FedRAMP Change Notification Policy

FedRAMP (Federal Risk and Authorization Management Program) is one of the significant platforms that Melissa makes available for our governmental end users. We undergo strict testing and maintenance procedures to ensure that this environment is fully secure and adheres to all FedRAMP standards.

To make sure the right people receive change notifications:

  • Make sure your email is registered as a contact with Melissa. Your customer sales representative can assist with that.

  • Subscribe to opt in to release note update emails:

    https://releasenotes.melissa.com/subscribe/

FedRAMP mandated updates

Melissa must adhere to all FedRAMP mandated timelines and procedures. These include:

  • Patches for high-severity vulnerabilities within 30 days (immediately if possible)

  • Patches for medium-severity vulnerabilities within 90 days

  • Patches for low-severity vulnerabilities within 180 days

  • Regular and timely updates to all underlying components

These are expected and normal for everyone within the FedRAMP environment. Notification will depend on the severity of the vulnerability.

Notification Period: None

Notification Channel: Release Notes, Email Advisory when deemed appropriate

Non-Breaking and Return Value Changes

These are changes that we would reasonably expect not to break any client implementation. They can include things such as:

  • Adding a response field

  • Adding new features and options

  • Regular data or engine updates

  • Removal of personal information at user request

Occasionally, there could be changes in the values depending on the topic of data being returned and the availability of data.

Notification Period: Immediate to 3 months

Notification Channel: Release Notes, Email Advisory when deemed appropriate

Breaking Changes

As a last resort, we may need to make a change that would break code compatibility. Such changes may include:

  • Removing or renaming a response field

  • Changing the URL

  • Removal of functionality

We realize our users rely on our services and cannot make changes quickly or easily. This is a last resort for us, and we have not pushed out any changes that break backwards compatibility to a major service for the life of our company. It would not be in our interest to do so.

Notification Period: 6 months minimum, 12 months likely

Notification Channel: Release Notes, Email Advisory, Telephone communication