Hello everyone, I was not sure which forum to ask this question in, so this was my best guess. Apologies in advance if this isn't the right spot.
I have some FedRAMP-related questions.
1. Are there statutes, regulations, etc. governing FedRAMP? If so, what are they called?
2. I am dealing with a company that may have been selling FedRAMP-certified products (IL2 in this case) to customers who are not Federal Agencies. These customers include "purely commercial" customers, state and local governments, and various other entities that subcontract for the Government or perhaps take grants from them. What are the laws/regs around whether FedRAMP can be offered to non-Fed entities? Are there any drawbacks to selling them to non-Fed entities if this company so pleased? The company has a policy of requiring a "sponsorship letter" if a non-Fed entity wants to purchase FedRAMP offerings, but no one recalls where that policy came from, and I certainly don't see it anywhere online.
Thanks in advance for your guidance!