Six major FedRAMP Requests for Comment (RFCs) were released at the same time, signaling one of the biggest shifts in federal cloud compliance in years. Together, these proposals outline the next phase of FedRAMP modernization and the transition toward automation, continuous validation, cost transparency, and a more open and competitive marketplace.
In this episode of Behind the Shield, Jason, Mike, and Tanner break down all six RFCs and explain what they mean for cloud service providers, assessors, advisors, and federal agencies. The team connects the dots across the proposals, shares real-world perspectives from working with FedRAMP customers, and explains what organizations should be doing now while the public comment period is still open.
What we cover
RFC-0019 – Assessment Cost Reporting
FedRAMP plans to require reporting of independent assessment and ongoing authorization costs. We discuss why the PMO wants cost transparency, potential penalties for non-reporting, how this may drive competition and reduce costs, and what currently authorized providers should prepare for in upcoming assessments.
RFC-0020 – New Authorization Designations
FedRAMP is shifting terminology to new certification and validation designations. We cover certified vs validated paths, the move to numbered levels, how this reduces confusion around “ATO vs FedRAMP authorization,” and how the changes align with the long-term transition away from Rev. 5 toward FedRAMP 20x.
RFC-0021 – Expanding the FedRAMP Marketplace
The marketplace is evolving into a true procurement and discovery platform. Topics include publishing pricing structures, trust center requirements, advisor and assessor listings, and the new “Preparation” stage that allows CSPs to signal intent and progress earlier in their journey.
RFC-0022 – Leveraging External Frameworks
A new pathway allows CSPs to use existing certifications such as SOC 2, ISO, CMMC, and StateRAMP to achieve validated Level 1. This reduces duplicate compliance work, accelerates entry into the federal market, and helps solve the long-standing sponsorship chicken-and-egg problem.
RFC-0023 – Program Certification Without a Sponsor
A temporary sponsor-less pathway for Rev. 5 authorization could help organizations that lost sponsors or stalled in the pipeline. We explain who qualifies, key deadlines, and how this could reshape the near-term FedRAMP authorization pipeline.
RFC-0024 – Machine-Readable Authorization Packages
FedRAMP is moving toward machine-readable packages and automation. We discuss OSCAL, AI-ready authorization data, automated SSP generation, and the broader impact across FedRAMP, FISMA, and DoD authorization processes.
These RFCs collectively signal a major shift toward faster authorizations, lower barriers to entry, greater transparency, and continuous validation. If you are pursuing FedRAMP or already operating in the federal cloud, this episode will help you understand what is changing, what to watch closely, and how to respond before the RFC comment deadlines.
Like and subscribe to stay up to date on FedRAMP, cloud security, and compliance trends.
0:00 Six FedRAMP RFCs Just Dropped… Why This Matters
1:06 The Big Picture: FedRAMP’s Final Vision
5:35 RFC-0019: FedRAMP Will Track Assessment Costs
13:57 Action Required: New Reporting Starts Soon
16:36 RFC-0020: FedRAMP Is Renaming Authorization
21:45 Certified vs Validated Explained
30:25 FedRAMP Marketplace Becomes a Real Marketplace
30:42 RFC-0021: Expanding the FedRAMP Marketplace
35:32 The New Preparation Stage Changes Everything
44:00 RFC-0022: Use SOC 2 and ISO to Get FedRAMP Faster
44:13 RFC-0022: Leveraging External Frameworks
49:55 Solving the FedRAMP Chicken-and-Egg Problem
53:11 RFC-0023: FedRAMP Without an Agency Sponsor
59:19 Limited-Time Certification Path and Deadlines
1:01:52 RFC-0024: Machine-Readable FedRAMP Packages
1:06:05 Impact Beyond FedRAMP and Into DoD
1:10:03 Final Thoughts and How to Comment on the RFCs
Comment on Each RFC:
RFC-0019: https://github.com/FedRAMP/community/...
RFC-0020: https://github.com/FedRAMP/community/...
RFC-0021: https://github.com/FedRAMP/community/...
RFC-0022: https://github.com/FedRAMP/community/...
RFC-0023: https://github.com/FedRAMP/community/...
RFC-0024: https://github.com/FedRAMP/community/...
🔔 Subscribe for more insights on FedRAMP, cloud security, and compliance.
Read the blog here: https://infusionpoints.com/blogs/six-...