Behind the Shield

FedRAMP 20x Public Notices: What CSPs and Assessors Need to Know

InfusionPoints Season 1 Episode 23


FedRAMP modernization is moving quickly, and one of the newest developments is the introduction of FedRAMP Public Notices. In this episode of Behind the Shield, the team explains what these notices are, why the FedRAMP PMO created them, and what they reveal about the future direction of FedRAMP 20x.

Public Notices serve as a formal communication channel that provides transparency and a chronological record of key program updates. Instead of relying on blogs or scattered announcements, the FedRAMP Public Notices page offers a centralized place where industry stakeholders can track developments, including outcomes from Requests for Comment (RFCs), operational updates, and emergency directives.

During the conversation, the team walks through the first seven FedRAMP Public Notices and discusses what they mean for Cloud Service Providers (CSPs), assessors, and advisors navigating the evolving FedRAMP ecosystem. They highlight outcomes from recent RFCs, including updates to authorization terminology, changes to the FedRAMP Marketplace, and how the program is responding to industry feedback.

The episode also explores operational updates such as quarterly security inbox testing requirements and the role of emergency directives that may require CSPs to respond quickly to vulnerabilities.

The conversation also touches on the broader FedRAMP 20x modernization effort, including the push toward automation, machine-readable evidence, and reducing barriers to entry for cloud providers supporting federal customers.

Chapters:
00:08 Understanding FedRAMP Notices and Their Importance
03:09 Navigating FedRAMP Notices
05:55 Understanding Security Assessments
08:12 Changes in Authorization Designations
10:59 Marketplace Updates and CSP Pathways
13:50 Emergency Directives and Testing Procedures
17:24 Leveraging External Frameworks for Certification
28:35 Conclusion and Future Outlook
30:09 Update: RFC-0023 Notice added
34:14 Alternate Intro Outtake


What You’ll Learn:

• What FedRAMP Public Notices are and why the FedRAMP PMO introduced them
• Key updates and initial outcomes from RFC 19, RFC 20, RFC 21, and RFC 22
• The shift toward FedRAMP Certified designations and new class-based certification levels (A–D)
• New security inbox monitoring and quarterly testing expectations for Cloud Service Providers (CSPs)
• How FedRAMP may begin leveraging external frameworks like SOC 2 Type II
• What these changes signal about the future direction of FedRAMP 20x and cloud authorization modernization

Links to visit: 
https://www.fedramp.gov/notices/

InfusionPoints Links: 

Jason Shropshire, COO: https://www.linkedin.com/in/shrop/
Mike Strohecker, VP of Engineering and Operations: https://www.linkedin.com/in/michael-strohecker-238326172/
Tanner Bailey, Senior Consultant/FedRAMP 20x Lead: https://www.linkedin.com/in/tanner-b-37a50a132/

https://www.linkedin.com/company/infusionpoints/
https://www.InfusionPoints.com
https://infusionpoints.com/contact-us

About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every engagement.
Through our independent, security-first approach, we integrate people, processes, and technology to deliver scalable, compliant, and resilient solutions. From strategy and architecture to operations and defense, we help customers move faster without sacrificing security.

SPEAKER_02

Welcome back to Behind the Shield. Jason, Mike, welcome. Uh, we're here to talk about some FedRamp notices. So who are you? I'm Tanner Bailey. Awesome.

SPEAKER_03

Wait a minute. FedRamp Notices. What are FedRamp notices?

SPEAKER_02

FedRamp Notices are the new communication channel that FedRamp has set up for things that they don't, you know, they're a big deal, but they're not quite big enough to do like a blog post or a dedicated FedRamp video or a YouTube video.

SPEAKER_03

Well, the way I understand it, it's more of a these are like the like a kind of a formal record of announcements, right? And blogs give more of a bigger picture kind of view of what's going on, right? With probably some commentary in there. But the public notices are more of that like, you know, here's here's public record. It's chronological, so you can kind of go back in time and see the history um of how things stack up. And how many times have we had to re-recreate like when did that happen? And right, you know, you know, in the in the 10 years of Fed. Who said what? When yeah, yeah, exactly. Yeah, and and what happened to that document? But uh I think this is their way of getting a little bit better at communication.

SPEAKER_00

Communicating.

SPEAKER_03

Yeah. Well, and and it gives them sort of a way to report out results from like, well, like, well, what happened with the RFCs? Should we just revise the RFC to say what happened to that RFC, or do we need some other medium to do that?

SPEAKER_00

Yeah, do we need to go to each individual RFC, or can we just go to one location, find the outcome, and move on?

SPEAKER_03

Yeah, yeah. So where to begin? There's been like like uh seven of these so far.

SPEAKER_00

So which one makes the most sense to start with, Tanner? Probably the first one.

SPEAKER_02

The first one's pretty straightforward. Um, it's really an introduction of the FedRAMP notices page, what you know, what its purpose is, basically what Jason was just saying. Uh, and we definitely agree that um it's a beneficial change uh for that paper trail uh and a history to be able to see where things have happened. Um there's also you know that public record for FedRAMP for things like the um the CISA emergency directive that came out last week. Um that's another one, I believe that's uh notice four, if I remember correctly. Um but it's just a way where FedRAMP can keep track of like these are all the things that we've been reporting on to the public um for transparency and also for you know that accountability in the industry. So um, but more interestingly, and the things that I've been really interested in seeing are the initial outcomes to the RFCs. So what FedRAMP has done is, you know, in the past with RFCs, there was it seemed to go into a black hole after the comment period for however long it took the you know the PMO to you know go through the comments and feel like they had got to their their happy place with where it ends up in its final form. Uh, but what the PMO's done with this, which has been great, is saying um for four of the RFCs that have closed so far, um, RFCs 19, 20, 21, and 22, they've announced like initial outcomes, like their initial thoughts on what's happening and getting a little bit of insight into their future plans for when the RFCs go into their final form, uh, to let you know, industry personnel start like planning accordingly.

SPEAKER_03

So that brings us to like notice number two.

SPEAKER_00

Notice number two. But it also is like that one stop. Not only does it give the information about what their initial thoughts are and things like that, but it's also are they gonna move forward with that RFC? Like, and to me, that's rather than clicking and trying to find which RFC was that, well, you know, going to this notices page to find that super helpful. I think it's a move in the right direction.

SPEAKER_03

Um, I think it it's gonna make it more searchable because all of this is unstructured doc documentation.

SPEAKER_00

So I am sharing the notices page right now. Um, I know you two can't see my screen, but so we're gonna try to narrate, right? Yeah, we're gonna try to narrate as best we can. Um the as Tanner has already stated, the the first notice was introducing the notices page. Makes a whole lot of sense. Um so we've already talked about that. We've already spoken about that. We don't need to say anymore unless anyone has any questions. Let's move on to number two. Number two, reporting assessment costs, RFC 19. I believe you already touched on this one as well.

SPEAKER_03

Um that this one was was really I think it generated a lot of comments, right? A lot of comments. Yeah, um and a lot of feedback uh from the public. And uh, you know, I remember thinking, and I think that our comments reflected this, that it would be very difficult for the PMO to manage that information, but also to take to really get meaningful insights because it's it's there's a lot of apples and oranges, yeah, you don't have full context. And I think that they, you know, they realize that. And that's what I love about FedRAMP and this PMO and and um you know what that what they've done with just soliciting feedback, yeah, and then absorbing it and and acting on it, you know, and and uh in some cases it might mean this this is just not something that we can do that it makes sense to put the time and energy into. Yeah. This was this was one of those. So I think that's a good thing.

SPEAKER_00

I think that's it's really smart as well, right? To to put it out for that public comment. Hey, we have this idea, does it make sense to do? And then no, it doesn't. Yeah, coming back with that response, nope, based on the feedback.

SPEAKER_03

Do we want people spending the time and energy to strategize about oh, what information are we gonna put in the public? And you know, it's gotta be the low, low price, the small t-shirt size, and you know, but then yeah, yeah. So yeah, nobody got time for that.

SPEAKER_00

No one got time. Yeah, perfect. Okay, what's the next one, Tanner? What's the next notice?

SPEAKER_02

Do you the next notice should be RFC 20?

SPEAKER_00

No, it's number three. It's number three, but this is like the count. Golly, Dan. It's like the count. Count just just one each time it's one. Yes, exactly. No thunderstorms inside. Okay. Yeah, it is. Um so number three is actually the security inbox test.

SPEAKER_02

Oh, yes. Yeah. So this would be uh the FedRamp security inbox, one of the balance improvements that FedRAMP has released. Um, what this notice is doing is it's formally putting that paper trail for the notification that the PMO put out that they are um going to be doing a test of all the CSP, FedRamp CSP's FedRAMP security inbox requirements um between March 2nd, so this past Monday, and through March 13th is that testing period. Uh, and that's just a formal uh documentation of that announcement for the paper trail.

SPEAKER_00

Well, it says that, and it says a little bit more than that, right? Because it also says, you know, they're starting their first test, their first of planned quarterly tests. So they're gonna be doing this every quarter. Yep. Um, I don't want that to be lost on anybody because I think a lot of people just kind of focused in on, oh, when do I have to be watching the security inbox? Well, the answer is all the time. All the time. Yep. You need to have a process in place. This is that this isn't a oh, Federal's going to test it once and then forget about it. Um, you know, I kind of view it as they're treating and as that quarterly access review. Um, who who's paying attention, who's watching out there. Um, so yeah.

SPEAKER_02

Yeah, well, and it's uh it there's there's some important details in that notice too about what they're looking for in your response, trying to give some insight specifically about secure configuration guide, uh, because that was the other balance improvement um that was mandatory for all the Rev5 and for 20X uh CSPs, so that they're looking for insight into your secure configuration guide, uh a link if it's publicly available, uh, or you know, acknowledgement that you're aware of the requirements. You know, it seems like simple stuff, but wait, have we done ours yet? Yeah, we have done ours. Okay, good. Yeah, shout out to Rachel on the team for leading that effort. So awesome.

SPEAKER_00

Okay. What's next, Tanner? RFC. You already said what number four was, but that was actually not correct. Oh, it was not. It was not. It was not the CISA piece. It was the uh this is the authorization designations. This is RFC. This is RFC 20. This is the the You got them memorized. Yeah, that is amazing, by the way.

SPEAKER_02

Done a lot of reading on these RFCs. I think Jackson, uh Jackson made a joke that he read the uh the like DoD SRG for light reading. For light reading. Yeah. Oh, that's become me with the you know, all the 20x RFCs and whatnot. So uh but yeah, RFC 20, I think this one's really interesting. Again, this is another example of you know the PMO taking feedback from the industry and you know applying it. Um it's it it's pretty interesting. You know, they're completely removing the FedRAMP Validated term moving forward. You know, initially RFC 20 introduced FedRAMP Validated for 20x.

SPEAKER_03

I mean, what we're all used to is FedRamp authorized. Yeah, right, right. But the but the real issue with that was, you know, well, that kind of gets conflated with the agency, you know, process. So so um the desire was really to get away from that authorized term, right?

SPEAKER_00

It's confusing, right? And and the the there's a lot of CSPs is like, oh, I have a FedRAMP authorization. It's like, well, you have a P-ATO, especially for the JAB authorizations, right? Um you need an ATO from an agency, and it was just very confusing. Uh so yeah.

SPEAKER_02

Yeah, so they've and they you know they've consolidated all that down to FedRAMP Certified with the initial comments from the RFC. They had initially said, hey, we're gonna do Validated for 20x, Certified for Rev 5, and they've just decided, hey, let's just do Certified, whether you go down the Rev 5 path or you need to go down the 20x path.

SPEAKER_03

Uh and then they've also they've introduced because there was there was fear there that that having the two different terms might get conflated as having some special meaning value.

SPEAKER_02

You know, is certified better than validated, is validated better than certified. Yeah. I I think I think it's it's cleaner. Uh, it'd be easier for maintaining. They'll still have some sort of designation, I'm sure, to say that like this was the path you went down to get certified, but you're the um the level of your certification, if you will, it's not, you know, it's no better than the other. So um they've also there was comments about the FedRAMP levels that they introduced. You know, they talked about the levels one through six. So um instead of doing low, moderate, high, they initially for RFC 20 introduced levels, and then folks were asking, how is that gonna work with the DoD impact levels?

SPEAKER_00

DOD and CMMC.

SPEAKER_02

Yeah, CMMC level one, two, three. And there's just a lot, you know, there's levels flying everywhere at that point. So the PMO is they've they've changed course on that, and they're gonna designate you as FedRAMP Certified under one of four classes. Uh clout those classes being A, B, C, D, uh, so alphabetic, and then A would be your pilot certification, B would be LI-SaaS, LI-SaaS slash low, C would be moderate, and then D would be high.

SPEAKER_03

So we're continuing on the Sesame Street theme.

unknown

Yeah.

SPEAKER_02

Yeah, we went from the count to letters. Letters, so letters.

SPEAKER_03

Yeah.

SPEAKER_02

Today's letter is the letter C. The letter C. But yeah, so that uh it would be interesting to see how that shakes up. Um, curious to see how like the you know, the marketplace will obviously be, you know, updated to reflect all this. And uh the PMO is also stated in uh that throughout the notices and in this one included, that they're gonna be doing um, they'll be like finalizing what the final form for each of these RFC guidance looks like in the uh consolidated rules for 2026, where um, you know, and the PMO and their and the all of the the working groups that we've been having, um, they've been talking about they they want to get past the, you know, get over this modernization hill where they're they've acknowledged that a lot of people are they're showing you know either concerns or just confusion because there's a lot of changes coming out really quickly. Fatigue. And it's hard to hard to keep up with, right? Yeah, it's hard to keep up with. And so, you know, they've stated you know, this consolidated rules that they're targeting uh end of June to release, um, those will be applicable. You can if you become certified under the consolidated rules framework, you'll have that until end of 2028. So it's a lot longer process to then you know update to CR 2027 in 2027 and have that through 2029. Um so they they've acknowledged that you know the plan moving forward is not to continue modernizing at the same pace. Uh they want to get to a a stop point. And we were talking about this internally the other day, you know, FedRAMP has been, what is it, 2017's been around since? I mean, it's it's longer than longer than it's longer than 22nd. 2012. 2012, yeah, not 2017. I was that oh, 2017 would have been the introduction maybe of Rev 5, like before it got adopted.

SPEAKER_03

Uh sounds about right.

SPEAKER_02

There there's a there's a there's a date there somewhere. But FedRAMP's been around.

SPEAKER_03

Rev 5 came a little later, I think. But yeah.

SPEAKER_02

But yeah, all that to say FedRAMP's been around long enough that yeah, a big facelift like this, it it was due. And this is just the learning curve that comes with it.

SPEAKER_00

So what's the next RFC? Do you remember?

SPEAKER_03

We didn't talk about what the letters meant. I mean, some folks.

SPEAKER_00

Well we did. We said we said low, LI-SaaS.

SPEAKER_03

Oh, I missed that.

SPEAKER_00

Yeah. Low, moderate, high, B, C, D. B, C, D, but what about A? C stands for moderate.

SPEAKER_02

A is pilot. A is pilot. We do sound like Sesame Street. A is for pilot.

SPEAKER_00

A A stands for pilot. B stands for low. Or LI-SaaS. Or LI-SaaS. C stands for moderate. And D stands for high. Not Sesame Street.

SPEAKER_01

Elmo would not be proud.

SPEAKER_02

No. All right. I believe the next one is the CISA emergency directive, right? Am I off again?

SPEAKER_03

You know. That'd be pretty awesome if you just memorize it. It would be pretty awesome. It's actually not RFC 21 and uh it is 21.

SPEAKER_01

It is. Wow. Impressive.

SPEAKER_00

It is. Because it comes after 20. So maybe not so impressive.

SPEAKER_02

Yeah. Um, so this one's talking about the updates that the PMO has introduced for the marketplace. Um, you know, RFC 21 initially announced this push to include not just assessors on the marketplace, but also advisors. And then it also updates some of the requirements that CSPs had to have um for their marketplace listing. Um, so there's some, there's some connection between the comments on RFC 19 and the outcomes from RFC 19 with 21. Uh, they had, you know, PMO had announced that, you know, all of the CSPs, they're gonna have to include their pricing structure on the marketplace. Due to the, you know, genuine genuinely the pushback from the community and just the disagreement with that requirement from the industry, uh, the PMO has decided that they're gonna remove that requirement for advisors, assessors, CSPs in the final version of the you know, outcome from RFC 21. They're still putting some more tweaks together. Um, one thing that was interesting was the PMO had initially said that you would have to pick a pathway to getting your FedRAMP certification, so either Rev 5 or 20x. Um and at this point, PMO said, you know, there was some pushback that they didn't really expect on that, because they expected most folks would want to pick one or the other. Um, and you know, on upon further consideration, they said we don't really have a reason to require you only go down one path. Um they don't recommend it just because of the the lift and you know the requirements. There is some diff in the requirements for the actual authorization submission process, and they just say might not be worth it. But if it is worth it in your circumstance, we don't have any reason to stop it. So I thought that was pretty interesting. Uh, we've actually expected.

SPEAKER_03

I mean, I could I could actually see a lot of scenarios actually where there may be interest in both paths that you know it's it's good to hear that there's there was consideration there. Um just some examples like folks that are going through the DOD process, um, that process takes a lot longer, right? They could be getting 20x while they're going through DOD and then end up with a Rev5 as well from the DoD process, right? Um, and uh, you know, that's one of the things that I saw as well in the roadmap, uh, an update that that in effect that it was one of Pete's notes in the roadmap, there's a roadmap item for DoD reciprocity. And he was basically saying, in effect, this is this is in place now. Um, you know, you can have your uh your your authorizing official on the DOD side um submit the documentation to the FedRAMP PMO and they would review it and uh incorporate it into the marketplace within uh you know a few weeks. So that's a really positive thing. That that that's always been a pathway, yeah, but it's it's not always been um clear to the DOD side that that they should um follow through on that, right? But now now that you know the PMO is saying, hey, this is here, we can do this, uh it gives CSPs more of an opportunity to get that get that in place. But they could be working on 20x and have that ahead of time.

SPEAKER_01

Yeah.

SPEAKER_00

So let's start back. Which is next, Tanner.

SPEAKER_02

Next RFC would or next, excuse me, next notice would be notice number six on the CISA emergency directive.

SPEAKER_00

You only know that because I already told you. Yeah, we're getting good at this. We sure are. I'm so glad. Eventually, eventually, one of the notices was going to be the CISA emergency notice notification.

SPEAKER_02

Yeah. Yeah. So this one, um, like Jason was saying, you know, the the paper trail that the notice is gonna have is gonna have, you know, in the future as new emergency directives or emergency messages that are sent to your FSI inbox. Um, like this one, this was actually it came out just like any other security emergency directive. And the PMO was like, hey, you guys are gonna get a uh kind of a dry run test before our official FSI test. Uh next week, this uh emergency directive actually came out um last week. We're filming this on March the 5th. So um it came out a couple days before the planned FSI test time period. Um so it was a it was a good dry run for everybody before the official one. So um this is just a you know, again, as future emergency directives from CISA come out or future emergency messages that FedRAMP needs to send out are um posted, they'll post a copy of that to the paper trail. So um I believe this one was on uh Cisco SD-WAN devices, um and you just had to you know reach back out to FedRAMP, confirm whether you were affected or not uh with any applicable inventory details.

SPEAKER_00

So yeah, I mean and um in in your response to the FSI email. Yeah. Yeah.

SPEAKER_03

Yeah, we got to exercise our FSI.

SPEAKER_00

Exercise the FSI? Awesome. And last but not least, so far as of today's publication.

SPEAKER_02

As of today's publication, notice number seven.

SPEAKER_00

Notice number seven.

SPEAKER_02

Yep. What is that about? This one's about RFC twenty or the initial outcomes from RFC twenty-two. Um notes here.

SPEAKER_00

Yeah, this is leveraging external frameworks, right? Mm-hmm.

SPEAKER_02

Yeah. Yeah, this one was uh it was pretty interesting seeing this one. I think this one came out last of all of them, um, or coming came out fairly recently for recording this. So um, you know, they were talking about the class A certification. So again, you know, they're taking into account details that released from previous notices. They're removing the uh validation frame pathway, like we talked about with RFC 20. They are removing the levels, so class A certification, whether you go Rev 5 or 20x, um, they have noted that that's only going to be available through a program certification. Uh so the program certification path was this idea that was introduced by FedRAMP for um in RFC 23. And the idea is that you're getting the full certification directly from the PMO. Um, so that pathway is, I think we talked about in our last RFC episode. It's the um it's part of that new way to get listed on the marketplace with a certification or with like what we're doing with the pilot program. It's sort of it's similar to that. Um, without having to put as much investment as you would previously for like a FedRAMP Ready assessment, um, or being blocked by sponsorship concerns like you would have had to have been on the FedRAMP In Process.

SPEAKER_03

So um that's been a big barrier to growth for the the whole industry. I mean, a lot of folks want to do federal work, but it's a chicken and egg problem. Right. That you can't get the sort of you know, you you can't get authorized without the sponsor, or you can't get a sponsor without being being or you can't get customers that are interested without without the authorization. So it's hard to get that that sponsor initially without the right mix of events.

SPEAKER_00

I mean, it's so easy for CSPs to get stuck there at that that FedRAMP Ready. Oh, yeah, right. Like, I mean, how many times have we seen that? Yep. Over and over. Over and over. So I think this is this is definitely a step in the right direction as well. Um, I know it's just, I mean, that this was just released two days ago, this notice. So I'm sure there's still there's gonna be some to follow on this one. Um, but I honestly I think they're all very important and all very intriguing. But this is the the the kind of feedback on me or from me on this one is you know, this is gonna be an interesting one to watch as it unfolds. Um, I think it's really going to open the door for a lot of CSPs to get that authorization.

SPEAKER_02

Um Yeah, and I think it one thing that they've changed or in the initial outcomes, they noted that previously for that, um, once you get that program certification.

SPEAKER_00

So sorry, I said authorization. My bad. Uh certification.

SPEAKER_02

Yeah. Um, once you get that program certification, one of the updates in this notice is that they're actually gonna you have a two year period of being listed uh in like FedRAMP in preparation. So with that class A certification level, what was previously denoted as level one, you actually have two years. To get up to class B, class C, class D, uh, which I I think is a positive change. Like you said, you know, we've seen a lot of CSPs get stuck at the FedRAMP Ready stage. So it makes sense to extend that period of time that once you, you know, you do the your I mean, it's a business experiment. At the end of the day, getting that information or getting it listed on the marketplace in that way will be a big, big, big, big benefit and it will last longer. That that investment in the experiment will last longer.

SPEAKER_03

I mean, the the whole purpose of Ready to begin with was to prov to provide a way that a CSP could self-actualize their entry into the marketplace, right, without requiring um a federal sponsor, right? So they could they could pay for an assessment um and they could get into the marketplace. But ultimately, it was um not that successful just because the crite the the um the criteria at the time that the PMO applied to FedRamp Ready required the system to be fully developed, required um full maturity of the security process.

SPEAKER_00

Full doc package, yeah.

SPEAKER_03

Yeah, I mean, it's a significant amount of investment just to you'd have to you'd basically have to have to invest all the way. Yeah. Plus your assessment costs would be more because there would be a readiness step and a full assessment.

SPEAKER_01

Yeah.

SPEAKER_03

Um, so it it really uh struggled to get traction. I mean, I think it was interesting for a a small subset of CSPs, but didn't have the broad adoption that that um would have driven more um more entrance into the marketplace.

SPEAKER_00

I mean, and I get I I get the the reasoning behind the initial readiness assessment, right? It was to give that that kind of confidence for the federal agencies to do this sponsorship. Like, yes, I'm not just gonna throw a bunch of ton of time and resources at the CSP that may not be mature enough to do it, like that might fail. Um, because at the end of the day, this I mean, the whole reason for the FedRAMP program is for um federal agencies to have that marketplace to go to for products they can use to solve for problems that they have.

SPEAKER_03

Right. And um but that I mean, you know, the the A uh category. Yeah, what's it called? The cla Class A. Class A. Sorry. Sorry. Um, you know this will let CSPs enter more easily. Absolutely, right? Because they can leverage SOC2 type two. Um environments they already have, which a lot of CSPs have, yeah, right. And then it lets agencies try that service, right, with as a pilot, as a um a really low risk, you know, beyond the low categorization, right? But it's just a pilot, right? Or something like that. Test data, right? Yeah. Um, so it lets them try it, right? So there's a signal to federal that, hey, we want to do federal work. There, there's a path for agencies to try it.

SPEAKER_02

Um and then you avoid the assessment costs. Or I I guess if you do the 20x path, again, it's the validation and verification costs.

SPEAKER_03

That's beyond SOC 2 Type 2. Yeah. Right.

SPEAKER_00

Um, and I you know, well, you're avoiding that readiness assessment cost, right? Which which could be pretty substantial.

SPEAKER_02

Yeah. We I mean when you were talking about the the readiness uh requirements kind of growing beyond the scope of you know of initial design. I I can't remember it was one of our I think we had a customer, I can't remember who it was, but he mentioned that you know it felt like FedRamp Ready became FedRamp Perfect. And yeah, and I can't I can't remember exactly who it was, but um it really was.

SPEAKER_03

It was it was in a way it was almost harder than an agency authorization, right?

SPEAKER_02

Yeah, and we and and you know we saw that you with our you know advisory and you know our our platform, you know, accelerator and XP40 platforms. We saw customers go through it and we we saw the evolution of ready FedRAMP Ready get harder over time because you know to where we didn't recommend it.

SPEAKER_00

Yeah, right. Exactly. Right. Yeah, yeah. Just a money sink, so to speak.

SPEAKER_02

Yeah, it's uh it definitely encouraging. You know, like you said, you being in you know, a lot of folks have SOC 2 type 2, and so yeah.

SPEAKER_03

Did they mention any other frameworks that that could they that they would leverage?

SPEAKER_02

In the initial outcomes, um, I believe if correct me if I'm wrong, Mike, looking at the notice, the moving forward, they're gonna use SOC 2 type 2 as the test case to get started. And then they're they're not against introducing other frameworks, but they just know it sounds like based off of industry feedback, SOC 2 type 2 is the um the most desired, the most highly desired or most uh commonly applicable.

SPEAKER_03

Yeah, I think I think it's the one that is most ubiqu ubiquitously required, right?

SPEAKER_00

Yeah, and I mean I'm I'm I'm I just drilled in for everybody that's actually watching the podcast, you're able to see that I'm screen sharing. I just drilled into this this notice. Um, and it you know, it it it says that the most frequently leveraged external framework is SOC 2 Type 2 for these pilot authorizations. Um, so that's where FedRAMP will start for 20x Class A FedRAMP certifications. So I don't I don't know if they're handcuffing themselves to SOC 2 Type 2. I just think that since that's the most frequent one that they've seen, that's kind of the industry standard and commercial, um, that that's where they're gonna focus a lot of their time and energy right now. I don't think that's excluding other frameworks, the way I read it. Right. Um I'm sure someone from FedRAMP is listening to me and going to be like, yes, we're excluding everyone, Mike. Or maybe they could agree with me. Please let us know.

SPEAKER_03

Leave a comment.

SPEAKER_02

Comment below.

SPEAKER_03

Leave a comment on our YouTube. Yeah.

SPEAKER_02

Yeah. Um I know with that being the, you know, don't want to shut down discussion, but with that being the last notice, I did want to make it clear for all of our listeners at home that um RFC 22 that we just talked about um and 23 both closed at the same time. So last Thursday at midnight, um, Eastern Standard Time, uh Pete's already made a public post, uh, I believe it's through LinkedIn to say that RFC 23, they've got a lot to chew on with that. That's the actual program certification path RFC.

SPEAKER_03

Um it's gonna take a little bit of time.

SPEAKER_02

Yeah, it's gonna take a little bit of time. And you know, that that was one of the ones that intrigued us the most as well. So that's not surprising, but um, you know, we're gonna we're gonna keep an eye out for it.

SPEAKER_03

This one's in the slow cooker.

SPEAKER_02

Yeah, it's in the slow cooker. It deserves time, you know, it's definitely a a positive move uh in the right direction to you know have that release valve for, like you said, CSPs that are stuck in the Ready phase uh for the remainder of the year or so. Um but yeah, uh you'll be on the lookout for another post from us about those notices and check out the FedRAMP Notices page as well, um, because it's getting consistently updated.

SPEAKER_01

So anything else, guys?

SPEAKER_03

Anyone have a good dad dad joke?

SPEAKER_01

A dad joke?

SPEAKER_00

I always I come up with them just off the cuff every day because you know, being a dad, they're just kind of rolling. But when I'm put on the spot, Jason, no, I don't. Golly. I always get made fun of for my dad jokes. But I have one. Oh geez, who's that oh golly.

SPEAKER_03

We haven't even Caitlin's off cam. We need a Caitlin cam. We need a Caitlin Cam.

SPEAKER_02

We need a producer cam, yeah.

SPEAKER_03

Producer Caitlin.

SPEAKER_01

What is the dentist favorite time? The dentist's favorite time. Tooth time. Hold on. I was gonna say tooth day, but that's a day. No, that that's not time. I mean, you can't say tooth o'clock. I don't know. Okay. I don't know. We're stunning. I give up. 2 30. Oh 2 30.

SPEAKER_00

We were right with the two.

SPEAKER_02

Yeah.

SPEAKER_00

230. 2 30.

SPEAKER_02

And everybody groaned in unison. Ha ha ha.

SPEAKER_03

Me failhorn.

SPEAKER_00

It was a it was a dad joke from the only lady in the room.

SPEAKER_03

How ironic. Uh the irony. All right. Close this thing out.

SPEAKER_02

Yeah. Thanks for joining us, everybody, and uh be on the lookout for the next episode.

SPEAKER_01

Talk to you soon. Thanks, everyone. Bye-bye. Awesome. Okay, so welcome.

SPEAKER_02

Uh welcome back to the episode. Sorry to interject here. Um, during editing of our latest episode, we realized that FedRAMP had released their initial outcomes for uh the FedRAMP program certification RFC, as you'll see on the screen here. So uh just wanted to get our our initial thoughts out there for the pleasure of our viewers. So as we're scrolling through here, um, FedRAMP has included a quick recap um based off of what they've released in the previous notices, so all the notices we were talking about in the office, uh Jason, Mike, and I. Uh, but they've also uh followed up on some of the notes they had initially in RFC 23. Uh so you'll see here uh they still are planning to retire FedRAMP Ready uh towards the end of July that was previously proposed in RFC 23. Um they are planning to provide a path for all CSPs currently stuck in FedRAMP Ready to transition to uh FedRAMP Class A certification. We're talking about the transit the initial outcomes to RFC 20, the fact they're getting rid of that validated pathway and all the levels, so they're not gonna be classed as A, B, C, D. So initially, RFC 23 said that you could transition from FedRAMP Ready to FedRAMP Validated Level 1. Uh it's the same thing from a baseline perspective, just a different name. Now it's gonna be a transition from FedRAMP Ready to FedRAMP Class A certification. Um, and then additionally, they have noted that the uh consolidated rules for 2026 up here. Yep, we'll see this here. Uh the consolidated rules for 2026 will include uh all of the details for the retirement of FedRAMP Ready, as well as they're gonna be publishing all the full criteria for implementing and achieving program certification. So they've added a little bit more details here, where they're gonna be diving into stages one and two. So during stage one, you'll be able to transition from FedRAMP Ready to FedRAMP certified Class A as a Class A certification. Um, and then likewise you're gonna be able to transition during stage two from a FedRAMP Ready to Class A, either to from FedRAMP Ready to Class A or from FedRAMP Ready to Class B slash Class C certification. So again, Class B and Class C or Low slash LI-SaaS and FedRAMP Moderate. Um but in order to transition to or to achieve a program certification of either Class B or C, you do have to meet one of the following criteria between the beginning of January and the end of or beginning of March of 2026. So January 1st, 2025, and March 1st, 2026. So within the last 13 months, you have to fall into one of these four criteria. Those four being uh either being listed as FedRAMP Ready during that period, being listed as FedRAMP In Process during that period, completing a readiness assessment during that period, or completing a full security assessment that includes the SAP and the SAR, security assessment plan, security assessment report. Um, so this helps give a little bit more clarification as to what criteria CSPs need to meet in order to um have reached the standards required in order for RFC 23 to be a path, that program certification to be a path. Additionally, cloud services that want to pursue program certification need to be willing to adopt the required Balance Improvement Releases. That's an important call out that the required Balance Improvement Releases are still going to be in scope for these CSPs. Um towards the end of the notice, there's additional notes on uh some of the specific requirements and how those are changing, some of those proposed requirements from RFC 23. Um there's uh there's a lot of details here that we suggest our listeners go in and uh view as well, uh, but nothing um too major that we wanted to call out specifically for the sake of the episode.

SPEAKER_01

So um possibly thank you, and thank you for your patience and your flexibility. We could do it together.

SPEAKER_00

Would you like us to all do it together? Yeah. You want us to each take take a line? Actually, why don't we introduce ourselves?

SPEAKER_03

How about we just do one word, like welcome.

SPEAKER_01

Why do one word to trick? Okay, welcome back.

SPEAKER_03

Mike screwed it up on here. Welcome back to two. You screwed it up.

SPEAKER_00

We're not gonna do that. I'm channeling you.

SPEAKER_01

Yeah, welcome back to the Behind the Shield podcast with InfusionPoints. I'm Tanner, Mike, Jason Bailey Jason Bailey?

SPEAKER_02

Jason Bailey. I'm Tanner Bailey. So my next word was Bailey for my last name.

SPEAKER_03

We're trying to make coherent sentences, not individually.

SPEAKER_00

Holy smokes. Okay. That was if you're still listening after that start. Gary's gonna kill us.

SPEAKER_01

Gary's gonna kill us. Thank you for being here.