RFC-0019: Reporting Assessment Costs

[pete-gov]

RFC-0019 Reporting Assessment Costs

Status: Closed
Start Date: January 13, 2026
Closing Date: February 12, 2026

The outcome from this RFC can be seen here: https://www.fedramp.gov/notices/0002/

Summary

This RFC outlines a new cost reporting requirement for FedRAMP recognized independent assessors (aka Third-Party Assessment Organizations/3PAOs) and cloud service providers, how this data will be managed, and related corrective actions for those who fail to supply it as required.

Motivation

The FedRAMP Authorization Act requires FedRAMP to regularly review the costs associated with independent assessment services related to the FedRAMP process. Traditionally these services are contracted directly between cloud service providers and FedRAMP recognized independent assessors such that FedRAMP has no insight into these costs. This must be corrected to meet FedRAMP’s statutory requirements and to understand the impact of ongoing changes to the FedRAMP assessment process.

FedRAMP acknowledges that this information may be considered sensitive for cloud service providers and independent assessors; understanding the potential impact of collecting, reviewing, and sharing this information is a critical aspect of public comment for this updated guidance.

Rev5 Security Assessment Report (SAR) Costs Appendix

A new Rev5 Security Assessment Report (SAR) Appendix will be created for cloud service providers to submit information about the cost of their assessment services. This Cost Appendix will include fields for at least:

1. Total cost for initial assessment
2. Total hours of effort for assessment services for initial assessment (estimated if necessary - please specify)
3. Beginning and end dates of the initial assessment
4. Total cost for each annual assessment
5. Total hours of effort for assessment services for each annual assessment (estimated if necessary - please specify)
6. Beginning and end dates of the annual assessment
7. Total costs for FedRAMP-related ongoing assessment services between annual assessment
8. Total hours of effort for FedRAMP-related ongoing assessment services between annual assessment (estimated if necessary - please specify)

Proposed Rev5 Requirements for Reporting Assessment Costs

Note: This RFC contains separate requirements for Rev5 and 20x that are structured differently. This section applies only for Rev5 Certifications and uses the LAC (Legacy Assessment Costs) designation.

The following requirements for reporting assessment costs apply to ALL cloud service offerings that obtain and maintain FedRAMP Certification.

This process will have an effective date of 1AM ET on March 25, 2026 (tentatively).

LAC-FRX-IDS Identified Data Sharing

FedRAMP MUST NOT share any identified cost data collected under this process with members of the public OR within the federal government UNLESS necessary to meet a legal requirement.

Note: This means that the name of the cloud service provider or FedRAMP recognized independent assessor will not be shared unless legally required, and FedRAMP will otherwise take steps to avoid de-identification reversal when sharing cost data.

LAC-GEN-IAC Initial Authorization Costs

Providers MUST submit a complete Security Assessment Report Costs Appendix directly to FedRAMP during initial authorization.

Note: Instructions for submission will be formalized prior to this requirement taking effect but FedRAMP will generally plan to accept any sort of reasonable secure sharing mechanism.

Corrective Action: Failure to meet this requirement will result in denial of authorization and a 3 month resubmission penalty.

LAC-GEN-OAC Ongoing Assessment Costs

Providers MUST submit a complete Security Assessment Report Costs Appendix directly to FedRAMP during each annual assessment.

Note: Instructions for submission will be formalized prior to this requirement taking effect but FedRAMP will generally plan to accept any sort of reasonable secure sharing mechanism.

Corrective Action: Failure to meet this requirement will result in public notification with a grace period of 3 months, followed by revocation of FedRAMP Certification for at least 6 months.

LAC-GEN-HAC Historical Assessment Costs

Providers MUST include historical assessment costs dating back to the initial authorization of the cloud service offering; data submitted for assessments prior to this process taking effect may be estimated and limited to total costs per year.

Note: This requirement applies only when submitting the next annual assessment after the effective date.

Corrective Action: Failure to meet this requirement will result in public notification with a grace period of 3 months, followed by revocation of FedRAMP Certification for at least 6 months.

LAC-GEN-ASA Assessor Signed Attestation

Providers MUST submit a signed attestation from their independent assessor that confirms the information submitted per LAC-GEN-IAC and LAC-GEN-OAC are accurate.

Note: In the event of a dispute between the cloud service provider and the independent assessor related to these requirements, corrective action will be paused until the dispute is resolved or alternative corrective action is taken (appropriate to the circumstances).

Corrective Action: Failure to meet this requirement will result in public notification against the assessor with a grace period of 3 months, followed by revocation of FedRAMP recognition for at least 6 months.

Proposed 20x Requirements for Reporting Assessment Costs:

Note: This RFC contains separate requirements for Rev5 and 20x that are structured differently. This section applies only for 20x Validations and will be integrated into the Persistent Validation and Assessment process for FedRAMP 20x.

This process will be effective for all 20x Phase 2 pilot participants and future FedRAMP 20x Validations. The Persistent Validation and Assessment process will be amended as follows:

PVA-GEN-IAC Initial Assessment Costs

Providers MUST share summary information with FedRAMP regarding the costs of assessment services for Initial FedRAMP Assessment, broken out by independent assessment company (if applicable), including at least:

1. Total cost of assessment services related to Initial FedRAMP Assessment
2. Total hours of effort for assessment services related to Initial FedRAMP Assessment
3. Beginning and end dates of Initial FedRAMP Assessment (estimated if necessary)

Corrective Action: Failure to meet this requirement will result in a denial of FedRAMP Validation and a 3 month resubmission penalty.

PVA-GEN-OAC Ongoing Assessment Costs

Providers MUST share summary information with FedRAMP regarding the costs of ongoing assessment services, broken out by independent assessment company (if applicable), updated at least every six months, including at least:

1. Total cost of assessment services during Persistent Validation (after initial FedRAMP Validation)
2. Total hours of effort for assessment services during Persistent Validation (after initial FedRAMP Validation)
3. Beginning and end dates for the period covered

Note: In the event of a dispute between the cloud service provider and the independent assessor related to these requirements, corrective action will be paused until the dispute is resolved or alternative corrective action is taken (appropriate to the circumstances).

Corrective Action: Failure to meet this requirement will result in public notification with a grace period of 3 months, followed by revocation of FedRAMP Validation for at least 6 months.

PVA-GEN-IDS Identified Data Sharing

FedRAMP MUST NOT share any identified cost data collected under this process with members of the public OR within the federal government UNLESS necessary to meet a legal requirement.

Note: This means that the name of the cloud service provider or FedRAMP recognized independent assessor will not be shared unless legally required, and FedRAMP will otherwise take steps to avoid de-identification reversal when sharing cost data.

[rgutwein]

Comment on RFC-0019: Reporting Assessment Costs

I support FedRAMP's effort to meet its statutory mandate under the FedRAMP Authorization Act to understand assessment costs. Cost transparency is essential for identifying barriers to entry and measuring the impact of modernization efforts. However, the proposed requirements raise several concerns that warrant refinement.

On Data Sensitivity and FOIA Exposure

While LAC-FRX-IDS and PVA-GEN-IDS commit FedRAMP to not voluntarily sharing identified cost data, this does not insulate the data from FOIA requests. Cost data submitted to a federal agency is generally presumed to be agency records subject to FOIA, with narrow exemptions (e.g., Exemption 4 for confidential commercial information). The RFC should clarify:

• Whether FedRAMP will invoke Exemption 4 protections for this data
• Whether CSPs and 3PAOs will receive predisclosure notification under Executive Order 12600 if a FOIA request is received
• What "steps to avoid de-identification reversal" FedRAMP intends to take when publishing aggregate data (given that small cohorts at specific impact levels may be trivially re-identifiable)

Without these assurances, CSPs and 3PAOs may rationally underreport or structure engagements to obscure true costs.

On Historical Cost Reporting (LAC-GEN-HAC)

Requiring historical costs "dating back to the initial authorization" is problematic for long-tenured authorizations. CSPs authorized 5+ years ago may lack detailed records, and cost structures have changed dramatically (different 3PAO, different scope, pre-Rev5 baselines). The requirement to estimate and the limitation to "total costs per year" for pre-effective assessments is reasonable, but consider:

• Capping the lookback period (e.g., 3 years or back to Rev5 transition, whichever is shorter)
• Explicitly permitting "data unavailable" responses for legacy periods with attestation of good-faith effort

A 6-month revocation for failure to produce potentially unrecoverable historical data is disproportionate.

On Corrective Action Severity

The corrective actions are notably severe:

• LAC-GEN-IAC: Denial + 3-month penalty for missing cost appendix on initial authorization
• LAC-GEN-OAC/HAC: 6-month revocation for ongoing/historical cost reporting failures

These penalties exceed those for some security-related deficiencies. A CSP that fails to report assessment costs faces harsher consequences than one with unresolved POA&M items. Recommend recalibrating:

• Initial failures: Public notification + 30-day cure period before denial
• Ongoing failures: Public notification + 6-month grace period before suspension (not revocation)

On Assessor Attestation (LAC-GEN-ASA)

Requiring 3PAO attestation that CSP-reported costs are "accurate" places assessors in an uncomfortable position. 3PAOs have visibility into their own invoices but may not have full insight into:

• Internal CSP costs (staff time, tooling, remediation)
• Costs from other vendors (advisory, GRC platforms, penetration testing)
• How CSPs allocate shared costs across multiple compliance programs

Suggest narrowing the attestation scope to: "The independent assessor attests that the assessment services costs attributed to [3PAO name] are accurate to the best of their knowledge."

On Cost Data Scope

The proposed fields focus on direct assessment costs but omit significant cost drivers:

• Advisory/consulting services (often 2-3x assessment costs for first-time CSPs)
• GRC tooling and automation platforms
• Internal FTE effort
• Remediation costs arising from assessment findings

If the goal is to understand true cost-to-authorize, consider either expanding the scope or explicitly noting that reported costs represent a subset of total authorization investment.

On 20x vs. Rev5 Structural Differences

The 20x requirements (PVA-GEN-*) are lighter-touch and better aligned with the continuous nature of 20x. The Rev5 requirements, by contrast, treat cost reporting as a discrete annual event with significant punitive consequences. Consider whether the 20x model—ongoing updates every six months with proportionate corrective actions—should be the unified approach across both paths.

[cb-axon]

I generally agree with the concerns raised in this comment and support FedRAMP’s goal of improving visibility into assessment costs. Several aspects of the standard would benefit from simplification and a stronger focus on current, representative data.

The historical cost reporting requirement is the primary concern for me. For CSPs authorized many years ago, detailed cost records may no longer exist, assessment scopes have changed, and many providers have since switched 3PAOs. Costs from eight to ten years ago are unlikely to be comparable to today’s assessment model and do not meaningfully inform current cost drivers. Focusing reporting on current and recent assessments (Last 2-3 years at most) would better support FedRAMP’s stated objectives.

Related to this, requiring a current 3PAO to attest to historical costs introduces practical challenges when assessments were performed by a different assessor. This creates verification gaps and may discourage CSPs from changing assessors over time. Limiting attestation to costs associated with the signing assessor’s own services would be more realistic.

Overall, a forward-looking, proportionate model—closer to the 20x approach—would likely produce more accurate data and reduce unintended operational impacts.

[kcarr91]

3PAO should be submitting assessment costs not CSPs

• Recommendation - FedRAMP should require 3PAOs to submit cost data directly rather than having CSPs.
• Streamlined Process - Since 3PAOs must already attest to the accuracy of the cost data under LAC-GEN-ASA, they should simply submit it themselves. This eliminates the unnecessary step of CSPs acting as intermediaries and reduces administrative burden for everyone.
• Fewer Reports to Process - According to the FedRAMP Marketplace the top six 3PAOs assess 589 products, more than the total number of FedRAMP authorized offerings. Having 3PAOs submit quarterly (or monthly) consolidated reports would mean processing dozens of reports instead of 500+ individual CSP submissions, making the data collection and tracking more manageable for FedRAMP.

[jsantore-cgc]

I can see this be part of the R337 form 3PAOs have to submit for all activity post assessment. As @kcarr91 stated, I think the onus should be on the 3PAO directly. Using the R337 simplifies this requirement significantly, and almost renders the SAR addendum moot.

In fact, one might argue that financials aren't relevant in a SAR anyway, which is why I think the R337 is a better mechanism for this.

[wisecryptic]

I had the same thought about the appropriateness of including this in a SAR

[cb-axon]

I agree with this recommendation. Since the data being collected is primarily about assessment services, it is more appropriate for 3PAOs to submit this information directly rather than requiring CSPs to act as intermediaries.

Having 3PAOs report their own assessment costs would reduce administrative burden on CSPs, eliminate unnecessary coordination and validation steps, and improve data accuracy by sourcing it from the originator. Leveraging an existing mechanism such as the R337, rather than adding a cost appendix to the SAR, would also better align the data with its purpose and avoid overloading security assessment artifacts with financial information.

Overall, placing the reporting responsibility with 3PAOs and using an existing reporting channel would simplify implementation for all parties while still meeting FedRAMP’s statutory requirements.

[TheVantaCat]

Recommend that 3PAOs report these assessment costs on an anonymous basis. This approach mitigates the risk of CSP data being disclosed via FOIA through PMO, addressing concerns previously noted by @rgutwein.

[cbiggsrun]

The cost of the 3PAO assessment is just a drop in the bucket for some CSPs when it comes to how much they must spend to become FedRAMP-certified. Even the most security-minded CSP can spend millions of $$ to switch tools and cloud services because the ones they use for their commercial solution don't meet all FedRAMP requirements, especially FIPS and FedRAMP-only cloud services. So I would suggest FedRAMP collect assessment costs from 3PAOs and "upgrade" costs from CSPs.

Also, suggest adding the cost of out-of-cycle SCR assessments for Rev 5 systems if agencies continue to require separate assessments for significant changes.

[cb-axon]

I disagree with expanding the scope of cost reporting beyond assessment services. While it is true that many CSPs incur significant expenses preparing for FedRAMP, those costs are highly variable, difficult to isolate, and often intertwined with broader product, security, or cloud modernization initiatives. Attempting to quantify indirect or “upgrade” costs would be subjective and inconsistent across providers, particularly for CSPs that designed their platforms with FedRAMP requirements in mind from the outset.

For long-tenured offerings, maintenance and compliance costs are frequently shared across multiple environments and initiatives, making accurate attribution impractical. Including these categories would reduce data quality and comparability without materially improving FedRAMP’s understanding of assessment costs.

For these reasons, cost reporting should remain focused on direct assessment services rather than broader implementation or operational investments, in my opinion.

[JustAnother3PAO]

I fully support these changes. Shopping for a FedRAMP assessment should be like buying a TV, not used car shopping.

[acloudcj]

If I look at this from the angle of a CSPs experience I observe that a 3PAO prices an engagement based on scope complexity, their own risk tolerance for findings they might inherit, and where they want to position in the market. Some assessors charge more because they go deeper. Some charge less because they've templated their approach. That differentiation is how CSPs find the right fit and it's reflected in what they pay. Now FedRAMP collects all of that. Even with LAC-FRX-IDS protections, once you segment "average cost for High initial assessment" across 48 recognized assessors, fewer actively taking new work, the numbers start to mean something. A 3PAO can back into where they sit. A CSP procurement office can wave a benchmark at a vendor and ask why they're above the mean.

The RFC explains collection but not use. If the data sits in a drawer to satisfy the statutory "review" requirement, the compliance burden seems disproportionate. If it gets published as benchmarks, that's a different policy choice with real market effects and one worth discussing explicitly rather than discovering later. I'm not suggesting the intent is price regulation. But when cost becomes a tracked metric, there's gravity toward the middle. The 3PAO charging a premium for thoroughness feels pressure to justify it. The one differentiating on speed gets questioned on quality. The market flattens.

What's the intended use of this data once collected?

[cb-axon]

I agree with the concern that the RFC explains collection but not intended use of the data.

If the data is solely for internal statutory review, that should be clearly stated. If it may be published or used as benchmarking data, that has real market implications. Even aggregate cost data can influence pricing behavior and procurement expectations.

Clarifying how the data will be used is important to understanding the full impact of this requirement.

[vedigaurav]

I concur with what others have already shared above. In addition, some other observations as well.

Gap #1
Relevant Requirements: RFC-0019 requires submission of assessment cost and hours data but does not define standardized units, accounting methods, or cost normalization rules.
Issue: Without standardized cost definitions (e.g., hourly rate treatment, blended rates, fixed-price engagements, subcontractor costs), the collected data will be inconsistent and analytically weak. FedRAMP may receive non-comparable data across CSPs, 3PAOs, and authorization models, undermining the statutory goal of understanding assessment costs.
Recommendation: Publish a cost reporting schema with explicit definitions (e.g., how to report fixed-price vs time-and-materials, handling of discounts, bundled services, subcontractor labor). Provide examples to ensure consistent interpretation.

Gap #2
Relevant Requirements: Cost data is collected but the RFC does not specify how FedRAMP will validate, analyze, or use the data.
Issue: CSPs are being asked to submit sensitive and burdensome data without transparency into its purpose, success metrics, or how it will inform policy decisions. This weakens stakeholder buy-in and increases resistance to compliance.
Recommendation: Define intended use cases for the data (e.g., benchmarking, program oversight, Congressional reporting) and publish anonymized aggregate insights on a recurring basis to demonstrate value and accountability.

Gap #3
Relevant Requirements: Cost reporting is tied to authorization and annual assessment submission timelines.
Issue: The RFC does not address misalignment between assessment billing cycles and FedRAMP submission timelines. Assessment invoices may be finalized after SAR submission, leading to estimates, revisions, or retroactive corrections.
Recommendation: Allow provisional cost reporting with a defined reconciliation window (e.g., 60–90 days) for finalized billing. Explicitly permit updates without penalty to reflect invoicing realities.

Gap #4
Relevant Requirements: The RFC requires reporting of both cost and hours of effort.
Issue: Hours-of-effort reporting may inadvertently expose proprietary efficiency, staffing models, or competitive differentiation among 3PAOs and CSPs. This creates competitive sensitivity beyond pure pricing data and could distort assessor behavior.
Recommendation: Evaluate whether hours-of-effort data is strictly necessary to meet statutory intent. If retained, allow reporting in ranges or bands to reduce competitive exposure while preserving analytical value.

Gap #5
Relevant Requirements: RFC-0019 applies equally to new authorizations and reauthorizations.
Issue: The RFC does not account for materially different assessment scopes (e.g., inheritance-heavy systems, leverage of prior authorizations, delta assessments). Raw cost data without context may misrepresent efficiency or complexity.
Recommendation: Require contextual metadata (e.g., authorization type, inheritance percentage, scope size) to accompany cost data so analysis reflects assessment complexity rather than raw spend.

Gap #6
Relevant Requirements: CSPs are required to submit cost data as part of compliance artifacts.
Issue: The RFC does not specify secure handling, access controls, or segregation of cost data within FedRAMP systems. Cost data has a different sensitivity profile than security artifacts.
Recommendation: Define explicit data handling, access control, and retention policies for cost data, including role-based access and separation from general authorization packages.

Gap #7
Relevant Requirements: The RFC introduces new reporting obligations but does not address transition or onboarding.
Issue: There is no phased implementation, pilot, or grace period for CSPs and 3PAOs to adapt internal processes, contracts, and tooling. Immediate enforcement risks widespread noncompliance due to readiness gaps rather than intent.
Recommendation: Introduce a phased rollout (e.g., optional reporting year one, mandatory year two) or pilot program to validate data quality, tooling, and burden before full enforcement.

Gap #8
Relevant Requirements: The RFC assumes cost reporting will not materially affect assessment market behavior.
Issue: Cost transparency requirements may unintentionally drive price convergence, discourage innovative pricing models, or incentivize underreporting or cost reshaping to avoid scrutiny.
Recommendation: Conduct a market impact assessment and explicitly acknowledge potential behavioral effects. Adjust reporting granularity to minimize unintended market distortion.

[cb-axon]

concur with several of the gaps identified, particularly around clarity of purpose and potential market impact, but I do not support expanding the scope or complexity of the reporting requirement.

On Gap 1 and Gap 5, I do not believe additional normalization rules or contextual metadata are necessary at this stage. The RFC does not state that the objective is to create apples-to-apples comparisons across CSPs or assessors. Introducing standardized accounting schemas, inheritance metrics, or complexity indicators would significantly increase reporting burden while adding subjective elements that may not materially improve insight. Until the intended analytical use is clearly defined, additional granularity should be avoided.

On Gap 2, I strongly agree. CSPs and 3PAOs are being asked to provide sensitive data without clarity on how it will be used. If the purpose is statutory review, benchmarking, policy development, or publication of aggregate data, that should be stated explicitly. Clear articulation of intended use will improve transparency and stakeholder confidence.

On Gap 3, I do not see misalignment as a major issue. Tying reporting to the SAR keeps the process simple and anchored to the completion of the assessment. Aggregate final costs at the close of the engagement are sufficient and avoid unnecessary reconciliation complexity.

On Gap 4, I agree that hours-of-effort reporting introduces competitive sensitivity beyond price alone. If retained, reporting in ranges or bands would reduce exposure while still enabling high-level analysis.

On Gap 6, clarification around handling and access controls would be helpful, but it is not essential that cost data be segregated from other authorization artifacts. Consistent treatment within existing secure repositories may be sufficient, provided expectations are defined.

On Gap #7, I would prefer reducing the initial reporting scope rather than introducing a phased rollout. Simplification is more valuable than staging a complex requirement.

On Gap #8, I agree that greater consideration should be given to potential market effects. Transparency requirements can influence pricing behavior and competition, and those implications should be evaluated before determining how or whether aggregate data will be published.

[GreenTechnoWizard]

I do not see the point in this RFC. I was told this was mandatory to get this info from CSPs and 3PAOs, but it is not.

In the M-24-15 it only puts that burden on the agency from what I read on page 18 under "d. Agencies --- 8) Report costs related to the issuance of FedRAMP authorizations, in accordance with OMB budget guidance;"

https://www.whitehouse.gov/wp-content/uploads/2024/07/M-24-15-Modernizing-the-Federal-Risk-and-Authorization-Management-Program.pdf

Scrap this and redo it so agencies report this info to you.

[wisecryptic]

My preference is to not share internal cost and labor data with agencies. These are really two separate cost centers: the CSP's cost of delivering a product and the Agency's cost of reviewing and authorizing the product.

[cb-axon]

I share the concern that this requirement may be misaligned with where the statutory reporting burden was originally directed. If OMB guidance primarily contemplates agency reporting of authorization-related costs, FedRAMP should clearly articulate its authority and rationale for collecting assessment cost data directly from CSPs and 3PAOs.

More broadly, FedRAMP’s modernization efforts should prioritize reducing the cost and friction of agency authorization decisions. Imposing new reporting obligations on CSPs and 3PAOs introduces additional administrative burden that may ultimately increase, rather than decrease, overall program costs.

If cost transparency is the goal, greater focus on agency-side authorization costs may provide more actionable insight without expanding compliance requirements for industry participants.

[Max-sudo-hub]

1. RFC should explain data use and how it helps with transparency via anonymized data made available to the public.
2. RFC should also capture cost covered by Agencies not just CSPs and 3PAOs
3. RCF should also capture cost related to engineering and other activities before the assessment (bigger number) and could have an added benefit of trimming non-value add controls.
4. RFC should encourage the data to be used for a formal Regulatory Impact Analysis (RIA) - a document created before creating new rules to understand the social benefit against the cost.

Everything else is fantastic! Great work PMO!

[cb-axon]

I agree with some of these recommendations.

On 1, the RFC should clearly explain how the collected data will be used and whether anonymized aggregate insights will be published. Transparency around intended use is important to justify the reporting burden and build stakeholder trust.

On 2, capturing agency-side authorization costs would provide a more complete picture of total FedRAMP-related expenditures. If the objective is to understand cost drivers across the ecosystem, agency costs are a material component and should not be excluded.

On 3, I do not support expanding reporting to include engineering, tooling, or pre-assessment preparation costs. These expenses are highly variable, often intertwined with broader product development or security investments, and difficult to attribute consistently. For long-tenured or FedRAMP-first offerings in particular, isolating these costs would be subjective and reduce comparability across providers.

On 4, I agree that the potential market and behavioral impacts of cost transparency warrant further analysis. A more deliberate approach—potentially through a formal impact analysis—would help ensure that data publication or benchmarking does not unintentionally distort the assessment market.

[KHFedR]

Overall, I support increased transparency around the costs associated with FedRAMP assessments. Currently, service fees vary significantly among 3PAOs, leaving stakeholders uncertain about what others are paying and the quality of their assessments. However, I am skeptical that cost submissions from CSPs alone will provide meaningful insights, as costs can vary widely depending on factors such as product type, CSP organization size, and whether significant changes are tested during the assessment or off-cycle.

I also agree with previous comments that obtaining historical assessment cost data may be challenging, especially for CSPs with authorizations dating back several years and with staffing changes over time. Additionally, costs from assessments conducted five or more years ago may not be a reliable benchmark due to evolving FedRAMP requirements and changes in 3PAO availability.

While there are additional costs associated with maintaining a FedRAMP authorization—as noted earlier—capturing those comprehensively would require more effort. Ultimately, the greatest value of reporting assessment costs lies in enhancing pricing transparency to support contract negotiations and internal budgeting. The best source of this information may come from a regular solicitation of bids for the assessment.

[cb-axon]

I generally agree.

Transparency around assessment costs can be useful, but the reporting burden should remain minimal. Historical data is unlikely to be representative, and cost differences are often driven by scope and system complexity, making raw comparisons less meaningful.

If the goal is to help CSPs understand pricing, competitive bidding already provides contextual, market-based insight. Additional reporting requirements risk increasing overhead and potentially driving costs up rather than down. A lighter-touch approach would better balance transparency and burden.

[Peter-Harroun]

I particularly agree with specific issues identified by rgutwein and vedigaurav. kcarr91 also provides a great rationale the 3PAO should be submitting the data, rather than CSPs.
The fact that RFC 0019 must be performed by CSPs implies that the 'assessment costs' are not simply the costs to contract with a 3PAO and provide the Service Order costs. It suggests that CSPs must also provide labor costs to respond with interviews and artifacts during the assessment. But RFC 0019 does not clearly state that. If it does, what counts as assessment costs: all participants in the interview, time spent running scans, time spent resolving POA&Ms, time spent reviewing the draft RET, time spent creating artifacts? Without RFC 0019 specifying the required costs to include, each CSP would be providing different interpretations of which costs to include.
Many CSPs will not have broken out the labor costs of each example above. Time spent resolving POA&Ms may not be separated between those involved in standard ConMon activities and those specific to an assessment. Is there really a difference, as ConMon is continuous? (re: vedigaurav's Gap 4)
If RFC 0019 requires cost associated with the CSP reacting to the Assessment, then the 3PAO will need to acquire and review cost records which necessarily will increase the costs of FedRAMP assessments for all CSPs. That seems a regulatory burden unnecessary to fulfill FedRAMP's statutory requirements.

Therefore, my suggestion is specify only the cost to contract with the 3PAO. In which case, as kcarr91 stated, the data should be provided by the 3PAO, not the CSP. That would reverse LAC-GEN-ASA to "Independant assessors MUST submit a signed attestation from their CSP that confirms the information submitted per LAC-GEN-IAC and LAC-GEN-OAC are accurate."

I presume "Beginning and end dates of the annual assessment" would be between Charter date and Submission to MAX.gov. But that is not clearly defined. Does every 3PAO get to choose which dates begin and end the annual assessment?

LAC-GEN-HAC will be impossible for CSOs that were purchased from one CSP to another. The data would only be available to the initial CSP, if the data has not been deleted. The 3PAO may not share the previous costs with the purchaser of the CSO, nor should they. Since the nature of the industry includes mergers and acquisitions, the requirement as currently stated is problematic.
Therefore, I must agree with rgutwein on capping an historical period and good-faith unrecoverable exemptions (and the above is an excellent example).

I also agree with rgutwein that the Corrective Actions are severe and worse than security issues.

The process cannot have an effective date of 1AM ET on March 25, 2026, as the RFC will not closed public comment until Feb 12, 2026 and it is not yet published. Given historical publish times for FedRAMP, this is way too fast to evaluate this github comment thread and resolve all issues.

[cb-axon]

I agree with these concerns.

The RFC does not clearly define what counts as “assessment costs.” If internal CSP labor is included, reporting will be inconsistent and subjective. Limiting the requirement to 3PAO contract costs would be more practical, and in that case the data should be submitted directly by the 3PAO.

Historical reporting is also problematic, especially in cases of assessor changes or acquisitions. A capped lookback period and good-faith exceptions are reasonable.

[TBailey223]

Curious to see how the proposed appendix to the SAR denoting costs will defer between annual assessments and significant change assessments. Of course, there are changes coming to significant change processes with the SCN balance improvement and 20x requirements; however, ensuring there is clear distinction between annual assessments and significant change assessments, particularly with regards to historical costs, will be vital to providing the PMO with proper cost insights.

[cb-axon]

This is a good point.

Many CSPs bundle significant changes into their annual assessments, which can materially increase cost in a given year. Without distinguishing baseline annual assessment costs from SCR-related work, the resulting data may misrepresent normal assessment trends.

At a minimum, the resultant standard from this RFC should account for significant change activity separately, or require acknowledgment when annual costs include expanded scope. It should also be recognized that costs may naturally increase over time as systems evolve, add features, or expand boundary components.

[wisecryptic]

There are many types of costs that go into FedRAMP. My assumption is that FedRAMP would like to focus purely on 3PAO assessment costs, not system, advisory, or compliance costs.

Rev5 Security Assessment Report (SAR) Costs Appendix #5: If a vendor is assisting with the assessment, the total hours should include the time the vendor spends on the assessment as well, but not the time that the assessor spends on the assessment (unless it is desired to track this separately).

While I would like a way to determine the difference between a public cloud mega-offerings' data and startup niche offerings' data, I believe respecting the anonymity and the simplicity of this form does not justify such granularity. Users of the data gathered from this process, however, should keep in mind the vast differences in the various CSOs. Adding a disclaimer to this effect will orient those less experienced in FedRAMP to make sense of the numbers.

[cb-axon]

I agree the scope should stay limited to 3PAO assessment costs.

If aggregate data is published, anonymity must be preserved. Given the wide differences between large and small offerings, clear disclaimers will be necessary to prevent misinterpretation. Simplicity and anonymity should take priority over added granularity.

[TrevorLowing]

Feedback: Cost Reporting and Assessment Transparency

Thank you for RFC-0019 addressing cost transparency in FedRAMP assessments. I support the goal of enabling federal agencies to make informed procurement decisions based on assessment cost data. However, I have identified several implementation gaps that require PMO guidance before March 25, 2026 (mandate date).

Critical Issue #1: FOIA Disclosure Liability — Legal Safe Harbor Required

Problem: RFC-0019 requires CSP cost data to be published to the FedRAMP Marketplace. However, CSPs will likely claim this information is confidential commercial data protected under FOIA Exemption 4 (5 U.S.C. § 552(b)(4)). This also raises Paperwork Reduction Act (44 U.S.C. § 3501 et seq.) considerations if the new reporting requirements are not supported by a clear burden justification and approval pathway.

Conflict Identified:

• CSP Position: "Cost data is proprietary; we claim FOIA protection"
• FedRAMP Position: "Cost must be published to Marketplace"
• Legal Gap: RFC-0019 does not address this FOIA conflict or provide CSPs with legal safe harbor

Potential Agency Impact:
If agencies publish cost data and CSP later disputes FOIA protection, agencies could face litigation expense defending the disclosure decision. CSPs may refuse to participate in FedRAMP if legal liability is unclear.

Recommendation to FedRAMP PMO:

1. Request DOJ FOIA guidance: Clarify whether FedRAMP-published cost data can be treated as publicly-disclosed (and thus no longer confidential/protectable under Exemption 4)
2. Establish cost data redaction guidelines: Specify which elements of cost data can be redacted without violating RFC-0019 transparency goal (e.g., CSP profit margin; hourly rates; indirect cost allocations)
3. Provide CSP legal safe harbor: Document that CSPs publishing cost per RFC-0019 are not waiving FOIA protections (if applicable) and clarify FedRAMP's position on Exemption 4

Success Criteria: Agencies should be able to cite FedRAMP/DOJ guidance stating "RFC-0019 cost publishing does not waive FOIA protections" OR "RFC-0019 cost data is considered public record, FOIA Exemption 4 does not apply"

---

Issue #2: Cost Reporting Scope — 3PAO Pricing Transparency vs. Costs to Comply

Problem: RFC-0019 scope is ambiguous on what "cost" means:

• Option A: CSP spending to comply with FedRAMP controls (implementation cost)
• Option B: 3PAO assessment fees charged to CSP (pass-through cost)
• Option C: Final CSP product cost to federal agencies (procurement cost)

RFC-0019 Reality: The RFC appears to focus on 3PAO assessment fees (Option B), but agencies need Option A (CSP compliance cost) and Option C (federal procurement cost) to make informed decisions.

Agency Context Feedback:
The current draft asks for 3PAO pricing (good), but doesn't clarify:

1. Should CSPs report implementation cost (cost to add FedRAMP controls to baseline product)?
2. Should CSPs report federal adoption cost (do agencies pay more if FedRAMP is required)?
3. How are multi-tenant CSPs supposed to allocate shared costs across federal/non-federal customers?

Recommendation to FedRAMP PMO:
Define cost reporting categories in March guidance:

• Mandatory: 3PAO assessment cost (already in RFC-0019)
• Required: CSP compliance cost (cost to add/maintain FedRAMP controls)
• Optional: Federal procurement cost (cost agencies pay for FedRAMP services)

Specify how to handle: shared costs, multi-year contracts, continuous monitoring cost, updated assessment cost (if system changes).

---

Issue #3: Race-to-Bottom Prevention — Minimum Quality Standards for Budget CSPs

Problem: Cost transparency creates incentive for CSPs to undercut each other on assessment/compliance cost. Low-cost assessments may correlate with low-quality assessments, creating federal risk.

RFC-0019 Concern: If 3PAO assessment cost becomes the metric for selecting assessors, agencies may select low-cost, low-quality 3PAOs to reduce federal expenditure. This shifts federal risk from CSP to customer.

Agency Experience: I've seen this in other federal procurements (lowest-cost contractors often deliver lowest-quality audits).

Recommendation to FedRAMP PMO:

1. Establish minimum assessment quality standards in parallel with cost transparency requirement
2. Define "qualified 3PAO" standards beyond just being FedRAMP-listed (e.g., minimum professional credentials, re-assessment frequency, quality metrics)
3. Publish cost ranges with quality metrics (e.g., "Low-cost 3PAOs: $150K–$250K assessment, average customer satisfaction 3.2/5; Standard 3PAOs: $300K–$500K, average satisfaction 4.1/5")

This prevents agencies from equating "cheap" with "good."

---

Issue #4: Cost Data Stale-Aging Guidance

Problem: CSP and 3PAO costs change annually. RFC-0019 doesn't specify:

• How often cost data must be updated in Marketplace
• When cost data becomes "stale" (outdated)
• How agencies should interpret 2-year-old cost data

Recommendation to FedRAMP PMO:
Specify in March guidance:

• Cost data must be updated annually (by specific date, e.g., Dec 31)
• Marketplace must flag data older than 18 months as "outdated"
• Agencies should not select services based on outdated cost data without confirming current pricing with CSP

---

Implementation Readiness

By March 25 Deadline, FedRAMP PMO should publish:

• FOIA guidance clarifying cost data public disclosure status
• Cost reporting template (what categories CSPs must report)
• Redaction guidelines (if applicable under FOIA)
• Quality standards for 3PAOs (to accompany cost transparency)
• Update frequency and staleness guidelines

CFO/Budget Questions for Agencies:

1. Should agencies require CSPs to lock in assessment costs for 2–3 year contracts?
2. Should federal cost (what agencies pay for FedRAMP) be differentiated from CSP compliance cost?
3. How should agencies handle CSPs that bundle FedRAMP compliance into baseline product (cost not separately shown)?

---

Closing

I support RFC-0019's transparency goal. With the above guidance clarifications, cost data will enable better federal procurement decisions while protecting CSPs from unfair FOIA disclosure liability. I recommend fast-tracking DOJ consultation on Exemption 4 interpretation.

Submitted by: Trevor Lowing (private citizen, personal capacity)
Contact: Trevor.Lowing@gmail.com
Disclaimer: The views expressed are my own.

[cb-axon]

I agree with the concern in Issue 1. If cost data will be published, FOIA treatment and disclosure posture should be clearly addressed before implementation.

On Issue 2, I disagree with expanding scope beyond 3PAO assessment costs. Implementation, compliance, and internal operating costs are highly subjective, difficult to allocate consistently, and often intertwined with broader product development. Agencies are purchasing commercial, multi-tenant services—not auditing CSP internal cost structures. The RFC motivation centers on independent assessment services, and the scope should remain there.

On Issue 3, I do not support tying cost transparency to new quality tiers. 3PAOs are already subject to qualification requirements and accreditation standards with A2LA. CSPs can already select among authorized assessors to find the lowest price, and cost does not automatically equate to quality even among CSPs. A low quality assessment is also a burden for CSPs, which helps motivate selecting quality assessors. Adding formal cost-quality linkages risks overcomplicating the program.

On Issue 4, annual submission with the annual SAR is already required, so most staleness concerns are addressed, in my opinion. Clarifying how historical data will be presented publicly—and how older data will be labeled—would be helpful.

[CSP-AB]

The Cloud Service Providers – Advisory Board submits the following comments:

Regarding the Rev5 Security Assessment Report (SAR) Costs Appendix:

These seem like important metrics for the FedRAMP program to track but caution that FedRAMP should weigh the effort for CSPs to produce these metrics against the value to agency customers. For example, do individual agencies care about the cost of assessments for CSPs? We recommend this be a separate form completed and submitted at the time of the SAR but not an appendix.

It is also important to understand how FedRAMP will normalize the size and complexity of systems to make cost information able to be analyzed to provide FedRAMP useful information about the financial state of the marketplace.

Additional clarification from FedRAMP is needed here and/or in section FRX-IDS. Specifically, FedRAMP should clearly define that this SAR Cost Appendix will be separate from the rest of the SAR and only be shared between FedRAMP and CSPs unless necessary to meet a legal requirement.

Regarding LAC-GEN-IAC Initial Authorization Costs - Providers MUST submit a complete Security Assessment Report Costs Appendix directly to FedRAMP during initial authorization:

CSP-AB understands FedRAMP’s statutory requirement to review costs associated with independent assessment services. However, the cost associated with independent assessments for initial authorization may vary depending on several factors, including size and complexity of a system. CSP-AB feels strongly that CSPs should NOT be sharing costs from other 3PAO providers. Instead, FedRAMP should require 3PAOs to share their pricing structure which would better allow FedRAMP and its stakeholders to receive standardized information on the cost of assessments.

Regarding LAC-GEN-IAC Initial Authorization Costs Corrective Action – Failure to meet this requirement will result in denial of authorization and a 3 month resubmission penalty:

This corrective action is way too harsh given that this data has no impact on security. There should be a different enforcement mechanism or public note about the lack of this information from a CSP.

Regarding LAC-GEN-HAC Historical Assessment Costs – Providers MUST include historical assessment costs dating back to the initial authorization of the cloud service offering; data submitted for assessments prior to this process taking effect may be estimated and limited to total costs per year.

There should be a reasonable time frame for the historical data. For long standing CSPs this information might not be available. Reasonable timelines in line with data retention policies should be used for timeframes. It should also be clear that CSPs are not sharing information between different 3PAOs.

Regarding LAC-GEN-ASA Assessor Signed Attestation – Providers MUST submit a signed attestation from their independent assessor that confirms the information submitted per LAC-GEN-IAC and LAC-GEN-OAC are accurate.

For CSPs who have switched 3PAOs, this requirement must only apply to the current 3PAO assessment. It might not be possible to get this information and confirmation from older assessments. FedRAMP should clarify what the expectation is and ensure the enforcement of not sharing data between 3PAO providers.

[cb-axon]

I concur with CSP-AB’s position.

The Cost Appendix should be separate from the SAR, even if required to be submitted concurrently to the PMO. Agencies routinely access SARs as part of authorization decisions, and there is no stated need for agencies to have direct access to CSP cost data. Keeping the appendix separate better supports least-privilege handling and avoids unnecessary exposure of sensitive financial information.

There should also be clear disclaimers that reported costs do not inherently reflect system size, architectural complexity, or assessment quality. Without that context, aggregate figures could easily be misinterpreted.

I strongly oppose requiring full historical cost data back to initial authorization. As stated by the CSP-AB - more reasonable timelines are needed. For CSPs on the Marketplace for more than three years, detailed records may no longer exist due to standard financial retention practices, M&A activity, or 3PAO transitions. A reasonable lookback period and good-faith exceptions for unavailable data are necessary.

Corrective actions tied to cost reporting are overly harsh given that this requirement has no direct impact on system security. Denial or revocation should not be the default enforcement mechanism for a financial reporting deficiency.

Finally, 3PAO attestation must be limited to the current assessment and the current assessor’s own costs. A 3PAO cannot reasonably attest to historical costs incurred under a different firm, and the requirement should not force disclosure of prior engagement details between competing assessors.

[cb-axon]

I do not believe this requirement should be imposed as written. If it proceeds, I would suggest the following changes:

• Scope should remain limited to direct 3PAO assessment fees. Broader engineering, remediation, or product development costs are subjective, difficult to allocate consistently, and outside the stated motivation of the RFC.
• The Cost Appendix should be separate from the SAR, even if submitted concurrently to the PMO. Agencies do not require access to CSP financial data, and separation supports least-privilege handling.
• Historical reporting should be capped (e.g., three years) with good-faith exceptions for unavailable data, mergers/acquisitions, or prior 3PAO transitions.
• 3PAO attestation should apply only to the current assessor’s own costs. No assessor should be expected to validate another firm’s historical pricing.
• Significant Change (SCR) costs should be distinguished from baseline annual assessment costs. Many CSPs bundle SCR work into annual assessments, which can materially increase totals in a given year. The appendix should either separate SCR-related costs or clearly indicate when annual totals reflect expanded scope.
• Corrective actions should be proportionate. Reporting deficiencies that do not impact security should not result in denial or revocation.
• If aggregate data is published, anonymity must be preserved and clear disclaimers included. Reported costs do not inherently reflect system size, complexity, or assessment quality.
• FedRAMP should clearly define how the data will be used and presented. Will it be published publicly in aggregate bands, displayed on individual CSP Marketplace listings, associated with specific 3PAOs, or used solely for internal analysis? Stakeholders need this clarity to meaningfully assess the impact and risk of the reporting requirement.
• FOIA posture must be clearly defined. FedRAMP should explicitly state how it intends to protect submitted cost data from disclosure and whether Exemption 4 or other protections will be asserted.

[TM-Microsoft]

Microsoft offers the feedback outlined below:

Issue #1:
The FY23 NDAA establishes a statutory requirement for FedRAMP to collect 3PAO cost information; however, the law defines the requirement, not the method.

Recommendation:
FedRAMP should revise this section to place the responsibility for providing cost information on the 3PAOs, not the CSPs.

Rationale:
3PAOs are the entities that generate and own the assessment cost information, and therefore are best positioned to provide accurate, complete, and consistent data.

Issue #2:
PVA-GEN-IDS references protections for CSP provided information, but the requirement does not clearly explain how FedRAMP will safeguard sensitive cost or operational data from disclosure, including FOIA exposure or unintended release.

Recommendation:
FedRAMP should provide explicit detail on the mechanisms, processes, and legal protections that will be used to protect CSP information collected under PVA-GEN-IDS. This should include how the data will be stored, who will have access, how it will be used, and what safeguards exist to prevent disclosure.

Rationale:
Without clear explanation of the protections in place, CSPs cannot assess the risk associated with providing sensitive information. Given the potential for FOIA requests and other forms of external disclosure, CSPs need assurance that FedRAMP has defined, enforceable safeguards to prevent sensitive business data from being exposed.

[cb-axon]

Strongly Agree!

[Lowebrew]

My feedback for:
RFC-0019: Assessment Cost Reporting - Concerns About Competitive Disadvantage

Asymmetric Negotiating Power Through Cost Transparency
• The mandatory disclosure of assessment costs per the M-24-15 on page 18 under "d. Agencies --- 8) Report costs related to the issuance of FedRAMP authorizations, in accordance with OMB budget guidance;" is intended for agencies to report their costs for FedRAMP accreditation, it is not directed at 3PAO assessment organizations, as written today.
• Having said that, and in the case this RFC does proceed and get approved here are consideration for why this is not a favorable RC for the industry:
o The mandatory disclosure of assessment costs creates an information asymmetry that favors large enterprises:
o Large CSPs with economies of scale can demonstrate lower per-assessment costs, which may be used by agencies and FedRAMP to pressure smaller competitors to match "market rates" that are only achievable at massive scale
o Cost data aggregation, even if de-identified, could reveal patterns that disadvantage smaller providers who pay premium rates for specialized 3PAO services
o Procurement leverage: Federal buyers may use this cost data to negotiate down smaller CSPs' pricing, arguing "Competitor X achieved FedRAMP certification for $Y thousand less"

Disproportionate Reputational Impact of Public Notifications
• The corrective action framework in RFC-0019 includes public notification for failure to submit cost data:
• For enterprise providers (AWS, Microsoft, Google), a public notification is a minor administrative blip
• For small and mid-sized CSPs, public notification of non-compliance can be devastating:
o Loss of customer confidence
o Difficulty securing future agency sponsors
o Damaged reputation in a market where trust is paramount
o Potential loss of existing contracts
• The penalty structure treats all CSPs equally on paper but creates wildly different real-world consequences based on company size and market position.

Administrative Burden Falls Harder on Smaller Teams
• Large enterprises have dedicated compliance teams, legal departments, and FedRAMP specialists. Smaller CSPs often rely on a single security professional or small team to handle:
• Tracking and documenting assessment hours across multiple years
• Coordinating with 3PAOs for signed attestations
• Managing submission processes and deadlines
• Responding to disputes or clarification requests
• The historical cost reporting requirement (LAC-GEN-HAC) is particularly burdensome for smaller providers who may not have maintained granular cost records dating back to their initial authorization, as they lacked the infrastructure to anticipate this future requirement.

We urge FedRAMP to consider the following modifications to ensure these RFCs do not inadvertently favor large incumbents:

For RFC-0019 (Cost Reporting):

1. Eliminate public notification penalties for cost reporting failures; use private corrective action instead to avoid disproportionate reputational harm to smaller CSPs
2. Aggregate and publish cost data in broad ranges (e.g., $1-$1mil) rather than precise figures to prevent misuse in procurement negotiations
3. The historical data requirement should be eliminated entirely. It creates avoidable cost and administrative burden, disproportionately impacts smaller providers, and offers no clear justification or measurable benefit to assessment quality or federal acquisition objectives.
4. Get rid of the requirement for any cost submission together As noted in another comment there is no law requiring this, however there was mentioned of this being in law and requiring FedRAMP to gather cost data. It has been pointed out that only Agencies will need to report any cost.

[PS-SEC-MSG]

RFC-0019 Comment, Cost Appendix Structure and Definitions (Rev5 and 20x) [Comment 1]

Thank you for publishing RFC-0019. I support the statutory goal of improving FedRAMP visibility into the costs of independent assessment services. Several themes below have been raised by other commenters (including cost data sensitivity, historical lookback, and clarity on what counts as assessment cost). I am adding implementation-focused suggestions that aim to keep the requirement minimal, consistent, and enforceable.

1. Separate the Cost Appendix from the SAR body (submitted concurrently)
   Suggested clarification language: Define the Cost Appendix as a distinct attachment or form that is submitted at the same time as the SAR, but is not distributed with the SAR package to agencies by default. This supports least-privilege handling because agencies typically do not need CSP financial details to make security risk decisions.

2. Define "assessment cost" scope for this RFC, and keep it limited to independent assessment services
   Suggested clarification language: Explicitly state that the reported costs are limited to fees for independent assessment services (3PAO services and directly related subcontracted assessment services, if applicable). Clarify that internal CSP labor, CSP tooling, remediation, engineering, and broader compliance investments are out of scope for this RFC unless FedRAMP chooses to add an optional section later.

3. Provide a lightweight schema and definitions so submissions are comparable, without requiring complex normalization
   Suggested clarification language: Publish a short definition list for each field, including how to report fixed-price versus time-and-materials engagements, whether discounts should be reported as net or gross, and whether pass-through subcontractor labor is included. Keep definitions narrowly tailored to "assessment services" so the reporting remains low burden.

4. Clarify how "hours of effort" should be reported, and consider ranges to reduce competitive sensitivity
   Suggested clarification language: If hours are retained, allow reporting in ranges/bands (for example, 0 to 250, 251 to 500, 501 to 1,000, 1,001+), and clarify that "hours" refers to assessment services labor hours, not CSP internal labor. This maintains analytical value while reducing exposure of proprietary staffing models.

5. Clarify date fields, and align them to a consistent assessment period definition
   Suggested clarification language: Define the "beginning and end dates" as the period of assessment services delivery, for example from assessment kickoff/charter date through final report issuance, or other explicit milestone pair. Allow the reporting party to use the same definition consistently across years and include a short note if an atypical timeline occurs.

6. Distinguish baseline annual assessment costs from significant change (SCR) or out-of-cycle work
   Suggested clarification language: Add a yes/no indicator for whether the annual assessment totals include SCR or other expanded scope work, and optionally a separate line item for SCR-related assessment services. Without this, year-over-year cost trends can be misleading.

7. Clarify intended use and presentation of the data (internal review versus public aggregate reporting)
   Suggested clarification language: State whether the PMO intends to use the data solely for internal statutory review, or also to publish aggregate summaries, and at what granularity (for example, high-level bands by impact level and assessment type). If any aggregate reporting is planned, include clear disclaimers that costs do not inherently reflect system size, complexity, or assessment quality.

8. Clarify FOIA posture and protective handling for cost submissions
   Suggested clarification language: Expand on the identified data sharing language by describing the PMO's planned handling posture for sensitive commercial information, including whether FedRAMP expects to assert applicable FOIA protections where appropriate, and whether submitters will receive predisclosure notification consistent with established federal practice.

9. Consider shifting primary submission responsibility to the entity that owns the assessment services cost data
   Suggested clarification language: Consider an option where the independent assessor submits assessment services cost data directly (or submits a signed confirmation of assessor-only costs), rather than relying on the CSP to act as an intermediary. If the CSP remains the submitter, clarify that CSPs are not expected to disclose a prior assessor's detailed costs to a different assessor.

Personal capacity note: This comment is submitted in an individual capacity and does not represent any employer or organization.

Matthew S. Graham, CISSP
https://www.linkedin.com/in/msgcyberassessments/

[PS-SEC-MSG]

RFC-0019 Comment, Assessor Attestation, Dispute Pause, and Corrective Actions [Comment 2]

Thank you for publishing RFC-0019. I support improved visibility into assessment services costs, but the assessor attestation and dispute mechanics need additional precision to avoid unintended liability and operational deadlocks. Several points below align with themes already raised by other commenters (including attestation scope limits, feasibility for historical costs, and proportional enforcement). I am adding specific decision rules and wording options.

1. Narrow what the assessor is attesting to, and avoid implying an audit of CSP finance systems
   Suggested clarification language: Replace a broad "accurate" attestation with a scoped statement, for example: "The independent assessor attests that the assessment services costs and hours attributed to the assessor's own services for the stated period are accurate to the best of the assessor's knowledge, based on the assessor's invoices, time records, and engagement documentation."

2. Limit the attestation to the signing assessor's own services, especially where multiple assessors or vendors are involved
   Suggested clarification language: Explicitly state that an assessor is not expected to attest to costs incurred under a different assessor, or to unrelated third-party advisory, tooling, or remediation costs. Where multiple independent assessment companies are used, allow separate attestations per company for their portion of assessment services.

3. Address historical lookback feasibility in attestation expectations
   Suggested clarification language: If historical reporting remains required, clarify that the current assessor attestation applies only to periods where that assessor provided the assessment services, and that earlier periods may be reported as CSP estimates without an assessor attestation when the original assessor is not available.

4. Define what constitutes a "dispute" and who can initiate it
   Suggested clarification language: Define a dispute as a documented disagreement between the CSP and the independent assessor regarding the submitted cost appendix values or attestation scope. Clarify that either party may initiate a dispute by notifying the PMO in writing and providing a brief statement of the contested items.

5. Clarify what is paused during a dispute, and what continues
   Suggested clarification language: Specify whether the pause applies only to corrective action enforcement for the cost reporting requirement, not to other security-related corrective actions. Clarify whether the PMO will accept a provisional submission while the dispute is pending (for example, CSP submission with assessor-attested assessor-only costs, plus a notation for disputed fields).

6. Add a bounded timeline and escalation path to prevent indefinite pauses
   Suggested clarification language: Establish a simple timeline, for example: acknowledge dispute within 10 business days, require a proposed resolution path within 30 days, and allow the PMO to set an outcome if the dispute remains unresolved after a defined period. This reduces the risk of a permanent pause without resolution.

7. Make corrective actions proportionate to the nature of the requirement
   Suggested clarification language: Because cost reporting does not directly impact system security, consider a graduated enforcement model, for example: initial noncompliance results in notice and cure, then public notification only if noncompliance persists, and suspension only after an extended grace period. Avoid default denial or revocation for a first-time administrative reporting issue.

8. Align effective date language to realistic implementation readiness
   Suggested clarification language: If a near-term effective date is retained, consider a short readiness period for templates, submission mechanisms, and guidance so stakeholders can implement consistently. At a minimum, clarify when final instructions will be published and how updates will be communicated.

Personal capacity note: This comment is submitted in an individual capacity and does not represent any employer or organization.

Matthew S. Graham, CISSP
https://www.linkedin.com/in/msgcyberassessments/

[PS-SEC-MSG]

RFC-0019 Comment, Acceptable Evidence, Historical Reporting, and Record Retention [Comment 3]

Thank you for publishing RFC-0019. The RFC will collect sensitive and potentially hard-to-reconstruct information. To keep reporting consistent and reduce disputes, it would help to define acceptable evidence and provide practical limits for historical reporting. Several themes below have been raised by other commenters (including lookback feasibility, multi-vendor scenarios, and privacy risk). I am adding concrete, minimal-burden evidence expectations.

1. Define a minimal set of acceptable evidence types for assessment services cost reporting
   Suggested clarification language: Identify an acceptable evidence set that supports the reported assessment services costs and hours, such as executed SOWs or task orders, invoices, and high-level time records (if hours are required). Clarify that FedRAMP is not requesting granular internal accounting artifacts beyond what is normally available for contracted assessment services.

2. Clarify how to handle fixed-price engagements and blended rate arrangements
   Suggested clarification language: For fixed-price work, allow the CSP or assessor to report the fixed amount and the covered period, with hours reported as optional or in ranges. For blended rate or bundled assessment scopes, allow reporting of the total assessment services fees for the period without requiring a per-labor-category breakout.

3. Provide a practical historical lookback cap and good-faith exceptions
   Suggested clarification language: Consider capping the historical lookback (for example, last 2 to 3 annual cycles) or aligning to typical financial retention practices. Explicitly allow "data unavailable" responses for legacy periods when records cannot be reconstructed with reasonable effort, including situations involving mergers and acquisitions or changes in independent assessors.

4. Clarify multi-vendor and assessor-transition situations without requiring disclosure across competitors
   Suggested clarification language: State that CSPs are not expected to disclose a prior assessor's detailed costs to a different assessor, and assessors are not expected to validate another firm's historical pricing. Allow CSP-provided historical totals for earlier years, with an attestation limited to the current assessor's own portion.

5. Clarify retention expectations for the cost appendix evidence set
   Suggested clarification language: Establish a simple retention baseline for the cost appendix supporting records, for example, aligned to the annual assessment cycle and typical record retention, and clarify whether FedRAMP expects records to be retained by the CSP, the assessor, or both.

6. Clarify how updates and corrections are handled when invoices finalize after submission
   Suggested clarification language: Allow post-submission corrections without penalty within a defined window if final invoicing occurs after the SAR submission date. This supports accuracy without forcing estimates to persist permanently.

7. If aggregate cost data is published, reduce re-identification risk and prevent misinterpretation
   Suggested clarification language: If FedRAMP publishes aggregate insights, use broad bands and small-cohort suppression, and include disclaimers that costs can vary due to system complexity, scope, and significant change activity. This supports transparency while minimizing competitive harm and re-identification risk.

Personal capacity note: This comment is submitted in an individual capacity and does not represent any employer or organization.

Matthew S. Graham, CISSP
https://www.linkedin.com/in/msgcyberassessments/

[Rene2mt]

Thank you to the FedRAMP PMO for issuing this RFC and for continuing to seek community input.

BLUF: OMB M-24-15 appears focused on agencies reporting “costs related to the issuance of FedRAMP authorizations.” This RFC, however, seems to focus primarily on CSP assessment costs, which feels somewhat tangential to that directive. While the FedRAMP Authorization Act references “costs incurred by agencies and cloud service providers related to issuance of FedRAMP authorizations,” there is significant room for interpretation regarding what specific costs should be reported and why.

Concerns with Current RFC

1. Total Cost vs. Assessment Cost

CSPs have highly variable and proprietary cost drivers (internal engineering, architecture, operations, tooling, advisory support, etc.) that should remain out of scope. These costs are not standardized and are not comparable across providers.
If CSP cost reporting is required, limiting it to 3PAO assessment costs (SAP through SAR) for initial and annual assessments would provide a more normalized data point. Even then, it does not directly address the agency “authorization cost” referenced in M-24-15.
It is also important to note:
• CSP primary costs → engineering, operations, audits
• FedRAMP PMO → administrative/programmatic
• Agency → review and ongoing monitoring
There is no clear or direct correlation between CSP spend and agency authorization cost. A CSP may spend significantly more on advisory services and 3PAO preparation, resulting in a higher CSP cost but a higher-quality package that reduces agency review burden. Conversely, efficiencies or automation may reduce CSP cost while improving package quality. CSP cost alone is not a reliable leading indicator of agency or PMO cost. Additionally, process delays (e.g., delayed due to agency sponsorship, or limited agency review bandwidth) can contribute significantly to total cost but may be difficult to quantify.

2. Corrective Actions

Issuing corrective action for CSP not reporting total costs seems excessive. This data does not materially impact the security posture of the CSO. A CSP’s decision not to report (total) cost information does not create a security risk, nor does it prevent an agency from making a risk-based authorization decision.
The RFC would benefit from clarifying how this information will be used by FedRAMP, OMB, or authorizing agencies, and whether it meaningfully supports authorization efficiency or program oversight objectives.

3. Historical Assessment Costs

Requiring historical cost reporting may not be a good use of time. This could be quite burdensome and detract CSPs other high priority items (e.g., Rev5 BIRs, transitioning to 20x,etc.). Its also unclear how far back CSPs would be expected to go. Most providers would likely supply rough-order-of-magnitude (ROM) estimates just to comply. The data will not be verifiable and may not provide desired/actionable insight.

4. Minor Clarification

The RFC should clarify that the effective date (3/25/2026) applies to assessments conducted after that date and does not retroactively apply to previously authorized CSOs.

Summary Recommendations

• Clarify the objective: How will this data be used, and how will proprietary vendor information be protected?
• Narrow CSP reporting to assessment costs only (initial and annual assessments).
• Apply reporting requirements to CSOs authorized after the effective date (no historical reporting).
• Consider incentives for voluntary CSP reporting (e.g., review queue or marketplace listing prioritization “fast pass”) rather than corrective actions.
Appreciate the opportunity to provide input and look forward to further clarification on how this reporting will advance program transparency without introducing unnecessary administrative burden.

[Jain-Garima]

Microsoft Azure Comments -
Issue - As required by LAC-GEN-IAC Initial Authorization Costs and LAC-GEN-HAC Historical Assessment Costs - Historical 3PAO initial assessment costs from 10 years ago may be challenging to obtain as well not relevant given the numerous scope changes that occur over the years for CSPs.
Recommendation- FedRAMP to consider changing the requirement to reporting of ongoing assessment costs and hours. If the initial assessment was completed more than a year or two ago, the cost reporting should not be applicable.

Issue - LAC-GEN-OAC Ongoing Assessment Costs - 3PAO total assessment costs collected by FedRAMP across multiple CSPs would not be comparable and/or provide accurate estimates to other CSPs regarding 3PAO costs, as it does not take into account the number of products, significant change requests, data center assessments, IAAS/PaaS/SaaS cloud environments, continuous monitoring reviews that are assessed for a specific CSP.
Recommendation - FedRAMP to consider providing a cost reporting template to include scope (# of controls/products/SCRs/Data Centers/Cloud Environments assessed) and requiring a range of amount versus a fixed total cost.

[AbnormalMary]

Abnormal AI appreciates the intent to increase transparency across the FedRAMP authorization process through the collection of assessment cost information. When collected consistently over time, this data enables not only visibility, but meaningful trend analysis that can inform program improvement, resource planning, and future policy decisions.

For example, analysis of total cost and total assessor hours for initial assessments, paired with assessment start and end dates, could reveal trends in assessment duration, cost variability, and changes in effort over time. Similarly, tracking costs and hours associated with annual assessments could enable comparison between initial and recurring authorization activities, helping to identify where efficiencies are being realized and where effort remains disproportionately high. Aggregated data on costs and hours for FedRAMP-related ongoing assessment services between annual assessments could further surface trends in continuous monitoring effort, recurring control areas driving sustained cost, and opportunities to better align ongoing assessment activities with actual risk.

If paired with high-level characteristics of the assessor (such as firm size, assessment model, or authorization volume), this data could also support analysis of how assessment approaches correlate with cost, duration, and consistency of outcomes. Over time, such analysis could help identify best practices, reduce unexplained variability across assessments, and inform refinements to guidance that promote more consistent and predictable assessment execution across the ecosystem.

CSPs would benefit from published trend analysis derived from this data, including patterns in cost drivers, assessment duration, and assessor effort across authorization phases. Providing this type of insight would help CSPs, assessors, and the program itself make more informed, data-driven decisions while reinforcing FedRAMP’s transparency and modernization objectives.

[TheVantaCat]

GAP 1: This cannot be mandatory for CSPs to provide this data - only voluntary.

The FedRAMP PMO lacks the legal authority under the FedRAMP Authorization Act to require CSPs to provide historical or commercial cost data as outlined in this RFC. The existing statutes only authorize the government to track its own internal expenditures. While the PMO is tasked with identifying ways to reduce costs for CSPs, it does not have the power to compel private entities to report their internal financial metrics.

https://www.fedramp.gov/docs/authority/m-24-15/industry/#central-point-of-contact

FedRAMP should continue to seek feedback from industry on how to increase agency reuse of FedRAMP authorizations, drive more authorizations of small or disadvantaged businesses, and reduce the burden and cost of the FedRAMP authorization process for both CSPs and Federal agencies.

GAP 2: This data collection is unlawful to be collected historically.

Requiring CSPs to provide a decade of historical cost data is an unsubstantiated administrative burden that lacks a legal basis. The Paperwork Reduction Act requires agencies to prove that any information collection is 'necessary for the proper performance of the functions of the agency' and that it minimizes burden. This RFC fails both tests: the PMO lacks the statutory authority to collect CSP-side financial data, and the retroactive nature of the request makes compliance technically and legally infeasible for commercial entities.

GAP 3: Corrective actions are unlawful to be enforced.

Administrative agencies, like GSA and FedRAMP, do not have the inherent authority to engage in rule making or retroactive rulemaking unless explicitly granted by Congress. The FedRAMP Authorization Act contains no such grant. Any attempt to mandate "corrective actions" based on data constitutes an "arbitrary and capricious" application of power under the Administrative Procedure Act (APA), as it seeks to punish entities for non-compliance with a standard that was not in effect during the period in question.

GAP 4: Data collection should use anonymization techniques to remove uniqueness of individual records for re-identification.

There are significant concerns that FedRAMP collects this data from commercial entities, it can become public record via FOIA process.

As proposal, when collecting this data,

• Use of statistical numerical binning or banding for any types of hours or cost data.
• Use of date range generalization from exact dates to month/years or even quarters/years.
• Additional collection of company size if an SBA, but not actual size or company name (for SBA objective)
• Be submitted via a standardized form, controlled by FedRAMP.

GAP 5: RFC does not address how to standardize the collection of cost data as required by the GAO report.

https://www.gao.gov/assets/gao-24-106591.pdf - page 17:

Of the CSPs that reported costs, they also varied in the types of costs that they included. Although each CSP included their costs for 3PAOs, four did not include their costs for labor and contractor support. In addition, three CSPs, two of which were small businesses, included costs for updating their infrastructures to meet FedRAMP requirements. For example, one CSP reported costs of approximately $367,000, which only included its 3PAO cost. Another small business CSP reported costs of $3 million, which included its labor and contractor support costs, 3PAO costs, and costs to update its infrastructure. According to representatives from three CSPs, data on each type of cost were not readily available and, as a result, it would be a significant effort for them to obtain the data.

The proposed items in the RFC do not meet this objective and should be modified as follows to align to the phases of an Agency Authorization:
https://www.fedramp.gov/rev5/agency-authorization/

Preparation:

• Readiness Assessment:
  • Beginning and end dates
  • Total effort of time spent in hours (internally, with 3PAO, with PMO)
  • Total cost spent in process (development, operations, contracting with 3PAO)
• Pre-Authorization:
  • Beginning and end dates
  • Total effort of time spent in hours (internally, with 3PAO, with PMO)
  • Total cost spent in process (development, operations, contracting with 3PAO)

Authorization:

• Full Security Assessment
  • Beginning and end dates
  • Total effort of time spent in hours (internally, with 3PAO, with PMO)
  • Total cost spent in process (development, operations, contracting with 3PAO)
• Agency Authorization Process
  • Beginning and end dates
  • Total effort of time spent in hours (internally, with 3PAO, with Agency, with PMO)
  • Total cost spent in process (development, operations, contracting with 3PAO)

Continuous Monitoring:

• Post Authorization:

  • Beginning and end dates
  • Total effort of time spent in hours (internally, with 3PAO, with Agency, with PMO)
  • Total cost spent in process (development, operations, contracting with 3PAO)

• Annual Assessment:

  • Beginning and end dates
  • Total effort of time spent in hours (internally, with 3PAO, with Agency, with PMO)
  • Total cost spent in process (development, operations, contracting with 3PAO)

[pete-gov]

The following public comment was received via email from Coalfire on Thu Feb 12 @ 5:14pm.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

Hi Pete & Team - Here's Coalfire’s feedback on RFC-0019 Reporting Assessment Costs.

LAC-GEN-ASA Assessor Signed Attestation

The IA or 3PAO should be the one responsible for listing/providing this data. There should be consideration for the costs directly imposed by the 3PAO and those that are internal to the CSP as part of implementing and maintaining a FedRAMP compliant CSO. FedRAMP should consider adjusting this requirement and creating separate fields for CSPs and IA/3PAOs to provide their own cost info.

3PAO costs should be specific to performing the required assessment activities (manual control testing, vulnerability scanning, and penetration testing).

CSP costs should have categories that allow for cost data to be associated with a specific category to support future analysis by FedRAMP."

LAC-FRX-IDS, PVA-GEN-IDS

FedRAMP should request this from 3PAO directly for assessment costs and not be another manual PDF/Word form. If we are modernizing compliance lets modernize these submissions to be online form submissions and aggregated data on a quarterly or annual basis. Other accreditation bodies do this today such as PCI to collect relevant program details from accredited organizations, and it is aggregated to reduce the risk of any data associated with a single assessment in the case of data leakage. As part of the submission the 3PAO can attest to the accuracy of the information provided.

Rev 5 and 20X Costs Reporting

Costs and hours in a vacuum will not be valuable, and the information collected should include aggregated information related to data points that can drill costs down to common denominators. For example:

• How many services are included in the scope for the assessment?
• How many assets are included in the boundary?
• For PaaS/SaaS, how many PaaS or IaaS environments are included in the boundary?

The idea being that cost and hours as a standalone data point does not help illustrate average costs because every boundary and environment is different so finding common data points to account for costs across the FedRAMP program will help FedRAMP quantify and average out costs between large, medium and smaller CSPs.

CSP Submissions

CSP data submissions should be limited to their costs for supporting the management of the environment, continuous monitoring and supporting the initial and annual assessment. It should not be a PDF/Word appendix but an online form that can then be used from the system capturing the information for reporting, Finally, CSPs should also submit data point that define the size and complexity of the environment similar to the 3PAO:

• How many services are included in the scope fo the authorization?
• How many assets are included in the boundary?
• For PaaS/SaaS, how many PaaS or IaaS environments are included in the boundary?

[pete-gov]

The following public comment was received via email from Rubrik on Thu Feb 12 @ 4:35pm.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

Hi Pete-

Thanks for the opportunity to provide feedback on RFC-0019. Rubrik's comments are captured below:

Comment #	Comment
1	Rubrik requests that the PMO clarify whether all cost data submitted under this RFC will be treated as 'Confidential Commercial Information' exempt from disclosure under FOIA Exemption 4.
2	Rubrik supports the industry consensus that 3PAOs are the most accurate source of assessment cost data. We recommend that 3PAOs submit this data directly to the PMO via existing channels (e.g., Form R337), removing the administrative burden from CSPs and eliminating the need for complex cross-party attestations.
3	The proposed penalty of authorization revocation for reporting errors is disproportionate to the nature of the requirement. We propose that corrective actions be limited to administrative notices, rather than revocation of the Authority to Operate (ATO), which disrupts mission-critical government services.

[pete-gov]

The following public comment was received via email from Salesforce on Thu Feb 12 @ 3:23pm.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

Requirement_ID	Title	Salesforce Comment
LAC-FRX-IDS	Identified Data Sharing	1. Competitive Misuse and Misleading Comparisons Concern: Raw cost and hours data could be used to imply assessment quality or diligence (e.g., lower hours or cost interpreted as “lower quality” or “less thorough”). In reality, effort varies widely with scope and approach—for example, some assessors test 100% of the control scope in a single assessment while others spread a similar scope over multiple years. Without context, comparisons are misleading. Recommendation: Add a comment or context field to the Cost Appendix (or equivalent form) so CSPs/3PAOs can briefly describe assessment scope, methodology, and any factors that explain the reported costs and hours (e.g., control count, environment complexity, sampling approach). Consider optional fields for size/complexity (e.g., control set size, number of in-scope systems, or similar) so cost and hours can be understood in context and not used as standalone quality indicators. 2. Separate Submission Mechanism (Form vs. Appendix) Concern: Making cost data an appendix to the SAR creates risk that it is shared with federal customers (e.g., via the FedRAMP Marketplace or as part of the SAR package). Stakeholders do not see clear value to agency customers (e.g., FDA, FCC) in viewing assessment cost data; the benefit appears to be FedRAMP program tracking, not customer decision-making. Recommendation: Treat cost data as program-level reporting, not part of the customer-facing SAR. Use a standalone form submitted to FedRAMP at the time of (or in conjunction with) the SAR, rather than an appendix bound to the SAR document. This would: Reduce the risk of accidental disclosure to agencies or the public. Align structure with purpose (FedRAMP-only use). Simplify compliance with the intent that cost data is shared only between FedRAMP and CSPs/3PAOs unless legally required. 3. Explicit Clarification on Sharing and Handling Concern: The current text says FedRAMP must not share cost data with the public or within the federal government unless legally required, but it does not clearly state that the Cost Appendix (or equivalent) is not part of the SAR package that is shared with federal customers. Because the SAR is often shared with agencies (and may appear on the FedRAMP Marketplace), there is ambiguity about whether cost data travels with it. Recommendation: In this section and/or in FRX-IDS (or the relevant sharing/handling section), explicitly state that: The SAR Cost Appendix (or cost reporting form) is separate from the rest of the SAR. It is only shared between FedRAMP and the CSP (and 3PAO, if applicable), and not included in the SAR package provided to federal customers or the Marketplace, except where legally required. Clarify that when cost data must be shared (e.g., for legal or aggregate reporting), CSP and 3PAO names will be removed or otherwise de-identified, and that FedRAMP will take steps to prevent re-identification, as noted in the current note. 4. Context for Cost and Effort (Size and Complexity) Concern: Cost and hours are highly dependent on environment size and complexity (e.g., number of controls, systems, and boundaries). The proposed fields do not capture this, which can lead to inappropriate comparisons and the competitive/quality inference risks above. Recommendation: Add optional (or required) fields for basic scope/context, such as: Number of controls in scope, and/or A simple size/complexity indicator (e.g., tier or category), so that cost and hours can be interpreted in context and not used out of context against CSPs or 3PAOs. Summary: Stakeholders support FedRAMP collecting cost and effort data for program management but recommend: (1) a comment/context field and optional scope/size fields to avoid misleading comparisons; (2) a standalone form submitted at SAR time rather than an SAR appendix to avoid accidental sharing with customers; (3) explicit language that cost data is separate from the customer-facing SAR and shared only with FedRAMP unless legally required, with de-identification of CSP/3PAO names when sharing is necessary.
LAC-GEN-IAC	Initial Authorization Costs	1. Proportionality of the corrective action Concern: The proposed corrective action (denial of authorization plus a 3‑month resubmission penalty) may be disproportionate for a requirement that is limited to submitting the Costs Appendix. Because this is cost/administrative data rather than core security assessment findings, stakeholders have raised concern that the consequence is overly severe compared to the nature of the failure. Recommendation: Consider whether a tiered or less severe corrective action is more appropriate for this specific requirement (e.g., conditional approval with a short cure period, or a lesser resubmission penalty), while reserving the full denial and 3‑month penalty for more substantive assessment failures. 2. Assigning the requirement to the 3PAO rather than the CSP Concern: The requirement currently places the submission obligation on “Providers” (CSPs). Commenters suggest that the obligation would be better placed on the 3PAO (Third Party Assessment Organization), because: The 3PAO prepares the Security Assessment Report and the Costs Appendix. The 3PAO is the natural owner and controller of this data. Holding the 3PAO responsible would align accountability with the party that produces and submits the assessment deliverables. Recommendation: Consider revising the requirement so that the 3PAO, rather than the CSP, must submit the complete Security Assessment Report Costs Appendix to FedRAMP, with corrective action applied to the 3PAO (per existing or updated 3PAO accountability mechanisms) rather than resulting in denial of the CSP’s authorization. Summary: The feedback is (1) that the penalty may be too steep for cost-data submission alone, and (2) that the requirement and any associated consequences should attach to the 3PAO rather than the CSP. You can use the two sections above as separate bullets or paragraphs in your written feedback.
LAC-GEN-HAC	Historical Assessment Costs	1. Lookback period and feasibility Concern: Requiring historical assessment costs “dating back to the initial authorization of the cloud service offering” is not feasible for many CSPs. Some offerings have been authorized for 10+ years (e.g., authorizations dating to 2016 or earlier). Records may be incomplete, and the burden of reconstructing or estimating many years of data is high relative to the benefit. Recommendation: Limit the lookback period (e.g., 5 or 7 years from the effective date, or from the next annual assessment), with older data optional or explicitly out of scope. Or require “best effort” for periods beyond a defined cutoff (e.g., “full data for the last X years; for prior years, estimated total costs per year where available, with no penalty for missing or estimated data beyond Y years”). Clarify that for assessments before the process takes effect, data may be estimated and limited to total costs per year, and that “best effort” satisfies the requirement for the oldest authorizations so that long-standing CSPs are not disproportionately burdened. 2. Clarify “revocation of FedRAMP Certification” in the corrective action Concern: The corrective action states that failure will result in “revocation of FedRAMP Certification for at least 6 months,” but “Certification” is ambiguous. It is unclear whether this means: Authorization to Operate (ATO) is withdrawn for 6 months (agency authorizing official revokes or suspends the ATO), or FedRAMP Marketplace listing is removed or suspended for 6 months (CSP is delisted and cannot be designated by agencies), or Something else (e.g., “FedRAMP certified” status only, with ATO and Marketplace treatment described separately). Recommendation: Define “revocation of FedRAMP Certification” in the document (or in a defined-terms section) so it is clear whether it means: removal/suspension from the FedRAMP Marketplace, impact on existing ATOs (e.g., notification to authorizing officials, suspension of authorization), or both, and in what sequence. Specify whether the 6‑month period applies to Marketplace listing, ATO status, or both, and what is required for the CSP to be reinstated (e.g., submission of historical cost data, corrective submission, and any review process). Summary: (1) Add a lookback limit or best-effort rule for older authorizations so CSPs with 10+ years of history are not required to produce full historical cost data for the entire period. (2) Define “revocation of FedRAMP Certification” so it is clear whether the 6‑month consequence affects ATO, Marketplace listing, or both, and what reinstatement entails.

[pete-gov]

The following public comment was received via email from CoreWeave on Wed Feb 11 @ 2:45pm.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

RFC	Requirement	Current Text	Comment	Proposal
0019	LAC-FRX-IDS	FedRAMP MUST NOT share any identified cost data collected under this process with members of the public OR within the federal government UNLESS necessary to meet a legal requirement.	How does FedRAMP plan to protect the identity of some CSPs and 3PAOs when the sample size for a specific 'Impact Level + 'Service Model' + 'Deployment Model' might be statistically small? Even if the name is sanitized, given a niche enough combination, someone may be able to infer the parties involved.	Could FedRAMP release only aggregated data with only mean, median, mode, etc. available vs. data at the CSO level?

[pete-gov]

This also came in just under the wire from ADI last week.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

The Alliance for Digital Innovation (ADI) appreciates the opportunity to comment on RFC-0019, the Reporting Assessment Costs.

We respectfully request that FedRAMP clarify and explicitly state a defined cap on the Historical Assessment Costs lookback period. As written, the RFC references reporting dating back to the initial authorization but does not specify a time limitation. In the absence of a stated cap, this could be interpreted as requiring reporting in perpetuity.

We recommend aligning the requirement with the current standard of a two-year lookback period. More broadly, we strongly prefer that the timeframe be explicitly stated rather than left ambiguous