RFC-0021 Expanding the FedRAMP Marketplace
Summary
This RFC proposes expanding the FedRAMP Marketplace to better serve the entire FedRAMP community by changing the following:
- Cloud service providers will be able to list a cloud service offering while Preparing to obtain a FedRAMP Certification or Validation.
- All cloud service providers will be required to share general pricing information.
- Advisory companies that provide FedRAMP-related advisory and consulting services will be able to be listed as such by sharing some information including pricing structure.
- FedRAMP-recognized independent assessors will be required to provide additional information including pricing structure.
- FedRAMP will strive to meet time targets for certain activities that map to GSA’s FY26 Strategic Plan.
- FedRAMP will transparently publish detailed information about Marketplace-related activities.
This RFC is aligned with other concurrent RFCs that have additional detail on specific topics but have been published separately to encourage topic-specific comments:
- RFC-0020: FedRAMP Authorization Designations
- RFC-0022: Leveraging External Frameworks
- RFC-0023: Sponsorless Rev5 Certifications
Motivation
The FedRAMP Marketplace currently shows a small snapshot of the entire FedRAMP-related ecosystem, with cloud service providers needing to be close to the end of their FedRAMP journey to be listed while advisory services are completely ignored. This makes it difficult for agencies to understand the potential early progress of cloud service providers while making it unnecessarily confusing for cloud service providers trying to find help implementing FedRAMP.
Every month companies publicly announce with great fanfare that they are establishing programs to pursue FedRAMP Certification or Validation… then the rest of us hear very little about their progress. Often agencies reach out to FedRAMP to ask for the status of a company that made an announcement many months ago and frequently that company didn’t even tell FedRAMP about their plans! Creating a formal process with a low barrier to entry that allows companies serious about FedRAMP to indicate this on the FedRAMP Marketplace and to keep interested potential customers up to date is a strong win for everyone.
Adding an option for advisory services to be listed directly will similarly address a frequent request from industry - FedRAMP can’t recommend specific vendors or services, but we can at least ensure that everyone who takes FedRAMP advisory seriously is listed in a central Marketplace to help industry move faster.
FedRAMP Marketplace Listings (MPL) Process
The following requirements and recommendations apply to any cloud service offering listed in the FedRAMP Marketplace:
MKT-FRX-TRT Target Response Time in General
FedRAMP SHOULD complete the initial review, determination, and appropriate action within 14 days of receiving a qualifying request for the following:
- Submission for Preparation listing
- Submission for FedRAMP Validated Level 1
- Submission of Agency Authorization in Process
- Submission of a Prioritization request
Notes:
- Denial due to an incomplete, insufficient, or non-qualifying request will reset this time counter.
- The 14 day action window is a target, not a formal agreement; FedRAMP’s ability to meet this window will depend on demand and staffing.
MKT-FRX-TAT Target Authorization Time
FedRAMP SHOULD complete its assessment and Certification or Validation process within 30 days of receiving a qualifying submission package; however, any cloud service offering that receives a denial decision due to an incomplete or insufficient package will receive a 1 month penalty for resubmission.
Notes:
- The FedRAMP authorization process can end in a positive or negative authorization decision.
- A 1 month penalty means FedRAMP will close the application as “denied” and will wait 3 months before considering a follow-up application.
- The 1 month penalty is to offset the expense in both time and resources of a government-funded review by FedRAMP and ensure that cloud service providers do not take advantage of government-funded review by repeatedly submitting incomplete materials for feedback from FedRAMP.
- The 30 day authorization window is a target, not a formal agreement; FedRAMP’s ability to meet this window will depend on demand and staffing.
MKT-FRX-SUM Summary of Authorization Decision
FedRAMP MUST include a review summary with any authorization decision that explains why the decision was made; in the event of a denial the review summary MUST include an explanation of the deficiencies that led to the denial.
Note: This review summary, regardless of the decision outcome, may be available for agency review but will not be shared publicly by FedRAMP except to comply with legal requirements.
MKT-FRX-PAD Publishing Activity Data
FedRAMP MUST publish activity data showing the status of all non-sensitive Marketplace-related activities, including historical time and results; this data will be loosely de-identified by providing a unique ID to the requestor and sharing this unique ID publicly in place of the cloud service provider name.
Notes:
- This is most likely to be limited data showing what was requested, when, and what the current status is for open activities. For closed activities it will include the time but probably will not include the outcome.
- It may be possible to perform de-identification reversal of some records using other public information such as the marketplace status, but all Marketplace activity data should generally be non-sensitive as it is requesting a change to public information.
MKT-GEN-SOF Scope of FedRAMP
Providers MUST demonstrate that a cloud service offering is intended for one of the following use cases to be listed in the FedRAMP Marketplace:
- Direct Use: The product will be used directly by agency customers for integration into a federal information system that falls within the scope of 44 USC § 3506 and will receive an agency Authorization to Operate.
- Indirect Use: The product will be included as a third-party information resource in other cloud service offerings that are directly used by agency customers.
Note: FedRAMP will not list products or services that are outside the explicit statutory scope of FedRAMP; services used by private companies to meet other compliance requirements (such as CMMC) that do not also meet one of the above use cases are outside the scope of FedRAMP.
MKT-GEN-DOD Demonstration of Ongoing Demand
Providers MUST demonstrate ongoing demand and utility by including the following additional information as part of each Ongoing Authorization Report as required by FRR-CCM-01:
- A list of all agencies that are directly using the product
- A list of all agencies that have requested access to authorization data, covering the period since the previous Ongoing Authorization Report
Note: Classified and national security systems are outside the scope of FedRAMP; such use does not need to be disclosed to FedRAMP.
MKT-GEN-SPI Service Pricing Information
Providers MUST include general pricing information for the cloud service offering (or links to existing public pricing information) in their Marketplace data; this general pricing information should include the general price for services offered to agencies and to other customers if applicable.
Note: Cloud service providers use many different pricing strategies for their services; this requirement is for the convenience of potential customers so providers are expected to identify the most effective way to meet this requirement for their own cloud service.
Effective Date: August 26, 2026
Corrective Action: Failure to meet this requirement will result in public notification and place the cloud service offering into indefinite Remediation until the requirement is addressed (but it will not be removed from the Marketplace or have Certification or Validation revoked).
MKT-GEN-PKO Pick One: 20x or Rev5
Providers MUST NOT request both a FedRAMP Program Certification (Rev5) and a FedRAMP Validation (20x); providers need to pick one to implement.
Notes:
- This requirement ensures that FedRAMP and other government entities are not wasting time, resources, and funding to support multiple options for the same cloud service provider.
- A path for Rev5 Certified cloud service offerings to transition to 20x Validated will be available in the future.
Cloud Service Offerings in the Preparation State
The following requirements and recommendations also apply to ALL cloud service offerings listed in the Preparation state.
MKT-PRE-SUR Subset of Requirements
Providers MUST implement at least a subset of either the FedRAMP 20x or related Rev5 Balance Improvement Release processes as follows:
- Authorization Data Sharing: FRR-ADS-01 through FRR-ADS-02
- Collaborative Continuous Monitoring: FRR-CCM-01 through FRR-CCM-07
MKT-PRE-DCP Demonstrating Continuous Progress
Providers MUST demonstrate continuous progress towards a complete FedRAMP 20x Validation and agency adoption, documented in their quarterly Ongoing Authorization Reports.
Note: These reports are explained in the Collaborative Continuous Monitoring process, i.e. FRR-CCM-01 Ongoing Authorization Reports.
MKT-PRE-DLA Deadline for Authorization
Providers MUST meet the requirements for FedRAMP Certified or FedRAMP Validated within 12 months of initial listing in the Preparation phase.
Corrective Actions: Failure to meet this requirement will result in removal from the Marketplace for a minimum period of 6 months.
Advisory Services Listings
The following requirements and recommendations apply to all advisory services listed in the Marketplace.
MKT-ADV-WEB Website Requirements
Advisors MUST have an appropriate web site that publicly shows at least the following in consistent machine-readable and human-readable formats:
- Types of consulting services offered, including a clear pricing structure.
- General description of the consulting service.
- Contact information.
- Current Client(s) with link to the cloud service offering in the Marketplace (if applicable, desired, and approved by the client).
- Previous Client(s) with link to the cloud service offering in the Marketplace (if applicable, desired, and approved by the client).
- Any related information.
Notes:
- Comments or suggestions for additional details that advisory services should provide so that FedRAMP can include them in the Marketplace listing would be appreciated; expect this requirement to expand with additional information after public comment. (Sorry, FedRAMP will not be able to host reviews of advisory services.)
- FedRAMP will publish a JSON Schema for the required machine-readable data.
MKT-ADV-ATT Attestation Requirements
Advisors MUST publicly maintain positive attestations from at least 3 cloud service providers that have used the consultant within the past 12 months and include them with the information required by MKT-ADV-WEB.
Note: These attestations must always be current; that is, on any particular date there must be 3 attestations dated within the past 12 months.
Corrective Action: Failure to meet this requirement will result in public notification and a grace period of 3 months, followed by removal from the Marketplace for a minimum of 6 months.
MKT-ADV-ACI Attestant Contact Information
Advisors MUST supply contact information (of the cloud service provider) to FedRAMP for the public attestations in MKT-ADV-ATT for verification as needed.
MKT-ADV-SWS Separate Web Site for Other Listings
Advisors MAY also maintain a FedRAMP-recognized independent assessor listing if applicable but should use separate web pages to avoid confusion.
Note: For example, company.com/consulting and company.com/assessment
FedRAMP-Recognized Independent Assessor Listings
The following requirements and recommendations apply to all FedRAMP-recognized independent assessors listed in the Marketplace; the final form of these requirements is expected to take effect on May 26, 2026.
MKT-RIA-WEB Website Requirements
Assessors MUST have an appropriate web site that publicly shows at least the following information in consistent machine-readable and human-readable formats:
- Types of assessment services offered, including a clear pricing structure.
- General description of the independent assessor.
- Contact information.
- Current Client(s) with link to the cloud service offering in the Marketplace (if applicable, desired, and approved by the client).
- Previous Client(s) with link to the cloud service offering in the Marketplace (if applicable, desired, and approved by the client).
- Any related information.
Notes:
- Comments or suggestions for additional details that independent assessors should provide so that FedRAMP can include them in the Marketplace listing would be appreciated; expect this requirement to expand with additional information after public comment. (Sorry, FedRAMP will not be able to host reviews of independent assessors.)
- FedRAMP will publish a JSON Schema for the required machine-readable data.
MKT-RIA-ATT Attestation Requirements
Assessors MUST publicly maintain positive attestations from at least 3 FedRAMP Certified or FedRAMP Validated cloud service offerings that have used the assessor within the past 24 months and include them with the information required by MKT-RIA-WEB.
Notes:
- These attestations must always be current; that is, on any particular date there must be 3 attestations dated within the past 24 months.
- FedRAMP-recognized independent assessors that do not actually perform independent assessments will be removed from the Marketplace to avoid confusion.
Corrective Action: Newly FedRAMP-recognized independent assessors have an automatic grace period of 24 months from the date of initial recognition to meet this requirement without any corrective action; failure to meet these requirements after this period will result in public notification and a grace period of 6 months, followed by FedRAMP recognition being withdrawn for a minimum of 6 months.