RFC-0021: Expanding the FedRAMP Marketplace

[pete-gov]

RFC-0021: Expanding the FedRAMP Marketplace

The initial outcome from this RFC can be seen here: https://www.fedramp.gov/notices/0005/

Status: Closed
Start Date: January 13, 2026
Closing Date: February 19, 2026

Summary

This RFC proposes expanding the FedRAMP Marketplace to better serve the entire FedRAMP community by changing the following:

• Cloud service providers will be able to list a cloud service offering while Preparing to obtain a FedRAMP Certification or Validation.
• All cloud service providers will be required to share general pricing information.
• Advisory companies that provide FedRAMP-related advisory and consulting services will be able to be listed as such by sharing some information including pricing structure.
• FedRAMP-recognized independent assessors will be required to provide additional information including pricing structure.
• FedRAMP will strive to meet time targets for certain activities that map to GSA’s FY26 Strategic Plan.
• FedRAMP will transparently publish detailed information about Marketplace-related activities.

This RFC is aligned with other concurrent RFCs that have additional detail on specific topics but have been published separately to encourage topic-specific comments:

• RFC-0020: FedRAMP Authorization Designations
• RFC-0022: Leveraging External Frameworks
• RFC-0023: Sponsorless Rev5 Certifications

Motivation

The FedRAMP Marketplace currently shows a small snapshot of the entire FedRAMP-related ecosystem, with cloud service providers needing to be close to the end of their FedRAMP journey to be listed while advisory services are completely ignored. This makes it difficult for agencies to understand the potential early progress of cloud service providers while making it unnecessarily confusing for cloud service providers trying to find help implementing FedRAMP.

Every month companies publicly announce with great fanfare that they are establishing programs to pursue FedRAMP Certification or Validation… then the rest of us hear very little about their progress. Often agencies reach out to FedRAMP to ask for the status of a company that made an announcement many months ago and frequently that company didn’t even tell FedRAMP about their plans! Creating a formal process with a low barrier to entry that allows companies serious about FedRAMP to indicate this on the FedRAMP Marketplace and to keep interested potential customers up to date is a strong win for everyone.

Adding an option for advisory services to be listed directly will similarly address a frequent request from industry - FedRAMP can’t recommend specific vendors or services, but we can at least ensure that everyone who takes FedRAMP advisory seriously is listed in a central Marketplace to help industry move faster.

---

FedRAMP Marketplace Listings (MPL) Process

The following requirements and recommendations apply to any cloud service offering listed in the FedRAMP Marketplace:

MKT-FRX-TRT Target Response Time in General

FedRAMP SHOULD complete the initial review, determination, and appropriate action within 14 days of receiving a qualifying request for the following:

1. Submission for Preparation listing
2. Submission for FedRAMP Validated Level 1
3. Submission of Agency Authorization in Process
4. Submission of a Prioritization request

Notes:

• Denial due to an incomplete, insufficient, or non-qualifying request will reset this time counter.
• The 14 day action window is a target, not a formal agreement; FedRAMP’s ability to meet this window will depend on demand and staffing.

MKT-FRX-TAT Target Authorization Time

FedRAMP SHOULD complete its assessment and Certification or Validation process within 30 days of receiving a qualifying submission package; however, any cloud service offering that receives a denial decision due to an incomplete or insufficient package will receive a 1 month penalty for resubmission.

Notes:

• The FedRAMP authorization process can end in a positive or negative authorization decision.
• A 1 month penalty means FedRAMP will close the application as “denied” and will wait 3 months before considering a follow-up application.
• The 1 month penalty is to offset the expense in both time and resources of a government-funded review by FedRAMP and ensure that cloud service providers do not take advantage of government-funded review by repeatedly submitting incomplete materials for feedback from FedRAMP.
• The 30 day authorization window is a target, not a formal agreement; FedRAMP’s ability to meet this window will depend on demand and staffing.

MKT-FRX-SUM Summary of Authorization Decision

FedRAMP MUST include a review summary with any authorization decision that explains why the decision was made; in the event of a denial the review summary MUST include an explanation of the deficiencies that led to the denial.

Note: This review summary, regardless of the decision outcome, may be available for agency review but will not be shared publicly by FedRAMP except to comply with legal requirements.

MKT-FRX-PAD Publishing Activity Data

FedRAMP MUST publish activity data showing the status of all non-sensitive Marketplace-related activities, including historical time and results; this data will be loosely de-identified by providing a unique ID to the requestor and sharing this unique ID publicly in place of the cloud service provider name.

Notes:

• This is most likely to be limited data showing what was requested, when, and what the current status for open activities. For closed activities it will include the time but probably will not include the outcome.
• It may be possible to perform de-identification reversal of some records using other public information such as the marketplace status, but all Marketplace activity data should generally be non-sensitive as it is requesting a change to public information.

MKT-GEN-SOF Scope of FedRAMP

Providers MUST demonstrate that a cloud service offering is intended for one of the following use cases to be listed in the FedRAMP Marketplace:

1. Direct Use: The product will be used directly by agency customers for integration into a federal information system that falls within the scope of 44 USC § 3506 and will receive an agency Authorization to Operate.
2. Indirect Use: The product will be included as a third-party information resource in other cloud service offerings that are directly used by agency customers.

Note: FedRAMP will not list products or services that are outside the explicit statutory scope of FedRAMP; services used by private companies to meet other compliance requirements (such as CMMC) that do not also meet one of the above use cases are outside the scope of FedRAMP.

MKT-GEN-DOD Demonstration of Ongoing Demand

Providers MUST demonstrate ongoing demand and utility by including the following additional information as part of each Ongoing Authorization Report as required by FRR-CCM-01:

1. A list of all agencies that are directly using the product
2. A list of all agencies that have requested access to authorization data, covering the period since the previous Ongoing Authorization Report

Note: Classified and national security systems are outside the scope of FedRAMP; such use does not need to be disclosed to FedRAMP.

MKT-GEN-SPI Service Pricing Information

Providers MUST include general pricing information for the cloud service offering (or links to existing public pricing information) in their Marketplace data; this general pricing information should include the general price for services offered to agencies and to other customers if applicable.

Note: Cloud service providers use many different pricing strategies for their services; this requirement is for the convenience of potential customers so providers are expected to identify the most effective way to meet this requirement for their own cloud service.

Effective Date: August 26, 2026

Corrective Action: Failure to meet this requirement will result in public notification and place the cloud service offering into indefinite Remediation until the requirement is addressed (but it will not be removed from the Marketplace or have Certification or Validation revoked).

MKT-GEN-PKO Pick One: 20x or Rev5

Providers MUST NOT request both a FedRAMP Program Certification (Rev5) and a FedRAMP Validation (20x); providers need to pick one to implement.

Notes:

• This requirement ensures that FedRAMP and other government entities are not wasting time, resources, and funding to support multiple options for the same cloud service provider.
• A path for Rev5 Certified cloud service offerings to transition to 20x Validated will be available in the future.

Cloud Service Offerings in the Preparation State

The following requirements and recommendations also apply to ALL cloud service offerings listed in the Preparation state.

MKT-PRE-SUR Subset of Requirements

Providers MUST implement at least a subset of either the FedRAMP 20x or related Rev5 Balance Improvement Release processes as follows:

1. Authorization Data Sharing: FRR-ADS-01 through FRR-ADS-02
2. Collaborative Continuous Monitoring: FRR-CCM-01 through FRR-CCM-07

MKT-PRE-DCP Demonstrating Continuous Progress

Providers MUST demonstrate continuous progress towards a complete FedRAMP 20x Validation and agency adoption, documented in their quarterly Ongoing Authorization Reports.

Note: These reports are explained in the Collaborative Continuous Monitoring process, i.e. FRR-CCM-01 Ongoing Authorization Reports.

MKT-PRE-DLA Deadline for Authorization

Providers MUST meet the requirements for FedRAMP Certified or FedRAMP Validated within 12 months of initial listing in the Preparation phase.

Corrective Actions: Failure to meet this requirement will result in removal from the Marketplace for a minimum period of 6 months.

Advisory Services Listings

The following requirements and recommendations apply to all advisory services listed in the Marketplace.

MKT-ADV-WEB Website Requirements

Advisors MUST have an appropriate web site that publicly shows at least the following in consistent machine-readable and human-readable formats:

1. Types of consulting services offered, including a clear pricing structure.
2. General description of the consulting service.
3. Contact information.
4. Current Client(s) with link to the cloud service offering in the Marketplace (if applicable, desired, and approved by the client).
5. Previous Client(s) with link to the cloud service offering in the Marketplace (if applicable, desired, and approved by the client).
6. Any related information.

Notes:

• Comments or suggestions for additional details that advisory services should provide so that FedRAMP can include it in the Marketplace listing would be appreciated; expect this requirement to expand with additional information after public comment. (sorry, FedRAMP will not be able to host reviews of advisory services)
• FedRAMP will publish a JSON Schema for the required machine-readable data

MKT-ADV-ATT Attestation Requirements

Advisors MUST publicly maintain positive attestations from at least 3 cloud service providers that have used the consultant within the past 12 months and include them with the information required by MKT-ADV-WEB.

Note: These attestations must always be current; that is on any particular date there must be 3 attestations dated within the past 12 months.

Corrective Action: Failure to meet this requirement will result in public notification and a grace period of 3 months, followed by removal from the Marketplace for a minimum of 6 months.

MKT-ADV-ACI Attestant Contact Information

Advisors MUST supply contact information (of the cloud service provider) to FedRAMP for the public attestations in MKT-ADV-ATT for verification as needed.

MKT-ADV-SWS Separate Web Site for Other Listings

Advisors MAY also maintain a FedRAMP-recognized independent assessor listing if applicable but should use separate web pages to avoid confusion.

Note: For example, company.com/consulting and company.com/assessment

FedRAMP-Recognized Independent Assessor Listings

The following requirements and recommendations apply to all FedRAMP-recognized independent assessors listed in the Marketplace; the final form of these requirements are expected to take effect on May 26, 2026.

MKT-RIA-WEB Website Requirements

Assessors MUST have an appropriate web site that publicly shows at least the following information in consistent machine-readable and human-readable formats:

1. Types of assessment services offered, including a clear pricing structure.
2. General description of the independent assessor.
3. Contact information.
4. Current Client(s) with link to the cloud service offering in the Marketplace (if applicable, desired, and approved by the client).
5. Previous Client(s) with link to the cloud service offering in the Marketplace (if applicable, desired, and approved by the client).
6. Any related information.

Notes:

• Comments or suggestions for additional details that independent assessors should provide so that FedRAMP can include it in the Marketplace listing would be appreciated; expect this requirement to expand with additional information after public comment. (sorry, FedRAMP will not be able to host reviews of independent assessors)
• FedRAMP will publish a JSON Schema for the required machine-readable data

MKT-RIA-ATT Attestation Requirements

Assessors MUST publicly maintain positive attestations from at least 3 FedRAMP Certified or FedRAMP Validated cloud service offerings that have used the assessor within the past 24 months and include them with the information required by MKT-RIA-WEB.

Notes:

• These attestations must always be current; that is on any particular date there must be 3 attestations dated within the past 24 months.
• FedRAMP recognized independent assessors that do not actually perform independent assessments will be removed from the Marketplace to avoid confusion.

Corrective Action: Newly FedRAMP-recognized independent assessors have an automatic grace period of 24 months from the date of initial recognition to meet this requirement without any corrective action; failure to meet these requirements after this period will result in public notification and a grace period of 6 months, followed by FedRAMP recognition being withdrawn for a minimum of 6 months.

[jsantore-cgc]

Two thoughts:

1. MKT-GEN-SOF Scope of FedRAMP
   I fundamentally agree with the definitions of Direct vs Indirect. I'd also say that Indirect is probably more prevalent in general. Many authorized CSPs have a small number of agency customers, but then many indirect, government adjacent customers. That said, as described my concern is that the definition of Indirect is making some assumptions.

"Indirect Use: The product will be included as a third-party information resource in other cloud service offerings that are directly used by agency customers."

(emphasis mine).

Really, all you can state is that it is intended to be included as a third-party resource in other CSOs. Whether or not it actually gets used is likely unknowable at this stage.

2. This one's a question. Advisory services and Assessment services listing. Does this supercede R311, A2LA, and similar requirements? Basically, it requires a minimum of 3 current advisory and/or assessment engagement attestations at any time, correct?

[wisecryptic]

Regarding question 2, I support maintaining a balanced structure that separates accreditation and recognition functions, allowing each body to focus on its distinct area of expertise. Previous experience has demonstrated that FedRAMP’s governance and appeals processes have been problematic for addressing 3PAO performance issues.

[cb-axon]

I strongly support inclusion of Indirect use. That visibility has been needed for a long time, as many CSPs primarily operate in indirect or government-adjacent roles.

I agree that the language should focus on “intended to be included” rather than implying actual downstream use, which may not yet be measurable. Over time, it would be reasonable to require evidence of marketplace demand or integration interest from existing FedRAMP services, similar to prior prioritization models for the JAB.

On advisory vs. assessment listings, I do not read this as superseding existing accreditation requirements. Advisory firms are not currently required to adhere to formal accreditation standards, but independent assessors are. Any assessor listed should still be required to maintain A2LA accreditation and existing FedRAMP recognition requirements. The attestation requirement appears additive to—not a replacement for—those standards. (Since we know the PMO won't respond/comment here, these are just my thoughts to your question).

[TheVantaCat]

+1 to both @wisecryptic and @cb-axon comments.

To add, indirect customers (other commercial entities with business to government) tend to be much more for CSPs than direct customers (agencies)

There are also additional indirect customers from reprocity of FedRAMP assessments - CMMC, Canadian Protected B, and GovRamp for State/Local/Tribal.

[Ken-Smith-Cisco]

MKT-FRX-TAT Target Authorization Time

Package review, historically, is subjective and there can be several rounds of discussions and resubmissions (even if not a formal resubmission, but a request for the PMO to review a single document and state acceptance/denial). CSPs should not be penalized for what they believe is a complete package, but the PMO reviewer still identifies issues (again, historically some of this has come down to grammar).

MKT-GEN-DOD Demonstration of Ongoing Demand

CSPs do not maintain a list of agencies requesting access to authorization data as it is stored in USDA connect and access is managed by the PMO. Additionally, via 20x, much of this information is going to be public and CSPs will not maintain a list of all people who have access the Trust Portal or CSP documents.

MKT-GEN-SPI Service Pricing Information

This is a bad idea. Costs are heavily dependent on features/services purchased including support and also may include discounts for specific customers. An "average" cost could be very skewed depending on a high number of variables. It may be best to simply include base-pricing instead, which should standardize all CSPs pricing information. While this is "up to the CSP" to implement, the Corrective Action is concerning. How often will this be required to be updated?

[cb-axon]

MKT-FRX-TAT – I agree the proposed penalty structure is too harsh. Package completeness has historically involved back-and-forth discussion, and what one reviewer considers sufficient may evolve over time. Some appeal mechanism or formal dialogue step should be built in before imposing a resubmission penalty, especially while industry adjusts to new expectations.

MKT-GEN-DOD – USDA Connect is being sunset per related RFCs, and FedRAMP High CSPs already host their own authorization materials. Additionally, 20x does not require all materials to be public, and I haven't seen a CSP post some FedRAMP requirements like detailed contingency plans with contact information publicly. That said, demonstrating ongoing demand has not historically been difficult; sales engagement and active agency interest are typically evident. The requirement should align with realistic data sources rather than assuming CSPs maintain formal logs of every authorization package access event.

MKT-GEN-SPI – I agree this requirement is problematic. Cloud pricing is highly variable and dependent on features, usage tiers, support models, and negotiated discounts. Publishing a generalized price risks misleading agencies and oversimplifying complex offerings. Even “base pricing” is often not meaningful across different architectures and service combinations. At minimum, strong disclaimers and flexibility are needed; ideally, this requirement should be reconsidered.

[vedigaurav]

Gap #1
Relevant Requirements: RFC-0021 introduces a Preparation Marketplace listing for CSPs working toward authorization, with requirements for demonstrating progress and meeting the full authorization within 12 months.
Issue: The continuous progress requirement and 12-month deadline lack defined metrics for what constitutes “continuous progress” or acceptable evidence of progress. Without measurable thresholds, CSPs could be uncertain whether their submissions meet the listing criteria and face removal without clear cause.
Recommendation: Incorporate measurable progress metrics (e.g., quarterly milestones completed, percentage of controls documented/assessed) with examples so CSPs clearly know what satisfies “continuous progress” toward certification/validation.

Gap #2
Relevant Requirements: Marketplace pricing requirements mandate that CSPs include “general pricing information” for services offered.
Issue: “General pricing information” is undefined and may result in inconsistent approaches. Without guidance on what constitutes acceptable pricing disclosure (e.g., rate card ranges, tiered pricing), agencies may find the information of limited utility and CSPs may be exposed to competitive risk.
Recommendation: Define acceptable formats and granularity for pricing (e.g., tiered agency rates, typical subscription bands, indicative ranges) and clarify whether pricing should include optional services (e.g., managed services) versus core platform costs.

Gap #3
Relevant Requirements: Assessor listings require public pricing structure, client listings, and attestations from recent clients.
Issue: The requirement for client listings and public attestations may expose sensitive business relationships or violate nondisclosure obligations between assessors and clients. Some clients may not want to be publicly listed for commercial or security reasons.
Recommendation: Allow opt-out mechanisms or alternative verification methods (e.g., anonymized attestations, hashed client identifiers, or private attestations submitted to FedRAMP) to balance transparency with client confidentiality.

Gap #4
Relevant Requirements: The RFC sets a 14-day target response time for certain Marketplace actions (e.g., Preparation listing submission review).
Issue: Labeling this as a “SHOULD” target without any capacity planning or commitments to resourcing could create unrealistic expectations. Stakeholders may infer performance guarantees that FedRAMP cannot meet without additional staffing or process investments.
Recommendation: Clarify that the response time target is aspirational tied to specific staffing levels or resource conditions, and include a mechanism (e.g., periodic reporting) for FedRAMP to publish actual performance metrics against these targets.

Gap #5
Relevant Requirements: Providers MUST demonstrate ongoing demand by listing agencies that directly use a product and those that have requested access to authorization data.
Issue: Requiring disclosure of agency demand data may create privacy or procurement sensitivity concerns and could unintentionally influence future procurement decisions (e.g., agencies being compared).
Recommendation: Specify how agency usage data will be handled (e.g., high-level summary counts vs exact agency names) and consider anonymization options if needed to protect procurement fairness while still signaling demand.

Gap #6
Relevant Requirements: The Marketplace listing process requires providers to choose one authorization path (Rev5 or 20x) and prohibits concurrent submissions.
Issue: This may discourage innovation or dual-track approaches where a CSP wants to pursue a 20x pilot while maintaining a Rev5 track for customers requiring legacy ATO compatibility. There’s no allowance for branching approaches based on market or customer needs.
Recommendation: Include a process exception or transitional provision to allow CSPs to pursue multiple coordinated pathways under defined conditions (e.g., documented strategy, distinct product lines) without duplicative administrative hurdles.

Gap #7
Relevant Requirements: The RFC mandates publication of Marketplace activity data with unique IDs replacing CSP names to “loosely de-identify” records.
Issue: The de-identification approach may still be reversible if combined with other public Marketplace signals (e.g., timing, service names), potentially compromising confidentiality of sensitive status information.
Recommendation: Define a formal de-identification protocol (e.g., k-anonymity thresholds, suppression of low-volume categories) that minimizes re-identification risk even when correlated data is available publicly.

[cb-axon]

Gap 2 – I agree this requirement is problematic. Cloud pricing is highly variable and dependent on features, usage tiers, support models, and negotiated discounts. Publishing a generalized price risks misleading agencies and oversimplifying complex offerings. Even “base pricing” is often not meaningful across different architectures and service combinations. At minimum, strong disclaimers and flexibility are needed; ideally, this requirement should be reconsidered.

Gap 3 – I agree. Client relationships should not be forced into public disclosure where contractual or business sensitivities exist. Anonymized attestations or private verification mechanisms would better balance transparency and confidentiality. FOIA exposure concerns should also be addressed explicitly.

Gap 5 – I agree with this recommendation. Some agencies explicitly request that their use or interest not be publicly disclosed, even outside classified contexts. The policy should allow anonymized or aggregated reporting of demand to respect agency preferences and procurement sensitivities.

[bjagasia]

Public Comment on RFC-0021: Expanding the FedRAMP Marketplace

---

First and foremost, we want to apologize upfront for the length of this comment. We are strong advocates of FedRAMP and genuinely enthusiastic about the modernization efforts underway, including the 20x initiative and the broader push toward transparency and efficiency. We believe the PMO is moving the program in the right direction, and we want to be constructive partners in that effort.

That said, certain aspects of RFC-0021 raise significant concerns for our organization and, we believe, for the broader FedRAMP ecosystem. We felt it was important to articulate those concerns thoroughly rather than superficially. We hope this comment is received in the spirit it is intended: as a good-faith effort to improve the proposal, not to obstruct progress.

---

Background: Advisory-Focused 3PAOs

Our organization is a 3PAO on the FedRAMP Marketplace that focuses primarily on advisory services. We want to be transparent about our position: we have a financial stake in this discussion, and we recognize that some may view our comments through that lens. We ask that our arguments be evaluated on their merits regardless.

When we pursued A2LA accreditation years ago, we did so with FedRAMP's full knowledge that we intended to focus on advisory work. FedRAMP listed us on the marketplace under this model, and we have operated transparently in this capacity ever since. Our clients engage us specifically because we offer the technical rigor of an accredited organization without the conflict of interest that arises when the same firm advises on and then assesses a security program.

We raise this history because some may ask why an organization that focuses on advisory services sought accreditation as an assessor. The answer is that for many of our customers, the accreditation demonstrates technical competence, and technical competence matters for advisory work. We maintain full assessment capabilities and could perform assessments for the right client engagement. Our business focus on advisory services is a strategic choice, not a limitation of capability. FedRAMP's decision to list 3PAOs on the marketplace reflected an understanding that CSPs benefit from having access to conflict-free advisors with verified qualifications. That understanding appears to have changed, and we believe the change warrants careful examination.

---

The Recategorization Problem

We anticipate that FedRAMP may respond to concerns like ours by noting that advisory-focused 3PAOs are not being eliminated, merely recategorized. Under this view, we would simply move from the 3PAO listing to the Advisory Services listing, and business would continue as usual. Some may further argue that our A2LA accreditation remains intact regardless of marketplace listing, and that we can continue to display our credentials on our own website and marketing materials. If our value proposition is real, the argument goes, the market will recognize it without needing a government URL.

This framing understates how the FedRAMP ecosystem actually works. For federal contractors, agencies, and CSPs navigating the authorization process, the FedRAMP Marketplace is not merely a directory. It is the definitive source of truth. When procurement officers evaluate potential service providers, marketplace presence and categorization carry significant weight. Being listed as a 3PAO signals that an organization has met rigorous, third-party-verified standards for technical competence. Being listed as an advisor under the proposed MKT-ADV-* requirements signals only that an organization has a website, three client attestations, and contact information.

If 3PAOs who do not perform assessments (or have not yet) are removed from the 3PAO listing, it does not simply change their category. It signals to the market that they have been decertified or are no longer in good standing. It forces affected organizations to explain a negative ("We are still accredited, we just aren't on the list anymore") rather than proving a positive. The government creates the market conditions in the FedRAMP ecosystem; changing the labeling schema has consequences for organizations that built their reputations within the existing framework.

For CSPs evaluating potential advisors, believe it or not, the 3PAO designation is often one of the deciding factors, as evident by many of our clientele. It answers the question: "How do I know this firm actually knows what they're doing?" If advisory-focused 3PAOs are moved into a category with no competency requirements, that signal disappears. CSPs would have no way to distinguish between a firm that invested years and substantial resources in earning accreditation and a firm that set up a website last month.

Some may argue that the market can sort this out, that sophisticated CSPs can evaluate advisors based on track record and reputation without relying on accreditation. We respectfully disagree. The FedRAMP market includes many first-time participants who lack the institutional knowledge to evaluate advisor qualifications independently. These CSPs rely on marketplace signals precisely because they cannot yet distinguish between qualified and unqualified guidance. Removing the only objective quality signal does not empower the market; it leaves inexperienced buyers vulnerable to poor advice.

---

Due Process and Equal Treatment Concerns

The note under MKT-RIA-ATT states that "FedRAMP recognized independent assessors that do not actually perform independent assessments will be removed from the Marketplace to avoid confusion." We have significant concerns about how this determination would be made and applied.

Lack of Defined Criteria

The RFC provides no criteria, process, or evidentiary standard for determining which 3PAOs "do not actually perform independent assessments." Who makes this determination? What factors are considered? Is it based on historical assessment volume? A stated business model? Marketing language? The RFC is silent on these questions, leaving the decision entirely to the discretion of the PMO without any defined parameters or accountability.

Equal Treatment Concerns

We note that there are currently fifteen 3PAOs listed on the FedRAMP Marketplace with zero completed assessments. Some of these organizations are traditional audit firms that maintain their accreditation and qualified staff but have not yet completed a FedRAMP assessment for various business reasons. Others may be newer entrants still building their practice. Still others, like our organization, focus their business development efforts on advisory services while maintaining full assessment capabilities.

Under the language of this RFC, all fifteen of these organizations could potentially be subject to removal. Yet we suspect the PMO's intent is more targeted. If so, the RFC should clearly articulate the criteria that distinguish a 3PAO that "does not actually perform assessments" from one that simply has not yet performed assessments, or one that performs assessments selectively, or one that focuses on advisory work while retaining assessment capabilities. Without such criteria, the PMO would be making subjective, case-by-case determinations about which accredited organizations deserve marketplace recognition and which do not.

If two 3PAOs both show zero assessments on the marketplace, both maintain A2LA accreditation, both employ qualified assessors, and both pay their annual certification fees, on what basis would one be removed while the other remains listed? The RFC provides no answer. The result is a policy that could be applied arbitrarily, favoring some organizations over others based on factors that are neither disclosed nor subject to review.

Accreditation vs. Activity

Most fundamentally, we question the authority and appropriateness of removing 3PAO marketplace status from an organization that maintains all accreditation requirements. Our organization holds current A2LA accreditation. We employ qualified personnel. We meet every technical and administrative requirement that FedRAMP and A2LA impose on 3PAOs. We recertify annually like every other accredited assessor. We have the demonstrated capability to perform assessments and would do so for clients whose engagements meet our terms.

The fact that we focus our business development on advisory services does not mean we lack assessment capability. It means we have made a business decision about where to concentrate our efforts. That decision could change. A client with the right circumstances could engage us for assessment work, and we would be fully qualified to perform it. Focusing on advisory work is not the same as being incapable of assessment work, and the RFC conflates these two very different situations.

By removing marketplace recognition from a 3PAO that maintains all requirements, FedRAMP would effectively be making a business judgment about how accredited organizations should allocate their resources. It would be telling qualified firms that their accreditation is insufficient unless they also generate assessment revenue. This goes beyond marketplace organization into active market interference, handicapping a private company's ability to compete for work despite that company meeting every objective qualification standard.

Questions for FedRAMP

We would ask FedRAMP to consider:

1. If an organization maintains A2LA accreditation, employs qualified assessors, and meets all ongoing 3PAO requirements, on what basis should FedRAMP override the accreditation body's determination that the organization is qualified to perform assessments?

2. If the concern is marketplace clarity, why is removal the appropriate remedy rather than a notation, filter, or category distinction that preserves recognition of the organization's accredited status?

3. If the PMO intends to remove certain 3PAOs but not others despite similar assessment histories, what objective criteria will govern that decision, and what process exists for affected organizations to understand and contest the determination?

4. What recourse does an organization have if it believes the PMO's removal decision was made in error or applied inconsistently?

We are not seeking special treatment. We are seeking clarity, consistency, and due process. If FedRAMP believes that 3PAO marketplace listing should be contingent on assessment activity rather than accreditation status alone, that represents a significant policy change that should be clearly articulated, applied uniformly, and subject to defined procedures. The current RFC language, which simply states that certain organizations "will be removed" without specifying how or why, does not meet that standard.

---

Why Advisor Competence Serves FedRAMP's Interests

We recognize that some within FedRAMP may view advisor qualifications as outside the program's scope. The argument is straightforward: FedRAMP's statutory mandate is to authorize secure cloud services for the federal government. The program accredits assessors because the government relies on their testing to make risk decisions. Advisors, by contrast, work for CSPs, not the government. Under this view, it is not the government's role to certify, accredit, or tier private-sector consultants.

We would offer a different perspective, one grounded in the practical realities of the authorization pipeline.

The "Garbage In" Problem

The PMO has long identified package quality as a significant challenge. Initial submissions frequently contain gaps, inconsistencies, and errors that require multiple rounds of revision before authorization can proceed. This "garbage in" problem contributes directly to the backlog that frustrates agencies, CSPs, and FedRAMP alike. Every deficient package consumes reviewer time that could be spent on well-prepared submissions.

Poor advisory work is often the root cause. When a CSP engages an unqualified advisor, the resulting SSP, SAR, and POA&M reflect that lack of expertise. Controls are implemented incorrectly. Documentation fails to meet requirements. Boundary definitions create confusion. The assessor may identify these issues, but by then the problems are baked into the submission. The PMO inherits packages that require extensive remediation.

Qualified advisors produce better packages. Organizations with demonstrated expertise in NIST 800-53, FedRAMP requirements, and cloud security architecture guide their clients toward compliant implementations from the outset. The resulting submissions are cleaner, more complete, and easier to review. This is not speculation; it is the predictable consequence of engaging qualified guidance early in the process.

By removing the distinction between A2LA-accredited advisors and firms with no verified qualifications, FedRAMP is not simply reorganizing a directory. It is eliminating the only quality filter that currently helps CSPs identify advisors likely to produce authorization-ready packages. The result will be more CSPs engaging unvetted advisors, more deficient initial submissions, and more strain on an already overburdened review process.

Preserving a quality signal for advisory services is not about helping accredited firms sell services. It is about helping FedRAMP receive better deliverables.

FedRAMP 20x Makes This Even More Critical

Everything we have described above applies to the traditional authorization process. With FedRAMP 20x, the stakes are higher.
The 20x initiative represents a fundamental shift in how FedRAMP evaluates cloud security. Rather than relying primarily on document-heavy assessment packages reviewed by human assessors, 20x moves toward automated validation through Key Security Indicators (KSIs), machine-readable evidence, and continuous compliance monitoring. This is the right direction for the program, and we support it fully.

However, it also raises the technical bar significantly. Under the traditional model, an advisor's primary deliverables were documentation: SSPs, policies, procedures, and assessment-ready artifacts. Under 20x, advisors must guide CSPs through implementing automated evidence collection, configuring systems to produce machine-readable compliance data, and architecting environments that can demonstrate security posture continuously rather than at a point in time. This requires genuine engineering depth, not just familiarity with NIST 800-53 control language.

The margin for error also shrinks. In the traditional process, a human assessor could identify implementation gaps, ask clarifying questions, and work with the CSP to remediate issues before the package reached the PMO. The 20x model reduces that human review layer. Automated validation is binary: the KSI evidence either meets the requirement or it does not. If an unqualified advisor guides a CSP toward an implementation that cannot produce valid KSI evidence, there is no assessor in the loop to catch the mistake before it becomes a rejection.

Put simply, 20x shifts more of the quality burden upstream, directly onto the advisory phase. The advisory engagement becomes the primary human touchpoint where implementation quality is determined. If that guidance is sound, the CSP enters the automated validation process well-positioned to succeed. If it is not, the CSP fails validation with less opportunity for human intervention to course-correct.

We believe this makes the current moment particularly important for preserving quality signals in advisory services. As FedRAMP raises the technical bar through 20x, the need for qualified, technically rigorous advisors grows in proportion. We are concerned that lowering the barrier to advisory listing while simultaneously demanding higher technical sophistication from CSP implementations could work at cross-purposes, potentially slowing the very modernization effort that FedRAMP is working to accelerate. We raise this not as a criticism of 20x, which we genuinely support, but as a reason to be more deliberate, not less, about how the marketplace signals advisor quality during this transition.

---

Why Advisor Competence Matters for CSPs

The MKT-ADV-* requirements establish no accreditation, certification, or technical competency standards for advisory services. We understand the appeal of a low barrier to entry: it encourages competition, avoids regulatory overreach, and lets the market determine which advisors succeed. Some may characterize a proposal for quality differentiation as gatekeeping, arguing that the only "good" advisors would be those wealthy enough to afford A2LA accreditation fees, while brilliant boutique consultants who know NIST 800-53 inside out would be locked out.

We respectfully disagree with this framing. In cybersecurity, "trust but verify" is not gatekeeping; it is the baseline expectation. ISO 17020 accreditation is not merely paperwork. It ensures impartiality, technical consistency, and adherence to quality management standards. If a boutique firm is truly expert in FedRAMP requirements, meeting those standards should not be an insurmountable barrier. The accreditation process exists precisely to distinguish verified competence from self-reported expertise.

The government relies on standards for virtually everything in the security and compliance space. Federal agencies require ISO 27001 certification for certain contractors. FedRAMP itself is built on NIST frameworks. The entire 3PAO program exists because self-attestation is insufficient for consequential security decisions. If standards matter for assessment, they should matter for advisory work as well, particularly given that advisors shape the security programs that assessors later evaluate.

Lowering the bar to "anyone with a website and three attestations" does not democratize the advisory market. It degrades it. CSPs seeking qualified guidance would have no reliable way to distinguish verified expertise from confident marketing.

Advisors Shape Outcomes

Advisors guide organizations through the entire FedRAMP journey. They help CSPs make foundational decisions about architecture, control implementation, boundary definition, and documentation. These early decisions shape everything that follows. An assessor evaluates a security program after it has been built; an advisor influences how it gets built in the first place.

When an unqualified advisor provides poor guidance, the consequences compound. A CSP may spend months implementing controls incorrectly, developing documentation that does not meet requirements, or designing an architecture that cannot support the security objectives. By the time an assessor identifies these problems, the CSP has invested significant time and money in a flawed approach. In some cases, the CSP must start over.

If FedRAMP requires rigorous accreditation for the entity that checks the work, it seems incongruous to require nothing for the entities that typically guide CSPs on how the work gets done.

---

Conflict of Interest Implications

FedRAMP has long recognized the importance of separating advisory and assessment functions. Existing rules prohibit a 3PAO from assessing a system on which they provided advisory services. We acknowledge these safeguards and do not suggest they are being removed.

Our concern is more subtle. If advisory-focused 3PAOs are recategorized into a listing with no quality differentiation, and if CSPs seeking qualified guidance cannot distinguish accredited advisors from unaccredited ones, the path of least resistance becomes engaging a 3PAO that offers both services. Those firms retain their accreditation signal. They can demonstrate verified competence. For a CSP trying to make a sound procurement decision, the 3PAO with both capabilities looks like the safer choice.

The existing COI rules would still apply: the same firm could not advise and assess the same system. But the market pressure this RFC creates would push more CSPs toward firms that offer both services, increasing the likelihood of creative interpretations, staff rotations, or other arrangements that technically comply with COI rules while undermining their intent. We have seen these dynamics play out in other compliance markets, and we are concerned about replicating them here.

Advisory-focused 3PAOs exist to give CSPs a third option: verified competence without the COI risk. Eliminating the quality signal that distinguishes this option does not eliminate demand for qualified, conflict-free advisory services. It simply makes that demand harder to satisfy.

---

Concerns Regarding Advisory Service Requirements

RFC-0021 proposes that advisory firms listed on the marketplace "MUST have an appropriate web site that publicly shows...Types of consulting services offered, including a clear pricing structure." We wish to raise several concerns about this requirement.

Statutory Authority

We note that the FedRAMP Authorization Act (44 USC 3607-3616) does not mention advisory services. The statute's scope is limited to cloud computing products and services, independent assessment services (defined as third-party organizations performing conformity assessments), and the authorization process itself. While FedRAMP may argue that marketplace listing is voluntary and therefore these requirements do not constitute regulation, we would ask for clarification on the authority under which FedRAMP proposes to mandate pricing disclosure for private-sector consultants who are not performing conformity assessments.

Pricing Transparency and Complex Engagements

More substantively, we question whether a "clear pricing structure" requirement serves CSPs well when applied to advisory services. We recognize and support the goal of price transparency. CSPs benefit from understanding the cost landscape before engaging service providers. However, the implementation assumes that advisory work can be meaningfully reduced to a published price list, and this assumption does not reflect how complex advisory engagements actually work.

Not all advisory engagements are equal. A gap assessment for a mature organization with existing compliance infrastructure looks very different from a gap assessment for a startup building from scratch. A readiness engagement for a straightforward SaaS application differs fundamentally from one involving complex hybrid architectures, multiple interconnected systems, or significant engineering work to achieve compliance. Advisory firms that provide deep technical and engineering services cannot accurately represent their pricing in the same format as firms offering commoditized, checklist-driven consulting.

The requirement for a "clear pricing structure" implicitly favors standardized, lower-touch advisory models. Firms that offer templated approaches can publish fixed prices because their scope is predictable. Firms that tailor their work to each client's architecture, maturity level, and specific challenges cannot meaningfully do the same without either understating their value or posting ranges so broad as to be uninformative.

Practical Market Effects

We are also concerned about the practical effects of published pricing on how CSPs evaluate potential advisors. In our experience, publishing price ranges can cause prospective clients to self-select out before understanding the value proposition. We have had multiple engagements where a CSP initially contacted us solely to satisfy their organization's "three vendor" procurement requirement, with no intention of pursuing our services because our published range appeared to exceed their budget. Yet once they had an opportunity to speak with us and understand our approach, they recognized the value and signed with us regardless of the initial range concern.

This dynamic would be disrupted by a marketplace that emphasizes pricing as a primary comparison metric. CSPs browsing the advisory listings may filter or sort by price, dismissing higher-value providers before ever engaging in a conversation. The result is not better-informed procurement decisions but rather a race toward the lowest published price point, which often correlates with less thorough, less technical, and ultimately less effective advisory work.

A Suggested Alternative

We are not opposed to price transparency in principle. We simply observe that a requirement designed for commoditized services may not translate well to complex, engineering-intensive advisory work. A CSP comparing advisory firms based on a published price grid is likely comparing fundamentally different scopes, approaches, and levels of expertise, none of which the pricing field can convey.

If FedRAMP's goal is to help CSPs make informed decisions about advisory services, we would suggest that qualitative information, such as areas of specialization, technical certifications, client references, and demonstrated expertise, may be more valuable than a pricing structure that cannot capture the variability inherent in serious advisory work. At minimum, we would ask that FedRAMP consider allowing advisory firms to indicate that pricing is engagement-dependent and available upon consultation, rather than requiring a public price list that may mislead more than it informs.

---

Statutory Considerations

The FedRAMP Authorization Act defines FedRAMP's scope around cloud computing products, services, and "independent assessment services." Advisory services are not mentioned in the statutory framework.

We recognize that marketplace listing is voluntary. FedRAMP is not requiring advisory firms to do anything; it is simply setting criteria for who appears in a directory. Under this view, concerns about regulatory authority are misplaced.

We would offer a practical counterpoint. The FedRAMP Marketplace has become the de facto mechanism through which agencies discover and evaluate cloud services and the firms that support them. For service providers, marketplace presence is not optional in any meaningful sense. Being unlisted, or being listed in a category that conveys no quality signal, has real market consequences that function similarly to regulatory exclusion even if they are not legally equivalent.

We do not claim that FedRAMP lacks authority to organize its marketplace as it sees fit. We simply observe that the practical impact of these organizational decisions extends beyond mere categorization, and we ask that FedRAMP consider those impacts carefully.

---

A Constructive Path Forward

We recognize that our recommendation may appear self-serving. We are proposing a framework that would preserve a category in which we currently hold a competitive advantage. We ask that the proposal be evaluated on whether it serves CSPs, agencies, and FedRAMP's operational efficiency, not on whether it benefits us.

We also understand the PMO's desire to ensure the "Assessor" list contains only organizations that actively perform assessments. When an agency or CSP clicks on the 3PAO listing, they reasonably expect to find firms that conduct assessments. Having some entries represent organizations that focus primarily on advisory work could create confusion and degrade the user experience. We take this concern seriously.

However, we believe this is a categorization challenge that can be solved through user interface improvements rather than by removing qualified firms from the marketplace entirely. De-listing is a disproportionate response to what is fundamentally a labeling and filtering problem.

Proposed Tiered Framework

Our suggestion is a tiered approach to advisory listings, implemented through marketplace filters or distinct tabs:

Tier 1 (Accredited Advisory) would include 3PAOs that maintain A2LA accreditation and focus primarily on advisory services while retaining assessment capabilities. These firms have demonstrated competence through the same process required of assessment-active firms and remain subject to ongoing oversight. Any organization willing to invest in accreditation could qualify for this tier; it is not limited to current participants. This tier could appear under an "Accredited Advisory" filter or tab, clearly distinguished from the "Assessment Services" listing while retaining recognition of verified A2LA status.

Tier 2 (Non-Accredited Advisory) would include firms meeting the proposed MKT-ADV-* requirements without accreditation. This tier would remain open to any organization that meets the website, attestation, and contact information requirements.

Benefits of This Approach

This approach:

• Addresses the user experience concern without eliminating qualified advisors
• Preserves a quality signal for CSPs seeking verified competence
• Maintains an accessible entry point for new advisory firms
• Avoids creating a government certification program for consultants while leveraging the accreditation infrastructure that already exists
• Directly supports FedRAMP's efficiency goals: accredited advisors are more likely to produce high-quality initial packages, reducing the burden on reviewers and helping move the authorization pipeline forward

Some may argue that a tiered system adds complexity to a marketplace that should be simple. We would respond that meaningful distinctions are worth preserving, particularly when they help buyers make better decisions and improve the quality of submissions entering the review process. A marketplace that lists all advisors identically regardless of qualifications is simple, but it is not informative. The goal should be clarity, not just brevity.

---

Conclusion

We support FedRAMP's efforts to improve marketplace transparency. We share the goal of helping CSPs find qualified assistance and navigate the authorization process more efficiently.

Our concern is that the current proposal achieves the opposite of its intent. By recategorizing accredited 3PAOs that focus on advisory services into a listing with no quality threshold, and by creating no meaningful standards for advisory competence, this RFC would eliminate the primary signal CSPs use to identify qualified, conflict-free advisors. The likely result is not a more transparent marketplace but a less informative one, where CSPs either cannot distinguish qualified advisors from unqualified ones or default to engaging 3PAOs that offer both advisory and assessment services.

The downstream consequences extend beyond market confusion. Unqualified advisors produce deficient packages. Deficient packages burden the authorization process. The authorization backlog grows. Everyone suffers.

We also have serious concerns about the lack of defined criteria and due process for removal decisions. Fifteen 3PAOs currently show zero assessments on the marketplace. If FedRAMP intends to remove some but not others, the basis for that distinction should be transparent, consistently applied, and subject to review. Organizations that maintain all accreditation requirements should not have their marketplace status revoked based on undisclosed criteria or subjective PMO determinations.

We believe FedRAMP can achieve its transparency and usability goals while preserving quality signals that serve CSPs, agencies, and the efficiency of the program itself. A simple UI solution, distinguishing "Accredited Advisory" from "Assessment Services" through filters or tabs, would address the user experience concern without the collateral damage of removing qualified firms from meaningful marketplace recognition.

We would welcome the opportunity to discuss these concerns and explore alternative approaches.

---

Thank you for considering this comment. We remain committed to supporting FedRAMP's mission and look forward to continued dialogue on these important issues.

[ethanolivertroy]

""

[Peter-Harroun]

MKT-GEN-DOD
We already must provide the list of agencies that directly use the product as part of FedRAMP R5. That does not seem to be a change.
The link to CCM-OAR-AVL is for FedRAMP 20x.

#2 "A list of all agencies that have requested access to authorization data, covering the period since the previous Ongoing Authorization Report"
I do not recall getting any report of all agencies that requested access to authorization data. Only FedRAMP would have that. So why is the Provider on the hook to demonstrate rather than FedRAMP? So I presume this will only be required once RFC 0011 (Trust Center) is fully implemented.

MKT-GEN-SPI
We have multiple offerings, each with distinct pricing models. As long as the CSP provides a link to a public website which has some of this information, we will be in compliance. And we will not need to contact info@fedramp.gov to update the pricing.

[TBailey223]

Very excited to see the benefits that come with the use of the FedRAMP "In Preparation" stage for Marketplace listing. This will allow CSPs to be listed on the Marketplace earlier, helping address the significant challenge of attaining a Marketplace listing via either FedRAMP In Process, which required sponsorship, or FedRAMP Ready, requiring a completed Readiness Assessment. This will reduce the cost of starting the FedRAMP Journey, which will expand the industry to even more providers.

[JustAnother3PAO]

I support this change to the Marketplace listings.

[TrevorLowing]

Feedback: Expanding the FedRAMP Marketplace

Thank you for RFC-0021 expanding the FedRAMP Marketplace to include advisory services, 3PAO assessors, and implementation support vendors. I support increased transparency and vendor competition. However, the expansion introduces procurement and quality assurance gaps that FedRAMP PMO must address in implementation guidance.

Critical Issue #1: Marketplace Vendor Quality Vetting Gap — FAR 15.304 Compliance Required (FAR 2.0 Context)

Problem: RFC-0021 expands Marketplace to include three new vendor categories (Tier 3 = advisors, Tier 4 = implementation support). These vendors are listed but not vetting like CSPs are. FedRAMP does not validate advisor quality, implementation vendor capability, or conflict-of-interest.

Impact on Federal Procurement:
Under FAR Part 15 (Competitive Procurements) and FAR 2.0 modernization principles, agencies must establish source selection criteria (FAR 15.304) to evaluate vendors. FAR 2.0 encourages streamlined commercial-like procurement, but quality vetting remains mandatory. If procurement officer sees 30 advisors on FedRAMP Marketplace, my question is: Does FedRAMP's listing constitute quality vetting, or must agencies perform independent evaluation?

Current Gap: RFC-0021 is silent on whether Marketplace listing = quality approval or = just a vendor directory.

Agency Context Feedback:
I assume Marketplace listing does NOT constitute FedRAMP quality vetting for advisory/implementation vendors (unlike CSPs which are assessed). Agencies must therefore perform independent evaluation per FAR 15.304. But this defeats RFC-0021's transparency benefit (if agencies can't trust the listing, adding 50 vendors doesn't reduce procurement effort).

Recommendation to FedRAMP PMO:
Establish minimum qualification standards for Tier 3 (Advisory) and Tier 4 (Implementation) vendors:

1. Mandatory qualifications (for Marketplace listing):

   • ✓ Federal contractor registration (SAM.gov active)
   • ✓ FedRAMP experience (≥3 completed FedRAMP assessments for advisors; ≥5 for implementation)
   • ✓ Professional credentials (CISSP, CCSK, or equivalent for security advisors)
   • ✓ Disclosure: Any conflicts of interest (e.g., "we work for 15 CSPs" vs. "we are independent advisory")

2. Recommended additions:

   • Customer reference availability (willing to provide 3 federal customer references)
   • Insurance coverage (cyber liability, E&O minimum thresholds)
   • Pricing transparency (published rate ranges or day-rate bands)

3. Quality feedback mechanism:

   • Marketplace should enable federal customers to rate/review advisors (like Amazon ratings)
   • Star ratings help procurement officers identify preferred vendors

Success Criteria: Agencies can cite FedRAMP Marketplace qualification standards in RFQs instead of creating custom evaluation criteria. Saves procurement effort; increases standardization; aligns with FAR 2.0 goals to reduce acquisition burden.

---

Issue #2: Conflict-of-Interest Vetting for Advisors — Privacy Act & FAR 3.704 Compliance (FAR 2.0 Transparency)

Problem: Advisors on Marketplace may represent competing interests:

• Example A: "Big 4 consulting firm" advising CSP on FedRAMP compliance → same firm also advising federal agency on cloud procurement → conflict of interest?
• Example B: Advisor claims independence but is subsidiary/partner of major CSP → not disclosed

Federal Procurement Risk:
If an agency hires an advisor who is also helping a selected CSP optimize its Marketplace listing, the advice may be biased. FAR 48 CFR § 3.704 addresses organizational/personal conflicts, but Marketplace listing doesn't require conflict disclosure.

Recommendation to FedRAMP PMO:
Require Marketplace Tier 3 (Advisory) vendors to disclose:

• "Do you currently work with any FedRAMP CSPs?" (Yes/No)
• If Yes: "Which CSPs and what services?" (listing)
• "Are you independent advisory firm, or subsidiary/partner of CSP/integrator?" (required disclosure)

Benefit: Agencies can evaluate whether advisor conflicts affect agency procurement decisions. Marketplace listing becomes more trustworthy. This transparency aligns with FAR 2.0 modernization emphasis on digital disclosure and commercial best practices.

FAR Citation: 48 CFR Part 3 (Improper Business Practices and Personal Conflicts of Interest)

---

Issue #3: 3PAO Marketplace Expansion — Quality Variation Risk (SIN Multiple Assessor Management)

Problem: RFC-0021 expands 3PAO listings on Marketplace (good: more competition, more transparency). But FedRAMP doesn't track which assessor completed which assessment. If one 3PAO's work is used across 50+ federal agencies, and that 3PAO's quality declines, how does FedRAMP identify affected authorizations?

Real-world risk:

• 3PAO A completes assessment for CSP X (good quality)
• Same 3PAO A later delivers low-quality assessment for CSP Y
• 20 federal agencies adopt CSP Y based on flawed assessment
• No central tracking; no recall mechanism

Recommendation to FedRAMP PMO:
Implement assessment audit trail tracking in Marketplace:

• For each CSP, list which 3PAO conducted the assessment
• If 3PAO is later found to have quality issues, FedRAMP can identify affected CSPs/agencies
• Consider performance metrics (CSPs re-authorized by same 3PAO vs. different 3PAO; satisfaction trends)

FAR Citation: FAR 46.401 (Quality Assurance standards applicable to contractors)

---

Issue #4: Implementation Support Tier — Who Validates Implementation Quality?

Problem: RFC-0021 lists implementation support vendors on Marketplace but provides no quality validation mechanism. If CSP hires low-cost implementation contractor and results in non-compliant system architecture, who is liable?

Example scenario:

• CSP hires Marketplace-listed implementation vendor
• Vendor delivers infrastructure that doesn't meet FedRAMP control requirements
• Assessment fails; CSP blames vendor; vendor claims CSP didn't follow guidance
• Agencies waiting for authorization are delayed

Responsibility Question:

• Is vendor responsible for meeting NIST control requirements?
• Is CSP responsible for vendor oversight?
• Does FedRAMP vet implementation quality, or just list vendors?

Recommendation to FedRAMP PMO:
Publish implementation vendor responsibility statement:

• "Marketplace listing does NOT constitute FedRAMP validation of implementation quality"
• "CSPs are responsible for validating that implementation vendors deliver control-compliant infrastructure"
• "If implementation vendor's work causes authorization failure, CSP (not vendor) is liable to FedRAMP"
• OR establish implementation vendor qualification standards similar to 3PAO standards

Consider implementation vendor insurance requirement (E&O coverage) to protect CSPs/agencies.

---

Issue #5: Pricing Transparency Risk — "Low-Cost Advisors" May Indicate Low Quality

Problem: RFC-0021 publishes advisor pricing, which is good for transparency. But agencies may equate low cost with good value. If cheap advisor provides poor guidance, an agency authorization may be delayed or rejected.

Agency Context Feedback:
Pricing transparency + quality transparency = effective competition. Pricing alone without quality data = risk of selecting low-cost, low-quality advisors.

Recommendation to FedRAMP PMO:
Include quality indicators alongside pricing in Marketplace:

• Pricing: $X per day (transparent)
• Customer satisfaction: 4.2/5 stars (based on federal customer reviews)
• Experience level: "15+ FedRAMP assessments completed" (transparent)
• Average assessment time: "6 months" (if tracked)

This helps procurement officers trade cost vs. quality trade-off.

---

Procurement Language Updates Needed

For agencies' RFQs, I recommend FedRAMP-provided templates for:

1. RFQ language for hiring FedRAMP-listed advisors (with quality/cost evaluation factors)
2. Conflict-of-interest certification template for advisors
3. 3PAO selection criteria (now that selection is more competitive)
4. Implementation vendor evaluation guide (what to look for; what to avoid)

---

Closing

RFC-0021's marketplace expansion is operationally sound but requires quality and conflict-of-interest guardrails to work effectively. Without vetting and transparency on advisor quality/conflicts, the expanded Marketplace becomes just a larger directory—still requiring agencies to perform independent due diligence.

Recommend FedRAMP PMO focus implementation guidance on:

1. ✅ Minimum qualification standards for Tier 3/4 vendors
2. ✅ Conflict-of-interest disclosure requirements
3. ✅ Quality feedback mechanism (customer ratings/reviews)
4. ✅ Implementation vendor responsibility/liability statement
5. ✅ Procurement language templates for agencies

Submitted by: Trevor Lowing (private citizen, personal capacity)
Contact: Trevor.Lowing@gmail.com
Disclaimer: The views expressed are my own.
Date: February 10, 2026

[cb-axon]

I disagree with several of the assumptions in these recommendations. Quick points:

• Marketplace = directory, not endorsement. Listing advisory or implementation firms is meant to surface industry partners for CSPs and integrators — it is not a FedRAMP quality stamp and shouldn’t be treated as one by procurement officers.
• Advisory ≠ assessment. Advisors provide consulting; 3PAOs perform accredited assessments (A2LA, FedRAMP recognition). The RFC’s marketplace listings don’t change those accreditation requirements or allow role conflation. An assessment firm can provide advisory services (and some are accredited assessment firms that solely provide advisory), but if you lack A2LA accreditation, you can't be an assessment firm.
• Existing traceability and corrective paths exist for 3PAOs. CSP listings already show which 3PAO performed an assessment, and FedRAMP has corrective-action/recognition mechanisms if assessor quality is at issue. FedRAMP doesn't need to enforce quality standards for advisors. The CSPs already do that with their own standards for the performance of their consultants. Ultimately its the CSPs responsibility to maintain the system.
• Pricing ≠ quality. Published prices (if retained) will be context-dependent; they don’t reliably indicate capability or suitability.
• FAR-based procurement concerns are largely misplaced here. Advisory and 3PAO services are procured by CSPs, not federal agencies. The Marketplace listing of these firms is not a federal source-selection vehicle and should not be treated as one. It is a visibility tool for industry participants, not a government quality endorsement or procurement shortcut.

Bottom line: RFC-0021’s Marketplace expansion should improve visibility for industry without being misconstrued as FedRAMP validation of third-party advisory/implementation quality.

[TheVantaCat]

I agree with @TrevorLowing that the FAR cannot be ignored here. By making MKT-GEN-SPI a requirement for Marketplace eligibility, the PMO is creating a de facto procurement prerequisite.

If a CSP is placed into 'indefinite Remediation' for withholding proprietary pricing data—data that they are legally protected from disclosing under FAR Part 12—then the FedRAMP PMO is effectively penalizing a provider for exercising their rights under federal law. We should keep the Marketplace focused on security validation (K.I.S.S.) and leave pricing transparency to the individual agency contracting officers who are already empowered by the FAR to conduct price reasonableness determinations."

[mhahnfirstinfotech]

MKT-GEN-DOD requires information to be included in the Ongoing Authorization Reports from Collaborative Continuous Monitoring in CCM-OAR-AVL. However, Collaborative Continuous Monitoring is currently optional as a Balance Improvement Release for Rev5 authorizations. Thus the requirement for MKT-GEN-DOD appears to make the optional CCM now required for Rev5 authorizations to be listed on the Marketplace (that is, if RFC-0021 were to be published and effective prior to CCM being required broadly). This should be adjusted or clarified to avoid any ambiguity, i.e., is CCM in fact a requirement (and not optional) in order to demonstrate ongoing demand to be listed on the Marketplace per MKT-GEN-DOD?

[cb-axon]

Overall, I strongly support inclusion of the Indirect classification (MKT-GEN-SOF Scope of FedRAMP). This has been needed since the program’s inception and better reflects how cloud ecosystems actually operate.

• Today, many FedRAMP-authorized CSPs are restricted from using otherwise capable commercial SaaS products simply because those providers do not yet hold a FedRAMP authorization. In many cases, those commercial providers are fully committed to meeting FedRAMP requirements but have not secured a sponsoring agency. It is often easier for them to demonstrate demand through commercial CSP relationships first. They should not be effectively blocked from market participation solely because they have not yet obtained a direct federal customer. Recognizing indirect use allows ecosystem adoption to drive authorization progress rather than requiring agencies to go first.
• To reinforce this model, the ongoing demand requirement (MKT-GEN-DOD) should include not only agencies using the product, but also FedRAMP CSPs that utilize the service. That would more accurately reflect real adoption and preserve the value of the Indirect pathway.

On MKT-ADV-ATT, the attestation requirement should allow limited public anonymity.

• Some CSPs contractually prohibit public disclosure of advisory relationships, particularly for sensitive systems (as defined by the CSP).
• Attestations could be anonymized in public listings while still being fully disclosed to the PMO for verification as needed.

Finally, I have significant concerns about mandatory CSP pricing disclosures.

• Cloud pricing is highly dependent on configuration, usage tiers, feature sets, and negotiated discounts. Publishing generalized pricing risks misleading agencies and oversimplifying complex offerings.
• At minimum, strong disclaimers and flexibility are required; ideally, this requirement should be reconsidered.

[pete-gov]

The following public comment was received via email from CoreWeave on Wed Feb 11 @ 2:45pm.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

RFC	Requirement	Current Text	Comment	Proposal
0021	MKT-GEN-PKO	A path for Rev5 Certified cloud service offerings to transition to 20x Validated will be available in the future.	If a provider opts to go Rev5 initially and then wants to switch over to 20x, is there a delay period? Or can that be a quick turnaround?	No proposal, but interested in learning more about what this transition pathway looks like.
0021	MKT-FRX-TRT	2. Submission for FedRAMP Validated Level 1	The "Validated Level 1" language makes it seem like Preparation is only for 20x services. However, in RFC-0020, it seemed like both Rev5 and 20x services go through the Preparation stage.	Change the text to read more like "2. Submission for FedRAMP Validated Level 1 or FedRAMP Certified Level 1".
0021	MKT-PRE-DLA	Providers MUST meet the requirements for FedRAMP Certified or FedRAMP Validated within 12 months of initial listing in the Preparation phase.	The amount of effort (and associated timelines) to achieve validation or certification is commensurate with the level being pursued. Instead of making this requirement be a flat 12 months across all levels, could we make it be based on level?	Level 1 & 2 - 8 months Level 3 & 4 - 12 months Level 5 & 6 - 18 months
0021	MKT-ADV-WEB	Advisors MUST publicly maintain positive attestations from at least 3 cloud service providers that have used the consultant within the past 12 months and include them with the information required by MKT-ADV-WEB.	Additional details could include the following to help providers filter on aspects that are unique to their business: - Specialization in Rev5 certifications and/or 20x validations - Specialization in IaaS, PaaS, and/or SaaS - Specialization in Level 1, Level 2, Level 3, Level 4, Level 5, and/or Level 6 - Any conflicts of interest (binary yes/no if the advisory body is also a 3PAO, for context)	Additional details could include the following to help providers filter on aspects that are unique to their business: - Specialization in Rev5 certifications and/or 20x validations - Specialization in IaaS, PaaS, and/or SaaS - Specialization in Level 1, Level 2, Level 3, Level 4, Level 5, and/or Level 6 - Any conflicts of interest (binary yes/no if the advisory body is also a 3PAO, for context)
0021	MKT-GEN-DOD	Providers MUST demonstrate ongoing demand and utility by including the following additional information as part of each Ongoing Authorization Report as required by FRR-CCM-01: 1. A list of all agencies that are directly using the product 2. A list of all agencies that have requested access to authorization data, covering the period since the previous Ongoing Authorization Report	1. makes sense, as its similar to the current metadata on the existing FedRAMP marketplace regarding Authorizing Entities. However, for 2., is it sufficient for a provider to just give the number of unique agencies that have requested access to the authorization data (rather than agency names)? This should show demand without giving up any sort of competitive market information as more and more small startups enter the FedRAMP arena.	Proposing changing the text to "2. The number of unique agencies that have requested access to authorization data, covering the period since the previous Ongoing Authorization Report".

[wisecryptic]

Section MKT‑GEN‑SOF

After reviewing this section, I recommend removing all content except the final note. Instead of listing specific use cases, it would be more effective to simply include a tag identifying CSPs that support direct agency use.

The rationale is straightforward:
Within relatively short time, nearly every CSP becomes both a Direct‑Use and Indirect‑Use provider.
CSPs that begin by supporting contractors naturally expand into broader public‑sector markets to maximize their investment. Conversely, once contractors learn that a FedRAMP‑authorized option exists, they adopt it directly—even when the CSP originally targeted only agencies. (Notably, CSPs themselves often suffer from TAM myopia, focusing narrowly on either government customers or their current customer set, which ultimately limits their growth and the value they can bring to the ecosystem.)
Only niche providers will remain confined to a single category.
This dual‑use reality was foundational to the original vision for FedRAMP. Fifteen years ago, agencies were expecting higher‑quality cloud services, while CSPs depended on cloud providers to build a network effect of FedRAMP‑authorized components they could incorporate into their end‑to‑end offerings. In practice, the absence of direct use is usually temporary and resolves quickly if the CSP is committed to broadening its service applicability.
Regarding the note at the end of the section, it is notable that products outside the statutory FedRAMP scope are not listed. This omission actually helps clarify whether a company falls inside or outside the statutory boundary. However, it is important to acknowledge that these non‑statutory offerings will inevitably intermingle with FedRAMP environments. Nearly every long-term CSO, in my estimation, serves a mix of direct, indirect, and non‑statutory customers.
(For clarity, this intermingling is not a drawback to me. The fact that a single government framework can support such a wide spectrum of use cases—including novel scenarios beyond the intent of its original designers—is a strength.)

Section: MKT‑GEN‑DOD

I recommend removing this section entirely.
If a CSP serves more than three agencies, there will inherently be continuing demand. This raises key questions about the purpose of the section: What is the intended outcome? Who benefits from collecting this information? Who is expected to use it? My assumption is that the goal may be to replicate data that currently lives in the centralized FedRAMP repository by pulling it from private CSP documentation systems. However, this type of information should be displayed in the FedRAMP Marketplace, not in an authorization package.
In practice, agencies are the most appropriate parties to disclose their own use of a product. I have encountered situations where one agency was uncomfortable learning that another agency had contacted them due to unexpected or unclear information sharing. For that reason, agencies should remain the authoritative source for reporting their usage.
Additionally, agencies often use a CSP’s services in varied ways—experimental workloads, contractor collaboration, or incidental low‑sensitivity tasks. These nuances matter. It is far better for the agencies themselves to declare their usage context to avoid confusion about how they categorize or treat a CSP’s service.
In summary:

Agencies using the product
Agencies should report their own usage, and this information should be reflected in the FedRAMP Marketplace, with CSP‑submitted data serving only as a fallback. The appropriate validation artifact is an active ATO (or equivalent agency-use documentation).

Agencies requesting access to authorization data
I don't understand the meaningful value in collecting this information, particularly since it reflects only a short 1–3‑month window before being updated again.

If FedRAMP’s intent is to maintain an accurate and high‑quality Marketplace, a cleaner approach could be as follows:
If a CSP maintains at least one active ATO on file with FedRAMP, they remain in good standing. When an ATO expires, FedRAMP could issue a long‑lead notification requiring the CSP to upload updated authorization evidence. Failure to do so could simply result in the removal of any Marketplace tag indicating direct agency use.

Section MKT‑GEN‑SPI – Service Pricing Information

I’m pleased to see that the guidance allows for significant flexibility in how pricing can be represented. This accommodates the wide range of models used across CSPs. Some providers rely on highly customized pricing structures, while others may prefer simply linking to their existing GSA or marketplace listings. Still others will welcome the ability to present standardized, easily consumable package pricing tailored for agency customers.

Section MKT‑PRE‑DLA – Deadline for Authorization

Clarification: If a provider satisfies the requirements for the next phase during the 6‑month removal period, they should be reinstated immediately at that new phase (e.g., Agency Authorization or Prioritized) rather than waiting for the full 6‑month window to elapse.
For example:
If an assessment extends one month into month 13, the CSP would initially be removed. However, if the SAR is completed in month 13 and submitted to the agency—who then begins its review—the CSP should promptly be reflected as being in the Agency Authorization phase. There is no need for additional delay once the prerequisite milestone is met.

Section: Advisory Service Listings (General)

I am very encouraged by the introduction of advisory service listings. This change has the potential to broaden the advisory ecosystem significantly and enable agencies and CSPs to access a wider range of expertise and better‑aligned solutions.
A previous comment raised the idea of incorporating quality indicators—such as A2LA status—for advisors. While I agree with the underlying goal, I would propose a different approach. When launching a FedRAMP effort, I typically work with three to five external partners in addition to the 3PAO. These may include:

The 3PAO itself
Assessment and authorization advisors (closest to traditional consulting)
Architecture or implementation advisors
Public cloud advisory
Documentation specialists
Managed service providers
Leveraged‑system FedRAMP advisors (similar to public cloud advisors but broad enough to warrant separate treatment)

Given this diversity, I recommend that FedRAMP maintains a unified advisor/3PAO list but adding optional labels or tags such as:

Assessment Services Available – for advisors who actively seek or meet criteria to become a 3PAO
A2LA Accredited – for advisors who hold A2LA accreditation
(no tag) - all other advisors

Callout on the note describing a JSON schema to be provided: this will be useful.

Within 3–6 months of launch, FedRAMP should consider running an AI‑based clustering or classification exercise to identify natural advisory categories emerging from real‑world service descriptions. These could then be added as tags (one‑to‑many), similar to how CSPs currently categorize their business offerings. Repeating this analysis annually would help FedRAMP stay aligned with the evolution of the advisory landscape.
Some categories that I anticipate will surface include:

Documentation
Telemetry automation (e.g., 20x automation initiatives)
System build and hardening
Gap assessments
Program management
General advisory
Assessment preparation
Go‑to‑market / agency‑relations support

Advisors may also differentiate themselves through thought leadership. As a best practice, advisory firms should highlight on their websites:

Open‑source projects they own or contribute to
Articles, talks, or other intellectual contributions they have produced

While these are strong indicators of expertise and investment in the FedRAMP community, they should not be required or ranked. Formalizing such criteria would risk Goodhart’s law—where the metric becomes the target and loses value.

Section: MKT‑ADV‑ATT – Attestation Requirements

I understand the intent to ensure that only active advisors are listed; however, it’s important to consider the long tail of highly specialized advisory providers. Many niche advisors offer deep, targeted expertise that can be extremely valuable to certain CSPs. In addition, some advisors—particularly boutique firms—may work with a single client for extended periods rather than supporting multiple CSPs simultaneously. This does not diminish their value or capability.
To accommodate this reality, FedRAMP should consider my above suggested approach of applying tags to advisors according to their certification, and providing general categories of advisory that advisors can identify as being their expertise. This can all be done from a single unified list with filtering capability.

While this may initially appear less orderly, it would broaden the advisory landscape and expose the community to more innovative, best‑of‑breed providers rather than only long‑established or dominant firms.
To reiterate: a diverse and expansive advisory ecosystem strengthens FedRAMP as a whole. It fosters innovation, prevents stagnation, and ensures that the ecosystem does not become dominated solely by the largest players—who may prioritize their own perspectives over the broader benefit to the marketplace.

[wisecryptic]

apologies for the length; The size and impact of changes warrant an in-depth review

[SaaSThinking876123]

Comment on MKT-GEN-PKO

We are strong supporters of the FedRAMP 20x program. We believe 20x will produce better security outcomes while significantly reducing the work required to achieve and maintain FedRAMP authorization. The combination of stronger security with lower administrative burden is exactly what the ecosystem needs. We want to see both industry and agencies move toward 20x as quickly as possible.

That’s why we’re concerned about requiring CSPs to choose between 20x and Rev5 at this stage, while 20x remains in pilot and agencies have not clearly signaled when or how they will adopt it. Even though the PMO has stated that new Rev5 authorizations will be phased out in 2027, it is unclear whether agencies also intend to phase out Rev5 on a similar timeline.

Today, agencies broadly accept Rev5. There is not yet comparable clarity around 20x acceptance timelines or processes from federal agencies. In that environment, asking a CSP to pursue only 20x and forgo Rev5 creates meaningful commercial risk for any provider serving the federal market.

The structure of MKT-GEN-PKO reinforces this dynamic. As written, CSPs that pursue Rev5 retain a future path to transition to 20x (“a path for Rev5 Certified cloud service offerings to transition to 20x Validated will be available in the future”). However, CSPs that pursue 20x do not retain a pathway back to Rev5. This would be particularly harmful if a CSP receives procurement interest and sponsorship from an agency buyer that requires Rev5, but is prevented from proceeding due its existing 20x authorization. In effect, Rev5 offers optionality; 20x does not.

This leaves CSPs with a hard choice:

• Pursue Rev5, which agencies accept today, and retain the option to transition to 20x later; or
• Pursue 20x, with uncertain agency adoption timelines and no pathway back to Rev5 if required by agency buyers—

Given this choice, it’s very likely CSPs will choose Rev5 as the lower-risk option. That outcome would likely reduce near-term 20x participation and, as a result, slow agency adoption as well.

We understand that resource constraints may be driving the desire to require CSPs to choose a single path. That is a reasonable operational concern, and the PMO deserves sufficient resources to execute an initiative of this importance. At the same time, allowing CSPs to pursue 20x, in parallel with Rev5, should not be viewed as duplicative or wasteful. Broader 20x participation will accelerate ecosystem maturity, validate the security model in real-world deployments, and ultimately drive long-term time and cost efficiencies for FedRAMP overall.

Our comments come from a place of wanting 20x to succeed and succeed quickly. More CSPs are likely to invest in 20x, and help drive agency adoption, if doing so does not jeopardize their current or future Rev5 pathway and associated business. Preserving that flexibility may be one of the most effective ways to accelerate 20x adoption across both industry and government.

Thank you for the opportunity to provide input.

[jerome-miastkowski]

Comment in Support – MKT-GEN-PKO and Impact-Level Consistency

We support the concerns raised regarding MKT-GEN-PKO, particularly as they relate to perception and market dynamics during the transition to 20x.

20x and Rev5 support the same FIPS 199 Low, Moderate, and High impact baselines and align to the same NIST SP 800-53 control expectations, then they represent the same security outcome at each impact level. The distinction is in validation methodology - not in baseline requirements.

A Moderate must remain a Moderate. A Low must remain a Low. A High must remain a High.

Any structural requirement that forces providers to “pick a path” must be accompanied by explicit language in the Marketplace and guidance materials reinforcing that the two pathways are baseline-equivalent. Without that clarity, agencies and industry may interpret 20x as a different or riskier tier rather than an evolution in assurance model.

We strongly support modernization through 20x. Ensuring that 20x is clearly positioned as producing the same impact-level security outcome - while improving assurance mechanics - is essential to accelerating adoption and avoiding unnecessary hesitation across the ecosystem.

[Leah-GovRAMP]

We caution against any policy changes that would reduce the number of listed 3PAO providers. Maintaining a robust, diverse pool of 3PAOs is vital to the long‑term health of the FedRAMP marketplace. Limiting participation—intentionally or unintentionally—could disadvantage firms that are new entrants or that conduct only a small number of assessments per year, despite their capability and value. These organizations help expand capacity, foster innovation, and prevent concentration risks. A broader, more competitive 3PAO marketplace also directly benefits CSPs by increasing choice and helping moderate pricing when seeking assessment quotes.

That said, we support the introduction of the Advisory Services Listings concept, as this is a constructive approach that preserves transparency and allows these firms to continue contributing expertise to the ecosystem.

[drewmk]

In both the current and proposed marketplace, MKT-GEN-DOD remains a significant barrier to entry that many companies, including MaintainX, find difficult to navigate.

Without a preexisting agency partnership, it appears that other agencies consistently prioritize offerings from entities that already have an agency in use. This trend continues to present challenges for organizations seeking to establish new footholds in this sector.

[fortetroy]

Posting Comments on Behalf of Fortreum, LLC

https://fortreum.com/

---

Comment 1

Section: Summary, first bullet

The RFC states that Cloud Service Providers may list a cloud service offering while preparing to obtain a FedRAMP Certification or Validation, but does not explain what Certification and Validation mean.

Please either:

• Define Certification and Validation within this RFC, or
• Explicitly reference the RFC that defines them (e.g., RFC-0020).

---

Comment 2

Section: Summary, first bullet

What about Agency Authorizations?

• Does this RFC apply to Agency ATOs?
• Or will Agency ATOs no longer be listed on the FedRAMP Marketplace?

This should be clarified.

---

Comment 3

Section: FedRAMP Marketplace Listings (MPL) Process, first paragraph

Despite the title, this section does not actually describe the process for:

• Getting listed
• Maintaining listing status

The section should clearly outline entry criteria, maintenance requirements, and removal conditions.

---

Comment 4

Section: MPL Process, Target Response Time in General

Define all possible Marketplace designations a CSP may hold, similar to how it was done in RFC-0020.

Consider consolidating RFC-0020 and this RFC to reduce fragmentation and improve clarity.

---

Comment 5

Section: MPL Process, Target Response Time in General, Item 1

Does “Preparation” apply to both:

• FedRAMP Program Certification
• Agency Authorization

If so, what distinguishes:

• Item 1 – Preparation
• Item 3 – Agency Authorization in Process

Clarification is needed.

---

Comment 6

Section: MPL Process, Target Response Time in General, Item 2

What does “FedRAMP Validated Level 1” mean?

Will submissions for other Validation levels also be listed?

---

Comment 7

Section: MPL Process, Target Response Time in General, Item 4

Can a CSP submit a Prioritization request for an Agency Authorization?

---

Comment 8

Section: MKT-FRX-TAT Target Authorization Time, first paragraph

Does this section apply to:

• FedRAMP Program Certifications
• Agency Authorizations
• FedRAMP 20x Validation

The language appears focused only on Program Certification or 20x. Agency authorizations seem omitted.

---

Comment 9

Section: MKT-FRX-TAT Target Authorization Time, first paragraph

What does “assessment” mean in this context?

Is it:

• A formal audit?
• A package completeness review?
• An authorization decision?

The term should be clearly defined.

---

Comment 10

Section: MKT-FRX-TAT Target Authorization Time, second bullet

The RFC states:

“A 1 month penalty means FedRAMP will close the application as ‘denied’ and will wait 3 months before considering a follow-up application.”

This effectively functions as a 3-month penalty, not a 1-month penalty. Consider renaming for accuracy.

---

Comment 11

Section: MKT-FRX-SUM Summary of Authorization Decision

The text states:

“FedRAMP MUST include a review summary with any authorization decision that explains why the decision was made.”

This suggests FedRAMP is the authorizing authority.

If this section applies only to FedRAMP Program Certification, clarify that.
If it applies to both Program and Agency paths, consider renaming it:

Summary of Listing Decision

---

Comment 12

Section: MKT-GEN-SOF Scope of FedRAMP

The RFC states that providers MUST demonstrate that a cloud service offering is intended for direct use by agencies.

How must this be demonstrated?

• Contracts?
• Active proposals?
• Letters of intent?

Clear evidence requirements should be specified.

---

Comment 13

Section: MKT-GEN-SOF Indirect Use

If a CSP has only Indirect Use, what type of listing or authorization would they receive?

Would this fall under FedRAMP Program Certification?

---

Comment 14

Section: MKT-GEN-DOD Demonstration of Ongoing Demand

Does this requirement apply only to Direct Use CSPs?

If Indirect Use CSPs are included, clarify how ongoing demand must be demonstrated.

---

Comment 15

Section: MKT-GEN-PKO Pick One: 20x or Rev 5

For transparency, FedRAMP should publish:

• The number of agencies approving the 20x path
• The number approving the Rev 5 path

This would allow CSPs to make informed decisions.

---

Comment 16

Section: MKT-PRE-SUR Subset of Requirements

How can a CSP:

• Perform collaborative ConMon
• Upload information to a Trust Center

…during the preparation phase, prior to initial 3PAO assessment?

This appears operationally infeasible.

---

Comment 17

Section: MKT-PRE-DCP Demonstrating Continuous Progress

How can CSPs provide quarterly reporting when:

• They have not deployed their FedRAMP environment
• They have not undergone initial assessment

The five listed reporting elements may not yet exist.

Suggested Alternative

Measure preparation progress using:

• Work Breakdown Structure milestones
• Deployment status
• Vulnerability scanning initiation
• Environment readiness indicators

It should also be acknowledged that due to NIST control requirements, CSPs cannot simply “FedRAMP” their commercial environments. Separate compliant environments must be built, which requires substantial time and cost.

---

Comment 18

Section: MKT-ADV-WEB Website Requirements

The RFC requires machine-readable and human-readable formats.

What constitutes “machine-readable”?

• JSON file?
• API endpoint?
• Structured metadata?

Clear examples should be provided.

---

Comment 19

Section: MKT-ADV-ATT Attestation Requirements

What if an advisor’s customers will not allow public attribution, even for positive feedback?

Can attestations be submitted privately to the PMO?

---

Comment 20

Section: MKT-ADV-ATT Attestation Requirements, note

The requirement states that at any given time there must be 3 attestations dated within the past 12 months.

Concerns

1. This disproportionately harms smaller advisory firms providing long-term services. Advisory firms cannot control:

   • Customer acquisition rate
   • Customer speed to authorization

2. MKT-ADV-WEB items 4 and 5 make customer comments optional, but this section effectively mandates them.

3. While MKT-RIA-ATT offers a grace period for independent assessors, no equivalent grace period is provided for advisory services.

4. If an advisory firm falls outside the timeline, no path back to recognition is defined.

Suggested Alternative

• Require 2 attestations within 24 months
• Allow private attestations to PMO
• Provide reinstatement criteria
• Align grace period logic with MKT-RIA-ATT

---

Comment 21

Section: MKT-RIA-ATT Attestation Requirements, Corrective Action

While a grace period is provided for independent assessors, no defined path back to FedRAMP recognition is included.

Additionally:

Should the same corrective action process apply to new advisory firms?

---

Comment 22

Section: MKT-ADV-ACI Attestant Contact Information

This requirement mandates information that MKT-ADV-WEB makes optional.

These two sections should be reconciled for consistency.

[jerome-miastkowski]

General Comment – MKT-GEN-PKO (Pick One: 20x or Rev5)

We understand the intent of requiring providers to select either the Rev5 Certification pathway or the 20x Validation pathway to avoid duplicative effort.

However, it is important to clearly state that Rev5 and 20x are intended to produce the same security outcome at each impact level. Both pathways align to the same FIPS 199 Low, Moderate, and High baselines and the same underlying NIST SP 800-53 control expectations, so the pathway is an implementation choice - not a different security tier.

A Moderate must remain a Moderate. A Low must remain a Low. A High must remain a High.

We recommend that the Marketplace explicitly clarify that the “Pick One” requirement is an administrative efficiency measure and does not represent a difference in impact-level control requirements or security outcomes.

The focus should remain on impact-level alignment and continuous compliance—not on pathway distinction.

[jerome-miastkowski]

We Disagree On MKT-GEN-SOF Scope of FedRAMP

We respectfully disagree with the categorical exclusion of services used to meet CMMC requirements from the statutory scope of FedRAMP.

The RFC states:

“Services used by private companies to meet other compliance requirements (such as CMMC) that do not also meet one of the above use cases are outside the scope of FedRAMP.”

This framing incorrectly treats CMMC-related services as inherently outside the statutory boundary, without examining the legal status of the information being processed.

Under 44 U.S.C. § 3506 and FISMA, federal information security requirements apply to information systems used or operated by an agency, or by a contractor on behalf of an agency. The statutory trigger is not whether a system is marketed to agencies or contractors. The trigger is whether the system processes federal information in support of a federal function.

Controlled Unclassified Information (CUI) is federal information. It originates from a federal agency, remains subject to federal regulation, and is provided to contractors strictly for performance of federal contracts. When a cloud service stores, processes, or transmits CUI in support of contract performance, that system is operating on behalf of a federal agency within the meaning of § 3506.

Describing a platform as “used for CMMC” does not alter the underlying legal status of the information. CMMC is a compliance framework established by DoD to safeguard CUI. It does not define whether a system falls within FISMA scope. The relevant question is whether federal information is being processed on behalf of an agency. Where CUI is involved, that condition is satisfied.

Moreover, many cloud services that host CUI for contractors function as part of the broader federal information ecosystem. They support contract deliverables, data exchange, and reporting that ultimately interface with agency systems. In substance, these systems operate as contractor-managed components of federal information systems, even if agency personnel do not directly access them.

FedRAMP’s statutory scope should therefore be determined by the nature of the information and the operational relationship to the agency—not by whether the service is described as supporting CMMC compliance. A categorical exclusion of CMMC-related services risks misapplying 44 U.S.C. § 3506 by focusing on customer type rather than federal information handling.

Where a cloud service processes CUI in performance of a federal contract, it falls within the statutory boundary that FedRAMP implements.

[jerome-miastkowski]

We Support MKT-GEN-SPI Service Pricing Information

For too long, the market has tolerated a “call for quote” default that limits transparency and slows acquisition. While complex enterprise pricing may require negotiation, the absence of publicly available baseline pricing creates unnecessary friction, disadvantages smaller agencies and contractors, and obscures meaningful comparison across offerings.

The Marketplace should function as an accessible and informative resource. Requiring general pricing information improves market efficiency by:

• Allowing agencies to conduct realistic early-stage budgeting
• Enabling small and mid-sized contractors to assess affordability
• Reducing unnecessary sales cycles for both providers and customers
• Promoting fair and transparent competition

The “call for quote” model often results in inconsistent pricing visibility, extended procurement timelines, and reduced accountability. While customized pricing remains a potential for large or highly specialized deployments, baseline pricing should not be treated as proprietary or opaque by default.

We support the flexibility built into the requirement, which allows providers to determine the most appropriate way to present general pricing information based on their business model. This preserves commercial flexibility while setting a clear expectation of transparency.

We also support the corrective action framework outlined in the proposal. Public notification and remediation status provide accountability while avoiding disproportionate consequences such as removal from the Marketplace or revocation of authorization.

Increased pricing transparency strengthens the integrity of the FedRAMP Marketplace, improves acquisition outcomes, and encourages a healthier, more competitive federal cloud ecosystem.

[TheVantaCat]

Public Comment on RFC-0021: Expanding the FedRAMP Marketplace

These comments are my own opinions and experiences - not of my employer(s).

Gap 1 - Summary of Authorization Decisions should not be free text - instead be requirements based with common categorial rating.

MKT-FRX-SUM Summary of Authorization Decision

Authorization decisions by PMO to be listed on Marketplace should be requirements based, not opinion based.

1. Requirement-Based Authorization: To support informed agency acquisition, authorization decisions must be strictly requirement-based and maintained under version control within the FedRAMP Marketplace.

2. Standardized Assessment Scale: The FedRAMP PMO should evaluate each requirement using a standardized tri-fold scale: Not Implemented, Partially Implemented, or Fully Implemented.

3. Legal & Acquisition Oversight: To mitigate litigation risks and ensure cross-government utility, all decision-making requirements should undergo a formal review by GSA Acquisitions.

Why?

Focusing on requirement-based agency assessments protects the FedRAMP PMO from legal disputes and FOIA sensitivities related to acquisition barriers. This shift also allows for simplified, categorical reporting for MKT-FRX-PAD activity data.

Gap 2 - Indirect use should remain only if another FedRAMP CSP uses another FedRAMP CSP as a dependency in its package

(MKT-GEN-SOF Scope of FedRAMP)

Providers MUST demonstrate that a cloud service offering is intended for one of the following use cases to be listed in the FedRAMP Marketplace:

• Indirect Use: The product will be included as a third-party information resource in other cloud service offerings that are directly used by agency customers.

The 'Indirect Use' designation should be clear language - Restricted to cases where a FedRAMP-authorized CSP utilizes another FedRAMP-authorized CSP as a functional dependency.

Why?
Historically, this standard was present in the early stages of the FedRAMP Marketplace but has since lapsed due to inconsistent enforcement. Reinstating this strict dependency model simplifies the ecosystem and ensures inherited security controls are verifiable.

Gap 3 - FedRAMP PMO, not CSPs, should be responsible for tracking demand data for agency requested access to packages

MKT-GEN-DOD Demonstration of Ongoing Demand

It is out of bounds for a CSP to be tracking request data by agencies, when its a PMO responsibility under current title and authorities.

Gap 4 - Conflict between MKT-GEN-SPI and FAR Part 12/15 regarding Commercial Product Pricing

1. Contradiction of FAR Part 12 Policy
   Under FAR 12.209, the government is strictly limited in its ability to require cost or pricing data for "Commercial Products" and "Commercial Services." Most Cloud Service Offerings (CSOs) in the FedRAMP Marketplace meet the definition of commercial items under FAR 2.101. By mandating the disclosure of general pricing as a prerequisite for Marketplace listing, the FedRAMP PMO is establishing a barrier to entry that bypasses the protections intended to streamline commercial federal procurement.

2. Infringement on Contracting Officer (CO) Authority
   The Federal Acquisition Regulation empowers the individual Agency Contracting Officer, not the FedRAMP PMO, to determine price reasonableness during a specific solicitation. Moving a CSP into "indefinite Remediation" for failing to provide public pricing data effectively penalizes the provider for withholding proprietary data that they are legally protected from disclosing under FAR 15.403-1(b)(3).

3. The "Indefinite Remediation" Risk
   While the PMO states that security "Certification or Validation" will not be revoked, the "Remediation" status functions as a de facto procurement blackball. This creates a legal vulnerability where a CSP could argue the PMO is acting in an "arbitrary and capricious" manner by tagging a secure, authorized system with a negative status based on a non-security business requirement that conflicts with established acquisition law.

4. Recommendation
   To maintain a "K.I.S.S." (Keep It Simple, Stupid) approach and avoid legal blowback, the FedRAMP Marketplace should remain focused exclusively on Security Validation. Pricing transparency is best handled at the point of contract—consistent with the FAR—rather than as a mandatory disclosure for a security listing.

CSPs should provide a link to how to obtain pricing information on their public page, or point of contact, for federal procurements.

Gap 5 - Pricing Information Corrective actions needs to be defined with better language and a time period

MKT-GEN-SPI Corrective Action

Corrective Action: Failure to meet this requirement will result in public notification and place the cloud service offering into indefinite Remediation until the requirement is addressed (but it will not be removed from the Marketplace or have Certification or Validation revoked).

If PMO is continuing to pursue the corrective action clause, the proposed corrective action places a Cloud Service Offering (CSO) into "indefinite Remediation" for failing to provide pricing data. However, the term "Remediation" traditionally signals a security vulnerability or a Plan of Action and Milestones (POA&M) deficiency. Using the same label for a missing URL as a critical security flaw may lead to "status fatigue" among Agency AOs, potentially causing them to overlook genuine security risks.

Furthermore, it is of my opinion it should not be "indefinite", but at least 1 year, then a further consequence of FedRAMP Authorization is now threatened if PMO is intimate of keeping this corrective action.

Why?

While the requirement correctly notes that Certification or Validation will not be revoked, the "Remediation" tag is a significant red flag in the Marketplace. This could inadvertently block a CSP from being selected for a new agency ATO (Authority to Operate) based on a procurement technicality rather than a security failure.

Instead of a generic "Remediation" status, suggest a distinct administrative flag, such as "Administrative Non-Compliance: Pricing Information Pending." This maintains the PMO’s goal of public notification without conflating business data with the security posture of the offering.

Furthermore, allowing "indefinite" does not make this a requirement - but instead as a may verse the intent of a shall.

Gap 6 - It should be optional on CSP Marketplace listing if a CSP supports 20x and/or Rev 5 until path from Rev 5 to 20x is clearly defined by PMO with an enforcement date.

MKT-GEN-PKO Pick One: 20x or Rev5

Similar to the recent Rev. 4 to Rev. 5 transition, this requirement begins with an optional 'early-mover' phase before shifting to a clear, enforceable cutoff date. This ensures the industry has a predictable roadmap for compliance.

This should include statuses such as Not Implemented, Partially Implemented, and Fully Implemented for Rev 5 vs. 20x, which Agencies are not required to accept at this time.

[Rene2mt]

Thank you for introducing the concept of advisory organizations in this RFC — this is a helpful addition and reflects how many CSPs actually navigate the authorization process today.

One concern, however, is that the term “advisory” could quickly become broad enough that it doesn’t meaningfully help CSPs or agencies distinguish between firms with deep FedRAMP lifecycle experience and those providing more general compliance consulting. I like the positive attestation requirements in this regard but would also encourage FedRAMP to consider additional ways to promote transparency signals that help the market differentiate advisory maturity.

For example, advisory organizations could be encouraged to disclose items such as:

• lifecycle stages supported (readiness, authorization, continuous monitoring, significant changes)
• prior authorization experience by baseline or system type
• outcomes-based performance metrics such as:
  • % of projects reaching authorization
  • Average time from readiness → ATO
  • Customer retention into continuous monitoring

These types of signals would give CSPs and agencies better insight into advisory depth without limiting participation.

Overall, I support recognizing advisory organizations in the ecosystem and believe a transparency-based approach would really help this new marketplace designation be useful in practice.

[TM-Microsoft]

MKT-FRX-TRT Target Response Time in General

To ensure consistent interpretation, FedRAMP should provide clear definitions for what constitutes “insufficient” and “non‑qualifying.”

[CSP-AB]

CSP-AB submits the following comments for RFC-0021

General RFC-0021 Expanding the FedRAMP Marketplace

• This RFC has moved away from the original intent of FedRAMP 20x i.e. automation, higher‑quality risk signals, and reduced time to authorization.

• There are mechanisms to obtain pricing for cloud services already in place in the government procurement processes.

Summary – This RFC proposes expanding the FedRAMP Marketplace to better serve the entire FedRAMP community by changing the following:

• How will FedRAMP balance transparency with the risk of exposing commercially sensitive information or creating competitive harm, particularly for providers operating in highly negotiated or enterprise‑scale pricing models? Clarity here is important to avoid discouraging early Marketplace participation—especially from CSPs “pre‑authorization,” which this RFC explicitly seeks to encourage.

• What specific agency or program decisions is the expanded Marketplace intended to inform, and how should agencies use this information differently than today? Clarifying the intended decision outcomes (market research, acquisition planning, risk assessment, sponsor selection, etc.) would help industry understand what information is truly valuable versus duplicative.

• How will FedRAMP balance transparency with the risk of exposing commercially sensitive information or creating competitive harm, particularly for providers operating in highly negotiated or enterprise‑scale pricing models? Clarity here is important to avoid discouraging early Marketplace participation—especially from CSPs “pre‑authorization,” which this RFC explicitly seeks to encourage.

• What comparability or normalization does FedRAMP expect when advisory companies and independent assessors disclose pricing structures, given differences in scope, complexity, and service maturity? Without context, pricing alone may incentivize selection based on cost rather than capability or fit.

• How does expanded Marketplace transparency—particularly pricing—directly support FedRAMP 20X goals such as automation, higher‑quality risk signals, and reduced time to authorization? Explicit linkage to 20X outcomes (speed, quality, scalability) would help industry align feedback constructively.

Summary – All cloud service providers will be required to share general pricing information.

• FedRAMP needs to clarify the specific problem this requirement is intended to address.

• From an industry perspective, federal pricing transparency for cloud services already exists through established mechanisms such as GSA schedules, contract vehicles, and publicly available government rate cards, which agencies routinely rely on during acquisition and market research.

• Given that context: What gap does FedRAMP believe currently exists that is not addressed by existing GSA pricing disclosures?

MKT-GEN-SOF Scope of FedRAMP Indirect Use: The product will be included as a third-party information resource in other cloud service offerings that are directly used by agency customers.

• This is a great addition and a welcome change.

MKT-GEN-DOD Demonstration of Ongoing Demand: Providers MUST demonstrate ongoing demand and utility by including the following additional information as part of each Ongoing Authorization Report as required by FRR-CCM-01:

• Include a bullet here for FedRAMP CSPs utilize that service, not just agencies. Indirect should be counted for ongoing use.

MKT-GEN-SPI Service Pricing Information - Providers MUST include general pricing information for the cloud service offering (or links to existing public pricing information) in their Marketplace data; this general pricing information should include the general price for services offered to agencies and to other customers if applicable.

General Comment:

• Requiring "Service Pricing Information" in the Marketplace will confuse, rather than help, agencies. Cloud services don't have a single "general price"—pricing depends heavily on each customer's specific configuration and usage patterns. Forcing providers to publish an over-simplified price could potentially mislead agencies into making inaccurate comparisons between services that aren't actually comparable.

Issues and Concerns:

• There is no such thing as a meaningful single “general price”: Total cost depends on usage metrics (compute, storage, transactions, API calls), making any “general” number arbitrary.

• Configuration drives cost: Region, tenancy, performance tier, redundancy choices, and feature selection can change pricing materially.

• Add-ons and packaging variability: Logging, premium support, managed services, and bundles differ across customers and materially affect price.

• False comparability in a catalog UI: A single Marketplace “price” invites apples-to-oranges comparisons across offerings with different inclusions, assumptions, and cost drivers.

• Incentive to provide non-actionable boilerplate: To manage risk, providers may respond with vague ranges or disclaimers (“pricing varies”), reducing Marketplace usefulness.

Recommendation:

• Make pricing optional so that companies who can easily provide this information will be able to market their services more effectively.

• Require a pricing model description instead, which would improve transparency without requiring CSPs to publish a misleading “general price.”

• If “general price” requirements are retained, disclaimers should be added to the Marketplace that costs are not reflective of any individual cloud configuration.

MKT-ADV-ATT Attestation Requirements - Advisors MUST publicly maintain positive attestations from at least 3 cloud service providers that have used the consultant within the past 12 months and include them with the information required by MKT-ADV-WEB.

• Suggest refining this requirement to allow some attestations to remain mostly anonymous publicly, but be revealed within the PMO as necessary. Some CSPs don't want to share publicly that they utilized advisors on some aspects of their product or authorization and explicitly write into contracts that it can't be shared publicly.

• On systems that also go to IL6, we recommend language that indicates that attestation letters can have the specific CSP unlisted in the public release, but signed/agreed upon directly with the PMO if necessary.

[PS-SEC-MSG]

RFC-0021: Expanding the FedRAMP Marketplace
Focus areas: assessor listing requirements and scope, attestations, machine-readable versus human-readable alignment, grace periods, enforcement sequencing, and interactions with Preparation listings, time targets, and the "pick one path" rule.

Perspective: Senior assessor, implementation-focused, seeking objective and consistently enforceable requirements.

1. Assessor listing scope and applicability

Comment
Several commenters have asked for clearer definitions of who must comply and how FedRAMP will distinguish advisors, independent assessors, and 3PAOs. I concur and recommend tightening scope language so requirements are objectively testable and do not unintentionally capture affiliates or subcontractors in inconsistent ways.

Key ambiguities include whether the listing obligation applies to the legal entity that holds recognition only, whether separately branded service lines require separate listings, and how FedRAMP will interpret "types of assessment services offered" (service categories, authorization designations, levels, and baselines).

Proposed clarifying language
Proposed clarifying language (add as a note under MKT-RIA-WEB and MKT-ADV-WEB):

• "Listing requirements apply to the FedRAMP-recognized legal entity and its publicly branded service lines used to deliver FedRAMP-related services. Subcontractors may be described as part of service delivery, but subcontractors are not required to maintain separate Marketplace listings unless they are separately recognized by FedRAMP."
• "If an organization offers both advisory and independent assessment services, separate webpages are required, and each listing must clearly identify which services are advisory versus independent assessment."
• "Types of services offered" must be expressed at the level of service category (for example, readiness assessments, independent assessments for program certification, independent validation activities), not by customer-specific statements.
• "Current" and "previous" client listings are optional and client-controlled. A statement of "client declined consent" satisfies the field where applicable and is neutral for compliance.

Questions:

1. Terminology: Does "FedRAMP-recognized independent assessor" map one-to-one to "3PAO" as used today, or will FedRAMP maintain distinct terms and scopes?

2. Entity scope: Is compliance assessed at the recognized legal entity level, or can subsidiaries, affiliates, and DBAs be listed separately?

3. Service granularity: Should services be listed separately for Rev5 program certification versus 20x validation, and if so, what minimum categories are expected?

4. Subcontractors: If subcontractors materially deliver assessment work, is disclosure required and at what granularity (named firm, role only, or optional)?

5. "Do not actually perform independent assessments": What objective criteria, lookback period, and due process will determine this condition to avoid inconsistent application?

6. Website contents and pricing structure expectations

Comment
Pricing structure is one of the most discussed elements of this RFC, and multiple commenters have requested examples and guardrails. I concur. Without objective guidance, providers, advisors, and assessors may either under-disclose (defeating transparency) or over-disclose (creating price-locking, procurement friction, and competitive sensitivity).

A workable approach is to require transparency about pricing model and bands, not negotiated deal terms.

Proposed clarifying language
Proposed clarifying language (add as a note under MKT-GEN-SPI, MKT-ADV-WEB, and MKT-RIA-WEB):

• "Pricing structure" means a public description of pricing model plus a price indication per service category (fixed fee, tiered fee, usage-based, or hourly), expressed as one or more of the following: (a) ranges, (b) starting-at prices, or (c) minimum fees. Exact bid pricing, discount schedules, and customer-specific pricing are not required.
• Pricing content must include: (1) currency, (2) unit basis (per month, per system boundary, per assessment event), (3) scope assumptions at a high level, and (4) a "last updated" date.
• Updates: Material changes to pricing model or bands should be reflected within 30 days; non-material edits may be updated on a normal website cadence.
• Allowable disclaimer: "Pricing varies by scope, system complexity, and procurement vehicle."

Questions:

1. Minimum specificity: For assessors and advisors, is FedRAMP expecting ranges by service category, packaged SKUs, a minimum fee, or other?

2. Public links: If pricing is published on a public pricing page, may the Marketplace listing link to it rather than duplicating content?

3. Update cadence: Does FedRAMP intend to enforce a specific update timeframe, and will "last updated" be required?

4. Procurement constraints: Will FedRAMP explicitly allow pricing statements that avoid implying a binding quote or commitment?

5. Enforcement: Is stale pricing treated like a listing noncompliance subject to notice and cure, or does it follow the MKT-GEN-SPI remediation model?

6. Machine-readable versus human-readable alignment

Comment
Several commenters requested publication details for the JSON schema and objective rules for "consistent" machine-readable and human-readable content. I concur. The practical implementation question is what FedRAMP will validate, how versioning will work, and which representation is authoritative when a mismatch occurs.

Without a canonical source of truth and a basic validator, this requirement will be difficult to enforce fairly.

Proposed clarifying language
Proposed clarifying language (add as a note under MKT-ADV-WEB and MKT-RIA-WEB):

• FedRAMP should designate the machine-readable JSON as the canonical source of truth for Marketplace ingestion. The human-readable webpage should be a rendering of the same data elements.
• "Consistent" means: service categories, pricing model and bands, contact information, client listings (if present), and attestation metadata match across formats.
• FedRAMP should publish (a) schema URL, (b) schema versioning policy, (c) example payloads, and (d) a lightweight validator or conformance checks.
• Conflict handling: if MR and HR differ, FedRAMP issues a private notice and allows a defined correction window before public notice.

Questions:

1. Schema publication: Where will the JSON schema live, how will versions be labeled, and will older versions be supported for a transition period?

2. Example payloads: Will FedRAMP provide sample JSON files for advisor and assessor listings, including attestations?

3. Validation: Will FedRAMP publish a validator or test suite so entities can self-check before posting?

4. Canonical field set: Which fields are required to match exactly versus allowed to be more verbose on the human-readable page?

5. Update timing: Is there an expected synchronization window between MR and HR updates after a change?

6. Attestation requirements and template request

Comment
Attestations are a high-impact compliance requirement with meaningful enforcement consequences. Multiple commenters raised concerns about privacy, procurement constraints, and how attestations are verified and counted over time. I concur and recommend FedRAMP standardize minimum elements and provide a short template to reduce ambiguity and burden.

This also reduces the risk that attestations are used as marketing testimonials rather than structured signals.

Proposed clarifying language
Proposed clarifying language (add as a note under MKT-ADV-ATT and MKT-RIA-ATT):

• Define "positive attestation" as a statement by the service consumer that (a) the advisor or assessor provided the described service, and (b) the service met expectations for professionalism and value. It should not imply FedRAMP endorsement or guarantee authorization outcomes.
• Required fields (minimum): attestation date, attester organization name, attester role/title, service provider name, service category, associated CSO Marketplace identifier (or link), and a short statement (1 to 3 sentences).
• Verification: allow public redaction of attester name only when necessary, provided FedRAMP receives private contact information for verification.
• Counting: attestations count based on attestation date within the lookback window, independent of later status labeling changes, unless the CSO is removed for cause related to fraud or misrepresentation.

Questions:

1. Format: Are narrative quotes acceptable, or will FedRAMP require a structured attestation format (recommended)?
2. Template: Will FedRAMP publish a standard template (human-readable and machine-readable) for attestations?
3. Redaction: When a client cannot be named publicly, will FedRAMP accept a redacted public attestation paired with private verification details?
4. Edge cases: If a CSO is renamed, acquired, changes designation (for example, Certified to Validated), or is delisted, does the attestation still count?
5. Client listing consent: Please confirm that client listings remain optional and that lack of consent does not trigger corrective action.

Example short attestation template structure (illustrative):

• Attestation date:
• Attester organization:
• Attester name and role/title:
• Service provider (advisor or assessor):
• Service category (for example, independent assessment, readiness support, evidence engineering support):
• Related CSO (Marketplace link or identifier):
• Attestation statement (1 to 3 sentences):

5. Grace period interpretation

Comment
Grace periods are central to predictable compliance. Multiple commenters requested clarification on when clocks start and how rebranding or organizational changes affect timing. I concur and suggest FedRAMP clarify that clocks are based on effective date and recognition date, and that resets are limited to prevent gaming while remaining fair.

Proposed clarifying language
Proposed clarifying language (add as a note under MKT-RIA-ATT corrective action):

• For newly recognized independent assessors, the 24-month clock begins on the later of (a) the effective date of the requirement or (b) the FedRAMP recognition date.
• If an assessor temporarily de-lists and later re-lists without a change in recognition status, the original clock continues.
• Corporate changes: if the recognized legal entity changes, FedRAMP should publish whether recognition transfers. If recognition transfers, the original clock continues; if recognition does not transfer, the new entity is treated as newly recognized.

Questions:

1. Start date: Does the 24-month grace period start on recognition date, requirement effective date, or listing date, especially for those recognized shortly before the effective date?

2. Pause or reset: Can grace periods pause during removal or voluntary de-listing, or do clocks continue to run?

3. Mergers/acquisitions: How will FedRAMP treat M&A events and rebranding where the service line is the same but the legal entity changes?

4. Separate pages: If an entity offers advisory and assessor services, are grace periods tracked separately by listing type?

5. Reinstatement: After withdrawal or removal, does a new grace period apply on reinstatement, or does prior history carry forward?

6. Enforcement sequence, timing, and recourse

Comment
Because listing noncompliance can lead to public notice, removal, and in some cases withdrawal of recognition, the enforcement flow must be transparent, consistent, and include basic due process. Several commenters asked for an enforcement flowchart and clearer calculations for the "minimum 6 months" period. I concur.

Proposed clarifying language
Proposed clarifying language (add as a general section or note for Marketplace corrective actions):

• Enforcement stages should be explicitly defined: (1) private notice of deficiency, (2) public notice if not corrected by a specified date, (3) cure window with clear end date, (4) removal or withdrawal decision, (5) reinstatement criteria.
• "Minimum of 6 months" should be calculated as six calendar months from the effective date of removal or withdrawal, not business days.
• Appeals: provide a documented method to contest factual errors (for example, proof of valid attestations) and clarify whether an appeal pauses removal timing.

Questions:

1. Sequence: Will FedRAMP issue a private notice before publishing a public notification for listing noncompliance?

2. Cure window: Are the 3- and 6-month grace windows fixed, and will interim progress reporting be required?

3. Calculation: When does the minimum 6-month removal or withdrawal period begin, and can it be shortened for prompt remediation or extended for repeat violations?

4. Recourse: Will there be an appeal or dispute mechanism, and does it pause the enforcement clock?

5. Reinstatement: What objective criteria will FedRAMP use to reinstate a removed listing or restore withdrawn recognition?

6. Preparation listings, time targets, and pick-one-path interactions

Comment
The Preparation listing, time targets, and pick-one-path rule interact operationally. Multiple commenters asked for transparency metrics and clearer definitions of qualifying submissions and resets. I concur and recommend FedRAMP explicitly distinguish FedRAMP processing targets from provider or assessor delivery timelines.

These clarifications will reduce confusion about who is responsible for delays and how attestations and listings are affected by provider status changes.

Proposed clarifying language
Proposed clarifying language (add as notes under MKT-FRX-TRT, MKT-FRX-TAT, and MKT-GEN-PKO):

• The 14-day and 30-day timeframes are internal FedRAMP processing targets for complete and qualifying requests, not service-level agreements for providers, advisors, or assessors.
• Define "qualifying submission package" with a checklist reference, and define what constitutes an "incomplete" submission that resets the clock.
• Pick-one-path enforcement should clarify whether a provider may switch paths, and if so, under what conditions (for example, after closure of the prior request).

Questions:

1. Time targets: Will FedRAMP publish criteria for a "qualifying request" and a standard list of conditions that reset the 14-day and 30-day targets?
2. Transparency metrics: Will FedRAMP publish monthly statistics for target attainment and common denial reasons (de-identified), as other commenters suggested?
3. Preparation removal effects: If a provider is removed from Preparation after 12 months, do assessor attestations tied to that provider still count for assessor listing requirements?
4. Verification expectations: Are assessors or advisors expected to attest to a provider's Preparation progress, and if so, in what format?
5. Provider status changes: How should listings and attestations be treated when a provider changes designation, re-lists, or switches paths?

Personal capacity note: This comment is submitted in an individual capacity and does not represent any employer or organization.

Matthew S. Graham, CISSP
https://www.linkedin.com/in/msgcyberassessments/

[rubrik-fedramp-team]

MKT-GEN-SPI Service Pricing Information
Cloud service pricing is dynamic and complex, relying heavily on consumption-based models, reserved capacity, and negotiated enterprise agreements. Attempting to force pricing transparency in this context is a dangerously slippery slope; publishing a static "general price" will be incredibly vague, potentially misleading to agency customers, and will not accurately reflect the actual cost of an authorized environment. Pricing is a contractual matter appropriately handled through established acquisition vehicles and is subject to specific Federal Acquisition Regulations (FAR) regarding "fair and reasonable" determinations.

Additionally, pricing strategies are proprietary business information. Mandating their public disclosure in a security compliance registry encourages anti-competitive behavior and undercutting. Furthermore, it could inadvertently create a price collusion situation between competing vendors, all without adding any value to the security posture of the service.

We respectfully request that the PMO reconsider this requirement.

MKT-FRX-TAT Target Authorization Time
Request that the PMO consider a "Remediation Dialogue" window (e.g. 10 business days), allowing the CSP and its 3PAO to correct administrative or documentation deficiencies identified by the PMO before a formal denial and subsequent three-month penalty are enacted.

MKT-GEN-DOD Demonstration of Ongoing Demand
Until the time that USDA Connect sunsets and CSPs must own and maintain their own Trust Centers, they will be unable to fully comply with the requirement to provide "A list of all agencies that have requested access to authorization data, covering the period since the previous Ongoing Authorization Report".

In addition, how does this requirement apply to Rev5 authorizations, given that it is implemented via the Collaborative ConMon BIR, which is optional at this time?

[Quzara]

The advisory/assessor boundary requires more than separate web pages — and this RFC needs to say so.
RFC-0021 permits firms to hold both an advisory listing and a FedRAMP-recognized independent assessor listing simultaneously, separated only by distinct pages under the same domain. Quzara's concern here is structural, not directed at any specific firm or practice. The framework as written simply does not define the boundary clearly enough for anyone to reliably navigate it.
Assessment independence is not just a matter of intent — it is a matter of structure. When advisory relationships and assessment engagements coexist in the same market, served by firms operating across both functions, the line between advisor and independent assessor becomes genuinely difficult to maintain — and more importantly, difficult for agencies and CSPs to read from the outside. This creates ambiguity that is not in anyone's interest, including the firms themselves.
The current RFC does not define what constitutes a disqualifying advisory relationship for assessment purposes. It does not establish a lookback period. It does not require disclosure of prior advisory engagements to FedRAMP before an assessment begins. It does not address partnership or referral arrangements between advisory and assessment firms that may create indirect relationships even where the entities are nominally separate.
Quzara recommends FedRAMP publish a dedicated companion RFC addressing assessor independence standards. This should define at minimum: what advisory activities preclude a firm from assessing a specific CSP, over what time horizon, and what disclosure obligations exist when any prior relationship between an assessor and a CSP is present. The financial audit profession and the CMMC ecosystem both have established frameworks for managing exactly this dynamic. FedRAMP does not need to invent from scratch — it needs to adapt what already exists and apply it to the cloud authorization market.
Adding advisory listings to the Marketplace without simultaneously clarifying the independence boundary for assessors makes the ecosystem more complex with the same unresolved structural ambiguity at its center. This should be treated as a companion requirement to RFC-0021, not a future consideration.

[Quzara]

Advisory track record should be measurable, not just attested. Three positive client attestations tells an agency nothing about scale, depth, or outcomes. What matters is how many CSPs a firm has guided through a completed authorization, across what impact levels, over what time period. FedRAMP should require advisory firms to disclose — in structured, machine-readable format — the number of engagements completed, authorization outcomes, and assessment levels involved. Firms that have done the real work will be distinguished from those that have done one engagement and collected three signatures. Positive sentiment is not a proxy for competence, and an unstructured attestation requirement produces a marketing directory, not a quality signal.

The advisory subcategory taxonomy is absent and agencies will suffer for it. "Advisory services" in the FedRAMP context covers meaningfully different capabilities that should not share a single Marketplace label. At minimum, FedRAMP should distinguish between managed security service providers delivering ongoing operational functions, compliance engineering and acceleration firms building authorization packages and driving CSPs through the process, and strategic advisors helping CSPs make program-level decisions without delivering technical implementation. An agency or CSP searching for help cannot tell from the current framework whether they are hiring a firm that will build their Boundary or one that will write their policies. These require different capabilities, different vetting criteria, and should carry different listing requirements.

[nicole-gov]

The following public comment was received via email from Coalfire on Thu Feb 19 @ 5:25PM.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

RFC-0021

Public Pricing Challenges

Publicizing pricing structures for services is not something that FedRAMP should require and could be perceived as anti-competitive. Public pricing requirements often result in manipulative pricing structures that don’t reflect the actual costs of services. Providers already have contact information and there should be consideration for additional contact information related to quotes/pricing requests.

Unnecessary External Influence

FedRAMP should not dictate how a commercial company market themselves on their own websites. Most other standards bodies have rules against logos and what accredited organizations cannot do but they do not dictate how they manage their websites or marketing details provided on their website. Any requirements should be limited to the firms listing on the FedRAMP marketplace.

[nicole-gov]

The following public comment was received via email from Salesforce on Thu Feb 19 @ 5:36PM.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

Requirement_ID	Title/Section	Salesforce Comment
MKT-FRX-TRT	Target Response Time in General	Regarding the summary section that states: "All cloud service providers will be required to share general pricing information.": 1. Scope of pricing disclosure for large and complex CSPs Concern: The requirement that “all cloud service providers will be required to share general pricing information” does not define scope. For large CSPs (e.g., Salesforce, AWS) with many products, SKUs, and à la carte add-ons, it is unclear whether they must list every SKU and add-on in the Marketplace. Doing so could be operationally complex, hard to maintain, and difficult for agencies to use, while a high-level summary might not meet the goal of “general pricing information.” Without clarity, large CSPs may over- or under-disclose, and agencies may have inconsistent expectations. Recommendation: Define in the RFC or implementing guidance what “general pricing information” means in terms of scope and granularity. For example: specify whether CSPs must list every SKU/add-on, or may provide tiered or representative pricing (e.g., by product family, impact level, or deployment model), and whether there is a cap or alternative format for CSPs with very large catalogs. Clarify how the requirement should scale so it is feasible for large CSPs while still useful for agencies. 2. Binding effect and currency of marketplace pricing Concern: If a CSP publishes pricing on the Marketplace but later changes a SKU or add-on price and does not update the listing, it is unclear whether the Marketplace price is binding (e.g., for contracting or audit). Agencies may rely on listed prices for planning or procurement; CSPs need to know their obligations and liability. Without a clear rule, there is risk of contract disputes, inconsistent behavior, and uncertainty about how often listings must be updated. Recommendation: State explicitly in the RFC or related policy (1) whether Marketplace-listed prices are indicative only or contractually binding (and under what conditions), and (2) how often or under what circumstances CSPs must update pricing (e.g., within X days of a change, or at least annually). If prices are not binding, state that clearly and recommend that agencies obtain current pricing through normal procurement channels. Publish this in the same place as the pricing requirement so CSPs and agencies share a single understanding. Summary: 1. Scope of pricing disclosure: Define what “general pricing information” includes (e.g., per-SKU vs. tiered/representative pricing, and how it applies to CSPs with very large catalogs) so large CSPs and agencies have a shared expectation. 2. Binding effect and currency: State clearly whether Marketplace prices are binding or indicative, how often CSPs must update them, and that agencies should get current pricing through normal procurement.
MKT-GEN-SPI	Service Pricing Information	Concern: Requiring CSPs to publish “general pricing information” for services offered to agencies may create uncertainty about whether that information is contractually or legally binding. If agencies or contracting officers treat Marketplace pricing as an offer or a committed rate, CSPs could face binding obligations they did not intend. If the policy does not clarify this, providers may hesitate to disclose federal pricing or may limit what they publish to avoid unintended liability. Recommendation: Clarify in the policy or implementing guidance that Marketplace pricing is indicative only (or “for informational purposes only”) and is not a contractual offer or binding commitment unless otherwise agreed in a separate contract. State that actual pricing for federal customers is determined through the normal procurement/contracting process. Optionally, allow or encourage CSPs to link to existing public pricing pages and to include a short disclaimer (e.g., “Pricing is subject to change; contact for current terms”) so the non-binding nature is explicit for both CSPs and agencies. Summary: Clarify in policy or guidance that Marketplace pricing is for informational purposes only and not contractually binding, and that actual federal pricing is set through normal procurement; optionally allow links to public pricing and a short “subject to change” disclaimer so CSPs and agencies share one understanding.

[nicole-gov]

The following public comment was received via email from The Alliance for Digital Innovation (ADI) on Thu Feb 19 @ 11:34PM.

I am copy/pasting into the public comment record on their behalf as required by the FedRAMP public comment process. This is not an endorsement of the commenter or the content within the comment. I have adjusted the formatting so that the email displays properly with the bullets and bolded text included in the original (copy/paste into github strips this out) but have not changed any content. Any remaining oddities in the formatting may be a result of my missing a specific header/etc.

---

RFC 0021

The Alliance for Digital Innovation (ADI) appreciates the opportunity to comment on RFC-0021, Expanding the FedRAMP Marketplace, and support efforts to enhance transparency and usability for agency customers.

One requirement of this RFC is, “all cloud service providers will be required to share general pricing information,” accompanied by the statement that providers may determine the most effective way to meet this requirement given varied pricing models. While the intent of enhancing convenience for potential customers is understandable, the inclusion of general pricing information appears outside the core scope of a government cloud security authorization program. Neither the published RFC, the FedRAMP Authorization Act, nor OMB Memorandum M-24-15 explicitly require the FedRAMP PMO to collect and publish general pricing information in any form.

Moreover, we are concerned that there is not a stated process for determining whether published pricing information is accurate. Agencies already have access to pricing information directly from vendors, through publicly available sources, or via established government procurement channels. We recommend formally working with GSA procurement teams to make that pricing data easily available through the FedRAMP marketplace to security professionals, mission owners, and information technology leaders. Without working across GSA to provide consistent, vetted pricing information, the FedRAMP PMO may introduce administrative burden (through duplicative validation processes) and potential confusion across the acquisition community.

We commend that the RFC establishes a 12-month limit for cloud service providers listed in “Preparation” status. However, additional clarity regarding the objective criteria required to enter “Preparation,” as well as measurable milestones that demonstrate sufficient progress within that 12-month window, would strengthen confidence in Marketplace designations. Clearly defined entry and progression standards would enable agencies to distinguish between early-stage intent and demonstrable security maturity, thereby reducing the risk of premature adoption decisions while preserving the integrity and credibility of the Marketplace.

Finally, ADI is concerned that the “Choose One” requirement (MKT-GEN-PKO) may artificially hinder the move towards FedRAMP 20x. We understand and support the idea that the FedRAMP PMO should not have to maintain multiple authorizations for one CSP, especially in the current fiscally constrained environment. That said, given that there is a pathway to move from Rev 5 to 20x and not the other direction, many people will choose Rev 5 as the less risky path to market if forced. In the short run, the more pathways available to new market entrants or even new products from current market participants would provide more rapid adoption of FedRAMP 20x. Additionally, we believe that agencies will determine - whether a CSP chooses one pathway or another - what requirements they need from CSPs in order to authorize them to operate within their organizations. A CSP decision to go with the 20x pathway may still result in that CSP being required to participate in a Rev 5 process if the agency decides that is how they want to manage their risk. We recommend that FedRAMP strike this requirement from this RFC.

Thank you for your consideration on this matter.