Requests for Comment

RFC-0025 Retrospective on the Public Comment Process

Summary

This Request for Comment (RFC) asks FedRAMP stakeholders to share their experiences with our public comment process over the past year to ensure we can continuously improve the stakeholder experience. FedRAMP has some specific areas of interest but the public is encouraged to share all thoughts.

FedRAMP is subject to strict limitations on this process such that many good ideas from the public for a more engaging or interactive process are unfortunately not on the table; it is still worth our time to hear your thoughts even if we may not be able to implement many suggested improvements.

Background & Authority

This RFC marks the 25th time FedRAMP has requested public comment on proposals and guidance since RFC-0001 (A New Comment Process for FedRAMP) was closed on April 2, 2025. This is an appropriate milestone to revisit this process in a retrospective that encourages the public to share their experiences of participating in this process with us.

FedRAMP has worked hard over the past year to clear traditional bureaucratic hurdles for government interaction with the FedRAMP community but is still limited by many existing laws and rules that govern these interactions. Much of our ability to engage the community is enabled by explicit authorities and responsibilities for FedRAMP that we have to reconcile with the broader laws and rules (such as the Administrative Procedure Act):

The Administrator shall: … (6) establish and maintain a public comment process for proposed guidance and other FedRAMP directives that may have a direct impact on cloud service providers and agencies before the issuance of such guidance or other FedRAMP directives;

44 USC § 3609 (a) (6) // The FedRAMP Authorization Act

To further the program’s goals, GSA and the FedRAMP Board should engage with industry, through the Federal Secure Cloud Advisory Committee (FSCAC) and other mechanisms as appropriate, to maintain a current understanding of industry technologies and practices, to understand where FedRAMP could improve its policies or operations, and to otherwise build a strong working relationship between the commercial cloud sector and the Federal community.

OMB Memorandum M-24-15, Section VIII Industry Engagement

All historical RFCs following this mechanism are available publicly along with the outcome from each RFC at our FedRAMP RFC page. FedRAMP has received 500+ comments on RFCs published to date.

Motivation

This feedback cycle has enabled critical changes during the process of developing guidance and directives, from small wording changes and clarifications, to proposed updates being reworked or scrapped entirely. Maintaining an effective process with high participation from those inside and outside the FedRAMP community is critical. We want to do what we can to improve and grow our public comment process within the constraints of existing rules and regulations.

Our core limitations include:

  1. The comment period must be at least 30 days.

  2. FedRAMP cannot influence public comment by responding to public comments while the comment period is open.

  3. The opportunity to comment must be open to any member of the public.

  4. FedRAMP must consider all public comments equally, whether they are submitted by a large trade organization, a well-known cloud service provider, or a random individual.

  5. All comments from the public must be publicly available.

Thankfully, we were not required to use the Federal Register - it does not provide a very good experience nor allow for discussion between commenters. We tried a few different approaches in 2023 and 2024 before settling on the current approach:

  1. RFCs are published on the web at https://fedramp.gov/rfcs so that anyone can find and see them easily.

  2. Primary comment and discussion is available via GitHub discussions in the FedRAMP Community due to its accessibility to the public and the fact that it is an authorized service for use by GSA.

  3. Commenters who are not able to use GitHub may email the FedRAMP Director with their comment directly; comments received this way are then posted publicly to the GitHub discussions in the FedRAMP Community on the commenters' behalf by FedRAMP.

Initially, this approach also included a public form where comments could be submitted, but this form was rarely used by commenters and required additional maintenance so it was retired after RFC-0018.

Retrospective Questions

FedRAMP would like to hear anything and everything that stakeholders would like to share regarding our public comment process. Some questions to spark initial comment include:

  • Some stakeholders have indicated that they do not participate in public comment because they do not want their customers or partners to see what they think. What can FedRAMP do to mitigate this and encourage all stakeholders to participate?

  • GitHub and email make anonymous posting difficult; should FedRAMP pursue additional anonymous options?

  • How do you typically discover new FedRAMP RFCs? What can FedRAMP do to improve notifications to the community when new RFCs are posted?

  • Is the 30-day comment period sufficient for you to internalize the proposal and coordinate a response?

  • Have you used the separate “General Discussion / Q&A” threads for informal questions and discussion? Is the distinction between general discussion and public comment clear?

  • Do you feel that your comments are genuinely considered by FedRAMP, even if the final policy doesn’t change exactly as you requested?

  • Do the outcome summaries after an RFC, especially the recent notices on Initial Outcomes, sufficiently explain why certain feedback was or wasn’t incorporated?