FedRAMP sales to non-Federal Entities


Hello everyone, I was not sure which forum to ask this question in, so this was my best guess. Apologies in advance if this isn't the right spot.

 

I have some FedRAMP related questions.

1. Are there statutes, regulations, etc. governing FedRAMP? If so, what are they called?

2. I am dealing with a company that may have been selling FedRAMP certified products (IL2 in this case) to customers who are not Federal Agencies. These customers include "purely commercial" customers, state and local governments, and various other entities that subcontract for the Government or perhaps take grants from them. What are the laws/regs around whether FedRAMP can be offered to non-Fed entities? Are there any drawbacks to selling them to non-Fed entities if this company so pleased? The company has a policy of requiring a "sponsorship letter" if a non-Fed entity wants to purchase FedRAMP offerings, but no one recalls where that policy came from, and I certainly don't see it anywhere online.

 

Thanks in advance for your guidance!


The “sponsorship letter” doesn’t apply in the instance you mention. Sponsorship is when a company wants to become certified.
 

To be safe, I would ask someone in the government FedRAMP program office. What this means is sharing government-approved security requirements with a commercial company. The government may not want this to happen.
