If a cloud patch management software scans your computer for missing patches and deploys patches, does that need to be FedRAMP? It may get your computer name and software list, but it's not directly accessing your CUI files.

From what I know, services need FedRAMP if you're storing or accessing CUI data which a patch management service does not.