RFC-0019 Reporting Assessment Costs
Summary
This RFC outlines a new cost reporting requirement for FedRAMP recognized independent assessors (aka Third-Party Assessment Organizations/3PAOs) and cloud service providers, how this data will be managed, and related corrective actions for those who fail to supply it as required.
Motivation
The FedRAMP Authorization Act requires FedRAMP to regularly review the costs associated with independent assessment services related to the FedRAMP process. Traditionally these services are contracted directly between cloud service providers and FedRAMP recognized independent assessors such that FedRAMP has no insight into these costs. This must be corrected to meet FedRAMP’s statutory requirements and to understand the impact of ongoing changes to the FedRAMP assessment process.
FedRAMP acknowledges that this information may be considered sensitive for cloud service providers and independent assessors; understanding the potential impact of collecting, reviewing, and sharing this information is a critical aspect of public comment for this updated guidance.
Rev5 Security Assessment Report (SAR) Costs Appendix
A new Rev5 Security Assessment Report (SAR) Appendix will be created for cloud service providers to submit information about the cost of their assessment services. This Cost Appendix will include fields for at least:
- Total cost for initial assessment
- Total hours of effort for assessment services for initial assessment (estimated if necessary - please specify)
- Beginning and end dates of the initial assessment
- Total cost for each annual assessment
- Total hours of effort for assessment services for each annual assessment (estimated if necessary - please specify)
- Beginning and end dates of the annual assessment
- Total costs for FedRAMP-related ongoing assessment services between annual assessments
- Total hours of effort for FedRAMP-related ongoing assessment services between annual assessments (estimated if necessary - please specify)
Proposed Rev5 Requirements for Reporting Assessment Costs
Note: This RFC contains separate requirements for Rev5 and 20x that are structured differently. This section applies only for Rev5 Certifications and uses the LAC (Legacy Assessment Costs) designation.
The following requirements for reporting assessment costs apply to ALL cloud service offerings that obtain and maintain FedRAMP Certification.
This process will have an effective date of 1AM ET on March 25, 2026 (tentatively).
LAC-FRX-IDS Identified Data Sharing
FedRAMP MUST NOT share any identified cost data collected under this process with members of the public OR within the federal government UNLESS necessary to meet a legal requirement.
Note: This means that the name of the cloud service provider or FedRAMP recognized independent assessor will not be shared unless legally required, and FedRAMP will otherwise take steps to prevent re-identification of de-identified cost data when sharing it.
LAC-GEN-IAC Initial Authorization Costs
Providers MUST submit a complete Security Assessment Report Costs Appendix directly to FedRAMP during initial authorization.
Note: Instructions for submission will be formalized prior to this requirement taking effect, but FedRAMP will generally plan to accept any reasonable secure sharing mechanism.
Corrective Action: Failure to meet this requirement will result in denial of authorization and a 3-month resubmission penalty.
LAC-GEN-OAC Ongoing Assessment Costs
Providers MUST submit a complete Security Assessment Report Costs Appendix directly to FedRAMP during each annual assessment.
Note: Instructions for submission will be formalized prior to this requirement taking effect, but FedRAMP will generally plan to accept any reasonable secure sharing mechanism.
Corrective Action: Failure to meet this requirement will result in public notification with a grace period of 3 months, followed by revocation of FedRAMP Certification for at least 6 months.
LAC-GEN-HAC Historical Assessment Costs
Providers MUST include historical assessment costs dating back to the initial authorization of the cloud service offering; data submitted for assessments prior to this process taking effect may be estimated and limited to total costs per year.
Note: This requirement applies only when submitting the next annual assessment after the effective date.
Corrective Action: Failure to meet this requirement will result in public notification with a grace period of 3 months, followed by revocation of FedRAMP Certification for at least 6 months.
LAC-GEN-ASA Assessor Signed Attestation
Providers MUST submit a signed attestation from their independent assessor confirming that the information submitted per LAC-GEN-IAC and LAC-GEN-OAC is accurate.
Note: In the event of a dispute between the cloud service provider and the independent assessor related to these requirements, corrective action will be paused until the dispute is resolved or alternative corrective action is taken (appropriate to the circumstances).
Corrective Action: Failure to meet this requirement will result in public notification against the assessor with a grace period of 3 months, followed by revocation of FedRAMP recognition for at least 6 months.
Proposed 20x Requirements for Reporting Assessment Costs
Note: This RFC contains separate requirements for Rev5 and 20x that are structured differently. This section applies only for 20x Validations and will be integrated into the Persistent Validation and Assessment process for FedRAMP 20x.
This process will be effective for all 20x Phase 2 pilot participants and future FedRAMP 20x Validations. The Persistent Validation and Assessment process will be amended as follows:
PVA-GEN-IAC Initial Assessment Costs
Providers MUST share summary information with FedRAMP regarding the costs of assessment services for Initial FedRAMP Assessment, broken out by independent assessment company (if applicable), including at least:
- Total cost of assessment services related to Initial FedRAMP Assessment
- Total hours of effort for assessment services related to Initial FedRAMP Assessment
- Beginning and end dates of Initial FedRAMP Assessment (estimated if necessary)
Corrective Action: Failure to meet this requirement will result in a denial of FedRAMP Validation and a 3-month resubmission penalty.
PVA-GEN-OAC Ongoing Assessment Costs
Providers MUST share summary information with FedRAMP regarding the costs of ongoing assessment services, broken out by independent assessment company (if applicable), updated at least every six months, including at least:
- Total cost of assessment services during Persistent Validation (after initial FedRAMP Validation)
- Total hours of effort for assessment services during Persistent Validation (after initial FedRAMP Validation)
- Beginning and end dates for the period covered
Note: In the event of a dispute between the cloud service provider and the independent assessor related to these requirements, corrective action will be paused until the dispute is resolved or alternative corrective action is taken (appropriate to the circumstances).
Corrective Action: Failure to meet this requirement will result in public notification with a grace period of 3 months, followed by revocation of FedRAMP Validation for at least 6 months.
PVA-GEN-IDS Identified Data Sharing
FedRAMP MUST NOT share any identified cost data collected under this process with members of the public OR within the federal government UNLESS necessary to meet a legal requirement.
Note: This means that the name of the cloud service provider or FedRAMP recognized independent assessor will not be shared unless legally required, and FedRAMP will otherwise take steps to prevent re-identification of de-identified cost data when sharing it.