supporting artifacts

   4. Plan Of Action And Milestones (POA\&M)

   5. Significant Change Notifications (SCN)

   6. Incident Reports

   7. Listing of other FedRAMP authorized services being leveraged

   8. Any other authorization data required by FedRAMP

4. The FedRAMP trust center MUST provide a well-documented API or similar machine access to authorization data for federal agencies.

5. Providers MUST make authorization data available in both human-readable and machine-readable formats.

6. Providers migrating from the FedRAMP Secure Repository on the USDA Connect Community Portal MUST provide migration information for agencies in their secure folder.

7. Providers SHOULD follow FedRAMP’s best practices and technical assistance on storing and sharing authorization data where applicable.

Provider Access Responsibilities

Cloud service providers are entirely responsible for the intellectual property stored in their FedRAMP trust centers and MUST manage all access to the authorization data stored in their trust centers.

1. Providers MUST publicly provide plain-language policies and guidance for federal government customers to follow to obtain and manage access to authorization data stored by the cloud service provider.

2. Providers MUST grant FedRAMP full access to all authorization data. This MUST include reasonable API access and a secure mechanism to routinely manage API credentials.

3. Providers MUST grant agency authorizing officials (and/or their delegates) full access to all authorization data if they have active customer agreements or indirectly use the service. This MUST include reasonable API access and a secure mechanism to routinely manage API credentials.

4. Providers SHOULD NOT store federal information that is within the FedRAMP Minimum Assessment Scope within the trust center; providers MUST limit access to such information according to the owner of that federal information.

5. Providers SHOULD include standard mechanisms that allow customers to manage authorization data access for their users and services directly; these mechanisms SHOULD be the same that customers use to manage access to other aspects of the cloud service offering.

6. Providers SHOULD grant agency Authorizing Officials and/or their delegates without an active customer agreement temporary full access to all authorization data as appropriate if an agency is directly or indirectly considering use of the system.

7. Providers SHOULD follow FedRAMP best practices and technical assistance related to storing and sharing authorization data as appropriate.

Agency Request Responsibilities

Agencies SHOULD use native mechanisms provided by cloud service offerings to manage their own user and/or service access to authorization data.

If such mechanisms are unavailable, agencies SHOULD follow the request process identified in the FedRAMP Marketplace for a specific cloud service offering to request access to authorization data for review.

In all cases:

1. Agencies MUST limit access of employees and services to non-public authorization data to employees and services with an explicit need for access.

2. Agencies MUST limit distribution of non-public authorization data to that required for agency operations and delete data after it is no longer needed.

3. Agencies SHOULD follow FedRAMP best practices and technical assistance related to storing and sharing authorization data as appropriate.