FedRAMP modernization is moving quickly, and one of the newest developments is the introduction of FedRAMP Public Notices. In this episode of Behind the Shield, the team explains what these notices are, why the FedRAMP PMO created them, and what they reveal about the future direction of FedRAMP 20x.
Public Notices serve as a formal communication channel that provides transparency and a chronological record of key program updates. Instead of relying on blogs or scattered announcements, the FedRAMP Public Notices page offers a centralized place where industry stakeholders can track developments, including outcomes from Requests for Comment (RFCs), operational updates, and emergency directives.
During the conversation, the team walks through the first seven FedRAMP Public Notices and discusses what they mean for Cloud Service Providers (CSPs), assessors, and advisors navigating the evolving FedRAMP ecosystem. They highlight outcomes from recent RFCs, including updates to authorization terminology, changes to the FedRAMP Marketplace, and how the program is responding to industry feedback.
The episode also explores operational updates such as quarterly security inbox testing requirements and the role of emergency directives that may require CSPs to respond quickly to vulnerabilities.
The conversation also touches on the broader FedRAMP 20x modernization effort, including the push toward automation, machine-readable evidence, and reducing barriers to entry for cloud providers supporting federal customers.
Chapters:
00:08 Understanding FedRAMP Notices and Their Importance
03:09 Navigating FedRAMP Notices
05:55 Understanding Security Assessments
08:12 Changes in Authorization Designations
10:59 Marketplace Updates and CSP Pathways
13:50 Emergency Directives and Testing Procedures
17:24 Leveraging External Frameworks for Certification
28:35 Conclusion and Future Outlook
30:09 Update: RFC-0023 Notice added
34:14 Alternate Intro Outtake
What You’ll Learn:
• What FedRAMP Public Notices are and why the FedRAMP PMO introduced them
• Key updates and initial outcomes from RFC 19, RFC 20, RFC 21, and RFC 22
• The shift toward FedRAMP Certified designations and new class-based certification levels (A–D)
• New security inbox monitoring and quarterly testing expectations for Cloud Service Providers (CSPs)
• How FedRAMP may begin leveraging external frameworks like SOC 2 Type II
• What these changes signal about the future direction of FedRAMP 20x and cloud authorization modernization
Links to visit:
https://www.fedramp.gov/notices/
InfusionPoints Links:
Jason Shropshire, COO: https://www.linkedin.com/in/shrop/
Mike Strohecker, VP of Engineering and Operations: https://www.linkedin.com/in/michael-strohecker-238326172/
Tanner Bailey, Senior Consultant/FedRAMP 20x Lead: https://www.linkedin.com/in/tanner-b-37a50a132/
https://www.linkedin.com/company/infusionpoints/
https://www.InfusionPoints.com
https://infusionpoints.com/contact-us
About Us:
InfusionPoints is a trusted cybersecurity, cloud engineering, and compliance partner helping organizations Build, Manage, and Defend secure, mission-ready environments in highly regulated markets.
We specialize in FedRAMP, FedRAMP 20x, DoD, and enterprise security frameworks, supporting organizations from initial authorization through continuous monitoring and optimization. Our team brings deep technical expertise and real-world operational insight to every engagement.
Through our independent, security-first approach, we integrate people, processes, and technology to deliver scalable, compliant, and resilient solutions. From strategy and architecture to operations and defense, we help customers move faster without sacrificing security.