diff --git a/FRMR.ADS.authorization-data-sharing.json b/FRMR.ADS.authorization-data-sharing.json
deleted file mode 100644
index c23b5dd..0000000
--- a/FRMR.ADS.authorization-data-sharing.json
+++ /dev/null
@@ -1,474 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "FedRAMP.schema.json",
- "info": {
- "name": "Authorization Data Sharing",
- "short_name": "ADS",
- "effective": {
- "rev5": {
- "is": "optional",
- "signup_url": "https://docs.google.com/forms/d/e/1FAIpQLSdOH7qeJ9uPlb3zYN35qDPNOm_pXQ8sHanAZIIh5tdgjnubVw/viewform",
- "current_status": "Open Beta",
- "start_date": "2026-02-02",
- "end_date": "2026-05-22",
- "comments": [
- "**Providers MUST notify FedRAMP of intent to participate in the Authorization Data Sharing Rev5 Open Beta by submitting a sign-up form to FedRAMP.**",
- "Rev5 Authorized providers MAY adopt this process beginning February 2, 2026 if they are also participating in the Significant Change Notification and Vulnerability Detection and Response betas.",
- "Providers MUST plan to address all requirements and recommendations in this process by the end of the Open Beta on May 22, 2026.",
- "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's participation in this beta."
- ]
- },
- "20x": {
- "is": "required",
- "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
- "current_status": "Phase 2 Pilot",
- "start_date": "2025-11-18",
- "end_date": "2026-03-31",
- "comments": [
- "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
- "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
- ]
- }
- },
- "releases": [
- {
- "id": "25.11C",
- "published_date": "2025-12-01",
- "description": "No material changes to content; replaced references to \"standard\" with \"process\" or \"documentation\" as appropriate.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/ced2160b22455ed26a11bf697be8f0ae3e1e5dff/data/FRMR.ADS.authorization-data-sharing.json"
- },
- {
- "id": "25.11B",
- "published_date": "2025-11-24",
- "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.ADS.authorization-data-sharing.json"
- },
- {
- "id": "25.11A",
- "published_date": "2025-11-18",
- "description": "Updates for the FedRAMP 20x Phase Two pilot, including minor clarifications and improvements based on pilot feedback.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/e8c82f51ab77d760f5df340022a0ae1ab18f31ad/data/FRMR.ADS.authorization-data-sharing.json"
- },
- {
- "id": "25.10A",
- "published_date": "2025-10-17",
- "description": "Minor updates to improve clarity; switch from federal information to federal customer data; add impact level metadata; no substantive changes.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/e5a72fc4b1602e56a145b73e44a822e9ee2aa8bd/FRMR.ADS.authorization-data-sharing.json"
- },
- {
- "id": "25.08A",
- "published_date": "2025-08-24",
- "description": "Initial release of the Authorization Data Sharing Standard",
- "public_comment": true,
- "related_rfcs": [
- {
- "start_date": "2025-05-23",
- "end_date": "2025-06-22",
- "id": "0012",
- "url": "https://www.fedramp.gov/rfcs/0012/",
- "discussion_url": "https://github.com/FedRAMP/community/discussions/8",
- "short_name": "rfc-0011-standard-for-storing-and-sharing",
- "full_name": "FedRAMP RFC-0011: FedRAMP Pilot Standard for Storing and Sharing Authorization Data"
- }
- ],
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/b75d46bdb77d7d3a555be6e5c0fdf31f86edcdb1/FRMR.ADS.authorization-data-sharing.json"
- }
- ],
- "front_matter": {
- "authority": [
- {
- "reference": "44 USC \u00a7 3609 (a)(8)",
- "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities",
- "description": "The FedRAMP Authorization Act directs the Administrator of the General Services Administration to \"provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies...\"",
- "delegation": "This responsibility is delegated to the FedRAMP Director",
- "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"
- },
- {
- "reference": "OMB Memorandum M-24-15 on Modernizing FedRAMP",
- "reference_url": "https://www.fedramp.gov/docs/authority/m-24-15",
- "description": "Section 6 states that \"In general, to encourage both security and agility, Federal agencies should use the same infrastructure relied on by the rest of CSPs' commercial customer base.\""
- }
- ],
- "purpose": "Modern cloud services store and share security and compliance information in convenient repositories that allow customers to rapidly review security information and gain access to additional information as needed. These services often include automated integration with cloud service infrastructure to remove manual burden and ensure information is accurate and up to date.\n\nThis security and compliance information (including FedRAMP authorization data) is the intellectual property of the cloud service provider and is not _federal customer data_ in most cases.* The federal government benefits when the same security information is shared among all customers and even the public to ensure maximum transparency and accountability of cloud service providers.\n\nFedRAMP's Authorization Data Sharing process provides a process or mechanism for cloud service providers to store and share authorization data on their preferred platform of choice if it meets certain FedRAMP requirements.\n\nAt the initial release of this process there will not be many platforms that directly support the requirements in this process. FedRAMP anticipates this will change rapidly in response to market demand as platforms work to provide innovative solutions to these requirements.\n\n_* Providers with questions about this should consult with a lawyer who specializes in procurement law. Typically a contract with the government granting ownership of information is required to transfer ownership to the government._",
- "expected_outcomes": [
- "Cloud service providers will be able to manage authorization data in the same platforms used for commercial customers, reusing data as appropriate",
- "Federal agencies will be able to access necessary authorization data via API or other automated mechanisms integrated into agency authorization systems to simplify the burden of review and continuous monitoring",
- "Trust center providers and GRC automation tool providers will develop innovative solutions and improvements to ensure standardized automated data sharing and validation within the FedRAMP ecosystem"
- ]
- }
- },
- "FRR": {
- "ADS": {
- "base": {
- "id": "FRR-ADS",
- "application": "These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document.",
- "name": "Requirements & Recommendations",
- "requirements": [
- {
- "id": "FRR-ADS-01",
- "statement": "Providers MUST publicly share up-to-date information about the _cloud service offering_ in both human-readable and _machine-readable_ formats, including at least:",
- "affects": [
- "Providers"
- ],
- "name": "Public Information",
- "primary_key_word": "MUST",
- "following_information": [
- "Direct link to the FedRAMP Marketplace for the offering",
- "Service Model",
- "Deployment Model",
- "Business Category",
- "UEI Number",
- "Contact Information",
- "Overall Service Description",
- "Detailed list of specific services and their impact levels (see FRR-ADS-03)",
- "Summary of customer responsibilities and secure configuration guidance",
- "Process for accessing information in the _trust center_ (if applicable)",
- "Availability status and recent disruptions for the _trust center_ (if applicable)",
- "Customer support information for the _trust center_ (if applicable)"
- ],
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-02",
- "statement": "Providers MUST use automation to ensure information remains consistent between human-readable and _machine-readable_ formats when _authorization data_ is provided in both formats; Providers SHOULD generate human-readable and _machine-readable_ data from the same source at the same time OR generate human-readable formats directly from _machine-readable_ data.",
- "affects": [
- "Providers"
- ],
- "name": "Consistency Between Formats",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-03",
- "statement": "Providers MUST share a detailed list of specific services and their impact levels that are included in the _cloud service offering_ using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP authorization without requesting access to underlying _authorization data_.",
- "affects": [
- "Providers"
- ],
- "name": "Detailed Service List",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-04",
- "statement": "Providers MUST share _authorization data_ with all necessary parties without interruption, including at least FedRAMP, CISA, and agency customers. ",
- "affects": [
- "Providers"
- ],
- "name": "Uninterrupted Sharing",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-05",
- "statement": "Providers MUST provide sufficient information in _authorization data_ to support authorization decisions but SHOULD NOT include sensitive information that would _likely_ enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the _cloud service offering_. ",
- "affects": [
- "Providers"
- ],
- "name": "Responsible Information Sharing",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-06",
- "statement": "Providers of FedRAMP Rev5 Authorized _cloud service offerings_ MUST share _authorization data_ via the USDA Connect Community Portal UNLESS they use a FedRAMP-compatible _trust center_.",
- "affects": [
- "Providers"
- ],
- "name": "USDA Connect Community Portal",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-07",
- "statement": "Providers of FedRAMP 20x Authorized _cloud service offerings_ MUST use a FedRAMP-compatible _trust center_ to store and share _authorization data_ with all necessary parties.",
- "affects": [
- "Providers"
- ],
- "name": "FedRAMP-Compatible Trust Centers",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-08",
- "statement": "Providers MUST notify all necessary parties when migrating to a _trust center_ and MUST provide information in their existing USDA Connect Community Portal secure folders explaining how to use the _trust center_ to obtain _authorization data_.",
- "affects": [
- "Providers"
- ],
- "name": "Trust Center Migration Notification",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-09",
- "statement": "Providers MUST make historical versions of _authorization data_ available for three years to all necessary parties UNLESS otherwise specified by applicable FedRAMP requirements; deltas between versions MAY be consolidated quarterly.",
- "affects": [
- "Providers"
- ],
- "name": "Historical Authorization Data",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-10",
- "statement": "Providers SHOULD follow FedRAMP\u2019s best practices and technical assistance for sharing _authorization data_ where applicable.",
- "affects": [
- "Providers"
- ],
- "name": "Best Practices and Technical Assistance",
- "primary_key_word": "SHOULD",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- },
- "access_control": {
- "application": "These requirements for managing access apply to cloud service providers who establish FedRAMP-compatible _trust centers_ for storing and sharing _authorization data_.",
- "id": "FRR-ADS-AC",
- "name": "Access Control",
- "requirements": [
- {
- "id": "FRR-ADS-AC-01",
- "statement": "Providers MUST publicly provide plain-language policies and guidance for all necessary parties that explains how they can obtain and manage access to _authorization data_ stored in the _trust center_.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "name": "Public Guidance",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-AC-02",
- "statement": "Providers SHOULD share at least the _authorization package_ with prospective agency customers upon request and MUST notify FedRAMP within five business days if a prospective agency customer request is denied. ",
- "affects": [
- "Providers"
- ],
- "name": "Prospective Customer Access",
- "primary_key_word": "SHOULD",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- },
- "trust_center": {
- "application": "These requirements apply to FedRAMP-compatible _trust centers_ used to store and share _authorization data_.",
- "id": "FRR-ADS-TC",
- "name": "Trust Centers",
- "requirements": [
- {
- "id": "FRR-ADS-TC-01",
- "statement": "_Trust centers_ MUST be included as an _information resource_ included in the _cloud service offering_ for assessment if FRR-MAS-01 applies. ",
- "affects": [
- "Providers"
- ],
- "name": "Trust Center Assessment",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-TC-02",
- "statement": "_Trust centers_ SHOULD make _authorization data_ available to view and download in both human-readable and _machine-readable_ formats",
- "affects": [
- "Providers"
- ],
- "name": "Human and Machine-Readable",
- "primary_key_word": "SHOULD",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-TC-03",
- "statement": "_Trust centers_ MUST provide documented programmatic access to all _authorization data_, including programmatic access to human-readable materials.",
- "affects": [
- "Providers"
- ],
- "name": "Programmatic Access",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-TC-04",
- "statement": "_Trust centers_ SHOULD include features that encourage all necessary parties to provision and manage access to _authorization data_ for their users and services directly.",
- "affects": [
- "Providers"
- ],
- "name": "Self-Service Access Management",
- "primary_key_word": "SHOULD",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-TC-05",
- "statement": "_Trust centers_ MUST maintain an inventory and history of federal agency users or systems with access to _authorization data_ and MUST make this information available to FedRAMP without interruption. ",
- "affects": [
- "Providers"
- ],
- "name": "Access Inventory",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-TC-06",
- "statement": "_Trust centers_ MUST log access to _authorization data_ and store summaries of access for at least six months; such information, as it pertains to specific parties, SHOULD be made available upon request by those parties.",
- "affects": [
- "Providers"
- ],
- "name": "Access Logging",
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-ADS-TC-07",
- "statement": "_Trust centers_ SHOULD deliver responsive performance during normal operating conditions and minimize service disruptions.",
- "affects": [
- "Providers"
- ],
- "name": "Responsive Performance",
- "primary_key_word": "SHOULD",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- },
- "exceptions": {
- "application": "These exceptions MAY override some or all of the FedRAMP requirements for this standard.",
- "id": "FRR-ADS-EX",
- "name": "Exceptions",
- "requirements": [
- {
- "id": "FRR-ADS-EX-01",
- "statement": "Providers of FedRAMP Rev5 Authorized _cloud service offerings_ at FedRAMP High using a legacy self-managed repository for _authorization data_ MAY ignore the requirements in this Authorization Data Sharing document until future notice.",
- "affects": [
- "Providers"
- ],
- "name": "Legacy Self-Managed Repository Exception",
- "primary_key_word": "MAY",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- }
- }
- },
- "FRA": {
- "ADS": {
- "id": "FRA-ADS",
- "disclaimer": "Every cloud service provider is different, every architecture is different, and every environment is different. Best practices and technical assistance MUST NOT be used as a checklist. All examples are for discussion purposes ONLY.",
- "purpose": "This Technical Assistance helps stakeholders understand the intent behind the requirements in the FedRAMP Authorization Data Sharing process.",
- "requirements": [
- {
- "id": "FRA-ADS-04",
- "applies_to": "FRR-ADS-04",
- "statement": "\"Without interruption\" means that parties should not have to request manual approval each time they need to access _authorization data_ or go through a complicated process. The preferred way of ensuring access without interruption is to use on-demand just-in-time access provisioning.",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRA-ADS-05",
- "applies_to": "FRR-ADS-05",
- "statement": "This is not a license to exclude accurate risk information, but specifics that would _likely_ lead to compromise should be abstracted. A breach of confidentiality with _authorization data_ should be anticipated by a secure cloud service provider.",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "examples": [
- {
- "id": "Examples of unnecessary sensitive information in _authorization data_",
- "key_tests": [
- "Passwords, API keys, access credentials, etc.",
- "Excessive detail about methodology that exposes weaknesses",
- "Personally identifiable information about employees"
- ],
- "examples": [
- "DON'T: \"In an emergency, an administrator with physical access to a system can log in using \"secretadmin\" with the password \"pleasewutno\"\" DO: \"In an emergency, administrators with physical access can log in directly.\"",
- "DON'T: \"All backup MFA credentials are stored in a SuperSafe Series 9000 safe in the CEOs office.\" DO: \"All backup MFA credentials are stored in a UL Class 350 safe in a secure location with limited access.\"",
- "DON'T: \"During an incident, the incident response team lead by Jim Smith (555-0505) will open a channel at the conference line (555-0101 #97808 passcode 99731)...\" DO: \"During an incident, the incident response team will coordinate over secure channels.\""
- ]
- }
- ]
- }
- ]
- }
- }
-}
\ No newline at end of file
diff --git a/FRMR.CCM.collaborative-continuous-monitoring.json b/FRMR.CCM.collaborative-continuous-monitoring.json
deleted file mode 100644
index 555937d..0000000
--- a/FRMR.CCM.collaborative-continuous-monitoring.json
+++ /dev/null
@@ -1,471 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "FedRAMP.schema.json",
- "info": {
- "name": "Collaborative Continuous Monitoring",
- "short_name": "CCM",
- "effective": {
- "rev5": {
- "is": "optional",
- "signup_url": "https://docs.google.com/forms/d/e/1FAIpQLSeFTHtUjXCmAUprCGrMLpgaN2kmL08EluzHvnTzAC4lTCfEVg/viewform",
- "current_status": "Open Beta",
- "start_date": "2026-02-02",
- "end_date": "2026-05-22",
- "comments": [
- "**Providers MUST notify FedRAMP of intent to participate in the Collaborative Continuous Monitoring Rev5 Open Beta by submitting a sign-up form to FedRAMP.**",
- "Rev5 Authorized providers MAY adopt this process beginning February 2, 2026 as part of the Open Beta.",
- "Providers MUST plan to address all requirements and recommendations in this process by the end of the Open Beta on May 22, 2026.",
- "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's participation in this beta.",
- "FedRAMP recommends that participants in the Collaborative Continuous Mounting beta also adopt the Vulnerability Detection and Response process and the Significant Change Notifications process."
- ]
- },
- "20x": {
- "is": "required",
- "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
- "current_status": "Phase 2 Pilot",
- "start_date": "2025-11-18",
- "end_date": "2026-03-31",
- "comments": [
- "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
- "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
- ]
- }
- },
- "releases": [
- {
- "id": "25.11C",
- "published_date": "2025-12-01",
- "description": "No material changes to content; replaced references to \"standard\" with \"process\" or \"documentation\" as appropriate.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/ced2160b22455ed26a11bf697be8f0ae3e1e5dff/data/FRMR.CCM.collaborative-continuous-monitoring.json"
- },
- {
- "id": "25.11B",
- "published_date": "2025-11-24",
- "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.CCM.collaborative-continuous-monitoring.json"
- },
- {
- "id": "25.11A",
- "published_date": "2025-11-18",
- "description": "Initial release of the Collaborative Continuous Monitoring Standard (CCM) for the FedRAMP 20x Phase Two pilot.",
- "public_comment": true,
- "related_rfcs": [
- {
- "start_date": "2025-09-15",
- "end_date": "1900-01-01",
- "id": "0016",
- "url": "https://www.fedramp.gov/rfcs/0016/",
- "discussion_url": "https://github.com/FedRAMP/community/discussions/87",
- "short_name": "rfc-0016-collaborative-continuous-monitoring",
- "full_name": "FedRAMP RFC-0016: Collaborative Continuous Monitoring Standard"
- }
- ],
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/e8c82f51ab77d760f5df340022a0ae1ab18f31ad/data/FRMR.CCM.collaborative-continuous-monitoring.json"
- }
- ],
- "front_matter": {
- "authority": [
- {
- "reference": "OMB Circular A-130: Managing Information as a Strategic Resource",
- "reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf",
- "description": "section 4 (c) states that agencies SHALL \"conduct and document security and privacy control assessments prior to the operation of an information system, and periodically thereafter, consistent with the frequency defined in the agency information security continuous monitoring (ISCM) and privacy continuous monitoring (PCM) strategies and the agency risk tolerance\""
- },
- {
- "reference": "The FedRAMP Authorization Act (44 USC \u00a7 3609 (a)(1))",
- "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities",
- "description": "directs the Administrator of the General Services Administration to \"develop, coordinate, and implement a process \u2026 including, as appropriate, oversight of continuous monitoring of cloud computing products and services\""
- }
- ],
- "purpose": "Agencies are required to continuously monitor all of their information systems following a documented process integrated into their Information Security Continuous Monitoring (ISCM) strategy. These strategies are specific to each agency and may even vary at the bureau, component, or information system levels.\n\nThe concept behind collaborative continuous monitoring is unique to government customers and creates a burden for commercial cloud service providers. This process attempts to minimize this burden by encouraging the use of automated monitoring and review of authorization data required by other FedRAMP standards and limiting the expected human interaction costs for cloud service providers and agencies. Agencies are expected to use information from the cloud service provider collaboratively in accordance with their agency ISCM strategy without blocking other agencies from making their own risk-based decisions about ongoing authorization.",
- "expected_outcomes": [
- "Cloud service providers will operate their services and share additional information with agency customers to ensure they can meet their responsibilities and obligations for safely and securely operating the service",
- "Federal agencies will have streamlined access to the information they actually need to make ongoing security and authorization decisions while having support from government-wide policies that demonstrate the different responsibilities and obligations for operating cloud services"
- ]
- }
- },
- "FRR": {
- "CCM": {
- "base": {
- "id": "FRR-CCM",
- "application": "These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document.",
- "name": "Requirements & Recommendations",
- "requirements": [
- {
- "id": "FRR-CCM-01",
- "statement": "Providers MUST make an _Ongoing Authorization Report_ available to _all necessary parties_ every 3 months, in a consistent format that is human readable, covering the entire period since the previous summary; this report MUST include high-level summaries of at least the following information:",
- "name": "Ongoing Authorization Reports",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "following_information": [
- "Changes to _authorization data_",
- "Planned changes to _authorization data_ during at least the next 3 months",
- "_Accepted vulnerabilities_",
- "_Transformative_ changes",
- "Updated recommendations or best practices for security, configuration, usage, or similar aspects of the _cloud service offering_"
- ]
- },
- {
- "id": "FRR-CCM-02",
- "statement": "Providers SHOULD establish a regular 3 month cycle for _Ongoing Authorization Reports_ that is spread out from the beginning, middle, or end of each quarter.",
- "name": "Avoiding Simultaneous Reports",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD",
- "note": "This recommendation is intended to discourage hundreds of cloud service providers from releasing their _Ongoing Authorization Reports_ during the first or last week of each quarter because that is the easiest way for a single provider to track this deliverable; the result would overwhelm agencies with many cloud services. Widely used cloud service providers are encouraged to work with their customers to identify ideal timeframes for this cycle."
- },
- {
- "id": "FRR-CCM-03",
- "statement": "Providers MUST publicly include the target date for their next _Ongoing Authorization Report_ with the _authorization data_ required by FRR-ADS-01.",
- "name": "Public Next Report Date",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-CCM-04",
- "statement": "Providers MUST establish and share an asynchronous mechanism for _all necessary parties_ to provide feedback or ask questions about each _Ongoing Authorization Report_.",
- "name": "Feedback Mechanism",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-CCM-05",
- "statement": "Providers MUST maintain an anonymized and desensitized summary of the feedback, questions, and answers about each _Ongoing Authorization Report_ as an addendum to the _Ongoing Authorization Report_.",
- "name": "Anonymized Feedback Summary",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "note": "This is intended to encourage sharing of information and decrease the burden on the cloud service provider - providing this summary will reduce duplicate questions from _agencies_ and ensure FedRAMP has access to this information. It is generally in the provider\u2019s interest to update this addendum frequently throughout the quarter."
- },
- {
- "id": "FRR-CCM-06",
- "statement": "Providers MUST NOT irresponsibly disclose sensitive information in an _Ongoing Authorization Report_ that would _likely_ have an adverse effect on the _cloud service offering_.",
- "name": "Protect Sensitive Information",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": ["Providers"],
- "primary_key_word": "MUST NOT"
- },
- {
- "id": "FRR-CCM-07",
- "statement": "Providers MAY responsibly share some or all of the information an _Ongoing Authorization Report_ publicly or with other parties if the provider determines doing so will NOT _likely_ have an adverse effect on the _cloud service offering_.",
- "name": "Responsible Public Sharing",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": ["Providers"],
- "primary_key_word": "MAY"
- }
- ]
- },
- "quarterly_reviews": {
- "application": "These requirements and recommendations apply to providers hosting synchronous _Quarterly Reviews_ with all agencies.",
- "id": "FRR-CCM-QR",
- "name": "Quarterly Reviews",
- "requirements": [
- {
- "id": "FRR-CCM-QR-01",
- "statement": "Providers SHOULD host a synchronous _Quarterly Review_ every 3 months, open to _all necessary parties_, to review aspects of the most recent _Ongoing Authorization Reports_ that the provider determines are of the most relevance to _agencies_; providers who do not host _Quarterly Reviews_ MUST clearly state this and explain this decision in the _authorization data_ available to all _necessary parties_ required by FRR-ADS-06 and FRR-ADS-07",
- "name": "Quarterly Review Hosting",
- "impact": {
- "low": true,
- "moderate": false,
- "high": false
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-CCM-QR-02",
- "statement": "Providers MUST host a synchronous _Quarterly Review_ every 3 months, open to _all necessary parties_, to review aspects of the most recent _Ongoing Authorization Reports_ that the provider determines are of the most relevance to _agencies_.",
- "name": "Quarterly Review",
- "impact": {
- "low": false,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-CCM-QR-03",
- "statement": "Providers SHOULD regularly schedule _Quarterly Reviews_ to occur at least 3 business days after releasing an _Ongoing Authorization Report_ AND within 10 business days of such release.",
- "name": "Review Scheduling Window",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-CCM-QR-04",
- "statement": "Providers MUST NOT irresponsibly disclose sensitive information in a _Quarterly Review_ that would _likely_ have an adverse effect on the _cloud service offering_.",
- "name": "No Irresponsible Disclosure",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST NOT"
- },
- {
- "id": "FRR-CCM-QR-05",
- "statement": "Providers MUST include either a registration link or a downloadable calendar file with meeting information for _Quarterly Reviews_ in the _authorization data_ available to all _necessary parties_ required by FRR-ADS-06 and FRR-ADS-07.",
- "name": "Meeting Registration Info",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-CCM-QR-06",
- "statement": "Providers MUST publicly include the target date for their next _Quarterly Review_ with the _authorization data_ required by FRR-ADS-01.",
- "name": "Next Review Date",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-CCM-QR-07",
- "statement": "Providers SHOULD include additional information in _Quarterly Reviews_ that the provider determines is of interest, use, or otherwise relevant to _agencies_.",
- "name": "Additional Content",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-CCM-QR-08",
- "statement": "Providers SHOULD NOT invite third parties to attend _Quarterly Reviews_ intended for _agencies_ unless they have specific relevance.",
- "name": "Restrict Third Parties",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD NOT",
- "note": "This is because _agencies_ are less likely to actively participate in meetings with third parties; the cloud service provider's independent assessor should be considered relevant by default."
- },
- {
- "id": "FRR-CCM-QR-09",
- "statement": "Providers SHOULD record or transcribe _Quarterly Reviews_ and make such available to _all necessary parties_ with other _authorization data_ required by FRR-ADS-06 and FRR-ADS07.",
- "name": "Record/Transcribe Reviews",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-CCM-QR-10",
- "statement": "Providers MAY responsibly share recordings or transcriptions of _Quarterly Reviews_ with the public or other parties ONLY if the provider removes all _agency_ information (comments, questions, names, etc.) AND determines sharing will NOT _likely_ have an adverse effect on the _cloud service offering_.",
- "name": "Share Recordings Responsibly",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MAY"
- },
- {
- "id": "FRR-CCM-QR-11",
- "statement": "Providers MAY responsibly share content prepared for a _Quarterly Review_ with the public or other parties if the provider determines doing so will NOT _likely_ have an adverse effect on the _cloud service offering_.",
- "name": "Share Content Responsibly",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MAY"
- }
- ]
- },
- "agencies": {
- "application": "This section includes requirements and recommendations for _agencies_ who are using FedRAMP Authorized cloud services based on statute and policy directives from OMB that apply to _agencies_.",
- "id": "FRR-CCM-AG",
- "name": "Agency Guidance",
- "requirements": [
- {
- "id": "FRR-CCM-AG-01",
- "statement": "Agencies MUST review each _Ongoing Authorization Report_ to understand how changes to the _cloud service offering_ may impact the previously agreed-upon risk tolerance documented in the _agency's_ Authorization to Operate of a federal information system that includes the _cloud service offering_ in its boundary.",
- "name": "Review Ongoing Reports",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Agencies"
- ],
- "primary_key_word": "MUST",
- "note": "This is required by 44 USC \u00a7 35, OMB A-130, FIPS-200, and M-24-15."
- }, - { - "id": "FRR-CCM-AG-02", - "statement": "Agencies SHOULD consider the Security Category noted in their Authorization to Operate of the federal information system that includes the _cloud service offering_ in its boundary and assign appropriate information security resources for reviewing _Ongoing Authorization Reports_, attending _Quarterly Reviews_, and other ongoing _authorization data_.", - "name": "Consider Security Category", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Agencies" - ], - "primary_key_word": "SHOULD" - }, - { - "id": "FRR-CCM-AG-03", - "statement": "Agencies SHOULD designate a senior information security official to review _Ongoing Authorization Reports_ and represent the agency at _Quarterly Reviews_ for _cloud service offerings_ included in agency information systems with a Security Category of High.", - "name": "Senior Security Reviewer", - "impact": { - "low": false, - "moderate": false, - "high": true - }, - "affects": [ - "Agencies" - ], - "primary_key_word": "SHOULD" - }, - { - "id": "FRR-CCM-AG-04", - "statement": "Agencies SHOULD formally notify the provider if the information presented in an _Ongoing Authorization Report_, _Quarterly Review_, or other ongoing _authorization data_ causes significant concerns that may lead the _agency_ to remove the _cloud service offering_ from operation.", - "name": "Notify Provider of Concerns", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Agencies" - ], - "primary_key_word": "SHOULD" - }, - { - "id": "FRR-CCM-AG-05", - "statement": "Agencies MUST notify FedRAMP by sending a notification to info@fedramp.gov if the information presented in an _Ongoing Authorization Report_, _Quarterly Review_, or other ongoing _authorization data_ causes significant concerns that may lead the _agency_ to stop operation of the _cloud service offering_.", - "name": "Notify FedRAMP of Concerns", - "impact": { - "low": true, - 
"moderate": true, - "high": true - }, - "affects": [ - "Agencies" - ], - "primary_key_word": "MUST", - "note": "Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a)." - }, - { - "id": "FRR-CCM-AG-06", - "statement": "Agencies MUST NOT place additional security requirements on cloud service providers beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such; this does not apply to seeking clarification or asking general questions about _authorization data_.", - "name": "No Additional Requirements", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": ["Agencies"], - "primary_key_word": "MUST NOT", - "note": "This is a statutory requirement in 44 USC \u00a7 3613 (e) related to the Presumption of Adequacy for a FedRAMP authorization." - }, - { - "id": "FRR-CCM-AG-07", - "statement": "Agencies MUST inform FedRAMP after requesting any additional information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to info@fedramp.gov.", - "name": "Notify FedRAMP After Requests", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Agencies" - ], - "primary_key_word": "MUST", - "note": "Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a)." - } - ] - } - } - } -} \ No newline at end of file diff --git a/FRMR.FRD.fedramp-definitions.json b/FRMR.FRD.fedramp-definitions.json deleted file mode 100644 index 31918c4..0000000 --- a/FRMR.FRD.fedramp-definitions.json +++ /dev/null 
@@ -1,586 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "FedRAMP.schema.json", - "info": { - "name": "FedRAMP Definitions", - "short_name": "FRD", - "effective": { - "rev5": { - "is": "optional", - "signup_url": "", - "current_status": "Wide Release", - "start_date": "2025-09-01", - "end_date": "2027-12-22", - "comments": [ - "Rev5 Authorized providers MUST apply these definitions for Rev5 Balance Improvement Release materials; these definitions do not always apply in legacy Rev5 materials." - ] - }, - "20x": { - "is": "required", - "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", - "current_status": "Phase 2 Pilot", - "start_date": "2025-11-18", - "end_date": "2026-03-31", - "comments": [ - "FedRAMP 20x pilot participants MUST apply these definitions to all FedRAMP 20x requirements and recommendations." - ] - } - }, - "releases": [ - { - "id": "25.11C", - "published_date": "2025-12-01", - "description": "No material changes to content; replaced references to \"standard\" with \"process\" or \"documentation\" as appropriate.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/ced2160b22455ed26a11bf697be8f0ae3e1e5dff/data/FRMR.FRD.fedramp-definitions.json" - }, - { - "id": "25.11B", - "published_date": "2025-11-24", - "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.FRD.fedramp-definitions.json" - }, - { - "id": "25.11A", - "published_date": "2025-11-18", - "description": "Updates and new definitions added for the FedRAMP 20x Phase Two pilot.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/f10df15d0dfb152cb736a26a7ddda8927011696e/FRMR.FRD.fedramp-definitions.json" - }, - { - 
"id": "25.10A", - "published_date": "2025-10-17", - "description": "Minor updates to improve clarity; switch from federal information to federal customer data; no substantive changes.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/f87a80592cd744b9d3459b5f24c2b7592ddf844b/FRMR.FRD.fedramp-definitions.json" - }, - { - "id": "25.09A", - "published_date": "2025-09-10", - "description": "Added FRD-ALL-18 through FRD-ALL-39 aligned with the Vulnerability Detection and Response process.", - "public_comment": true, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/b896bbb8bded38e118320d3c442fd2f1e531514c/FRMR.FRD.fedramp-definitions.json" - } - ], - "front_matter": { - "authority": [ - { - "reference": "FedRAMP Authorization Act (44 USC \u00a7 3608)", - "reference_url": "http://fedramp.gov/docs/authority/law/#sec-3608-federal-risk-and-authorization-management-program", - "description": "requires that the Administrator of the General Services Administration shall \"establish a Government- wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies\"", - "delegation": "These responsibilities are delegated to the FedRAMP Director", - "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" - } - ], - "purpose": "This document consolidates formal FedRAMP definitions for terms used in FedRAMP 20x processes and documentation.", - "expected_outcomes": [ - "All stakeholders will have a common understanding of key terms used in FedRAMP 20x processes." 
- ] - } - }, - "FRD": { - "ALL": [ - { - "id": "FRD-ALL-01", - "term": "Federal Customer Data", - "alts": [ - "federal customer data" - ], - "definition": "All electronic information, content, and materials that an _agency_ or its authorized users upload, store, or otherwise provide to a cloud service for processing or storage. This does NOT include account information, service metadata, analytics, telemetry, or other similar metadata generated by the cloud service provider.", - "note": "In the context of FedRAMP authorization, \"federal customer data\" ONLY ever refers to data owned by federal agency customers. Agreements and contracts with specific _agencies_ may require providers to protect additional data or even transfer ownshership of telemetry or usage data to the _agency_; always consult a lawyer that is familiar with company agreements and contracts when determining the scope of federal customer data." - }, - { - "id": "FRD-ALL-02", - "term": "Information Resource", - "alts": [ - "information resource", - "information resources" - ], - "definition": "Has the meaning from 44 USC \u00a7 3502 (6): \"information and related resources, such as personnel, equipment, funds, and information technology.\" This includes any aspect of the _cloud service offering_, both technical and managerial, including everything that makes up the business of the offering from non-_machine-based_ _information resources_ like organizational policies, procedures, employees, etc. 
to _machine-based_ _information resources_ like hardware, software, cloud services, code, etc.", - "note": "_Information resources_ are either _machine-based_ or non-_machine-based_; any requirement or recommendation that references _information resources_ without specifying a type is inclusive of all _information resources_.", - "reference": "44 USC \u00a7 3502 (6)", - "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502" - }, - { - "id": "FRD-ALL-03", - "term": "Handle", - "alts": [ - "handle", - "handles", - "handled", - "handling" - ], - "definition": "Has the plain language meaning inclusive of any possible action taken with information, such as access, collect, control, create, display, disclose, disseminate, dispose, maintain, manipulate, process, receive, review, store, transmit, use... etc." - }, - { - "id": "FRD-ALL-04", - "term": "Likely", - "alts": [ - "likely", - "likelihood" - ], - "definition": "A reasonable degree of probability based on context." - }, - { - "id": "FRD-ALL-05", - "term": "Third-party Information Resource", - "alts": [ - "third-party information resource", - "third-party information resources" - ], - "definition": "Any _information resource_ that is not entirely included in the assessment for the _cloud service offering_ seeking authorization." - }, - { - "id": "FRD-ALL-06", - "term": "Cloud Service Offering", - "alts": [ - "cloud service offering", - "cloud service offerings" - ], - "definition": "A specific, packaged cloud computing product or service provided by a cloud service provider that can be used by a customer. FedRAMP assessment and authorization of the cloud computing product or service is based on the Minimum Assessment Scope." 
- }, - { - "id": "FRD-ALL-07", - "term": "Regularly", - "alts": [ - "regularly", - "regular" - ], - "definition": "Performing the activity on a consistent, predictable, and repeated basis, at set intervals, automatically if possible, following a documented plan. These intervals may vary as appropriate between different requirements." - }, - { - "id": "FRD-ALL-08", - "term": "Significant change", - "alts": [ - "significant change", - "significant changes" - ], - "definition": "Has the meaning given in NIST SP 800-37 Rev. 2 which is \"a change that is _likely_ to substantively affect the security or privacy posture of a system.\"", - "reference": "NIST SP 800-37 Rev. 2", - "reference_url": "https://csrc.nist.gov/pubs/sp/800/37/r2/final" - }, - { - "id": "FRD-ALL-09", - "term": "Routine Recurring", - "alts": [ - "routine recurring" - ], - "definition": "The type of _significant change_ that _regularly_ and routinely recurs as part of ongoing operations, vulnerability mitigation, or vulnerability remediation." - }, - { - "id": "FRD-ALL-10", - "term": "Adaptive", - "alts": [ - "adaptive" - ], - "definition": "The type of _significant change_ that does not routinely recur but does not introduce substantive potential security risks that need to be assessed in depth.", - "note": "Adaptive changes typically require careful planning that focuses on engineering execution instead of customer adoption, can be verified with minor changes to existing automated validation procedures, and do not require large changes to operational procedures, deployment plans, or documentation." 
- }, - { - "id": "FRD-ALL-11", - "term": "Transformative", - "alts": [ - "transformative" - ], - "definition": "The type of _significant change_ that introduces substantive potential security risks that are _likely_ to affect existing risk determinations and must be assessed in depth.", - "note": "Transformative changes typically introduce major features or capabilities that may change how a customer uses the service (in whole or in part) and require extensive updates to security assessments, operational procedures, deployment plans, and documentation." - }, - { - "id": "FRD-ALL-12", - "term": "Impact Categorization", - "alts": [ - "impact categorization" - ], - "definition": "The type of _significant change_ that is _likely_ to increase or decrease the impact level categorization for the entire cloud service offering (e.g. from low to moderate or from high to moderate)." - }, - { - "id": "FRD-ALL-13", - "term": "Interim Requirement", - "definition": "A temporary requirement included as part of a FedRAMP Pilot or Beta Test that will _likely_ be replaced, updated, or removed prior to the formal wide release of the requirement." - }, - { - "id": "FRD-ALL-14", - "term": "Authorization Package", - "alts": ["authorization package", "authorization packages"], - "definition": "Has meaning from 44 USC \u00a7 3607 (b)(8) which is \"the essential information that can be used by an agency to determine whether to authorize the operation of an information system or the use of a designated set of common controls for all cloud computing products and services authorized by FedRAMP.\"", - "reference": "44 USC \u00a7 3607 (b)(8)", - "reference_url": "https://fedramp.gov/docs/authority/law/#b-additional-definitions", - "note": "In FedRAMP documentation, _authorization package_ always refers to a FedRAMP _authorization package_ unless otherwise specified." 
- }, - { - "id": "FRD-ALL-15", - "term": "Authorization data", - "alts": [ - "authorization data" - ], - "definition": "The collective information required by FedRAMP for initial and ongoing assessment and authorization of a _cloud service offering_, including the _authorization package_. ", - "note": "In FedRAMP documentation, _authorization data_ always refers to FedRAMP _authorization data_ unless otherwise specified." - }, - { - "id": "FRD-ALL-16", - "term": "Trust Center", - "alts": [ - "trust center", - "trust centers" - ], - "definition": "A secure repository or service used by cloud service providers to store and share _authorization data_. _Trust centers_ are the complete and definitive source for _authorization data_ and must meet the requirements outlined in the FedRAMP Authorization Data Sharing process to be FedRAMP-compatible.", - "note": "In FedRAMP documentation, all references to _trust centers_ indicate FedRAMP-compatible _trust centers_ unless otherwise specified." - }, - { - "id": "FRD-ALL-17", - "term": "Machine-Readable", - "alts": [ - "machine-readable" - ], - "definition": "Has the meaning from 44 U.S. Code \u00a7 3502 (18) which is \"the term \"_machine-readable_\", when used with respect to data, means data in a format that can be easily processed by a computer without human intervention while ensuring no semantic meaning is lost\"", - "reference": "44 U.S. Code \u00a7 3502 (18)", - "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502" - }, - { - "id": "FRD-ALL-18", - "term": "All Necessary Parties", - "alts": [ - "all necessary parties" - ], - "definition": "All entities whose interests are affected directly by activity related to a specific _cloud service offering_ in the context of a FedRAMP authorization. 
This always includes FedRAMP and any _agency_ customer who is operating the _cloud service offering_, but may include additional parties depending on agreements made by the cloud service provider (such as consultants or third-party assessors). Potential _agency_ customers or third-party cloud service providers should also be included in most cases but this is not a mandatory requirement under FedRAMP as ultimately the cloud service provider may choose who they wish to do business with." - }, - { - "id": "FRD-ALL-19", - "term": "Agency", - "alts": [ - "agency", - "agencies" - ], - "definition": "Has the meaning given in 44 U.S. Code \u00a7 3502 (1), which is \"any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include\u2014(A) the Government Accountability Office; (B) Federal Election Commission; (C) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (D) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.\"", - "reference": "44 U.S. Code \u00a7 3502 (1)", - "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502" - }, - { - "id": "FRD-ALL-20", - "term": "Vulnerability", - "alts": [ - "vulnerability", - "vulnerabilities" - ], - "definition": "Has the meaning given to \"security vulnerability\" in 6 USC \u00a7 650 (25), which is \"any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of [...] 
management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.\" This includes gaps in Rev5 controls and 20x Key Security Indicators, software vulnerabilities, misconfigurations, exposures, weak credentials, insecure services, and all other such potential weaknesses in protection (intentional or unintentional).", - "reference": "6 USC \u00a7 650 (25)", - "reference_url": "https://www.govinfo.gov/app/details/USCODE-2024-title6/USCODE-2024-title6-chap1-subchapXVIII-sec650" - }, - { - "id": "FRD-ALL-21", - "term": "Vulnerability Detection", - "alts": [ - "vulnerability detection", - "detect vulnerabilities", - "detect", - "detection", - "detected" - ], - "definition": "The systematic process of discovering and identifying security vulnerabilities in _information resources_ through assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other capabilities. This process includes the initial discovery of a _vulnerability's_ existence and the determination of affected _information resources_ within a _cloud service offering._", - "note": "This definition applies to other forms such as \"detect vulnerabilities\" or simply \"detection\" / \"detected\" used in FedRAMP materials." - }, - { - "id": "FRD-ALL-22", - "term": "Vulnerability Response", - "alts": [ - "vulnerability response", - "respond to vulnerabilities", - "respond", - "response", - "responded" - ], - "definition": "The systematic process of tracking, evaluating, mitigating, monitoring, remediating, assessing exploitation, reporting, and otherwise managing _detected vulnerabilities_.", - "note": "This definition applies to other forms such as \"respond to vulnerabilities\" or simply \"response\" / \"responded\" used in FedRAMP materials." 
- }, - { - "id": "FRD-ALL-23", - "term": "Likely Exploitable Vulnerability (LEV)", - "alts": [ - "likely exploitable vulnerability", - "likely exploitable vulnerabilities", - "LEV", - "LEVs", - "NLEV", - "NLEVs" - ], - "definition": "A vulnerability that is not _fully mitigated_, AND is reachable by a _likely_ threat actor, AND a _likely_ threat actor with knowledge of the _vulnerability_ would likely be able to gain unauthorized access, cause harm, disrupt operations, or otherwise have an undesired adverse impact within the _cloud service offering_ by exploiting the _vulnerability_.", - "notes": [ - "The opposite of this is a \"Not Likely Exploitable Vulnerability\" (NLEV).", - "At the absolute minimum, any _vulnerability_ that an automated unauthenticated system can exploit over the internet is a _likely exploitable vulnerability_." - ] - }, - { - "id": "FRD-ALL-24", - "term": "Internet-Reachable Vulnerability (IRV)", - "alts": [ - "internet-reachable vulnerability", - "internet-reachable vulnerabilities", - "IRV", - "IRVs", - "NIRV", - "NIRVs" - ], - "definition": "A _vulnerability_ in a machine-based _information resource_ that might be exploited or otherwise triggered by a payload originating from a source on the public internet; this includes machine-based _information resources_ that have no direct route to/from the internet but receive payloads or otherwise take action triggered by internet activity.", - "notes": [ - "The opposite of this is a \"Not Internet-reachable Vulnerability\" (NIRV).", - "Internet-reachability applies only to the specific vulnerable machine-based _information resources_ processing the payload; please review the relevant FedRAMP technical assistance on _internet-reachable vulnerabilities_ for examples." 
- ] - }, - { - "id": "FRD-ALL-25", - "term": "Known Exploited Vulnerability (KEV)", - "alts": [ - "known exploited vulnerability", - "known exploited vulnerabilities", - "KEV", - "KEVs" - ], - "definition": "Has the meaning given in CISA Binding Operational Directive 22-01, which is any _vulnerability_ identified in CISA's Known Exploited Vulnerabilities catalog.", - "reference": "CISA BOD 22-01", - "reference_url": "https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities" - }, - { - "id": "FRD-ALL-26", - "term": "Remediated Vulnerability", - "alts": [ - "remediated vulnerability", - "remediated vulnerabilities" - ], - "definition": "A _vulnerability_ that has been neutralized or eliminated and is no longer _detected_." - }, - { - "id": "FRD-ALL-27", - "term": "Partially Mitigated Vulnerability", - "alts": [ - "partially mitigated vulnerability", - "partially mitigated vulnerabilities" - ], - "definition": "A _vulnerability_ where the likelihood or _potential adverse impact_ of exploitation has been reduced from the original evaluation but the risk of exploitation still exists and the _vulnerability_ is still _detected_." - }, - { - "id": "FRD-ALL-28", - "term": "Fully Mitigated Vulnerability", - "alts": [ - "fully mitigated vulnerability", - "fully mitigated vulnerabilities" - ], - "definition": "A _vulnerability_ where the likelihood of exploitation or _potential adverse impact_ of exploitation has been reduced from the original evaluation until either are negligible, but the _vulnerability_ is still _detected_." 
- }, - { - "id": "FRD-ALL-29", - "term": "False Positive Vulnerability", - "alts": [ - "false positive vulnerability", - "false positive vulnerabilities" - ], - "definition": "A _detected vulnerability_ that is not actually present in an exploitable state in the _information resource_; this includes situations where vulnerable software or code exist on an machine-based _information resource_ but are not loaded, running, or otherwise in an operating state required for exploitation.", - "note": "This only applies if the _vulnerability_ is not and was not present; a _remediated vulnerability_ or a _fully mitigated vulnerability_ cannot also be a _false positive vulnerability_." - }, - { - "id": "FRD-ALL-30", - "term": "Overdue Vulnerability", - "alts": [ - "overdue vulnerability", - "overdue vulnerabilities" - ], - "definition": "A _vulnerability_ that the provider intends to _fully mitigate_ or _remediate_ but has not or will not do so within the time frames recommended or required by FedRAMP.", - "note": "" - }, - { - "id": "FRD-ALL-31", - "term": "Accepted Vulnerability", - "alts": [ - "accepted vulnerability", - "accepted vulnerabilities" - ], - "definition": "A _vulnerability_ that the provider does not intend to _fully mitigate_ or _remediate_, OR that has not or will not be _fully mitigated_ or _remediated_ within the maximum overdue period recommended or required by FedRAMP." - }, - { - "id": "FRD-ALL-32", - "term": "Catastrophic Adverse Effect", - "alts": [ - "catastrophic adverse effect", - "catastrophic adverse effects" - ], - "definition": "A severe negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. 
At a minimum, this includes effects that would _likely_: (i) result in a severe degradation in the availability or performance of services within the _cloud service offering_ for 24+ hours; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a majority of the _federal customer data_ stored within the _cloud service offering_." - }, - { - "id": "FRD-ALL-33", - "term": "Serious Adverse Effect", - "alts": [ - "serious adverse effect", - "serious adverse effects" - ], - "definition": "A significant negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in intermittent or ongoing degradation in the availability or performance of services within the _cloud service offering_, causing unpredictable interruptions to operations for 12+ hours; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a minority of the _federal customer data_ stored within the _cloud service offering_." - }, - { - "id": "FRD-ALL-34", - "term": "Limited Adverse Effect", - "alts": [ - "limited adverse effect", - "limited adverse effects" - ], - "definition": "A minor negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in degradation of the availability or performance of services within the _cloud service offering_ for a minority of relevant users; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a small amount of the _federal customer data_ stored within the _cloud service offering_ by only a few relevant users." 
- }, - { - "id": "FRD-ALL-35", - "term": "Negligible Adverse Effect", - "alts": [ - "negligible adverse effect", - "negligible adverse effects" - ], - "definition": "A small negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in minor inconvenience when accessing or using services within the _cloud service offering_; OR (ii) result in degradation of the availability or performance of services within the _cloud service offering_ for only a few relevant users." - }, - { - "id": "FRD-ALL-36", - "term": "Potential Adverse Impact (of vulnerability exploitation)", - "alts": [ - "potential adverse impact", - "potential adverse impacts" - ], - "definition": "The estimated cumulative effect of unauthorized access, disruption, harm, or other adverse impact to agencies that _likely_ could result if a threat actor exploits a _vulnerability_ in the _cloud service offering_; as estimated following FedRAMP recommendations and requirements." - }, - { - "id": "FRD-ALL-37", - "term": "Promptly", - "alts": [ - "promptly", - "prompt" - ], - "definition": "Without Unnecessary Delay.", - "note": "The use of _promptly_ in FedRAMP materials frames conveys a need for urgent action where the expected time frame will vary by circumstance but earlier action is more likely to improve security outcomes and increase the security posture of a _cloud service offering_." - }, - { - "id": "FRD-ALL-38", - "term": "Persistently", - "alts": [ - "persistently", - "persistent" - ], - "definition": "Occurring in a firm, steady way that is repeated over a long period of time in spite of obstacles or difficulties. Persistent activities may vary between actors, may occur irregularly, and may include interruptions or waiting periods between cycles. 
These attributes of persistent activities should be intentional, understood, and documented; the status of persistent activities will always be known. ", - "note": "The use of _persistently_ indicates a process that may not always occur continuously (without interruption or gaps) or regularly (on a consistent, predictable basis) but will repeat frequently in cycles. It aligns generally with historical misuse of \"continuous\" in federal information security policies." - }, - { - "id": "FRD-ALL-39", - "term": "Drift", - "alts": [ - "drift", - "drifts", - "drifting" - ], - "definition": "Changes to _information resources_ that cause deviations from the intended and assessed state; common forms of drift include changes to configurations, deployed software, privileges, running processes, and availability." - }, - { - "id": "FRD-ALL-40", - "term": "Incident", - "alts": [ - "incident", - "incidents" - ], - "definition": "Has the meaning given in 44 USC \u00a7 3552 (b)(2) applied to federal customer data, which is \"an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of [federal customer data]; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies [related to federal customer data].\"", - "reference": "44 USC \u00a7 3552 (b)(2)", - "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapII-sec3552" - }, - { - "id": "FRD-ALL-41", - "term": "Top-level administrative account", - "alts": [ - "top-level administrative account", - "top-level administrative accounts" - ], - "definition": "The most privileged account with the highest level of access within a _cloud service offering_ for a customer organization, typically with complete control over all aspects of the _cloud service offering_, including managing resources, users, access, privileges, and the account 
itself.",
- "note": "Any references to _top-level administrative accounts_ in FedRAMP materials should be presumed to apply to top-level administrative roles or other similar capabilities that are used to assign _top-level administrative account_ privileges."
- },
- {
- "id": "FRD-ALL-42",
- "term": "Privileged account",
- "alts": [
- "privileged account",
- "privileged accounts"
- ],
- "definition": "An account with elevated privileges that enables administrative functions over some aspect of the _cloud service offering_ that may affect the confidentiality, integrity, or availability of information beyond those given to normal users; levels of privilege may vary wildly.",
- "note": "Any references to _privileged accounts_ in FedRAMP materials should be presumed to apply to privileged roles or other similar capabilities that are used to assign privileges to _privileged accounts_."
- },
- {
- "id": "FRD-ALL-43",
- "term": "Ongoing Authorization Report (OAR)",
- "alts": [
- "ongoing authorization report",
- "OAR",
- "OARs"
- ],
- "definition": "A _regular_ report that is supplied by FedRAMP Authorized cloud service providers to agency customers, aligned to the requirements and recommendations in the FedRAMP Collaborative Continuous Monitoring process."
- },
- {
- "id": "FRD-ALL-44",
- "term": "Quarterly Review",
- "alts": [
- "quarterly review",
- "quarterly reviews"
- ],
- "definition": "A _regular_ synchronous meeting hosted by a FedRAMP Authorized cloud service provider for agency customers, aligned to the requirements and recommendations in the FedRAMP Collaborative Continuous Monitoring process."
- },
- {
- "id": "FRD-ALL-45",
- "term": "FedRAMP Security Inbox",
- "alts": [
- "security inbox",
- "security inboxes",
- "FSI"
- ],
- "definition": "An email address that meets the requirements outlined in the FedRAMP Security Inbox requirements." 
- },
- {
- "id": "FRD-ALL-46",
- "term": "All Necessary Assessors",
- "alts": [
- "all necessary assessors"
- ],
- "definition": "All entities who participate in the FedRAMP assessment of a _cloud service offering_ in the context of a FedRAMP program authorization. This always includes FedRAMP and any FedRAMP recognized independent assessor contracted by the provider to perform a FedRAMP assessment.",
- "note": "This process identifies the requirements for an assessment and authorization performed by FedRAMP prior to any _agency_ use of the _cloud service offering_, therefore _agency_ assessment teams are not included in the FedRAMP assessment and authorization. The resulting FedRAMP authorization package will include all the materials _agency_ authorization teams need to assess the _cloud service offering_ for _agency_ use, including evidence. Program authorization is an authorization path defined in Section IV (c) of OMB Memorandum M-24-15."
- },
- {
- "id": "FRD-ALL-47",
- "term": "Persistent Validation",
- "alts": [
- "persistent validation",
- "persistently validate",
- "persistently validated",
- "validate",
- "validated",
- "validation"
- ],
- "definition": "The systematic and persistent process of validating that _information resources_ within a _cloud service offering_ are operating in a secure manner as expected by the goals and objectives outlined by the provider against FedRAMP Key Security Indicators."
- },
- {
- "id": "FRD-ALL-48",
- "term": "Initial FedRAMP Assessment",
- "alts": [
- "initial FedRAMP assessment",
- "IFRA"
- ],
- "definition": "The first full assessment of a _cloud service offering_ seeking FedRAMP authorization, coordinated by the provider with _all necessary assessors_, that results in a FedRAMP authorization." 
- },
- {
- "id": "FRD-ALL-49",
- "term": "Persistent FedRAMP Assessment",
- "alts": [
- "persistent FedRAMP assessment",
- "PFRA"
- ],
- "definition": "Follow-on assessments of a _cloud service offering_ focused on Key Security Indicators, coordinated by the provider with _all necessary assessors_, to maintain a FedRAMP authorization or change its _impact categorization_."
- },
- {
- "id": "FRD-ALL-50",
- "term": "Machine-Based (information resources)",
- "alts": [
- "machine-based",
- "machine based"
- ],
- "definition": "Any information technology _information resource_\u2014including systems, processes, software, hardware, services, cloud-native capabilities, and any other such capability, component, or resource\u2014that relies primarily on mechanical or electronic devices (i.e. computers) for operation.",
- "note": "All other _information resources_ that do not rely on computers are non-_machine-based_ _information resources_."
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/FRMR.FSI.fedramp-security-inbox.json b/FRMR.FSI.fedramp-security-inbox.json
deleted file mode 100644
index a324a0b..0000000
--- a/FRMR.FSI.fedramp-security-inbox.json
+++ /dev/null
@@ -1,330 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "FedRAMP.schema.json",
- "info": {
- "name": "FedRAMP Security Inbox",
- "short_name": "FSI",
- "effective": {
- "rev5": {
- "is": "required",
- "signup_url": "",
- "current_status": "Wide Release",
- "start_date": "2026-01-05",
- "end_date": "2027-12-22",
- "comments": [
- "These requirements apply after January 5, 2026, to all FedRAMP Rev5 cloud services that are listed in the FedRAMP Marketplace."
- ],
- "warnings": [
- "**FedRAMP will begin enforcement of this process after January 5, 2026 with an Emergency Test.**",
- "Beginning 2026-03-01, corrective action will include public notification that the provider is not meeting the expectations of this process.",
- "Beginning 2026-05-01, corrective action will include complete removal from the FedRAMP Marketplace.",
- "Beginning 2026-07-01, corrective action will include complete removal from the FedRAMP Marketplace and a ban on FedRAMP authorization for three months."
- ]
- },
- "20x": {
- "is": "required",
- "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
- "current_status": "Phase 2 Pilot",
- "start_date": "2025-11-18",
- "end_date": "2026-03-31",
- "comments": [
- "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
- "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review." 
- ]
- }
- },
- "releases": [
- {
- "id": "25.11C",
- "published_date": "2025-12-01",
- "description": "Fixed a typo in FRR-FSI-13; no changes to requirements/etc.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/f9ab33eb6457f6035b6e20cb13d900bdfb671d1d/data/FRMR.FSI.fedramp-security-inbox.json"
- },
- {
- "id": "25.11A",
- "published_date": "2025-11-18",
- "description": "Initial Release of the FedRAMP Security Inbox requirements for both 20x and Rev5.",
- "public_comment": true,
- "related_rfcs": [
- {
- "start_date": "2025-09-29",
- "end_date": "2025-11-14",
- "id": "0018",
- "url": "https://www.fedramp.gov/rfcs/0018/",
- "discussion_url": "https://github.com/FedRAMP/community/discussions/92",
- "short_name": "rfc-0018-fedramp-security-inbox",
- "full_name": "FedRAMP RFC-0018: Security Inbox Requirements"
- }
- ],
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a64c08e2aab10c1cc9b0076e5e773297e01ea59c/data/FRMR.FSI.fedramp-security-inbox.json"
- }
- ],
- "front_matter": {
- "authority": [
- {
- "reference": "OMB Memorandum M-24-15 on Modernizing FedRAMP",
- "reference_url": "https://www.fedramp.gov/docs/authority/m-24-15",
- "description": "section VII (a) (17) states that GSA must \"position FedRAMP as a central point of contact to the commercial cloud sector for Government-wide communications or requests for risk management information concerning commercial cloud providers used by Federal agencies.\""
- }
- ],
- "purpose": "FedRAMP must have a reliable way to directly contact security and compliance staff operating all FedRAMP Authorized cloud service offerings without tracking individual contacts or maintaining provider-specific logins to customer support portals. 
These requirements for a FedRAMP Security Inbox apply to all cloud service providers to ensure this direct reliable path remains open, especially in the event of critical security issues.\n\nThis set of requirements focus specifically on communication that comes from FedRAMP and includes three categories of communication:\n\n1. Emergency communications that will only be used during an emergency where response times are critical to protecting the confidentiality, integrity, and availability of federal customer data; this communication path will occasionally be tested by FedRAMP.\n\n2. Important communications that may require an elevated response due to a sensitive or potentially disruptive situation, typically related to ongoing authorization or other concerns.\n\n3. General communications that include all other messages from FedRAMP that may be managed by a cloud service provider following their standard operational process.\n\nAll Emergency and Important messages sent by FedRAMP will include specific actions, timeframes expected for action, and an explanation of the corrective actions that FedRAMP will take if the timeframes are not met. Failure to take timely action as required by Emergency communications will result in corrective action from FedRAMP.\n\nFedRAMP will conduct strictly controlled tests of response to emergency communications regularly and provide public notice of these tests in advance. 
The response times for these tests will be tracked by FedRAMP and made publicly available.\n\nThis set of requirements and recommendations include explicit requirements that FedRAMP will follow to ensure important communications or those sent during emergencies can be routed by cloud service providers separately from general communications.",
- "expected_outcomes": [
- "FedRAMP will follow a consistent and repeatable process to communicate with cloud service providers, especially when sending important or emergency messages.",
- "Cloud service providers will always receive messages from FedRAMP and prioritize the review and response to important or emergency messages."
- ]
- }
- },
- "FRR": {
- "FSI": {
- "base": {
- "id": "FRR-FSI",
- "name": "Requirements & Recommendations",
- "application": "These requirements apply ALWAYS to FedRAMP and ALL cloud services listed in the FedRAMP Marketplace based on the current Effective Date(s) and Overall Applicability of this document.",
- "requirements": [
- {
- "id": "FRR-FSI-01",
- "statement": "FedRAMP MUST send messages to cloud service providers using an official @fedramp.gov or @gsa.gov email address with properly configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) email authentication.",
- "name": "Verified Emails",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "FedRAMP"
- ],
- "note": "Anyone at GSA can send email from @fedramp.gov or @gsa.gov - FedRAMP team members will typically have \"FedRAMP\" or \"Q20B\" in their name but this is not universal or enforceable. The nature of government enterprise IT services makes it difficult for FedRAMP to isolate FedRAMP-specific team members with enforceable identifiers. 
", - "primary_key_word": "MUST" - }, - { - "id": "FRR-FSI-02", - "statement": "FedRAMP MUST convey the criticality of the message in the subject line using one of the following designators if the message requires an elevated response:", - "name": "Criticality Designators", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "FedRAMP" - ], - "primary_key_word": "MUST", - "following_information": [ - "**Emergency:** There is a potential incident or crisis such that FedRAMP requires an extremely urgent response; emergency messages will contain aggressive timeframes for response and failure to meet these timeframes will result in corrective action.", - "**Emergency Test:** FedRAMP requires an extremely urgent response to confirm the functionality and effectiveness of the FedRAMP Security Inbox; emergency test messages will contain aggressive timeframes for response and failure to meet these timeframes will result in corrective action.", - "**Important:** There is an important issue that FedRAMP requires the cloud service provider to address; important messages will contain reasonable timeframes for response and failure to meet these timeframes may result in corrective action." - ], - "note": "Messages sent by FedRAMP without one of these designators are considered general communications and do not require an elevated response; these may be resolved in the normal course of business by the cloud service provider." 
- },
- {
- "id": "FRR-FSI-03",
- "statement": "FedRAMP MUST send Emergency and Emergency Test designated messages from fedramp_security@gsa.gov OR fedramp_security@fedramp.gov.",
- "name": "Sender Addresses",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "FedRAMP"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-FSI-04",
- "statement": "FedRAMP MUST post a public notice at least 10 business days in advance of sending an Emergency Test message; such notices MUST include explanation of the _likely_ expected actions and timeframes for the Emergency Test message.",
- "name": "Public Notice of Emergency Tests",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "FedRAMP"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-FSI-05",
- "statement": "FedRAMP MUST clearly specify the required actions in the body of messages that require an elevated response.",
- "name": "Required Actions",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "FedRAMP"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-FSI-06",
- "statement": "FedRAMP MUST clearly specify the expected timeframe for completing required actions in the body of messages that require an elevated response; timeframes for actions will vary depending on the situation but the default timeframes to provide an estimated resolution time for Emergency and Emergency Test designated messages will be as follows:",
- "name": "Response Timeframes",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "FedRAMP"
- ],
- "primary_key_word": "MUST",
- "following_information": [
- "**High Impact:** within 12 hours",
- "**Moderate Impact:** by 3:00 p.m. Eastern Time on the 2nd business day",
- "**Low Impact:** by 3:00 p.m. 
Eastern Time on the 3rd business day"
- ],
- "note": "Note: High impact cloud service providers are expected to address Emergency messages (including tests) from FedRAMP with a response time appropriate to operating a service where failure to respond rapidly might have a severe or catastrophic adverse effect on the U.S. Government; some Emergency messages may require faster responses and all such messages should be addressed as quickly as possible."
- },
- {
- "id": "FRR-FSI-07",
- "statement": "FedRAMP MUST clearly specify the corrective actions that will result from failure to complete the required actions in the body of messages that require an elevated response; such actions may vary from negative ratings in the FedRAMP Marketplace to suspension of FedRAMP authorization depending on the severity of the event.",
- "name": "Corrective Actions",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "FedRAMP"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-FSI-08",
- "statement": "FedRAMP MAY track and publicly share the time required by cloud service providers to take the actions specified in messages that require an elevated response.",
- "name": "Response Metrics",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "FedRAMP"
- ],
- "primary_key_word": "MAY"
- },
- {
- "id": "FRR-FSI-09",
- "statement": "Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a _FedRAMP Security Inbox_ (FSI).",
- "name": "FedRAMP Security Inbox",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "notes": [
- "Unless otherwise notified, FedRAMP will use the listed Security E-mail on the Marketplace for these notifications.",
- "If a provider establishes a new inbox in response to this guidance that is different from the Security E-Mail then they must follow the requirements in 
FRR-FSI-12 to notify FedRAMP."
- ]
- },
- {
- "id": "FRR-FSI-10",
- "statement": "Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then _FedRAMP Security Inbox_ requirements no longer apply.",
- "name": "Receiving Messages",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-FSI-11",
- "statement": "Providers MUST receive and respond to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP.",
- "name": "Response",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": ["Providers"],
- "primary_key_word": "MUST",
- "note": "This requirement is intended to prevent cloud service providers from requiring FedRAMP to respond to a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the message." 
- },
- {
- "id": "FRR-FSI-12",
- "statement": "Providers MUST immediately notify FedRAMP of any changes in addressing for their _FedRAMP Security Inbox_ by emailing info@fedramp.gov with the name and FedRAMP ID of the cloud service offering and the updated email address.",
- "name": "Notification of Changes",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-FSI-13",
- "statement": "Providers SHOULD _promptly_ and automatically acknowledge the receipt of messages received from FedRAMP in their _FedRAMP Security Inbox_.",
- "name": "Acknowledgment of Receipt",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": ["Providers"],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-FSI-14",
- "statement": "Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message.",
- "name": "Required Response for Emergency Messages",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "note": "Timeframes may vary by impact level of the _cloud service offering_."
- },
- {
- "id": "FRR-FSI-15",
- "statement": "Providers MUST route Emergency designated messages sent by FedRAMP to a senior security official for their awareness.",
- "name": "Routing",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "note": "Senior security officials are determined by the provider." 
- },
- {
- "id": "FRR-FSI-16",
- "statement": "Providers SHOULD complete the required actions in Important designated messages sent by FedRAMP within the timeframe specified in the message.",
- "name": "Recommended Response for Important Messages",
- "note": "Timeframes may vary by impact level of the _cloud service offering_.",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- }
- ]
- }
- }
- }
-}
\ No newline at end of file
diff --git a/FRMR.ICP.incident-communications-procedures.json b/FRMR.ICP.incident-communications-procedures.json
deleted file mode 100644
index 936fae8..0000000
--- a/FRMR.ICP.incident-communications-procedures.json
+++ /dev/null
@@ -1,185 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "FedRAMP.schema.json",
- "info": {
- "name": "Incident Communications Procedures",
- "short_name": "ICP",
- "effective": {
- "rev5": {
- "is": "no"
- },
- "20x": {
- "is": "required",
- "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
- "current_status": "Phase 2 Pilot",
- "start_date": "2025-11-18",
- "end_date": "2026-03-31",
- "comments": [
- "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
- "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
- ]
- }
- },
- "releases": [
- {
- "id": "25.11B",
- "published_date": "2025-11-24",
- "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.ICP.incident-communications-procedures.json"
- },
- {
- "id": "25.11A",
- "published_date": "2025-11-18",
- "description": "Initial release of simplified 20x version of this existing FedRAMP policy.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/f10df15d0dfb152cb736a26a7ddda8927011696e/FRMR.ICP.incident-communications-procedures.json"
- }
- ],
- "front_matter": {
- "purpose": "This set of requirements and recommendations converts the existing FedRAMP Incident Communications Procedures (https://www.fedramp.gov/docs/rev5/csp/continuous-monitoring/intro) to the simpler FedRAMP 20x style and clarifies the expectations for FedRAMP 20x.\n\nThe only notable change from the default Rev5 Incident Communications Procedures for 20x is the addition of a recommendation that incident information be made available in both 
human-readable and machine-readable formats."
- }
- },
- "FRR": {
- "ICP": {
- "base": {
- "id": "FRR-ICP",
- "application": "These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document.",
- "name": "Requirements & Recommendations",
- "requirements": [
- {
- "id": "FRR-ICP-01",
- "statement": "Providers MUST responsibly report _incidents_ to FedRAMP within 1 hour of identification by sending an email to fedramp_security@fedramp.gov or fedramp_security@gsa.gov.",
- "name": "Incident Reporting to FedRAMP",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-ICP-02",
- "statement": "Providers MUST responsibly report _incidents_ to all _agency_ customers within 1 hour of identification using the _incident_ communications points of contact provided by each _agency_ customer.",
- "name": "Incident Reporting to Agencies",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-ICP-03",
- "statement": "Providers MUST responsibly report _incidents_ to CISA within 1 hour of identification if the incident is confirmed or suspected to be the result of an attack vector listed at https://www.cisa.gov/federal-incident-notification-guidelines#attack-vectors-taxonomy, following the CISA Federal Incident Notification Guidelines at https://www.cisa.gov/federal-incident-notification-guidelines, by using the CISA Incident Reporting System at https://myservices.cisa.gov/irf. 
", - "name": "Incident Reporting to CISA", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-ICP-04", - "statement": "Providers MUST update _all necessary parties_, including at least FedRAMP, CISA (if applicable), and all _agency_ customers, at least once per calendar day until the _incident_ is resolved and recovery is complete.", - "name": "Incident Updates", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-ICP-05", - "statement": "Providers MUST make _incident_ report information available in their secure FedRAMP repository (such as USDA Connect) or _trust center_.", - "name": "Incident Report Availability", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-ICP-06", - "statement": "Providers MUST NOT irresponsibly disclose specific sensitive information about _incidents_ that would _likely_ increase the impact of the _incident_, but MUST disclose sufficient information for informed risk-based decision-making to _all necessary parties_.", - "name": "Responsible Disclosure", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": ["Providers"], - "primary_key_word": "MUST NOT" - }, - { - "id": "FRR-ICP-07", - "statement": "Providers MUST provide a final report once the _incident_ is resolved and recovery is complete that describes at least:", - "name": "Final Incident Report", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST", - "following_information": [ - "What occurred", - "Root cause", - "Response", - "Lessons learned", - "Changes needed" - ] - }, - { - "id": "FRR-ICP-08", - "statement": "Providers SHOULD use automated mechanisms for reporting 
incidents and providing updates to all necessary parties (including CISA).",
- "name": "Automated Reporting",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-ICP-09",
- "statement": "Providers SHOULD make _incident_ report information available in consistent human-readable and _machine-readable_ formats.",
- "name": "Human-Readable and Machine-Readable Formats",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- }
- ]
- }
- }
- }
-}
\ No newline at end of file
diff --git a/FRMR.KSI.key-security-indicators.json b/FRMR.KSI.key-security-indicators.json
deleted file mode 100644
index 1d7f8f7..0000000
--- a/FRMR.KSI.key-security-indicators.json
+++ /dev/null
@@ -1,2949 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "FedRAMP.schema.json",
- "info": {
- "name": "Key Security Indicators",
- "short_name": "KSI",
- "effective": {
- "rev5": {
- "is": "no"
- },
- "20x": {
- "is": "required",
- "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
- "current_status": "Phase 2 Pilot",
- "start_date": "2025-11-18",
- "end_date": "2026-03-31",
- "comments": [
- "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
- "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
- ]
- }
- },
- "releases": [
- {
- "id": "25.12A",
- "published_date": "2025-12-29",
- "description": "This release updates a significant number of KSIs to improve clarity and expectations; in general the measures required to meet each KSI remain unchanged but these updates should make it easier to address them. 
In additional, some KSIs have been retired.",
- "public_comment": false
- },
- {
- "id": "25.11C",
- "published_date": "2025-12-01",
- "description": "No effective/material changes; adjusted some KSI-AFR indcators to reference \"process\" instead of \"standard\" and added a note to KSI-AFR-02 addressing the potential infinite loop.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/ced2160b22455ed26a11bf697be8f0ae3e1e5dff/data/FRMR.KSI.key-security-indicators.json"
- },
- {
- "id": "25.11B",
- "published_date": "2025-11-24",
- "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.KSI.key-security-indicators.json"
- },
- {
- "id": "25.11A",
- "published_date": "2025-11-18",
- "description": "Updates Key Security Indicators for the FedRAMP 20x Phase Two pilot, including underlying structural changes to machine-readable docs; Renamed KSI \"indicator\" property to \"theme\" and KSI \"requirements\" property to \"indicators\" to match current naming conventions..",
- "public_comment": true,
- "related_rfcs": [
- {
- "start_date": "2025-09-10",
- "end_date": "2025-11-17",
- "id": "0015",
- "url": "https://www.fedramp.gov/rfcs/0015/",
- "discussion_url": "https://github.com/FedRAMP/community/discussions/84",
- "short_name": "rfc-0015-recommended-secure-configuration",
- "full_name": "FedRAMP RFC-0015: Recommended Secure Configuration Standard"
- }
- ],
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/3291fa1952f5b68eaf1a815a8ef1846ae8ca9e2f/data/FRMR.KSI.key-security-indicators.json"
- },
- {
- "id": "25.10A",
- "published_date": "2025-10-17",
- "description": "Minor updates to improve clarity; switch from federal information to federal customer data; add impact level 
metadata; no substantive changes.",
- "public_comment": false,
- "machine_readable_link": null
- },
- {
- "id": "25.05D",
- "published_date": "2025-08-24",
- "description": "Minor non-breaking updates to align term definitions and highlighted terms across updated materials (no changes to KSIs, definitions are now in FRD-ALL).",
- "public_comment": false,
- "machine_readable_link": null
- },
- {
- "id": "25.05C",
- "published_date": "2025-06-28",
- "description": "Key Security Indicators in this release are unchanged from previously releases. 25.05C adds references for each KSI to underlying SP 800-53 controls.",
- "public_comment": false,
- "machine_readable_link": null
- },
- {
- "id": "25.05B",
- "published_date": "2025-06-18",
- "description": "Initial release of Key Security Indicators from 25.05; the previous 25.05A release contained errors during conversion to JSON that are fixed in this release, the KSIs should now be identical to the original 25.05 paper release of the KSIs released on 2025-05-30. 
FRR-KSI-AY rules were converted to FRR-KSI rules, but otherwise unchanged.",
- "public_comment": false,
- "machine_readable_link": null
- },
- {
- "id": "25.05A",
- "published_date": "2025-05-30",
- "description": "Initial release of Key Security Indicators",
- "public_comment": true,
- "related_rfcs": [
- {
- "start_date": "2025-04-24",
- "end_date": "2025-05-24",
- "id": "0006",
- "url": "https://www.fedramp.gov/rfcs/0006/",
- "discussion_url": "https://github.com/FedRAMP/community/discussions/3",
- "short_name": "rfc-0006-key-security-indicators",
- "full_name": "FedRAMP RFC-0006: 20x Phase One Key Security Indicators"
- }
- ],
- "machine_readable_link": null
- }
- ],
- "front_matter": {
- "authority": [
- {
- "reference": "OMB Circular A-130",
- "reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf",
- "description": "Appendix I states \"Agencies may also develop overlays for specific types of information or communities of interest (e.g., all web-based applications, all health care-related systems) as part of the security control selection process. Overlays provide a specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information as part of the tailoring process, that is intended to complement (and further refine) security control baselines. 
The overlay may be more stringent or less stringent than the original security control baseline and can be applied to multiple information systems.\"" - }, - { - "reference": "NIST SP 800-53B", - "reference_url": "https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final", - "description": "Section 2.5 states \"As the number of controls in [SP 800-53] grows in response to an increasingly sophisticated threat space, it is important for organizations to have the ability to describe key capabilities needed to protect organizational missions and business functions, and to subsequently select controls that\u2014if properly designed, developed, and implemented\u2014produce such capabilities. The use of capabilities simplifies how the protection problem is viewed conceptually. Using the construct of a capability provides a method of grouping controls that are employed for a common purpose or to achieve a common objective.\" This section later states \"Ultimately, authorization decisions (i.e., risk acceptance decisions) are made based on the degree to which the desired capabilities have been effectively achieved.\"" - }, - { - "reference": "NIST SP 800-53A", - "reference_url": "https://csrc.nist.gov/pubs/sp/800/53/a/r5/final", - "description": "Section 3.5 states \"When organizations employ the concept of capabilities, automated and manual assessments account for all security and privacy controls that comprise the security and privacy capabilities. 
Assessors are aware of how the controls work together to provide such capabilities.\"" - }, - { - "reference": "FedRAMP Authorization Act (44 USC \u00a7 3609 (a) (1))", - "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities", - "description": "requires that the Administrator of the General Services Administration shall \"in consultation with the [DHS] Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services...\" 44 USC \u00a7 3609 (c) (2) further states that \"the [GSA] Administrator shall establish a means for the automation of security assessments and reviews.\"", - "delegation": "These responsibilities are delegated to the FedRAMP Director", - "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" - } - ], - "purpose": "Modern cloud services use automated or code-driven configuration management and control planes to ensure predictable, repeatable, reliable, and secure outcomes during deployment and operation. 
The majority of a service security assessment can take place continuously via automated validation for simple cloud-native services if the need for a traditional control-by-control narrative approach is removed.", - "expected_outcomes": [ - "Cloud service providers following commercial security best practices will be able to meet and validate FedRAMP security requirements with the application of simple changes and automated capabilities", - "Third-party independent assessors will have a simpler framework to assess security and implementation decisions based on engineering decisions in context", - "Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based authorization to operate decisions based on their planned use case" - ] - } - }, - "FRR": { - "KSI": { - "base": { - "application": "These requirements apply ALWAYS to ALL FedRAMP 20x authorizations based on the Effective Date(s) and Overall Applicability.", - "id": "FRR-KSI", - "name": "Requirements & Recommendations", - "requirements": [ - { - "id": "FRR-KSI-01", - "statement": "Cloud service providers SHOULD apply ALL Key Security Indicators to ALL aspects of their _cloud service offering_ that are within the FedRAMP Minimum Assessment Scope.", - "name": "Application of Key Security Indicators", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true - } - }, - { - "id": "FRR-KSI-02", - "statement": "Providers MUST maintain simple high-level summaries of at least the following for each Key Security Indicator:", - "following_information": [ - "Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability", - "The consolidated _information resources_ that will be validated (this should include consolidated summaries such as \"all employees with privileged access that are members of the Admin group\")", - "The machine-based 
processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)", - "The non-machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)", - "Current implementation status", - "Any clarifications or responses to the assessment summary" - ], - "name": "Implementation Summaries", - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true - } - } - ] - } - } - }, - "KSI": { - "AFR": { - "id": "KSI-AFR", - "name": "Authorization by FedRAMP", - "theme": "A secure cloud service provider seeking FedRAMP authorization will address all FedRAMP 20x requirements and recommendations, including government-specific requirements for maintaining a secure system and reporting on activities to government customers.", - "indicators": [ - { - "id": "KSI-AFR-01", - "name": "Minimum Assessment Scope", - "statement": "Apply the FedRAMP Minimum Assessment Scope (MAS) to identify and document the scope of the cloud service offering to be assessed for FedRAMP authorization and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-1", - "title": "Policy and Procedures" - }, - { - "control_id": "ac-21", - "title": "Information Sharing" - }, - { - "control_id": "at-1", - "title": "Policy and Procedures" - }, - { - "control_id": "au-1", - "title": "Policy and Procedures" - }, - { - "control_id": "ca-1", - "title": "Policy and Procedures" - }, - { - "control_id": "cm-1", - "title": "Policy and Procedures" - }, - { - "control_id": "cp-1", - "title": "Policy and Procedures" - }, - { - "control_id": "cp-2.1", - "title": "Coordinate with Related Plans" - }, - { - "control_id": "cp-2.8", - "title": "Identify Critical Assets" - }, - { - "control_id": "cp-4.1", - "title": "Coordinate with Related 
Plans" - }, - { - "control_id": "ia-1", - "title": "Policy and Procedures" - }, - { - "control_id": "ir-1", - "title": "Policy and Procedures" - }, - { - "control_id": "ma-1", - "title": "Policy and Procedures" - }, - { - "control_id": "mp-1", - "title": "Policy and Procedures" - }, - { - "control_id": "pe-1", - "title": "Policy and Procedures" - }, - { - "control_id": "pl-1", - "title": "Policy and Procedures" - }, - { - "control_id": "pl-2", - "title": "System Security and Privacy Plans" - }, - { - "control_id": "pl-4", - "title": "Rules of Behavior" - }, - { - "control_id": "pl-4.1", - "title": "Social Media and External Site/Application Usage Restrictions" - }, - { - "control_id": "ps-1", - "title": "Policy and Procedures" - }, - { - "control_id": "ra-1", - "title": "Policy and Procedures" - }, - { - "control_id": "ra-9", - "title": "Criticality Analysis" - }, - { - "control_id": "sa-1", - "title": "Policy and Procedures" - }, - { - "control_id": "sc-1", - "title": "Policy and Procedures" - }, - { - "control_id": "si-1", - "title": "Policy and Procedures" - }, - { - "control_id": "sr-1", - "title": "Policy and Procedures" - }, - { - "control_id": "sr-2", - "title": "Supply Chain Risk Management Plan" - }, - { - "control_id": "sr-3", - "title": "Supply Chain Controls and Processes" - }, - { - "control_id": "sr-11", - "title": "Component Authenticity" - } - ], - "reference": "Minimum Assessment Scope", - "reference_url": "https://fedramp.gov/docs/20x/minimum-assessment-scope" - }, - { - "id": "KSI-AFR-02", - "name": "Key Security Indicators", - "statement": "Set security goals for the cloud service offering based on FedRAMP 20x Phase Two Key Security Indicators (KSIs - you are here), develop automated validation of status and progress to the greatest extent possible, and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": "Key Security Indicators", - "reference_url": 
"https://fedramp.gov/docs/20x/key-security-indicators", - "note": "This KSI is not intended to create an infinite loop; unlike other KSI-AFR themed indicators, this KSI is addressed by otherwise addressing all the KSIs. Providers and assessors may use this KSI to summarize the approach, coverage, status, etc. but are not expected to include all KSIs within this KSI in an infinite loop." - }, - { - "id": "KSI-AFR-03", - "name": "Authorization Data Sharing", - "statement": "Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": "Authorization Data Sharing", - "reference_url": "https://fedramp.gov/docs/20x/authorization-data-sharing", - "controls": [ - { - "control_id": "ac-3", - "title": "Access Enforcement" - }, - { - "control_id": "ac-4", - "title": "Information Flow Enforcement" - }, - { - "control_id": "au-2", - "title": "Event Logging" - }, - { - "control_id": "au-3", - "title": "Content of Audit Records" - }, - { - "control_id": "au-6", - "title": "Audit Record Review, Analysis, and Reporting" - }, - { - "control_id": "ca-2", - "title": "Control Assessments" - }, - { - "control_id": "ir-4", - "title": "Incident Handling" - }, - { - "control_id": "ra-5", - "title": "Vulnerability Monitoring and Scanning" - }, - { - "control_id": "sc-8", - "title": "Transmission Confidentiality and Integrity" - } - ] - }, - { - "id": "KSI-AFR-04", - "name": "Vulnerability Detection and Response", - "statement": "Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": 
"Vulnerability Detection and Response", - "reference_url": "https://fedramp.gov/docs/20x/vulnerability-detection-and-response", - "controls": [ - { - "control_id": "ca-2", - "title": "Control Assessments" - }, - { - "control_id": "ca-7", - "title": "Continuous Monitoring" - }, - { - "control_id": "ca-7.6", - "title": "Automation Support for Monitoring" - }, - { - "control_id": "ir-1", - "title": "Policy and Procedures" - }, - { - "control_id": "ir-4", - "title": "Incident Handling" - }, - { - "control_id": "ir-4.1", - "title": "Automated Incident Handling Processes" - }, - { - "control_id": "ir-5", - "title": "Incident Monitoring" - }, - { - "control_id": "ir-5.1", - "title": "Automated Tracking, Data Collection, and Analysis" - }, - { - "control_id": "ir-6", - "title": "Incident Reporting" - }, - { - "control_id": "ir-6.1", - "title": "Automated Reporting" - }, - { - "control_id": "ir-6.2", - "title": "Vulnerabilities Related to Incidents" - }, - { - "control_id": "pm-3", - "title": "Information Security and Privacy Resources" - }, - { - "control_id": "pm-5", - "title": "System Inventory" - }, - { - "control_id": "pm-31", - "title": "Continuous Monitoring Strategy" - }, - { - "control_id": "ra-2", - "title": "Security Categorization" - }, - { - "control_id": "ra-2.1", - "title": "Impact-level Prioritization" - }, - { - "control_id": "ra-3", - "title": "Risk Assessment" - }, - { - "control_id": "ra-3.3", - "title": "Dynamic Threat Awareness" - }, - { - "control_id": "ra-5", - "title": "Vulnerability Monitoring and Scanning" - }, - { - "control_id": "ra-5.2", - "title": "Update Vulnerabilities to Be Scanned" - }, - { - "control_id": "ra-5.3", - "title": "Breadth and Depth of Coverage" - }, - { - "control_id": "ra-5.4", - "title": "Discoverable Information" - }, - { - "control_id": "ra-5.5", - "title": "Privileged Access" - }, - { - "control_id": "ra-5.6", - "title": "Automated Trend Analyses" - }, - { - "control_id": "ra-5.7", - "title": "Automated Detection and 
Notification of Unauthorized Components" - }, - { - "control_id": "ra-5.11", - "title": "Public Disclosure Program" - }, - { - "control_id": "ra-9", - "title": "Criticality Analysis" - }, - { - "control_id": "ra-10", - "title": "Threat Hunting" - }, - { - "control_id": "si-2", - "title": "Flaw Remediation" - }, - { - "control_id": "si-2.1", - "title": "Central Management" - }, - { - "control_id": "si-2.2", - "title": "Automated Flaw Remediation Status" - }, - { - "control_id": "si-2.4", - "title": "Automated Patch Management Tools" - }, - { - "control_id": "si-2.5", - "title": "Automatic Software and Firmware Updates" - }, - { - "control_id": "si-3", - "title": "Malicious Code Protection" - }, - { - "control_id": "si-3.1", - "title": "Central Management" - }, - { - "control_id": "si-3.2", - "title": "Automatic Updates" - }, - { - "control_id": "si-4", - "title": "System Monitoring" - }, - { - "control_id": "si-4.2", - "title": "Automated Tools and Mechanisms for Real-time Analysis" - }, - { - "control_id": "si-4.3", - "title": "Automated Tool and Mechanism Integration" - }, - { - "control_id": "si-4.7", - "title": "Automated Response to Suspicious Events" - }, - { - "control_id": "ca-7.4", - "title": "Risk Monitoring" - }, - { - "control_id": "ra-5", - "title": "Vulnerability Monitoring and Scanning" - }, - { - "control_id": "ra-7", - "title": "Risk Response" - } - ] - }, - { - "id": "KSI-AFR-05", - "name": "Significant Change Notifications", - "statement": "Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": "Significant Change Notifications", - "reference_url": "https://fedramp.gov/docs/20x/significant-change-notifications", - "controls": [ - { - "control_id": "ca-7.4", - "title": "Risk Monitoring" - }, - 
{ - "control_id": "cm-3.4", - "title": "Security and Privacy Representatives" - }, - { - "control_id": "cm-4", - "title": "Impact Analyses" - }, - { - "control_id": "cm-7.1", - "title": "Periodic Review" - }, - { - "control_id": "au-5", - "title": "Response to Audit Logging Process Failures" - }, - { - "control_id": "ca-5", - "title": "Plan of Action and Milestones" - }, - { - "control_id": "ca-7", - "title": "Continuous Monitoring" - }, - { - "control_id": "ra-5", - "title": "Vulnerability Monitoring and Scanning" - }, - { - "control_id": "ra-5.2", - "title": "Update Vulnerabilities to Be Scanned" - }, - { - "control_id": "sa-22", - "title": "Unsupported System Components" - }, - { - "control_id": "si-2", - "title": "Flaw Remediation" - }, - { - "control_id": "si-2.2", - "title": "Automated Flaw Remediation Status" - }, - { - "control_id": "si-3", - "title": "Malicious Code Protection" - }, - { - "control_id": "si-5", - "title": "Security Alerts, Advisories, and Directives" - }, - { - "control_id": "si-7.7", - "title": "Integration of Detection and Response" - }, - { - "control_id": "si-10", - "title": "Information Input Validation" - }, - { - "control_id": "si-11", - "title": "Error Handling" - } - ] - }, - { - "id": "KSI-AFR-06", - "name": "Collaborative Continuous Monitoring", - "statement": "Maintain a plan and process for providing Ongoing Authorization Reports and Quarterly Reviews for all necessary parties in alignment with the FedRAMP Collaborative Continuous Monitoring (CCM) process and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": "Collaborative Continuous Monitoring", - "reference_url": "https://fedramp.gov/docs/20x/collaborative-continuous-monitoring" - }, - { - "id": "KSI-AFR-07", - "name": "Recommended Secure Configuration", - "statement": "Develop secure by default configurations and provide guidance for secure configuration of the cloud service offering to 
customers in alignment with the FedRAMP Recommended Secure Configuration (RSC) guidance process and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": "Recommended Secure Configuration", - "reference_url": "https://fedramp.gov/docs/20x/recommended-secure-configuration" - }, - { - "id": "KSI-AFR-08", - "name": "FedRAMP Security Inbox", - "statement": "Operate a secure inbox to receive critical communication from FedRAMP and other government entities in alignment with FedRAMP Security Inbox (FSI) requirements and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": "FedRAMP Security Inbox", - "reference_url": "https://fedramp.gov/docs/20x/fedramp-security-inbox" - }, - { - "id": "KSI-AFR-09", - "name": "Persistent Validation and Assessment", - "statement": "Persistently validate, assess, and report on the effectiveness and status of security decisions and policies that are implemented within the cloud service offering in alignment with the FedRAMP 20x Persistent Validation and Assessment (PVA) process, and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": "Persistent Validation and Assessment", - "reference_url": "https://fedramp.gov/docs/20x/persistent-validation-and-assessment" - }, - { - "id": "KSI-AFR-10", - "name": "Incident Communications Procedures", - "statement": "Integrate FedRAMP's Incident Communications Procedures (ICP) into incident response procedures and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": "Incident Communications Procedures", - "reference_url": "https://fedramp.gov/docs/20x/incident-communications-procedures" - }, - { - "id": "KSI-AFR-11", - "name": "Using Cryptographic Modules", - "statement": 
"Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) guidance and persistently address all related requirements and recommendations.", - "impact": { - "low": true, - "moderate": true - }, - "reference": "Using Cryptographic Modules", - "reference_url": "https://fedramp.gov/docs/20x/using-cryptographic-modules" - } - ] - }, - "CED": { - "id": "KSI-CED", - "name": "Cybersecurity Education", - "theme": "A secure cloud service provider will educate their employees on cybersecurity measures, testing them _persistently_ to ensure their knowledge is satisfactory.", - "indicators": [ - { - "id": "KSI-CED-01", - "name": "General Training", - "statement": "_Persistently_ review the effectiveness of training given to all employees on policies, procedures, and security-related topics.", - "controls": [ - { - "control_id": "at-2", - "title": "Literacy Training and Awareness" - }, - { - "control_id": "at-2.2", - "title": "Insider Threat" - }, - { - "control_id": "at-2.3", - "title": "Social Engineering and Mining" - }, - { - "control_id": "at-3.5", - "title": "Processing Personally Identifiable Information" - }, - { - "control_id": "at-4", - "title": "Training Records" - }, - { - "control_id": "ir-2.3", - "title": "Breach" - } - ], - "impact": { - "low": true, - "moderate": true - } - }, - { - "id": "KSI-CED-02", - "name": "Role-Specific Training", - "statement": "_Persistently_ review the effectiveness of role-specific training given to employees in high risk roles, including at least roles with privileged access.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "at-2", - "title": "Literacy Training and Awareness" - }, - { - "control_id": "at-2.3", - "title": "Social Engineering and Mining" - }, - { - "control_id": "at-3", - "title": "Role-based Training" - }, - { - "control_id": "sr-11.1", - "title": 
"Anti-counterfeit Training" - } - ] - }, - { - "id": "KSI-CED-03", - "name": "Development and Engineering Training", - "statement": "_Persistently_ review the effectiveness of role-specific training given to development and engineering staff that covers best practices for delivering secure software.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cp-3", - "title": "Contingency Training" - }, - { - "control_id": "ir-2", - "title": "Incident Response Training" - }, - { - "control_id": "ps-6", - "title": "Access Agreements" - } - ] - }, - { - "id": "KSI-CED-04", - "name": "Incident Response and Disaster Recovery Training", - "statement": "_Persistently_ review the effectiveness of role-specific training given to staff involved with incident response or disaster recovery.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [] - } - ] - }, - "CMT": { - "id": "KSI-CMT", - "name": "Change Management", - "theme": "A secure cloud service provider will ensure that all changes are properly documented and configuration baselines are updated accordingly.", - "indicators": [ - { - "id": "KSI-CMT-01", - "name": "Log and Monitor Changes", - "statement": "Log and monitor modifications to the cloud service offering.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "au-2", - "title": "Event Logging" - }, - { - "control_id": "cm-3", - "title": "Configuration Change Control" - }, - { - "control_id": "cm-3.2", - "title": "Testing, Validation, and Documentation of Changes" - }, - { - "control_id": "cm-4.2", - "title": "Verification of Controls" - }, - { - "control_id": "cm-6", - "title": "Configuration Settings" - }, - { - "control_id": "cm-8.3", - "title": "Automated Unauthorized Component Detection" - }, - { - "control_id": "ma-2", - "title": "Controlled Maintenance" - } - ] - }, - { - "id": "KSI-CMT-02", - "name": "Redeployment", - "statement": "Execute changes to _machine-based_ 
_information resources_ through redeployment of version controlled immutable resources rather than direct modification wherever possible.", - "controls": [ - { - "control_id": "cm-2", - "title": "Baseline Configuration" - }, - { - "control_id": "cm-3", - "title": "Configuration Change Control" - }, - { - "control_id": "cm-5", - "title": "Access Restrictions for Change" - }, - { - "control_id": "cm-6", - "title": "Configuration Settings" - }, - { - "control_id": "cm-7", - "title": "Least Functionality" - }, - { - "control_id": "cm-8.1", - "title": "Updates During Installation and Removal" - }, - { - "control_id": "si-3", - "title": "Malicious Code Protection" - } - ], - "impact": { - "low": true, - "moderate": true - } - }, - { - "id": "KSI-CMT-03", - "name": "Automated Testing and Validation", - "statement": "Automate persistent testing and validation of changes throughout deployment.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cm-3", - "title": "Configuration Change Control" - }, - { - "control_id": "cm-3.2", - "title": "Testing, Validation, and Documentation of Changes" - }, - { - "control_id": "cm-4.2", - "title": "Verification of Controls" - }, - { - "control_id": "si-2", - "title": "Flaw Remediation" - } - ] - }, - { - "id": "KSI-CMT-04", - "name": "Change Management Procedures", - "statement": "_Persistently_ review the effectiveness of documented change management procedures.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cm-3", - "title": "Configuration Change Control" - }, - { - "control_id": "cm-3.2", - "title": "Testing, Validation, and Documentation of Changes" - }, - { - "control_id": "cm-3.4", - "title": "Security and Privacy Representatives" - }, - { - "control_id": "cm-5", - "title": "Access Restrictions for Change" - }, - { - "control_id": "cm-7.1", - "title": "Periodic Review" - }, - { - "control_id": "cm-9", - "title": "Configuration Management Plan" - } 
- ] - }, - { - "id": "KSI-CMT-05", - "statement": "", - "note": "Superseded by KSI-AFR-05 (SCN)", - "retired": true, - "impact": { - "low": false, - "moderate": false - } - } - ] - }, - "CNA": { - "id": "KSI-CNA", - "name": "Cloud Native Architecture", - "theme": "A secure _cloud service offering_ will use cloud native architecture and design principles to enforce and enhance the confidentiality, integrity and availability of the system.", - "indicators": [ - { - "id": "KSI-CNA-01", - "name": "Restrict Network Traffic", - "statement": "_Persistently_ ensure all _machine-based_ _information resources_ are configured to limit inbound and outbound network traffic.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-17.3", - "title": "Managed Access Control Points" - }, - { - "control_id": "ca-9", - "title": "Internal System Connections" - }, - { - "control_id": "cm-7.1", - "title": "Periodic Review" - }, - { - "control_id": "sc-7.5", - "title": "Deny by Default \u2014 Allow by Exception" - }, - { - "control_id": "si-8", - "title": "Spam Protection" - } - ] - }, - { - "id": "KSI-CNA-02", - "name": "Attack Surface", - "statement": "_Persistently_ ensure _machine-based_ _information resources_ have a minimal attack surface and that lateral movement is minimized if compromised.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-17.3", - "title": "Managed Access Control Points" - }, - { - "control_id": "ac-18.1", - "title": "Authentication and Encryption" - }, - { - "control_id": "ac-18.3", - "title": "Disable Wireless Networking" - }, - { - "control_id": "ac-20.1", - "title": "Limits on Authorized Use" - }, - { - "control_id": "ca-9", - "title": "Internal System Connections" - }, - { - "control_id": "sc-7.3", - "title": "Access Points" - }, - { - "control_id": "sc-7.4", - "title": "External Telecommunications Services" - }, - { - "control_id": "sc-7.5", - "title": "Deny by Default 
\u2014 Allow by Exception" - }, - { - "control_id": "sc-7.8", - "title": "Route Traffic to Authenticated Proxy Servers" - }, - { - "control_id": "sc-8", - "title": "Transmission Confidentiality and Integrity" - }, - { - "control_id": "sc-10", - "title": "Network Disconnect" - }, - { - "control_id": "si-10", - "title": "Information Input Validation" - }, - { - "control_id": "si-11", - "title": "Error Handling" - }, - { - "control_id": "si-16", - "title": "Memory Protection" - } - ] - }, - { - "id": "KSI-CNA-03", - "name": "Enforce Traffic Flow", - "statement": "Use logical networking and related capabilities to enforce traffic flow controls.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-12", - "title": "Session Termination" - }, - { - "control_id": "ac-17.3", - "title": "Managed Access Control Points" - }, - { - "control_id": "ca-9", - "title": "Internal System Connections" - }, - { - "control_id": "sc-4", - "title": "Information in Shared System Resources" - }, - { - "control_id": "sc-7", - "title": "Boundary Protection" - }, - { - "control_id": "sc-7.7", - "title": "Split Tunneling for Remote Devices" - }, - { - "control_id": "sc-8", - "title": "Transmission Confidentiality and Integrity" - }, - { - "control_id": "sc-10", - "title": "Network Disconnect" - } - ] - }, - { - "id": "KSI-CNA-04", - "name": "Immutable Infrastructure", - "statement": "Use immutable infrastructure with strictly defined functionality and privileges by default.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cm-2", - "title": "Baseline Configuration" - }, - { - "control_id": "si-3", - "title": "Malicious Code Protection" - } - ] - }, - { - "id": "KSI-CNA-05", - "name": "Unwanted Activity", - "statement": "_Persistently_ review the effectiveness of protection against denial of service attacks and other unwanted activity.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - 
"control_id": "sc-5", - "title": "Denial-of-service Protection" - }, - { - "control_id": "si-8", - "title": "Spam Protection" - }, - { - "control_id": "si-8.2", - "title": "Automatic Updates" - } - ] - }, - { - "id": "KSI-CNA-06", - "name": "High Availability", - "statement": "Appropriately optimize _machine-based_ _information resources_ for high availability and rapid recovery.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [] - }, - { - "id": "KSI-CNA-07", - "name": "Best Practices", - "statement": "_Persistently_ ensure cloud-native _machine-based_ _information resources_ are implemented based on the host provider's best practices and documented guidance.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-17.3", - "title": "Managed Access Control Points" - }, - { - "control_id": "cm-2", - "title": "Baseline Configuration" - }, - { - "control_id": "pl-10", - "title": "Baseline Selection" - } - ] - }, - { - "id": "KSI-CNA-08", - "name": "Automated Enforcement", - "statement": "Use automated services to persistently assess the security posture of all machine-based information resources and automatically enforce their intended operational state.", - "impact": { - "low": false, - "moderate": true - }, - "controls": [ - { - "control_id": "ca-2.1", - "title": "Independent Assessors" - }, - { - "control_id": "ca-7.1", - "title": "Independent Assessment" - } - ] - } - ] - }, - "IAM": { - "id": "KSI-IAM", - "name": "Identity and Access Management", - "theme": "A secure _cloud service offering_ will protect user data, control access, and apply zero trust principles.", - "indicators": [ - { - "id": "KSI-IAM-01", - "name": "Phishing-Resistant MFA", - "statement": "Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": 
"ac-2", - "title": "Account Management" - }, - { - "control_id": "ia-2", - "title": "Identification and Authentication (Organizational Users)" - }, - { - "control_id": "ia-2.1", - "title": "Multi-factor Authentication to Privileged Accounts" - }, - { - "control_id": "ia-2.2", - "title": "Multi-factor Authentication to Non-privileged Accounts" - }, - { - "control_id": "ia-2.8", - "title": "Access to Accounts \u2014 Replay Resistant" - }, - { - "control_id": "ia-5", - "title": "Authenticator Management" - }, - { - "control_id": "ia-8", - "title": "Identification and Authentication (Non-organizational Users)" - }, - { - "control_id": "sc-23", - "title": "Session Authenticity" - } - ] - }, - { - "id": "KSI-IAM-02", - "name": "Passwordless Authentication", - "statement": "Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-2", - "title": "Account Management" - }, - { - "control_id": "ac-3", - "title": "Access Enforcement" - }, - { - "control_id": "ia-2.1", - "title": "Multi-factor Authentication to Privileged Accounts" - }, - { - "control_id": "ia-2.2", - "title": "Multi-factor Authentication to Non-privileged Accounts" - }, - { - "control_id": "ia-2.8", - "title": "Access to Accounts \u2014 Replay Resistant" - }, - { - "control_id": "ia-5.1", - "title": "Password-based Authentication" - }, - { - "control_id": "ia-5.2", - "title": "Public Key-based Authentication" - }, - { - "control_id": "ia-5.6", - "title": "Protection of Authenticators" - }, - { - "control_id": "ia-6", - "title": "Authentication Feedback" - } - ] - }, - { - "id": "KSI-IAM-03", - "name": "Non-User Accounts", - "statement": "Enforce appropriately secure authentication methods for non-user accounts and services.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-2", - "title": "Account 
Management" - }, - { - "control_id": "ac-2.2", - "title": "Automated Temporary and Emergency Account Management" - }, - { - "control_id": "ac-4", - "title": "Information Flow Enforcement" - }, - { - "control_id": "ac-6.5", - "title": "Privileged Accounts" - }, - { - "control_id": "ia-3", - "title": "Device Identification and Authentication" - }, - { - "control_id": "ia-5.2", - "title": "Public Key-based Authentication" - }, - { - "control_id": "ra-5.5", - "title": "Privileged Access" - } - ] - }, - { - "id": "KSI-IAM-04", - "name": "Just-in-Time Authorization", - "statement": "Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-2", - "title": "Account Management" - }, - { - "control_id": "ac-2.1", - "title": "Automated System Account Management" - }, - { - "control_id": "ac-2.2", - "title": "Automated Temporary and Emergency Account Management" - }, - { - "control_id": "ac-2.3", - "title": "Disable Accounts" - }, - { - "control_id": "ac-2.4", - "title": "Automated Audit Actions" - }, - { - "control_id": "ac-2.6", - "title": "Dynamic Privilege Management" - }, - { - "control_id": "ac-3", - "title": "Access Enforcement" - }, - { - "control_id": "ac-4", - "title": "Information Flow Enforcement" - }, - { - "control_id": "ac-5", - "title": "Separation of Duties" - }, - { - "control_id": "ac-6", - "title": "Least Privilege" - }, - { - "control_id": "ac-6.1", - "title": "Authorize Access to Security Functions" - }, - { - "control_id": "ac-6.2", - "title": "Non-privileged Access for Nonsecurity Functions" - }, - { - "control_id": "ac-6.5", - "title": "Privileged Accounts" - }, - { - "control_id": "ac-6.7", - "title": "Review of User Privileges" - }, - { - "control_id": "ac-6.9", - "title": "Log Use of Privileged Functions" - }, - { - "control_id": "ac-6.10", - "title": "Prohibit 
Non-privileged Users from Executing Privileged Functions" - }, - { - "control_id": "ac-7", - "title": "Unsuccessful Logon Attempts" - }, - { - "control_id": "ac-20.1", - "title": "Limits on Authorized Use" - }, - { - "control_id": "ac-17", - "title": "Remote Access" - }, - { - "control_id": "au-9.4", - "title": "Access by Subset of Privileged Users" - }, - { - "control_id": "cm-5", - "title": "Access Restrictions for Change" - }, - { - "control_id": "cm-7", - "title": "Least Functionality" - }, - { - "control_id": "cm-7.2", - "title": "Prevent Program Execution" - }, - { - "control_id": "cm-7.5", - "title": "Authorized Software \u2014 Allow-by-exception" - }, - { - "control_id": "cm-9", - "title": "Configuration Management Plan" - }, - { - "control_id": "ia-4", - "title": "Identifier Management" - }, - { - "control_id": "ia-4.4", - "title": "Identify User Status" - }, - { - "control_id": "ia-7", - "title": "Cryptographic Module Authentication" - }, - { - "control_id": "ps-2", - "title": "Position Risk Designation" - }, - { - "control_id": "ps-3", - "title": "Personnel Screening" - }, - { - "control_id": "ps-4", - "title": "Personnel Termination" - }, - { - "control_id": "ps-5", - "title": "Personnel Transfer" - }, - { - "control_id": "ps-6", - "title": "Access Agreements" - }, - { - "control_id": "ps-9", - "title": "Position Descriptions" - }, - { - "control_id": "ra-5.5", - "title": "Privileged Access" - }, - { - "control_id": "sc-2", - "title": "Separation of System and User Functionality" - }, - { - "control_id": "sc-23", - "title": "Session Authenticity" - }, - { - "control_id": "sc-39", - "title": "Process Isolation" - } - ] - }, - { - "id": "KSI-IAM-05", - "name": "Least Privilege", - "statement": "_Persistently_ ensure that identity and access management employs measures to ensure each user or device can only access the resources they need.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-2.5", - "title": 
"Inactivity Logout" - }, - { - "control_id": "ac-2.6", - "title": "Dynamic Privilege Management" - }, - { - "control_id": "ac-3", - "title": "Access Enforcement" - }, - { - "control_id": "ac-4", - "title": "Information Flow Enforcement" - }, - { - "control_id": "ac-6", - "title": "Least Privilege" - }, - { - "control_id": "ac-12", - "title": "Session Termination" - }, - { - "control_id": "ac-14", - "title": "Permitted Actions Without Identification or Authentication" - }, - { - "control_id": "ac-17", - "title": "Remote Access" - }, - { - "control_id": "ac-17.1", - "title": "Monitoring and Control" - }, - { - "control_id": "ac-17.2", - "title": "Protection of Confidentiality and Integrity Using Encryption" - }, - { - "control_id": "ac-17.3", - "title": "Managed Access Control Points" - }, - { - "control_id": "ac-20", - "title": "Use of External Systems" - }, - { - "control_id": "ac-20.1", - "title": "Limits on Authorized Use" - }, - { - "control_id": "cm-2.7", - "title": "Configure Systems and Components for High-risk Areas" - }, - { - "control_id": "cm-9", - "title": "Configuration Management Plan" - }, - { - "control_id": "ia-2", - "title": "Identification and Authentication (Organizational Users)" - }, - { - "control_id": "ia-3", - "title": "Device Identification and Authentication" - }, - { - "control_id": "ia-4", - "title": "Identifier Management" - }, - { - "control_id": "ia-4.4", - "title": "Identify User Status" - }, - { - "control_id": "ia-5.2", - "title": "Public Key-based Authentication" - }, - { - "control_id": "ia-5.6", - "title": "Protection of Authenticators" - }, - { - "control_id": "ia-11", - "title": "Re-authentication" - }, - { - "control_id": "ps-2", - "title": "Position Risk Designation" - }, - { - "control_id": "ps-3", - "title": "Personnel Screening" - }, - { - "control_id": "ps-4", - "title": "Personnel Termination" - }, - { - "control_id": "ps-5", - "title": "Personnel Transfer" - }, - { - "control_id": "ps-6", - "title": "Access Agreements" 
- }, - { - "control_id": "sc-4", - "title": "Information in Shared System Resources" - }, - { - "control_id": "sc-20", - "title": "Secure Name/Address Resolution Service (Authoritative Source)" - }, - { - "control_id": "sc-21", - "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)" - }, - { - "control_id": "sc-22", - "title": "Architecture and Provisioning for Name/Address Resolution Service" - }, - { - "control_id": "sc-23", - "title": "Session Authenticity" - }, - { - "control_id": "sc-39", - "title": "Process Isolation" - }, - { - "control_id": "si-3", - "title": "Malicious Code Protection" - } - ] - }, - { - "id": "KSI-IAM-06", - "name": "Suspicious Activity", - "statement": "Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity", - "controls": [ - { - "control_id": "ac-2", - "title": "Account Management" - }, - { - "control_id": "ac-2.1", - "title": "Automated System Account Management" - }, - { - "control_id": "ac-2.3", - "title": "Disable Accounts" - }, - { - "control_id": "ac-2.13", - "title": "Disable Accounts for High-risk Individuals" - }, - { - "control_id": "ac-7", - "title": "Unsuccessful Logon Attempts" - }, - { - "control_id": "ps-4", - "title": "Personnel Termination" - }, - { - "control_id": "ps-8", - "title": "Personnel Sanctions" - } - ], - "impact": { - "low": true, - "moderate": true - } - }, - { - "id": "KSI-IAM-07", - "name": "Automated Account Management", - "statement": "Securely manage the lifecycle and privileges of all accounts, roles, and groups, using automation.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-2.2", - "title": "Automated Temporary and Emergency Account Management" - }, - { - "control_id": "ac-2.3", - "title": "Disable Accounts" - }, - { - "control_id": "ac-2.13", - "title": "Disable Accounts for High-risk Individuals" - }, - { - "control_id": "ac-6.7", - "title": "Review of User 
Privileges" - }, - { - "control_id": "ia-4.4", - "title": "Identify User Status" - }, - { - "control_id": "ia-12", - "title": "Identity Proofing" - }, - { - "control_id": "ia-12.2", - "title": "Identity Evidence" - }, - { - "control_id": "ia-12.3", - "title": "Identity Evidence Validation and Verification" - }, - { - "control_id": "ia-12.5", - "title": "Address Confirmation" - } - ] - } - ] - }, - "INR": { - "id": "KSI-INR", - "name": "Incident Response", - "theme": "A secure _cloud service offering_ will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement.", - "indicators": [ - { - "id": "KSI-INR-01", - "name": "Incident Response Procedures", - "statement": "_Persistently_ review the effectiveness of documented incident response procedures.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ir-4", - "title": "Incident Handling" - }, - { - "control_id": "ir-4.1", - "title": "Automated Incident Handling Processes" - }, - { - "control_id": "ir-6", - "title": "Incident Reporting" - }, - { - "control_id": "ir-6.1", - "title": "Automated Reporting" - }, - { - "control_id": "ir-6.3", - "title": "Supply Chain Coordination" - }, - { - "control_id": "ir-7", - "title": "Incident Response Assistance" - }, - { - "control_id": "ir-7.1", - "title": "Automation Support for Availability of Information and Support" - }, - { - "control_id": "ir-8", - "title": "Incident Response Plan" - }, - { - "control_id": "ir-8.1", - "title": "Breaches" - }, - { - "control_id": "si-4.5", - "title": "System-generated Alerts" - } - ] - }, - { - "id": "KSI-INR-02", - "name": "Incident Review", - "statement": "_Persistently_ review past incidents for patterns or _vulnerabilities_.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ir-3", - "title": "Incident Response Testing" - }, - { - "control_id": "ir-4", - "title": "Incident Handling" - }, - { - 
"control_id": "ir-4.1", - "title": "Automated Incident Handling Processes" - }, - { - "control_id": "ir-5", - "title": "Incident Monitoring" - }, - { - "control_id": "ir-8", - "title": "Incident Response Plan" - } - ] - }, - { - "id": "KSI-INR-03", - "name": "Incident After Action Reports", - "statement": "Generate incident after action reports and _persistently_ incorporate lessons learned.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ir-3", - "title": "Incident Response Testing" - }, - { - "control_id": "ir-4", - "title": "Incident Handling" - }, - { - "control_id": "ir-4.1", - "title": "Automated Incident Handling Processes" - }, - { - "control_id": "ir-8", - "title": "Incident Response Plan" - } - ] - } - ] - }, - "MLA": { - "id": "KSI-MLA", - "name": "Monitoring, Logging, and Auditing", - "theme": "A secure _cloud service offering_ will monitor, log, and audit all important events, activity, and changes.", - "indicators": [ - { - "id": "KSI-MLA-01", - "name": "Security Information and Event Management (SIEM)", - "statement": "Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistent logging of events, activities, and changes.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-17.1", - "title": "Monitoring and Control" - }, - { - "control_id": "ac-20.1", - "title": "Limits on Authorized Use" - }, - { - "control_id": "au-2", - "title": "Event Logging" - }, - { - "control_id": "au-3", - "title": "Content of Audit Records" - }, - { - "control_id": "au-3.1", - "title": "Additional Audit Information" - }, - { - "control_id": "au-4", - "title": "Audit Log Storage Capacity" - }, - { - "control_id": "au-5", - "title": "Response to Audit Logging Process Failures" - }, - { - "control_id": "au-6.1", - "title": "Automated Process Integration" - }, - { - "control_id": "au-6.3", - "title": "Correlate Audit Record Repositories" - 
}, - { - "control_id": "au-7", - "title": "Audit Record Reduction and Report Generation" - }, - { - "control_id": "au-7.1", - "title": "Automatic Processing" - }, - { - "control_id": "au-8", - "title": "Time Stamps" - }, - { - "control_id": "au-9", - "title": "Protection of Audit Information" - }, - { - "control_id": "au-11", - "title": "Audit Record Retention" - }, - { - "control_id": "ir-4.1", - "title": "Automated Incident Handling Processes" - }, - { - "control_id": "si-4.2", - "title": "Automated Tools and Mechanisms for Real-time Analysis" - }, - { - "control_id": "si-4.4", - "title": "Inbound and Outbound Communications Traffic" - }, - { - "control_id": "si-7.7", - "title": "Integration of Detection and Response" - } - ] - }, - { - "id": "KSI-MLA-02", - "name": "Audit Logging", - "statement": "_Persistently_ review and audit logs.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-2.4", - "title": "Automated Audit Actions" - }, - { - "control_id": "ac-6.9", - "title": "Log Use of Privileged Functions" - }, - { - "control_id": "au-2", - "title": "Event Logging" - }, - { - "control_id": "au-6", - "title": "Audit Record Review, Analysis, and Reporting" - }, - { - "control_id": "au-6.1", - "title": "Automated Process Integration" - }, - { - "control_id": "si-4", - "title": "System Monitoring" - }, - { - "control_id": "si-4.4", - "title": "Inbound and Outbound Communications Traffic" - } - ] - }, - { - "id": "KSI-MLA-03", - "statement": "", - "note": "Superseded by KSI-AFR-04 (VDR)", - "retired": true, - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-MLA-04", - "statement": "", - "note": "Superseded by KSI-AFR-04 (VDR)", - "retired": true, - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-MLA-05", - "name": "Evaluate Configuration", - "statement": "_Persistently_ evaluate and test the configuration of _machine-based_ _information resources_, especially infrastructure 
as code.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ca-7", - "title": "Continuous Monitoring" - }, - { - "control_id": "cm-2", - "title": "Baseline Configuration" - }, - { - "control_id": "cm-6", - "title": "Configuration Settings" - }, - { - "control_id": "si-7.7", - "title": "Integration of Detection and Response" - } - ] - }, - { - "id": "KSI-MLA-06", - "statement": "", - "note": "Superseded by KSI-AFR-04 (VDR)", - "retired": true, - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-MLA-07", - "name": "Event Types", - "statement": "Maintain a list of information resources and event types that will be monitored, logged, and audited, then do so.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-2.4", - "title": "Automated Audit Actions" - }, - { - "control_id": "ac-6.9", - "title": "Log Use of Privileged Functions" - }, - { - "control_id": "ac-17.1", - "title": "Monitoring and Control" - }, - { - "control_id": "ac-20.1", - "title": "Limits on Authorized Use" - }, - { - "control_id": "au-2", - "title": "Event Logging" - }, - { - "control_id": "au-7.1", - "title": "Automatic Processing" - }, - { - "control_id": "au-12", - "title": "Audit Record Generation" - }, - { - "control_id": "si-4.4", - "title": "Inbound and Outbound Communications Traffic" - }, - { - "control_id": "si-4.5", - "title": "System-generated Alerts" - }, - { - "control_id": "si-7.7", - "title": "Integration of Detection and Response" - } - ] - }, - { - "id": "KSI-MLA-08", - "name": "Log Data Access", - "statement": "Use a least-privileged, role and attribute-based, and just-in-time access authorization model for access to log data based on organizationally defined data sensitivity.", - "impact": { - "low": false, - "moderate": true - }, - "controls": [ - { - "control_id": "si-11", - "title": "Error Handling" - } - ] - } - ] - }, - "PIY": { - "id": "KSI-PIY", - "name": "Policy and 
Inventory", - "theme": "A secure _cloud service offering_ will have intentional, organized, universal guidance for how every _information resource_, including personnel, is secured.", - "indicators": [ - { - "id": "KSI-PIY-01", - "name": "Automated Inventory", - "statement": "Use authoritative sources to automatically generate real-time inventories of all information resources when needed.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cm-2.2", - "title": "Automation Support for Accuracy and Currency" - }, - { - "control_id": "cm-7.5", - "title": "Authorized Software \u2014 Allow-by-exception" - }, - { - "control_id": "cm-8", - "title": "System Component Inventory" - }, - { - "control_id": "cm-8.1", - "title": "Updates During Installation and Removal" - }, - { - "control_id": "cm-12", - "title": "Information Location" - }, - { - "control_id": "cm-12.1", - "title": "Automated Tools to Support Information Location" - }, - { - "control_id": "cp-2.8", - "title": "Identify Critical Assets" - } - ] - }, - { - "id": "KSI-PIY-02", - "statement": "", - "note": "Superseded by KSI-AFR-01 (MAS)", - "retired": true, - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-PIY-03", - "name": "Vulnerability Disclosure Program", - "statement": "_Persistently_ review the effectiveness of the provider's vulnerability disclosure program.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ra-5.11", - "title": "Public Disclosure Program" - } - ] - }, - { - "id": "KSI-PIY-04", - "name": "CISA Secure By Design", - "statement": "_Persistently_ review the effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-5", - "title": "Separation of Duties" - }, - { - "control_id": "au-3.3", - "title": 
"Limit Personally Identifiable Information Elements" - }, - { - "control_id": "cm-3.4", - "title": "Security and Privacy Representatives" - }, - { - "control_id": "pl-8", - "title": "Security and Privacy Architectures" - }, - { - "control_id": "pm-7", - "title": "Enterprise Architecture" - }, - { - "control_id": "sa-3", - "title": "System Development Life Cycle" - }, - { - "control_id": "sa-8", - "title": "Security and Privacy Engineering Principles" - }, - { - "control_id": "sc-4", - "title": "Information in Shared System Resources" - }, - { - "control_id": "sc-18", - "title": "Mobile Code" - }, - { - "control_id": "si-10", - "title": "Information Input Validation" - }, - { - "control_id": "si-11", - "title": "Error Handling" - }, - { - "control_id": "si-16", - "title": "Memory Protection" - } - ] - }, - { - "id": "KSI-PIY-05", - "statement": "", - "note": "Superseded by KSI-AFR-04 (VDR)", - "retired": true, - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-PIY-06", - "name": "Security Investment Effectiveness", - "statement": "_Persistently_ review the effectiveness of the organization's investments in achieving security objectives.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-5", - "title": "Separation of Duties" - }, - { - "control_id": "ca-2", - "title": "Control Assessments" - }, - { - "control_id": "cp-2.1", - "title": "Coordinate with Related Plans" - }, - { - "control_id": "cp-4.1", - "title": "Coordinate with Related Plans" - }, - { - "control_id": "ir-3.2", - "title": "Coordination with Related Plans" - }, - { - "control_id": "pm-3", - "title": "Information Security and Privacy Resources" - }, - { - "control_id": "sa-2", - "title": "Allocation of Resources" - }, - { - "control_id": "sa-3", - "title": "System Development Life Cycle" - }, - { - "control_id": "sr-2.1", - "title": "Establish SCRM Team" - } - ] - }, - { - "id": "KSI-PIY-07", - "statement": "", - "note": "Superseded by 
KSI-TRP-03", - "retired": true, - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-PIY-08", - "name": "Executive Support", - "statement": "_Persistently_ review executive support for achieving the organization's security objectives.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [] - } - ] - }, - "RPL": { - "id": "KSI-RPL", - "name": "Recovery Planning", - "theme": "A secure _cloud service offering_ will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss during incidents and contingencies.", - "indicators": [ - { - "id": "KSI-RPL-01", - "name": "Recovery Objectives", - "statement": "_Persistently_ review desired Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cp-2.3", - "title": "Resume Mission and Business Functions" - }, - { - "control_id": "cp-10", - "title": "System Recovery and Reconstitution" - } - ] - }, - { - "id": "KSI-RPL-02", - "name": "Recovery Plan", - "statement": "_Persistently_ review the alignment of recovery plans with defined recovery objectives.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cp-2", - "title": "Contingency Plan" - }, - { - "control_id": "cp-2.1", - "title": "Coordinate with Related Plans" - }, - { - "control_id": "cp-2.3", - "title": "Resume Mission and Business Functions" - }, - { - "control_id": "cp-4.1", - "title": "Coordinate with Related Plans" - }, - { - "control_id": "cp-6", - "title": "Alternate Storage Site" - }, - { - "control_id": "cp-6.1", - "title": "Separation from Primary Site" - }, - { - "control_id": "cp-6.3", - "title": "Accessibility" - }, - { - "control_id": "cp-7", - "title": "Alternate Processing Site" - }, - { - "control_id": "cp-7.1", - "title": "Separation from Primary Site" - }, - { - "control_id": "cp-7.2", - "title": 
"Accessibility" - }, - { - "control_id": "cp-7.3", - "title": "Priority of Service" - }, - { - "control_id": "cp-8", - "title": "Telecommunications Services" - }, - { - "control_id": "cp-8.1", - "title": "Priority of Service Provisions" - }, - { - "control_id": "cp-8.2", - "title": "Single Points of Failure" - }, - { - "control_id": "cp-10", - "title": "System Recovery and Reconstitution" - }, - { - "control_id": "cp-10.2", - "title": "Transaction Recovery" - } - ] - }, - { - "id": "KSI-RPL-03", - "name": "System Backups", - "statement": "_Persistently_ review the alignment of machine-based information resource backups with defined recovery objectives.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cm-2.3", - "title": "Retention of Previous Configurations" - }, - { - "control_id": "cp-6", - "title": "Alternate Storage Site" - }, - { - "control_id": "cp-9", - "title": "System Backup" - }, - { - "control_id": "cp-10", - "title": "System Recovery and Reconstitution" - }, - { - "control_id": "cp-10.2", - "title": "Transaction Recovery" - }, - { - "control_id": "si-12", - "title": "Information Management and Retention" - } - ] - }, - { - "id": "KSI-RPL-04", - "name": "Recovery Testing", - "statement": "_Persistently_ test the capability to recover from incidents and contingencies, including alignment with defined recovery objectives.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cp-2.1", - "title": "Coordinate with Related Plans" - }, - { - "control_id": "cp-2.3", - "title": "Resume Mission and Business Functions" - }, - { - "control_id": "cp-4", - "title": "Contingency Plan Testing" - }, - { - "control_id": "cp-4.1", - "title": "Coordinate with Related Plans" - }, - { - "control_id": "cp-6", - "title": "Alternate Storage Site" - }, - { - "control_id": "cp-6.1", - "title": "Separation from Primary Site" - }, - { - "control_id": "cp-9.1", - "title": "Testing for Reliability and 
Integrity" - }, - { - "control_id": "cp-10", - "title": "System Recovery and Reconstitution" - }, - { - "control_id": "ir-3", - "title": "Incident Response Testing" - }, - { - "control_id": "ir-3.2", - "title": "Coordination with Related Plans" - } - ] - } - ] - }, - "SVC": { - "id": "KSI-SVC", - "name": "Service Configuration", - "theme": "A secure _cloud service offering_ will follow FedRAMP encryption policies, continuously verify _information resource_ integrity, and restrict access to _third-party information resources_.", - "indicators": [ - { - "id": "KSI-SVC-01", - "name": "Continuous Improvement", - "statement": "Implement improvements based on persistent evaluation of information resources for opportunities to improve security.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cm-7.1", - "title": "Periodic Review" - }, - { - "control_id": "cm-12.1", - "title": "Automated Tools to Support Information Location" - }, - { - "control_id": "ma-2", - "title": "Controlled Maintenance" - }, - { - "control_id": "pl-8", - "title": "Security and Privacy Architectures" - }, - { - "control_id": "sc-7", - "title": "Boundary Protection" - }, - { - "control_id": "sc-39", - "title": "Process Isolation" - }, - { - "control_id": "si-2.2", - "title": "Automated Flaw Remediation Status" - }, - { - "control_id": "si-4", - "title": "System Monitoring" - }, - { - "control_id": "sr-10", - "title": "Inspection of Systems or Components" - } - ] - }, - { - "id": "KSI-SVC-02", - "name": "Network Encryption", - "statement": "Encrypt or otherwise secure network traffic.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-1", - "title": "Policy and Procedures" - }, - { - "control_id": "ac-17.2", - "title": "Protection of Confidentiality and Integrity Using Encryption" - }, - { - "control_id": "cp-9.8", - "title": "Cryptographic Protection" - }, - { - "control_id": "sc-8", - "title": "Transmission 
Confidentiality and Integrity" - }, - { - "control_id": "sc-8.1", - "title": "Cryptographic Protection" - }, - { - "control_id": "sc-13", - "title": "Cryptographic Protection" - }, - { - "control_id": "sc-20", - "title": "Secure Name/Address Resolution Service (Authoritative Source)" - }, - { - "control_id": "sc-21", - "title": "Secure Name/Address Resolution Service (Recursive or Caching Resolver)" - }, - { - "control_id": "sc-22", - "title": "Architecture and Provisioning for Name/Address Resolution Service" - }, - { - "control_id": "sc-23", - "title": "Session Authenticity" - } - ] - }, - { - "id": "KSI-SVC-03", - "retired": true, - "statement": "", - "note": "Superseded by KSI-AFR-11 (UCM)", - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-SVC-04", - "name": "Configuration Automation", - "statement": "Manage configuration of machine-based information resources using automation.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-2.4", - "title": "Automated Audit Actions" - }, - { - "control_id": "cm-2", - "title": "Baseline Configuration" - }, - { - "control_id": "cm-2.2", - "title": "Automation Support for Accuracy and Currency" - }, - { - "control_id": "cm-2.3", - "title": "Retention of Previous Configurations" - }, - { - "control_id": "cm-6", - "title": "Configuration Settings" - }, - { - "control_id": "cm-7.1", - "title": "Periodic Review" - }, - { - "control_id": "pl-9", - "title": "Central Management" - }, - { - "control_id": "pl-10", - "title": "Baseline Selection" - }, - { - "control_id": "sa-5", - "title": "System Documentation" - }, - { - "control_id": "si-5", - "title": "Security Alerts, Advisories, and Directives" - }, - { - "control_id": "sr-10", - "title": "Inspection of Systems or Components" - } - ] - }, - { - "id": "KSI-SVC-05", - "name": "Resource Integrity", - "statement": "Use cryptographic methods to validate the integrity of machine-based information resources.", - 
"impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "cm-2.2", - "title": "Automation Support for Accuracy and Currency" - }, - { - "control_id": "cm-8.3", - "title": "Automated Unauthorized Component Detection" - }, - { - "control_id": "sc-13", - "title": "Cryptographic Protection" - }, - { - "control_id": "sc-23", - "title": "Session Authenticity" - }, - { - "control_id": "si-7", - "title": "Software, Firmware, and Information Integrity" - }, - { - "control_id": "si-7.1", - "title": "Integrity Checks" - }, - { - "control_id": "sr-10", - "title": "Inspection of Systems or Components" - } - ] - }, - { - "id": "KSI-SVC-06", - "name": "Secret Management", - "statement": "Automate management, protection, and regular rotation of digital keys, certificates, and other secrets.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-17.2", - "title": "Protection of Confidentiality and Integrity Using Encryption" - }, - { - "control_id": "ia-5.2", - "title": "Public Key-based Authentication" - }, - { - "control_id": "ia-5.6", - "title": "Protection of Authenticators" - }, - { - "control_id": "sc-12", - "title": "Cryptographic Key Establishment and Management" - }, - { - "control_id": "sc-17", - "title": "Public Key Infrastructure Certificates" - } - ] - }, - { - "id": "KSI-SVC-07", - "retired": true, - "statement": "", - "note": "Superseded by KSI-AFR-04 (VDR)", - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-SVC-08", - "name": "Prevent Residual Risk", - "statement": "_Persistently_ review plans, procedures, and the state of information resources after making changes to limit and remove unwanted residual elements that would _likely_ negatively affect the confidentiality, integrity, or availability of _federal customer data_.", - "impact": { - "low": false, - "moderate": true - }, - "controls": [ - { - "control_id": "sc-4", - "title": "Information in Shared System Resources" 
- } - ] - }, - { - "id": "KSI-SVC-09", - "name": "Communication Integrity", - "statement": "Persistently validate the authenticity and integrity of communications between _machine-based_ _information resources_ using automation.", - "impact": { - "low": false, - "moderate": true - }, - "controls": [ - { - "control_id": "sc-23", - "title": "Session Authenticity" - }, - { - "control_id": "si-7.1", - "title": "Integrity Checks" - } - ] - }, - { - "id": "KSI-SVC-10", - "name": "Unwanted Data Removal", - "statement": "Remove unwanted federal customer data promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate; this typically applies when a customer spills information or when a customer seeks to remove information from a service due to a change in usage.", - "impact": { - "low": false, - "moderate": true - }, - "controls": [ - { - "control_id": "si-12.3", - "title": "Information Disposal" - }, - { - "control_id": "si-18.4", - "title": "Individual Requests" - } - ] - } - ] - }, - "TPR": { - "id": "KSI-TPR", - "name": "Third-Party Information Resources", - "theme": "A secure _cloud service offering_ will understand, monitor, and manage supply chain risks from _third-party information resources_.", - "indicators": [ - { - "id": "KSI-TPR-01", - "retired": true, - "statement": "", - "note": "Superseded by KSI-AFR-01 (MAS)", - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-TPR-02", - "retired": true, - "statement": "", - "note": "Superseded by KSI-AFR-01 (MAS)", - "impact": { - "low": false, - "moderate": false - } - }, - { - "id": "KSI-TPR-03", - "name": "Supply Chain Risk Management", - "statement": "_Persistently_ identify, review, and mitigate potential supply chain risks.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-20", - "title": "Use of External Systems" - }, - { - "control_id": "ra-3.1", - "title": "Supply Chain Risk Assessment" - }, 
- { - "control_id": "sa-9", - "title": "External System Services" - }, - { - "control_id": "sa-10", - "title": "Developer Configuration Management" - }, - { - "control_id": "sa-11", - "title": "Developer Testing and Evaluation" - }, - { - "control_id": "sa-15.3", - "title": "Criticality Analysis" - }, - { - "control_id": "sa-22", - "title": "Unsupported System Components" - }, - { - "control_id": "si-7.1", - "title": "Integrity Checks" - }, - { - "control_id": "sr-5", - "title": "Acquisition Strategies, Tools, and Methods" - }, - { - "control_id": "sr-6", - "title": "Supplier Assessments and Reviews" - }, - { - "control_id": "ca-7.4", - "title": "Risk Monitoring" - }, - { - "control_id": "sc-18", - "title": "Mobile Code" - } - ] - }, - { - "id": "KSI-TPR-04", - "name": "Supply Chain Risk Monitoring", - "statement": "Automatically monitor third party software _information resources_ for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services.", - "impact": { - "low": true, - "moderate": true - }, - "controls": [ - { - "control_id": "ac-20", - "title": "Use of External Systems" - }, - { - "control_id": "ca-3", - "title": "Information Exchange" - }, - { - "control_id": "ir-6.3", - "title": "Supply Chain Coordination" - }, - { - "control_id": "ps-7", - "title": "External Personnel Security" - }, - { - "control_id": "ra-5", - "title": "Vulnerability Monitoring and Scanning" - }, - { - "control_id": "sa-9", - "title": "External System Services" - }, - { - "control_id": "si-5", - "title": "Security Alerts, Advisories, and Directives" - }, - { - "control_id": "sr-5", - "title": "Acquisition Strategies, Tools, and Methods" - }, - { - "control_id": "sr-6", - "title": "Supplier Assessments and Reviews" - }, - { - "control_id": "sr-8", - "title": "Notification Agreements" - } - ] - } - ] - } - } -} 
diff --git a/FRMR.MAS.minimum-assessment-scope.json b/FRMR.MAS.minimum-assessment-scope.json deleted file mode 100644 index bd79b5b..0000000 --- a/FRMR.MAS.minimum-assessment-scope.json +++ /dev/null 
@@ -1,348 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "FedRAMP.schema.json", - "info": { - "name": "Minimum Assessment Scope", - "short_name": "MAS", - "effective": { - "rev5": { - "is": "optional", - "signup_url": "", - "current_status": "Wide Release", - "start_date": "2026-01-12", - "end_date": "2027-12-22", - "comments": [ - "Rev5 Authorized providers or those seeking FedRAMP authorization MAY adopt this process in place of the traditional FedRAMP boundary after January 12, 2026.", - "Providers MUST follow the Significant Change Request process (or Significant Change Notification if applicable) to transition from the traditional boundary to the MAS, and this change must be assessed by a FedRAMP recognized assessor.", - "Providers adopting this process MUST comply with ALL requirements and recommendations, including documentation. Templates are not provided for Rev5 MAS adoption so it is up to the provider to minimize confusion.", - "Rev5 Authorized providers who switch from a traditional FedRAMP boundary to the MAS MUST notify FedRAMP by sending an email to info@fedramp.gov.", - "All new Rev5 authorizations in progress that use the MAS must clearly mark all authorization data to indicate adoption of the MAS.", - "The FedRAMP Marketplace will include a section that indicates if a cloud service offering is following this process." - ] - }, - "20x": { - "is": "required", - "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", - "current_status": "Phase 2 Pilot", - "start_date": "2025-11-18", - "end_date": "2026-03-31", - "comments": [ - "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.", - "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review." 
- ] - } - }, - "releases": [ - { - "id": "25.11C", - "published_date": "2025-12-01", - "description": "No material changes to content; replaced references to \"standard\" with \"process\" or \"documentation\" as appropriate.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/6463c839204df61ce80e40daa98b18e3cf95f17b/data/FRMR.MAS.minimum-assessment-scope.json" - }, - { - "id": "25.11C", - "published_date": "2025-11-26", - "description": "No material changes to content; underlying JSON replaced the \"All\" option for \"affects\" with a breakout of all affected entities.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/6463c839204df61ce80e40daa98b18e3cf95f17b/data/FRMR.MAS.minimum-assessment-scope.json" - }, - { - "id": "25.11B", - "published_date": "2025-11-24", - "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.MAS.minimum-assessment-scope.json" - }, - { - "id": "25.11A", - "published_date": "2025-11-18", - "description": "Minor updates for the FedRAMP 20x Phase Two pilot and Rev5 Open Beta.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/e8c82f51ab77d760f5df340022a0ae1ab18f31ad/data/FRMR.MAS.minimum-assessment-scope.json" - }, - { - "id": "25.10A", - "published_date": "2025-10-17", - "description": "minor updates to improve clarity; switch from federal information to federal customer data; add impact level metadata; no substantive changes.", - "public_comment": false, - "machine_readable_link": null - }, - { - "id": "25.06B", - "published_date": "2025-08-24", - "description": "Minor non-breaking updates to align term definitions and highlighted terms across updated 
materials (definitions are now in FRD-ALL).", - "public_comment": false, - "machine_readable_link": null - }, - { - "id": "25.06A", - "published_date": "2025-06-17", - "description": "Minor non-breaking updates for clarity and formatting; renamed to Minimum Assessment Scope to avoid confusion with the Scope of FedRAMP as defined by M-24-15;reframed FRR-MAS-01 to explicitly note that this identifies the cloud service offering", - "public_comment": false, - "machine_readable_link": null - }, - { - "id": "25.05A", - "published_date": "2025-05-30", - "description": "Initial release of the Minimum Assessment Scope Standard.", - "public_comment": true, - "related_rfcs": [ - { - "start_date": "2025-04-24", - "end_date": "2025-05-25", - "id": "0007", - "url": "https://www.fedramp.gov/rfcs/0007/", - "discussion_url": "https://github.com/FedRAMP/community/discussions/2", - "short_name": "rfc-0005-minimum-assessment-scope", - "full_name": "FedRAMP RFC-0005: Minimum Assessment Scope Standard" - } - ], - "machine_readable_link": null - } - ], - "front_matter": { - "authority": [ - { - "reference": "OMB Circular A-130: Managing Information as a Strategic Resource", - "reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf", - "description": "Section 10 states that an \"Authorization boundary\" includes \"all components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.\" and further adds in footnote 64 that \"Agencies have significant flexibility in determining what constitutes an information system and its associated boundary.\"" - }, - { - "reference": "NIST SP 800-37 Rev. 
2", - "reference_url": "https://csrc.nist.gov/pubs/sp/800/37/r2/final", - "description": "Chapter 2.4 footnote 36 similarly states that \"the term authorization boundary is now used exclusively to refer to the set of system elements comprising the system to be authorized for operation or authorized for use by an authorizing official (i.e., the scope of the authorization).\"" - }, - { - "reference": "FedRAMP Authorization Act (44 USC \u00a7 3609 (a) (4))", - "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities", - "description": "Requires the General Services Administration to \"establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization.\"", - "delegation": "This responsibility is delegated to the FedRAMP Director", - "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" - } - ], - "purpose": "Application boundaries that are defined too broadly complicate the assessment process by introducing components that are unlikely to have an impact on the confidentiality, integrity or accessibility of the offering. 
The Minimum Assessment Scope provides guidance for cloud service providers to narrowly define information resource boundaries while still including all necessary components.", - "expected_outcomes": [ - "Boundaries will include the minimum number of components to make authorization and assessment easier", - "Cloud service providers will define clear boundaries for security and assessment of offerings based on the direct risk to federal customer data", - "Third-party independent assessors will have a simple well documented approach to assess security and implementation decisions", - "Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based Authorization to Operate decisions based on their planned use case" - ] - } - }, - "FRR": { - "MAS": { - "base": { - "application": "These requirements apply ALWAYS to ALL FedRAMP authorizations based on the Effective Date(s) and Overall Applicability.", - "id": "FRR-MAS", - "name": "Requirements & Recommendations", - "requirements": [ - { - "id": "FRR-MAS-01", - "statement": "Providers MUST identify a set of _information resources_ to assess for FedRAMP authorization that includes all _information resources_ that are _likely_ to _handle_ _federal customer data_ or _likely_ to impact the confidentiality, integrity, or availability of _federal customer data_ _handled_ by the _cloud service offering_.", - "affects": [ - "Providers" - ], - "name": "Cloud Service Offering Identification", - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-MAS-02", - "statement": "Providers MUST include the configuration and usage of _third-party information resources_, ONLY IF _FRR-MAS-01_ APPLIES.", - "affects": [ - "Providers" - ], - "name": "Third-Party Information Resources", - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - 
"id": "FRR-MAS-03", - "statement": "Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to _federal customer data_ from the configuration and usage of non-FedRAMP authorized _third-party information resources_, ONLY IF _FRR-MAS-01_ APPLIES.", - "affects": [ - "Providers" - ], - "name": "Non-FedRAMP Authorized Third-Party Information Resources", - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-MAS-04", - "statement": "Providers MUST include metadata (including metadata about _federal customer data_), ONLY IF _FRR-MAS-01_ APPLIES.", - "affects": [ - "Providers" - ], - "name": "Metadata Inclusion", - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-MAS-05", - "statement": "Providers MUST clearly identify, document, and explain information flows and impact levels for ALL _information resources_, ONLY IF _FRR-MAS-01_ APPLIES.", - "affects": [ - "Providers" - ], - "name": "Information Flows and Impact Levels", - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - } - ] - }, - "application": { - "application": "This section provides general guidance on the application of this process.", - "name": "Application", - "id": "FRR-MAS-AY", - "requirements": [ - { - "id": "FRR-MAS-AY-01", - "statement": "Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the _cloud service offering_ for FedRAMP. 
For more, see https://fedramp.gov/scope.", - "affects": [ - "Providers", - "Agencies", - "Assessors", - "FedRAMP" - ], - "name": "Scope of FedRAMP", - "primary_key_word": "", - "reference": "Overall Scope of FedRAMP", - "reference_url": "http://fedramp.gov/scope", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-MAS-AY-02", - "statement": "Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the _cloud service offering_ for FedRAMP. For more, see fedramp.gov/scope.", - "affects": [ - "Providers", - "Agencies", - "Assessors", - "FedRAMP" - ], - "name": "Non-Cloud-Based Software", - "primary_key_word": "", - "reference": "Overall Scope of FedRAMP", - "reference_url": "http://fedramp.gov/scope", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-MAS-AY-03", - "statement": "_Information resources_ (including _third-party information resources_) that do not meet the conditions in FRR-MAS-01 are not included in the _cloud service offering_ for FedRAMP (_FRR-MAS-02_).", - "affects": [ - "Providers", - "Agencies", - "Assessors", - "FedRAMP" - ], - "name": "Exclusion of Non-Impacting Information Resources", - "primary_key_word": "", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-MAS-AY-04", - "statement": "_Information resources_ (including _third-party information resources_) MAY vary by impact level as appropriate to the level of information _handled_ or impacted by the information resource (_FRR-MAS-05_).", - "affects": [ - "Providers", - 
"Agencies", - "Assessors", - "FedRAMP" - ], - "name": "Impact Level Variations", - "primary_key_word": "", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-MAS-AY-05", - "statement": "All parties SHOULD review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed.", - "affects": [ - "Providers", - "Agencies", - "Assessors", - "FedRAMP" - ], - "name": "Review of Best Practices", - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-MAS-AY-06", - "statement": "All aspects of the _cloud service offering_ are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials.", - "affects": [ - "Providers", - "Agencies", - "Assessors", - "FedRAMP" - ], - "name": "Cloud Service Offering Determination", - "primary_key_word": "", - "impact": { - "low": true, - "moderate": true, - "high": true - } - } - ] - }, - "exceptions": { - "application": "These exceptions MAY override some or all of the FedRAMP requirements for this process.", - "id": "FRR-MAS-EX", - "name": "Exceptions", - "requirements": [ - { - "id": "FRR-MAS-EX-01", - "statement": "Providers MAY include documentation of _information resources_ beyond the _cloud service offering_, or even entirely outside the scope of FedRAMP, in a FedRAMP assessment and _authorization package_ supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the _cloud service offering_.", - "affects": [ - "Providers" - ], - "name": "Supplemental Information", - "primary_key_word": "MAY", - "impact": { - "low": true, - "moderate": true, - "high": true - } - } - ] - } - } - } -} \ No newline at end of file 
diff --git a/FRMR.PVA.persistent-validation-and-assessment.json b/FRMR.PVA.persistent-validation-and-assessment.json
deleted file mode 100644
index cb95156..0000000
--- a/FRMR.PVA.persistent-validation-and-assessment.json
+++ /dev/null
@@ -1,424 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "FedRAMP.schema.json", - "info": { - "name": "Persistent Validation and Assessment", - "short_name": "PVA", - "effective": { - "rev5": { - "is": "no" - }, - "20x": { - "is": "required", - "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", - "current_status": "Phase 2 Pilot", - "start_date": "2025-11-18", - "end_date": "2026-03-31", - "comments": [ - "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.", - "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review." - ] - } - }, - "releases": [ - { - "id": "25.11C", - "published_date": "2025-12-01", - "description": "No material changes to content; replaced references to \"standard\" with \"process\" or \"documentation\" as appropriate and removed incorrect Rev5 effective information from JSON.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/ced2160b22455ed26a11bf697be8f0ae3e1e5dff/data/FRMR.PVA.persistent-validation-and-assessment.json" - }, - { - "id": "25.11B", - "published_date": "2025-11-24", - "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.PVA.persistent-validation-and-assessment.json" - }, - { - "id": "25.11A", - "published_date": "2025-11-18", - "description": "Initial release of the Persistent Validation and Assessment process for the FedRAMP 20x Phase Two pilot.", - "public_comment": true, - "related_rfcs": [ - { - "start_date": "2025-09-15", - "end_date": "2025-11-14", - "id": "0017", - "url": "https://www.fedramp.gov/rfcs/0017/", - 
"discussion_url": "https://github.com/FedRAMP/community/discussions/88", - "short_name": "rfc-0017-persistent-validation", - "full_name": "FedRAMP RFC-0017: Persistent Validation and Assessment Standard" - } - ], - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/8cd28d23d75ace6ff14785d6ac54ed521cf46a8c/data/FRMR.PVA.persistent-validation-and-assessment.json" - } - ], - "front_matter": { - "authority": [ - { - "reference": "OMB Circular A-130: Managing Information as a Strategic Resource", - "reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf", - "description": "defines continuous monitoring as \"maintaining ongoing awareness of information security, vulnerabilities, threats, and incidents to support agency risk management decisions.\"" - }, - { - "reference": "The FedRAMP Authorization Act (44 USC \u00a7 3609 (a) (7))", - "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities", - "description": "directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring...\"" - } - ], - "purpose": "FedRAMP 20x is built around the core concept that secure cloud service providers will persistently and automatically validate that their security decisions and policies are being implemented as expected within their cloud service offering. The activities of a secure service should be intentional, documented, and in a state that is always known and understood by the provider.\n\nSecure providers will design their business processes and technical procedures to maximize the use of automation, persistent validation, and reporting across the entirety of their cloud service offering. 
This reduces cost by increasing efficiency, enables fast agile delivery of new capabilities and prevents unintended drift between the deployed cloud service offering and the business goals for the offering. Secure providers leverage automated and independent audits to evaluate the validity and effectiveness of their secure practices.\n\nAll FedRAMP 20x Authorized providers are expected to implement persistent validation programs as part of their core engineering workflow. These programs should be optimized to deliver value to the provider and their engineering teams first and foremost, though agencies and other customers will benefit from the improved security and insight resulting from high quality persistent validation programs.\n\nTo obtain and maintain a FedRAMP 20x authorization, providers will be required to have their persistent validation programs assessed regularly for effectiveness and completeness.", - "expected_outcomes": [ - "Cloud service providers will operate effective persistent validation programs to always understand the state of their services.", - "Assessors will prioritize technical review of validation programs to ensure the quality and effectiveness of a cloud service provider\u2019s security programs are documented accurately.", - "Federal agencies will have significantly increased confidence in the quality and effectiveness of cloud service provider\u2019s security programs." 
- ] - } - }, - "FRR": { - "PVA": { - "base": { - "id": "FRR-PVA", - "name": "Requirements & Recommendations", - "application": "These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services and those seeking authorization based on the current Effective Date(s) and Overall Applicability of this document.", - "requirements": [ - { - "id": "FRR-PVA-01", - "name": "Persistent Validation", - "statement": "Providers MUST _persistently_ perform validation of their Key Security Indicators following the processes and cycles documented for their _cloud service offering_ per FRR-KSI-02; this process is called _persistent validation_ and is part of _vulnerability detection_.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-02", - "name": "Failures As Vulnerabilities", - "statement": "Providers MUST treat failures detected during _persistent validation_ and failures of the _persistent validation_ process as _vulnerabilities_, then follow the requirements and recommendations in the FedRAMP Vulnerability Detection and Response process for such findings.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-03", - "statement": "Providers MUST include _persistent validation_ activity in the reports on _vulnerability detection_ and _response_ activity required by the FedRAMP Vulnerability Detection and Response process.", - "name": "Report Persistent Validation", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-04", - "name": "Track Significant Changes", - "statement": "Providers MUST track _significant changes_ that impact their Key Security Indicator goals and _validation_ processes while following the requirements and 
recommendations in the FedRAMP Significant Change Notification process; if such _significant changes_ are not properly tracked and supplied to _all necessary assessors_ then a full _Initial FedRAMP Assessment_ may be required in place of the expected _Persistent FedRAMP Assessment_.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-05", - "name": "Independent Assessment", - "statement": "Providers MUST have the implementation of their goals and validation processes assessed by a FedRAMP-recognized independent assessor OR by FedRAMP directly AND MUST include the results of this assessment in their _authorization data_ without modification.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST", - "notes": [ - "The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council. During 20x Phase Two this includes AI services that meet certain criteria as shown at https://fedramp.gov/ai.", - "FedRAMP recognized assessors are listed on the FedRAMP Marketplace." - ] - }, - { - "id": "FRR-PVA-06", - "name": "Complete Validation Assessment", - "statement": "Providers MUST ensure a complete assessment of _validation_ procedures (including underlying code, pipelines, configurations, automation tools, etc.) 
for the _cloud service offering_ by _all necessary assessors_.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST", - "note": "" - }, - { - "id": "FRR-PVA-07", - "name": "Provide Technical Evidence", - "statement": "Providers SHOULD provide technical explanations, demonstrations, and other relevant supporting information to _all necessary assessors_ for the technical capabilities they employ to meet Key Security Indicators and to provide _validation_.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "SHOULD" - }, - { - "id": "FRR-PVA-08", - "name": "Receiving Assessor Advice", - "statement": "Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their _validation_ and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also FRR-PVA-09).", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MAY", - "note": "The related A2LA requirements are waived for FedRAMP 20x Phase Two assessments." 
- }, - { - "id": "FRR-PVA-09", - "name": "Assessors May Advise", - "statement": "Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their _validation_ and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also FRR-PVA-08).", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "MAY" - }, - { - "id": "FRR-PVA-10", - "name": "Evaluate Validation Processes", - "statement": "Assessors MUST evaluate the underlying processes (both _machine-based_ and non-_machine-based_) that providers use to _validate_ Key Security Indicators; this evaluation should include at least:", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "MUST", - "following_information": [ - "The effectiveness, completeness, and integrity of the automated processes that perform validation of the _cloud service offering's_ security posture.", - "The effectiveness, completeness, and integrity of the human processes that perform _validation_ of the _cloud service offering's_ security posture", - "The coverage of these processes within the _cloud service offering_, including if all of the consolidated _information resources_ listed are being _validated_." 
- ] - }, - { - "id": "FRR-PVA-11", - "name": "Assess Process Implementation", - "statement": "Assessors MUST evaluate the implementation of processes derived from Key Security Indicators to determine whether or not the provider has accurately documented their process and goals.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-12", - "name": "Assess Outcome Consistency", - "statement": "Assessors MUST evaluate whether or not the underlying processes are consistently creating the desired security outcome documented by the provider.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-13", - "name": "Mixed Methods Evaluation", - "statement": "Assessors MUST perform evaluation using a combination of quantitative and expert qualitative assessment as appropriate AND document which is applied to which aspect of the assessment.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-14", - "name": "Engage Provider Experts", - "statement": "Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "SHOULD" - }, - { - "id": "FRR-PVA-15", - "name": "Avoid Static Evidence", - "statement": "Assessors MUST NOT rely on screenshots, configuration dumps, or other static output as evidence EXCEPT when evaluating the accuracy and reliability of a process that generates such artifacts.", - "impact": { - "low": true, - "moderate": true, - 
"high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "MUST NOT" - }, - { - "id": "FRR-PVA-16", - "name": "Verify Procedure Adherence", - "statement": "Assessors MUST assess whether or not procedures are consistently followed, including the processes in place to ensure this occurs, without relying solely on the existence of a procedure document for assessing if appropriate processes and procedures are in place.", - "note": "Note: This includes evaluating tests or plans for activities that may occur in the future but have not yet occurred.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-17", - "name": "Deliver Assessment Summary", - "statement": "Assessors MUST deliver a high-level summary of their assessment process and findings for each Key Security Indicator; this summary will be included in the _authorization data_ for the _cloud service offering_.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-18", - "name": "No Overall Recommendation", - "statement": "Assessors MUST NOT deliver an overall recommendation on whether or not the _cloud service offering_ meets the requirements for FedRAMP authorization.", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Assessors" - ], - "primary_key_word": "MUST NOT", - "note": "FedRAMP will make the final authorization decision based on the assessor's findings and other relevant information." 
- } - ] - }, - "timeframe-low": { - "application": "This section provides guidance on timeframes that apply specifically to FedRAMP Low authorizations for activities required or recommended in this document; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", - "id": "FRR-PVA-TF-LO", - "name": "Timeframes - Low", - "requirements": [ - { - "id": "FRR-PVA-TF-LO-01", - "statement": "Providers MUST complete the _validation_ processes for Key Security Indicators of non-_machine-based_ _information resources_ at least once every 3 months.", - "name": "Quarterly Non-Machine Validation", - "impact": { - "low": true, - "moderate": false, - "high": false - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-PVA-TF-LO-02", - "statement": "Providers MUST complete the _validation_ processes for Key Security Indicators of _machine-based_ _information resources_ at least once every 7 days.", - "name": "Weekly Machine Validation", - "impact": { - "low": true, - "moderate": false, - "high": false - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - } - ] - }, - "timeframe-moderate": { - "application": "This section provides guidance on timeframes that apply specifically to FedRAMP Moderate authorizations for activities required or recommended in this document; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", - "id": "FRR-PVA-TF-MO", - "name": "Timeframes - Moderate", - "requirements": [ - { - "id": "FRR-PVA-TF-MO-01", - "statement": "Providers MUST complete the _validation_ processes for Key Security Indicators of non-_machine-based_ _information resources_ at least once every 3 months.", - "name": "Quarterly Non-Machine Validation", - "impact": { - "low": false, - "moderate": true, - "high": false - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": 
"FRR-PVA-TF-LM-02",
- "statement": "Providers MUST complete the _validation_ processes for Key Security Indicators of _machine-based_ _information resources_ at least once every 3 days.",
- "name": "3-Day Machine Validation",
- "impact": {
- "low": false,
- "moderate": true,
- "high": false
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- }
- ]
- }
- }
- }
-}
\ No newline at end of file
diff --git a/FRMR.RSC.recommended-secure-configuration.json b/FRMR.RSC.recommended-secure-configuration.json
deleted file mode 100644
index 8d5ad26..0000000
--- a/FRMR.RSC.recommended-secure-configuration.json
+++ /dev/null
@@ -1,222 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "FedRAMP.schema.json",
- "info": {
- "name": "Recommended Secure Configuration",
- "short_name": "RSC",
- "effective": {
- "rev5": {
- "is": "required",
- "signup_url": "",
- "current_status": "Wide Release",
- "start_date": "2026-03-01",
- "end_date": "2027-12-22",
- "comments": [
- "These requirements apply after March 1, 2026, to all FedRAMP Rev5 cloud services that are listed in the FedRAMP Marketplace.",
- "This process supplements the Customer Responsibilities Matrix and other existing materials - all existing Rev5 materials are still required to be maintained.",
- "FedRAMP does not provide a specific template for the information required in this guidance to enable cloud service providers to share innovative solutions. As long as all requirements and recommendations in this document are addressed, providers are encouraged to share their Recommended Secure Configuration information in a way that makes the most sense for them and their customers."
- ],
- "warnings": [
- "**FedRAMP will begin enforcement of this process after March 1, 2026. Providers who do not have Recommended Secure Configuration guidance that meets the requirements and recommendations in this document will receive corrective action.**",
- "Beginning 2026-03-01, corrective action will include public notification that the provider does not meet this requirement.",
- "Beginning 2026-05-01, corrective action will include revocation of FedRAMP authorization and downgrade to FedRAMP Ready.",
- "Beginning 2026-07-01, corrective action will include complete removal from the FedRAMP Marketplace and a ban on FedRAMP authorization for three months."
- ]
- },
- "20x": {
- "is": "required",
- "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
- "current_status": "Phase 2 Pilot",
- "start_date": "2025-11-18",
- "end_date": "2026-03-31",
- "comments": [
- "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
- "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
- ]
- }
- },
- "releases": [
- {
- "id": "25.11B",
- "published_date": "2025-11-24",
- "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.RSC.recommended-secure-configuration.json"
- },
- {
- "id": "25.11A",
- "published_date": "2025-11-18",
- "description": "Initial release of the Recommended Secure Configuration (RSC) process for the FedRAMP 20x Phase Two pilot.",
- "public_comment": true,
- "related_rfcs": [
- {
- "start_date": "2025-09-10",
- "end_date": "1900-01-01",
- "id": "0015",
- "url": "https://www.fedramp.gov/rfcs/0015/",
- "discussion_url": "https://github.com/FedRAMP/community/discussions/84",
- "short_name": "rfc-0015-recommended-secure-configuration",
- "full_name": "FedRAMP RFC-0015: Recommended Secure Configuration Standard"
- }
- ],
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/e8c82f51ab77d760f5df340022a0ae1ab18f31ad/data/FRMR.RSC.recommended-secure-configuration.json"
- }
- ],
- "front_matter": {
- "authority": [
- {
- "reference": "Executive Order 14144 Strengthening and Promoting Innovation in the Nation\u2019s Cybersecurity Section 3 (d), as amended by Executive Order 14306 Sustaining Select Efforts to Strengthen the Nation\u2019s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144",
- "reference_url": "https://www.federalregister.gov/documents/2025/06/11/2025-10804/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694",
- "description": " to Section 3 (b), states \"the Administrator of General Services, acting through the Director of the Federal Risk and Authorization Management Program (FedRAMP), in coordination with the Secretary of Commerce, acting through the Director of NIST, and the Secretary of Homeland Security, acting through the Director of CISA, shall develop FedRAMP policies and practices to incentivize or require cloud service providers in the FedRAMP Marketplace to produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems in order to secure Federal data based on agency requirements.\""
- }
- ],
- "purpose": "All customers benefit from simple, easy to follow, easy to understand instructions for securely configuring a cloud service offering. Cloud service providers often provide a wide range of configuration options to allow individual customers to pick and choose their security posture based on their individual customer needs and are best positioned to provide instructions about the overall security impacts of many of these choices.\n\nThis process outlines simple requirements for FedRAMP authorized cloud service providers to effectively communicate the security impact of common settings to new and current agency customers."
- }
- },
- "FRR": {
- "RSC": {
- "base": {
- "id": "FRR-RSC",
- "application": "These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document.",
- "name": "Requirements & Recommendations",
- "requirements": [
- {
- "id": "FRR-RSC-01",
- "statement": "Providers MUST create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission _top-level administrative accounts_ that control enterprise access to the entire _cloud service offering_.",
- "name": "Top-Level Administrative Accounts Guidance",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "note": "This guidance should explain how _top-level administrative accounts_ are named and referred to in the _cloud service offering_."
- },
- {
- "id": "FRR-RSC-02",
- "statement": "Providers MUST create and maintain guidance that explains security-related settings that can be operated only by _top-level administrative accounts_ and their security implications.",
- "name": "Top-Level Administrative Accounts Security Settings Guidance",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST"
- },
- {
- "id": "FRR-RSC-03",
- "statement": "Providers SHOULD create and maintain guidance that explains security-related settings that can be operated only by _privileged accounts_ and their security implications.",
- "name": "Privileged Accounts Security Settings Guidance",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": ["Providers"],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-RSC-04",
- "statement": "Providers SHOULD set all settings to their recommended secure defaults for _top-level administrative accounts_ and _privileged accounts_ when initially provisioned.",
- "name": "Secure Defaults on Provisioning",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": ["Providers"],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-RSC-05",
- "statement": "Providers SHOULD offer the capability to compare all current settings for _top-level administrative accounts_ and _privileged accounts_ to the recommended secure defaults.",
- "name": "Comparison Capability",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": ["Providers"],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-RSC-06",
- "statement": "Providers SHOULD offer the capability to export all security settings in a _machine-readable_ format.",
- "name": "Export Capability",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-RSC-07",
- "statement": "Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability.",
- "name": "API Capability",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-RSC-08",
- "statement": "Providers SHOULD provide recommended secure configuration guidance in a _machine-readable_ format that can be used by customers or third-party tools to compare against current settings.",
- "name": "Machine-Readable Guidance",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-RSC-09",
- "statement": "Providers SHOULD make recommended secure configuration guidance available publicly.",
- "name": "Publish Guidance",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- },
- {
- "id": "FRR-RSC-10",
- "statement": "Providers SHOULD provide versioning and a release history for recommended secure default settings for _top-level administrative accounts_ and _privileged accounts_ as they are adjusted over time.",
- "name": "Versioning and Release History",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD"
- }
- ]
- }
- }
- }
-}
\ No newline at end of file
diff --git a/FRMR.SCN.significant-change-notifications.json b/FRMR.SCN.significant-change-notifications.json
deleted file mode 100644
index 84bf701..0000000
--- a/FRMR.SCN.significant-change-notifications.json
+++ /dev/null
@@ -1,594 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2020-12/schema",
- "$id": "FedRAMP.schema.json",
- "info": {
- "name": "Significant Change Notifications",
- "short_name": "SCN",
- "effective": {
- "rev5": {
- "is": "optional",
- "signup_url": "",
- "current_status": "Wide Release",
- "start_date": "2026-02-27",
- "end_date": "2027-12-22",
- "comments": [
- "Rev5 Authorized providers or those seeking FedRAMP authorization MAY adopt this process in place of the traditional FedRAMP Significant Change Request process after February 27, 2026.",
- "Providers MUST address all requirements and recommendations in this process prior to full adoption.",
- "Rev5 Authorized Providers who switch to the Significant Change Notification process MUST notify FedRAMP by sending an email to info@fedramp.gov.",
- "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's adoption of this process.",
- "Providers seeking FedRAMP authorization who plan to follow the Significant Change Notification process must clearly note this in their authorization package",
- "The FedRAMP Marketplace will include a section that indicates if a cloud service offering is following this process."
- ]
- },
- "20x": {
- "is": "required",
- "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
- "current_status": "Phase 2 Pilot",
- "start_date": "2025-11-18",
- "end_date": "2026-03-31",
- "comments": [
- "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
- "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
- ]
- }
- },
- "releases": [
- {
- "id": "25.11C",
- "published_date": "2025-12-01",
- "description": "No material changes to content; replaced references to \"standard\" with \"process\" or \"documentation\" as appropriate.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/ced2160b22455ed26a11bf697be8f0ae3e1e5dff/data/FRMR.SCN.significant-change-notifications.json"
- },
- {
- "id": "25.11B",
- "published_date": "2025-11-24",
- "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.SCN.significant-change-notifications.json"
- },
- {
- "id": "25.11A",
- "published_date": "2025-11-18",
- "description": "Updates for the FedRAMP 20x Phase Two pilot; renames FRR-SCN-TF section to FRR-SCN-TR to avoid confusion with \"timeframe\" rulesets in other FedRAMP standards",
- "public_comment": false,
- "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/3291fa1952f5b68eaf1a815a8ef1846ae8ca9e2f/data/FRMR.SCN.significant-change-notifications.json"
- },
- {
- "id": "25.10A",
- "published_date": "2025-10-17",
- "description": "minor updates to improve clarity; switch from federal information to federal customer data; add impact level metadata; no substantive changes.",
- "public_comment": false,
- "machine_readable_link": null
- },
- {
- "id": "25.06B",
- "published_date": "2025-08-24",
- "description": "Minor non-breaking updates to align term definitions and highlighted terms across updated materials (definitions are now in FRD-ALL).",
- "public_comment": false,
- "machine_readable_link": null
- },
- {
- "id": "25.06A",
- "published_date": "2025-06-17",
- "description": "Initial release of Significant Change Notification Requirements",
- "public_comment": true,
- "related_rfcs": [
- {
- "start_date": "2025-04-24",
- "end_date": "2025-05-25",
- "id": "0007",
- "url": "https://www.fedramp.gov/rfcs/0007/",
- "discussion_url": "https://github.com/FedRAMP/community/discussions/4",
- "short_name": "rfc-0007-significant-change-notification",
- "full_name": "FedRAMP RFC-0007: Significant Change Notification Standard"
- },
- {
- "start_date": "2025-05-15",
- "end_date": "2025-06-15",
- "id": "0009",
- "url": "https://www.fedramp.gov/rfcs/0009/",
- "discussion_url": "https://github.com/FedRAMP/community/discussions/6",
- "short_name": "rfc-0009-scn-technical-assistance",
- "full_name": "FedRAMP RFC-0009: Significant Change Notification Technical Assistance"
- }
- ],
- "machine_readable_link": null
- }
- ],
- "front_matter": {
- "authority": [
- {
- "reference": "FedRAMP Authorization Act (44 USC \u00a7 3609 (a) (7))",
- "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities",
- "description": "directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the [OMB] Director and the [DHS] Secretary, to establish and regularly update a framework for continuous monitoring...\"",
- "delegation": "This responsibility is delegated to the FedRAMP Director",
- "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"
- },
- {
- "reference": "OMB Memorandum M-24-15 on Modernizing FedRAMP",
- "reference_url": "https://www.fedramp.gov/docs/authority/m-24-15",
- "description": "section VI states \"FedRAMP should seek input from CSPs and develop processes that enable CSPs to maintain an agile deployment lifecycle that does not require advance Government approval, while giving the Government the visibility and information it needs to maintain ongoing confidence in the FedRAMP-authorized system and to respond timely and appropriately to incidents.\""
- }
- ],
- "purpose": "The Significant Change Notification (SCN) process establishes conditions for FedRAMP authorized cloud service providers to make most significant changes without requiring advance government approval. Agency authorizing officials who authorize the use of FedRAMP authorized cloud services are expected to account for the risk of cloud service providers making changes to improve the service.\n\nThis process broadly identifies four types of significant changes, from least impactful to most impactful:\n1. Routine Recurring\n2. Adaptive\n3. Transformative\n4. Impact Categorization\n\nThese categories, and the resulting requirements, apply only to significant changes.",
- "expected_outcomes": [
- "Cloud service providers will securely deliver new features and capabilities for government customers at the same speed and pace of delivery for commercial customers, without needing advance government approval",
- "Federal agencies will have equal access to features and capabilities as commercial customers without sacrificing the visibility and information they need to maintain ongoing confidence in the service"
- ]
- }
- },
- "FRR": {
- "SCN": {
- "base": {
- "id": "FRR-SCN",
- "application": "These requirements apply ALWAYS to ALL _significant changes_ based on current Effective Date(s) and Overall Applicability",
- "name": "Requirements & Recommendations",
- "requirements": [
- {
- "id": "FRR-SCN-01",
- "statement": "Providers MUST notify all necessary parties when Significant Change Notifications are required, including at least FedRAMP and all agency customers. Providers MAY share Significant Change Notifications publicly or with other parties.",
- "name": "Notifications",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-02",
- "statement": "Providers MUST follow the procedures documented in their security plan to plan, evaluate, test, perform, assess, and document changes.",
- "name": "Procedures and Documentation",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-03",
- "statement": "Providers MUST evaluate and type label all _significant changes_, then follow FedRAMP requirements for the type.",
- "name": "Evaluate Changes",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-04",
- "statement": "Providers MUST maintain auditable records of these activities and make them available to all necessary parties.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-05",
- "statement": "Providers MUST keep historical Significant Change Notifications available to all necessary parties at least until the service completes its next annual assessment.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-06",
- "statement": "All parties SHOULD follow FedRAMP's best practices and technical assistance on _significant change_ assessment and notification where applicable.",
- "affects": [
- "Providers",
- "Agencies",
- "Assessors"
- ],
- "primary_key_word": "SHOULD",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-07",
- "statement": "Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented and easily accessible.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MAY",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-08",
- "statement": "Providers MUST make ALL Significant Change Notifications and related audit records available in similar human-readable and compatible _machine-readable_ formats.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-09",
- "statement": "Providers MUST include at least the following information in Significant Change Notifications:",
- "following_information": [
- "Service Offering FedRAMP ID",
- "Assessor Name (if applicable)",
- "Related POA&M (if applicable)",
- "Significant Change type and explanation of categorization",
- "Short description of change",
- "Reason for change",
- "Summary of customer impact, including changes to services and customer configuration responsibilities",
- "Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted Key Security Indicators or controls",
- "Copy of the business or security impact analysis",
- "Name and title of approver"
- ],
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-10",
- "statement": "Providers MAY include additional relevant information in Significant Change Notifications.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MAY",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- },
- "routine_recurring": {
- "application": "These requirements apply ONLY to _significant changes_ of type _routine recurring_.",
- "id": "FRR-SCN-RR",
- "name": "Routine Recurring",
- "requirements": [
- {
- "id": "FRR-SCN-RR-01",
- "statement": "Providers SHOULD NOT make formal Significant Change Notifications for _routine recurring_ changes; this type of change is exempted from the notification requirements of this process.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD NOT",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- },
- "adaptive": {
- "application": "These requirements apply ONLY to _significant changes_ of type _adaptive_.",
- "id": "FRR-SCN-AD",
- "name": "Adaptive",
- "requirements": [
- {
- "id": "FRR-SCN-AD-01",
- "statement": "Providers MUST notify all necessary parties within ten business days after finishing _adaptive_ changes, also including the following information:",
- "following_information": [
- "Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)"
- ],
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- },
- "transformative": {
- "application": "These requirements apply ONLY to _significant changes_ of type _transformative_.",
- "id": "FRR-SCN-TR",
- "name": "Transformative",
- "requirements": [
- {
- "id": "FRR-SCN-TR-01",
- "statement": "Providers SHOULD engage a third-party assessor to review the scope and impact of the planned change before starting _transformative_ changes if human validation is necessary. This review SHOULD be limited to security decisions that require human validation. Providers MUST document this decision and justification.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "SHOULD",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-TR-02",
- "statement": "Providers MUST notify all necessary parties of initial plans for _transformative_ changes at least 30 business days before starting _transformative_ changes.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-TR-03",
- "statement": "Providers MUST notify all necessary parties of final plans for _transformative_ changes at least 10 business days before starting _transformative_ changes.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-TR-04",
- "statement": "Providers MUST notify all necessary parties within 5 business days after finishing _transformative_ changes, also including the following information:",
- "following_information": [
- "Updates to all previously sent information"
- ],
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-TR-05",
- "statement": "Providers MUST notify all necessary parties within 5 business days after completing the verification, assessment, and/or validation of _transformative_ changes, also including the following information:",
- "following_information": [
- "Updates to all previously sent information",
- "Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)",
- "Copy of the security assessment report (if applicable)"
- ],
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-TR-06",
- "statement": "Providers MUST publish updated service documentation and other materials to reflect _transformative_ changes within 30 business days after finishing _transformative_ changes.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-TR-07",
- "statement": "Providers MUST allow agency customers to OPT OUT of _transformative_ changes whenever feasible.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- },
- "impact": {
- "application": "These requirements apply ONLY to _significant changes_ of type _impact categorization_.",
- "id": "FRR-SCN-IM",
- "name": "Impact Categorization",
- "requirements": [
- {
- "id": "FRR-SCN-IM-01",
- "statement": "Providers MUST follow the legacy Significant Change Request process or full re-authorization for _impact categorization_ changes, with advance approval from an identified lead agency, until further notice.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MUST",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- },
- "exceptions": {
- "application": "These exceptions MAY override some or all of the FedRAMP requirements for this process.",
- "id": "FRR-SCN-EX",
- "name": "Exceptions",
- "requirements": [
- {
- "id": "FRR-SCN-EX-01",
- "statement": "Providers MAY be required to delay _significant changes_ beyond the standard Significant Change Notification period and/or submit _significant changes_ for approval in advance as a condition of a formal FedRAMP Corrective Action Plan or other agreement.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MAY",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRR-SCN-EX-02",
- "statement": "Providers MAY execute _significant changes_ (including _transformative_ changes) during an emergency or incident without meeting Significant Change Notification requirements in advance ONLY if absolutely necessary. In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident.",
- "affects": [
- "Providers"
- ],
- "primary_key_word": "MAY",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- }
- ]
- }
- }
- },
- "FRA": {
- "SCN": {
- "id": "FRA-SCN",
- "disclaimer": "Every cloud service provider is different, every architecture is different, and every environment is different. Best practices and technical assistance MUST NOT be used as a checklist. All examples are for discussion purposes ONLY.",
- "purpose": "This Technical Assistance helps stakeholders evaluate and label _significant changes_ by type as required by _FRR-SCN-03_. This assistance is designed for the 20x Phase One Pilot and Rev5 Closed Beta Balance Improvement Test. The Significant Change Notification Requirements will be tested, evaluated, and improved in partnership with stakeholders based on real-world experience.",
- "requirements": [
- {
- "id": "FRA-SCN-03",
- "applies_to": "FRR-SCN-03",
- "statement": "Once a change has been identified as a _significant change_ in general, FedRAMP recommends next determining if a change is of the type _routine recurring_. If it is not, work down from the highest impact to lowest to identify the type of change.\n\n1. Is it a _significant change_?\n2. If it is, is it a _routine recurring_ change?\n3. If it is not, is it an _impact categorization_ change?\n4. If it is not, is it a _transformative_ change?\n5. If it is not, then it is an _adaptive_ change.",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- }
- },
- {
- "id": "FRA-SCN-RR",
- "applies_to": "FRR-SCN-RR",
- "statement": "Activities that match the _routine recurring_ _significant change_ type are performed _regularly_ and routinely by cloud service providers to address flaws or vulnerabilities, address incidents, and generally perform the typical maintenance and service delivery changes expected during day-to-day operations.\n\nThese changes leverage mature processes and capabilities to identify, mitigate, and remediate risks as part of the change. They are often entirely automated and may occur without human intervention, even though they have an impact on security of the service.\n\nIf the activity does not occur _regularly_ and routinely then it cannot be a _significant change_ of this type (e.g., replacing all physical firewalls to remediate a vulnerability is obviously not regular or routine).",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "examples": [
- {
- "id": "Ongoing operations",
- "key_tests": [
- "Routine care and feeding by staff during normal duties",
- "No major impact to service availability",
- "Does not require executive approval"
- ],
- "examples": [
- "Provisioning or deprovisioning capacity to support service elasticity",
- "Changing or tuning performance configurations for instances or services",
- "Updating and maintaining operational handling of information flows and protection across physical and logical networks (e.g., updating firewall rules)",
- "Generating or refreshing API or access tokens"
- ]
- },
- {
- "id": "Vulnerability Management",
- "key_tests": [
- "Minor, incremental patching or updates",
- "Significant refactoring or migration process NOT required",
- "No breaking changes"
- ],
- "examples": [
- "Updating security service or endpoint signatures",
- "Routine patching of devices, operating systems, software or libraries",
- "Updating and deploying code that applies normal fixes and improvements as part of a regular development cycle",
- "Vulnerability remediation activity that simply replaces a known-bad component(s) with a better version of the exact same thing, running in the exact same way with no changes to processes"
- ]
- }
- ]
- },
- {
- "id": "FRA-SCN-TR",
- "applies_to": "FRR-SCN-TR",
- "statement": "Activities that match the _transformative_ _significant change_ type are rare for a cloud service offering, adjusted for the size, scale, and complexity of the service. Small cloud service offerings may go years without _transformative_ changes, while hyperscale providers may release multiple _transformative_ changes per year.",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "examples": [
- {
- "id": "Transformative changes",
- "key_tests": [
- "Alters the service risk profile or require new or significantly different actions to address customer responsibilities",
- "Requires significant new design, development and testing with discrete associated project planning, budget, marketing, etc.",
- "Requires extensive updates to security assessments, documentation, and how a large number of security requirements are met and validated"
- ],
- "examples": [
- "The addition, removal, or replacement of a critical third party service that handles a significant portion of information (e.g., IaaS change)",
- "Increasing the security categorization of a service within the offering that actively handles _federal customer data_ (does NOT include impact change of entire offering - see impact categorization change)",
- "Replacement of underlying management planes or paradigm shift in workload orchestration (e.g., bare-metal servers or virtual machines to containers, migration to kubernetes)",
- "Datacenter migration where large amounts of _federal customer data_ is moved across boundaries different from normal day-to-day operations",
- "Adding a new AI-based capability that impacts _federal customer data_ in a different way than existing services or capabilities (such as integrating a new third-party service or training on _federal customer data_)"
- ]
- }
- ]
- },
- {
- "id": "FRA-SCN-AD",
- "applies_to": "FRR-SCN-AD",
- "statement": "Activities that match the _adaptive_ _significant change_ type are a frequent and normal part of iteratively improving a service by deploying new functionality or modifying existing functionality in a way that is typically transparent to customers and does not introduce significant new security risks.\n\nIn general, most changes that do not happen _regularly_ will be _adaptive_ changes. This change type deliberately covers a wide range of activities in a way that requires assessment and consideration.",
- "impact": {
- "low": true,
- "moderate": true,
- "high": true
- },
- "examples": [
- {
- "id": "Service adjustments",
- "key_tests": [
- "Requires minimal changes to security plans or procedures",
- "Requires some careful planning and project management to implement, but does not rise to the level of planning required for transformative changes",
- "Requires verification of existing functionality and secure configuration after implementation"
- ],
- "examples": [
- "Updates to operating systems, containers, virtual machines, software or libraries with known breaking changes, complex steps, or service disruption",
- "Deploying larger than normal incremental feature improvements in code or libraries that are the work of multiple weeks of development efforts but are not considered a major new service",
- "Changing cryptographic modules where the new module meets the same standards and characteristics of the former",
- "Replacing a like-for-like component where some security plan or procedure adjustments are required (e.g., scanning tool or managed database swap)",
- "Adding models to existing approved AI services without exposing _federal customer data_ to new services"
- ]
- }
- ]
- }
- ]
- }
- }
-}
\ No newline at end of file
diff --git a/FRMR.UCM.using-cryptographic-modules.json b/FRMR.UCM.using-cryptographic-modules.json
deleted file mode 100644
index 4378d8a..0000000
--- a/FRMR.UCM.using-cryptographic-modules.json
+++ /dev/null
@@ -1,115 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "FedRAMP.schema.json", - "info": { - "name": "Using Cryptographic Modules", - "short_name": "UCM", - "effective": { - "rev5": { - "is": "no" - }, - "20x": { - "is": "required", - "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", - "current_status": "Phase 2 Pilot", - "start_date": "2025-11-18", - "end_date": "2026-03-31", - "comments": [ - "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.", - "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review." - ] - } - }, - "releases": [ - { - "id": "25.11C", - "published_date": "2025-12-01", - "description": "No material changes to content; replaced references to \"standard\" with \"process\" or \"documentation\" as appropriate.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/ced2160b22455ed26a11bf697be8f0ae3e1e5dff/data/FRMR.UCM.using-cryptographic-modules.json" - }, - { - "id": "25.11B", - "published_date": "2025-11-24", - "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.UCM.using-cryptographic-modules.json" - }, - { - "id": "25.11A", - "published_date": "2025-11-18", - "description": "Initial release of simplified 20x version of this existing FedRAMP policy.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/f10df15d0dfb152cb736a26a7ddda8927011696e/FRMR.UCM.using-cryptographic-modules.json" - } - ], - "front_matter": { - "purpose": "This set of requirements and recommendations converts the existing 
FedRAMP Policy for Cryptographic Module Selection and Use (https://www.fedramp.gov/resources/documents/FedRAMP_Policy_for_Cryptographic_Module_Selection_v1.1.0.pdf) to the simpler FedRAMP 20x style and clarifies the implementation expectations for FedRAMP 20x.\n\nThe notable change from the default Rev5 Policy for Cryptographic Module Selection and Use is that the use of cryptographic modules (or update streams) validated under the NIST Cryptographic Module Validation Program are not explicitly required when cryptographic modules are used to protect federal customer data in cloud service offerings seeking FedRAMP authorization at the Moderate impact level. This acknowledges that not all Moderate impact federal customer data is considered \u201csensitive\u201d and allows both cloud service providers and agency customers to make risk-based decisions about their use of Moderate impact services for agency use cases that do not include sensitive data.\n\nFedRAMP recommends that cloud service providers seeking FedRAMP authorization at the Moderate impact level use such cryptographic modules whenever technically feasible and reasonable but acknowledges there may be sound reasons not to do so across the board at the Moderate impact level. As always, the reasoning and justification for such decisions must be documented by the cloud service provider." 
- } - }, - "FRR": { - "UCM": { - "base": { - "id": "FRR-UCM", - "application": "These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document.", - "name": "Requirements & Recommendations", - "requirements": [ - { - "id": "FRR-UCM-01", - "statement": "Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect _federal customer data_, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.", - "name": "Cryptographic Module Documentation", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - }, - { - "id": "FRR-UCM-02", - "statement": "Providers SHOULD configure _agency_ tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available.", - "name": "Use of Validated Cryptographic Modules", - "impact": { - "low": true, - "moderate": true, - "high": true - }, - "affects": ["Providers"], - "primary_key_word": "SHOULD" - }, - { - "id": "FRR-UCM-03", - "statement": "Providers SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect _federal customer data_.", - "name": "Update Streams (Moderate)", - "impact": { - "low": false, - "moderate": true, - "high": false - }, - "affects": [ - "Providers" - ], - "primary_key_word": "SHOULD" - }, - { - "id": "FRR-UCM-04", - "statement": "Providers MUST use cryptographic modules or update streams of cryptographic modules with active validations 
under the NIST Cryptographic Module Validation Program when using cryptographic services to protect _federal customer data_.", - "impact": { - "low": false, - "moderate": false, - "high": true - }, - "name": "Update Streams (High)", - "affects": [ - "Providers" - ], - "primary_key_word": "MUST" - } - ] - } - } - } -} \ No newline at end of file diff --git a/FRMR.VDR.vulnerability-detection-and-response.json b/FRMR.VDR.vulnerability-detection-and-response.json deleted file mode 100644 index bdee634..0000000 --- a/FRMR.VDR.vulnerability-detection-and-response.json +++ /dev/null 
@@ -1,1031 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "FedRAMP.schema.json", - "info": { - "name": "Vulnerability Detection and Response", - "short_name": "VDR", - "effective": { - "rev5": { - "is": "optional", - "signup_url": "https://docs.google.com/forms/d/e/1FAIpQLSePkNZNzB3hke39KwT1c7aGhAcsNLm_xz4NZuPcqUfq01rDgg/viewform", - "current_status": "Open Beta", - "start_date": "2026-02-02", - "end_date": "2026-05-22", - "comments": [ - "**Providers MUST notify FedRAMP of intent to participate in the Vulnerability Detection and Response Rev5 Open Beta by submitting a sign-up form to FedRAMP.**", - "Rev5 Authorized providers MAY adopt this process beginning February 2, 2026 as part of the Open Beta.", - "Providers MUST plan to address all requirements and recommendations in this process by the end of the Open Beta on May 22, 2026.", - "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's participation in this beta.", - "FedRAMP recommends that participants in the Vulnerability Detection and Response beta also adopt the Authorization Data Sharing process and the Significant Change Notifications process." - ] - }, - "20x": { - "is": "required", - "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", - "current_status": "Phase 2 Pilot", - "start_date": "2025-11-18", - "end_date": "2026-03-31", - "comments": [ - "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.", - "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review." 
- ] - } - }, - "releases": [ - { - "id": "25.11C", - "published_date": "2025-12-01", - "description": "No material changes to content; replaced references to \"standard\" with \"process\" or \"documentation\" as appropriate.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/ced2160b22455ed26a11bf697be8f0ae3e1e5dff/data/FRMR.VDR.vulnerability-detection-and-response.json" - }, - { - "id": "25.11B", - "published_date": "2025-11-24", - "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/a37618fccf49d6b3406d90edf2125dc6cfcba140/data/FRMR.VDR.vulnerability-detection-and-response.json" - }, - { - "id": "25.11A", - "published_date": "2025-11-18", - "description": "Updates for the FedRAMP 20x Phase Two pilot, including minor clarifications and improvements based on pilot feedback.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/e8c82f51ab77d760f5df340022a0ae1ab18f31ad/data/FRMR.VDR.vulnerability-detection-and-response.json" - }, - { - "id": "25.10A", - "published_date": "2025-10-17", - "description": "Minor updates to improve clarity; switch from federal information to federal customer data; add impact level metadata; no substantive changes.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/e5a72fc4b1602e56a145b73e44a822e9ee2aa8bd/FRMR.VDR.vulnerability-detection-and-response.json" - }, - { - "id": "25.09B", - "published_date": "2025-09-11", - "description": "This update moves the remediation table from FRR-VDR-TF-HI-07 to FRR-VDR-TF-HI-08, adds a clarification on application to Rev5, and fixes a few minor typos. 
No actual breaking/modifying changes were made to content.", - "public_comment": false, - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/34a080e3d2dae0841677fc1c9cfa4b1b69f6ee43/FRMR.VDR.vulnerability-detection-and-response.json" - }, - { - "id": "25.09A", - "published_date": "2025-09-10", - "description": "Initial release of the Vulnerability Detection and Response Standard", - "public_comment": true, - "related_rfcs": [ - { - "start_date": "2025-07-15", - "end_date": "2025-08-21", - "id": "0012", - "url": "https://www.fedramp.gov/rfcs/0012/", - "discussion_url": "https://github.com/FedRAMP/community/discussions/59", - "short_name": "rfc-0012-vulnerability-management", - "full_name": "FedRAMP RFC-0012: Continuous Vulnerability Management Standard" - } - ], - "machine_readable_link": "https://raw.githubusercontent.com/FedRAMP/docs/b896bbb8bded38e118320d3c442fd2f1e531514c/FRMR.VDR.vulnerability-detection-and-response.json" - } - ], - "front_matter": { - "authority": [ - { - "reference": "OMB Circular A-130, Managing Information as a Strategic Resource", - "reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf", - "description": "OMB Circular A-130 defines continuous monitoring as \"maintaining ongoing awareness of information security, vulnerabilities, threats, and incidents to support agency risk management decisions.\"" - }, - { - "reference": "44 USC \u00a7 3609 (a)(7)", - "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities", - "description": "The FedRAMP Authorization Act (44 USC \u00a7 3609 (a)(7)) directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous 
monitoring...\"", - "delegation": "This responsibility is delegated to the FedRAMP Director", - "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" - } - ], - "purpose": "The FedRAMP Vulnerability Detection and Response process ensures FedRAMP Authorized cloud service offerings use automated systems to effectively and continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities and related exposures to threats; and that information related to these activities are effectively and continuously reported to federal agencies for the purposes of ongoing authorization.\n\nThe Vulnerability Detection and Response process defines minimum security requirements that cloud service providers must meet to be FedRAMP Authorized while allowing them flexibility in how they implement and adopt the majority of FedRAMP's requirements and recommendations. This creates a marketplace where cloud service providers can compete based on their individual approach and prioritization of security and agencies can choose to adopt cloud services with less effective security programs for less sensitive use cases while prioritizing cloud services with high performing security programs when needed.\n\nOver time, FedRAMP will automatically review the machine-readable authorization data shared by participating cloud service providers to begin scoring cloud service offerings based on how effectively they meet or exceed the requirements and recommendations in this and other FedRAMP 20x processes.\n\nAll existing FedRAMP requirements, including control statements, standards, and other guidelines that reference vulnerability scanning or formal Plans of Action and Milestones (POA&Ms) are superseded by this process and MAY be ignored by providers of cloud service offerings that have met the requirements to adopt this process with approval by FedRAMP.", - "expected_outcomes": [ - "Cloud service providers following commercial security best 
practices will be able to meet and validate FedRAMP security requirements with simple changes and automated capabilities", - "Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based authorizations based on their use cases" - ] - } - }, - "FRR": { - "VDR": { - "base": { - "id": "FRR-VDR", - "name": "Requirements & Recommendations", - "application": "These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document.", - "requirements": [ - { - "id": "FRR-VDR-01", - "statement": "Providers MUST systematically, _persistently_, and _promptly_ discover and identify _vulnerabilities_ within their _cloud service offering_ using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other relevant capabilities; this process is called _vulnerability detection_.", - "affects": ["Providers"], - "name": "Vulnerability Detection", - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-02", - "statement": "Providers MUST systematically, _persistently_, and _promptly_ track, evaluate, monitor, _mitigate_, _remediate_, assess exploitation of, report, and otherwise manage all detected vulnerabilities within their _cloud service offering_; this process is called _vulnerability response_.", - "affects": ["Providers"], - "name": "Vulnerability Response", - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-03", - "statement": "Providers MUST follow the requirements and recommendations outlined in FRR-VDR-TF regarding timeframes for _vulnerability detection_ and _response_.", - "name": "Timeframe Requirements", - "note": "Providers are strongly encouraged to build 
programs that consistently exceed these thresholds. Performance will be measured by FedRAMP for comparison between providers and scoring within the FedRAMP Marketplace.", - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-04", - "statement": "Providers MAY sample effectively identical _information resources_, especially _machine-based_ _information resources_, when performing _vulnerability detection_ UNLESS doing so would decrease the efficiency or effectiveness of _vulnerability detection_.", - "name": "Sampling Identical Resources", - "affects": ["Providers"], - "primary_key_word": "MAY", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-05", - "statement": "Providers SHOULD evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to identify logical groupings of affected _information resources_ that may improve the efficiency and effectiveness of _vulnerability response_ by consolidating further activity; requirements and recommendations in this process are then applied to these consolidated groupings of _vulnerabilities_ instead of each individual detected instance.", - "name": "Grouping Vulnerabilities", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-06", - "statement": "Providers SHOULD evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to determine if they are _false positive vulnerabilities_.", - "name": "Evaluate False Positives", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-07", - "statement": "Providers MUST evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to determine if they 
are _likely exploitable vulnerabilities_.", - "name": "Evaluate Exploitability", - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-08", - "statement": "Providers MUST evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to determine if they are _internet-reachable vulnerabilities_.", - "name": "Evaluate Internet-Reachability", - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-09", - "statement": "Providers MUST evaluate _detected vulnerabilities_, considering the context of the _cloud service offering_, to estimate the _potential adverse impact_ of exploitation on government customers AND assign one of the following _potential adverse impact_ ratings:", - "name": "Estimate Potential Adverse Impact", - "affects": ["Providers"], - "primary_key_word": "MUST", - "following_information_bullets": [ - "**N1**: Exploitation could be expected to have _negligible adverse effects_ on one or more _agencies_ that use the _cloud service offering_.", - "**N2**: Exploitation could be expected to have _limited adverse effects_ on one or more _agencies_ that use the _cloud service offering_.", - "**N3**: Exploitation could be expected to have a _serious adverse effect_ on one _agency_ that uses the _cloud service offering_.", - "**N4**: Exploitation could be expected to have a _catastrophic adverse effect_ on one _agency_ that uses the _cloud service offering_ OR a _serious adverse effect_ on more than one federal agency that uses the _cloud service offering_.", - "**N5**: Exploitation could be expected to have a _catastrophic adverse effect_ on more than one _agency_ that uses the _cloud service offering_." 
- ], - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-10", - "statement": "Providers SHOULD consider at least the following factors when considering the context of the _cloud service offering_ to evaluate _detected vulnerabilities_:", - "name": "Evaluation Factors", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "following_information": [ - "**Criticality**: How important are the systems or information that might be impacted by the _vulnerability_?", - "**Reachability**: How might a threat actor reach the _vulnerability_ and how _likely_ is that?", - "**Exploitability**: How easy is it for a threat actor to exploit the _vulnerability_ and how _likely_ is that?", - "**Detectability**: How easy is it for a threat actor to become aware of the _vulnerability_ and how _likely_ is that?", - "**Prevalence**: How much of the _cloud service offering_ is affected by the _vulnerability_?", - "**Privilege**: How much privileged authority or access is granted or can be gained from exploiting the _vulnerability_?", - "**Proximate Vulnerabilities**: How does this _vulnerability_ interact with previously _detected vulnerabilities_, especially _partially_ or _fully mitigated vulnerabilities?_", - "**Known Threats**: How might already known threats leverage the _vulnerability_ and how _likely_ is that?" 
- ], - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-11", - "statement": "Providers MUST document the reason and resulting implications for their customers when choosing not to meet FedRAMP recommendations in this process; this documentation MUST be included in the _authorization data_ for the _cloud service offering_.", - "name": "Documenting Reasons", - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - } - ] - }, - "apply": { - "application": "This section provides guidance on the application of this process, including recommendations for implementing high quality _vulnerability detection_ and _response_ programs; providers who follow some or all of these will be better positioned to meet future FedRAMP authorization requirements.", - "id": "FRR-VDR-AY", - "name": "Application", - "requirements": [ - { - "id": "FRR-VDR-AY-01", - "statement": "If it is not possible to _fully mitigate_ or _remediate_ _detected vulnerabilities_, providers SHOULD instead _partially mitigate vulnerabilities_ _promptly_, progressively, and _persistently_.", - "name": "Partial Mitigation", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-AY-02", - "statement": "Providers SHOULD make design and architecture decisions for their _cloud service offering_ that mitigate the risk of _vulnerabilities_ by default AND decrease the risk and complexity of _vulnerability_ _detection_ and _response_.", - "name": "Design For Resilience", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-AY-03", - "statement": "Providers SHOULD use automated services to improve and streamline _vulnerability detection_ and _response_.", - "name": "Automate Detection", - "affects": ["Providers"], 
- "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-AY-04", - "statement": "Providers SHOULD automatically perform _vulnerability detection_ on representative samples of new or _significantly_ _changed_ _information resources_.", - "name": "Detection on Changes", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-AY-05", - "statement": "Providers SHOULD NOT weaken the security of _information resources_ to facilitate vulnerability scanning or assessment activities.", - "name": "Maintain Security Postures", - "affects": ["Providers"], - "primary_key_word": "SHOULD NOT", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-AY-06", - "statement": "Providers SHOULD NOT deploy or otherwise activate new _machine-based_ _information resources_ with _Known Exploited Vulnerabilities_.", - "name": "Avoid Known Exploited Vulnerabilities", - "affects": ["Providers"], - "primary_key_word": "SHOULD NOT", - "impact": { - "low": true, - "moderate": true, - "high": true - } - } - ] - }, - "reporting": { - "application": "This section identifies FedRAMP-specific reporting requirements and recommendations for _vulnerabilities_.", - "name": "Reporting", - "id": "FRR-VDR-RP", - "requirements": [ - { - "id": "FRR-VDR-RP-01", - "statement": "Providers MUST report _vulnerability detection_ and _response_ activity to all necessary parties _persistently_, summarizing ALL activity since the previous report; these reports are _authorization data_ and are subject to the FedRAMP Authorization Data Sharing (ADS) process.", - "name": "Monthly Reporting", - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-RP-02", - "statement": "Providers SHOULD include high-level overviews of ALL 
_vulnerability detection_ and _response_ activities conducted during this period for the _cloud service offering;_ this includes vulnerability disclosure programs, bug bounty programs, penetration testing, assessments, etc.", - "name": "High-Level Overviews", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-RP-03", - "statement": "Providers MUST NOT irresponsibly disclose specific sensitive information about _vulnerabilities_ that would _likely_ lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.", - "name": "No Irresponsible Disclosure", - "affects": ["Providers"], - "primary_key_word": "MUST NOT", - "note": "See FRR-VDR-EX for exceptions to this requirement.", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-RP-04", - "statement": "Providers MAY responsibly disclose _vulnerabilities_ publicly or with other parties if the provider determines doing so will NOT _likely_ lead to exploitation.", - "name": "Responsible Public Disclosure", - "affects": ["Providers"], - "primary_key_word": "MAY", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-RP-05", - "statement": "Providers MUST include the following information (if applicable) on _detected vulnerabilities_ when reporting on _vulnerability detection_ and _response_ activity, UNLESS it is an _accepted vulnerability_:", - "name": "Vulnerability Details", - "following_information": [ - "Provider's internally assigned tracking identifier", - "Time and source of the detection", - "Time of completed evaluation", - "Is it an _internet-reachable vulnerability_ or not?", - "Is it a _likely exploitable vulnerability_ or not?", - "Historically and currently estimated _potential adverse impact_ of exploitation", - "Time and level of each completed and evaluated 
reduction in _potential adverse impact_", - "Estimated time and target level of next reduction in _potential adverse impact_", - "Is it currently or is it likely to become an _overdue vulnerability_ or not? If so, explain.", - "Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their _federal customer data_ within the _cloud service offering_ resulting from the _vulnerability_", - "Final disposition of the _vulnerability_" - ], - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-RP-06", - "statement": "Providers MUST include the following information on _accepted vulnerabilities_ when reporting on _vulnerability detection_ and _response_ activity:", - "name": "Accepted Vulnerability Info", - "following_information": [ - "Provider's internally assigned tracking identifier", - "Time and source of the detection", - "Time of completed evaluation", - "Is it an _internet-reachable vulnerability_ or not?", - "Is it a _likely exploitable vulnerability_ or not?", - "Currently estimated _potential adverse impact_ of exploitation", - "Explanation of why this is an _accepted vulnerability_", - "Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their _federal customer data_ within the _cloud service offering_ resulting from the _accepted vulnerability_" - ], - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - } - ] - }, - "exceptions": { - "application": "These exceptions MAY override some or all of the FedRAMP requirements and recommendations in this document.", - "id": "FRR-VDR-EX", - "name": "Exceptions", - "requirements": [ - { - "id": "FRR-VDR-EX-01", - "statement": "Providers MAY be required to share additional _vulnerability_ information, alternative 
reports, or to report at an alternative frequency as a condition of a FedRAMP Corrective Action Plan or other agreements with federal agencies.", - "name": "Additional Reporting Requirements", - "affects": ["Providers"], - "primary_key_word": "MAY", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-EX-02", - "statement": "Providers MAY be required to provide additional information or details about _vulnerabilities_, including sensitive information that would _likely_ lead to exploitation, as part of review, response or investigation by necessary parties.", - "name": "Additional Details", - "affects": ["Providers"], - "primary_key_word": "MAY", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-EX-03", - "statement": "Providers MUST NOT use this process to reject requests for additional information from necessary parties which also include law enforcement, Congress, and Inspectors General.", - "name": "Do Not Reject Requests", - "affects": ["Providers"], - "primary_key_word": "MUST NOT", - "impact": { - "low": true, - "moderate": true, - "high": true - } - } - ] - }, - "timeframes": { - "application": "This section provides guidance on timeframes that apply to all impact levels of FedRAMP authorization for activities required or recommended in this process; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", - "id": "FRR-VDR-TF", - "name": "Timeframes - All", - "requirements": [ - { - "id": "FRR-VDR-TF-01", - "statement": "Providers MUST report _vulnerability detection_ and _response_ activity to all necessary parties in a consistent format that is human readable at least monthly.", - "name": "Monthly Human-Readable", - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-TF-02", - "statement": "Providers SHOULD 
_remediate Known Exploited Vulnerabilities_ according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been _fully mitigated_) as required by CISA Binding Operational Directive (BOD) 22-01 or any successor guidance from CISA.", - "name": "Remediate KEVs", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "reference": "CISA BOD 22-01", - "reference_url": "https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-TF-03", - "statement": "Providers MUST categorize any vulnerability that is not or will not be _fully mitigated_ or _remediated_ within 192 days of evaluation as an _accepted vulnerability_.", - "name": "Mark Accepted Vulnerabilities", - "affects": ["Providers"], - "primary_key_word": "MUST", - "impact": { - "low": true, - "moderate": true, - "high": true - } - } - ] - }, - "timeframe-low": { - "application": "This section provides guidance on timeframes that apply specifically to FedRAMP Low authorizations for activities required or recommended in this process; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", - "id": "FRR-VDR-TF-LO", - "name": "Timeframes - Low", - "impact": { - "low": true, - "moderate": false, - "high": false - }, - "requirements": [ - { - "id": "FRR-VDR-TF-LO-01", - "statement": "Providers SHOULD make all recent historical _vulnerability detection_ and _response_ activity available in a _machine-readable_ format for automated retrieval by all necessary parties (e.g. 
using an API service or similar); this information SHOULD be updated _persistently_, at least once every month.", - "name": "Machine-Readable History", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": false, - "high": false - } - }, - { - "id": "FRR-VDR-TF-LO-02", - "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on representative samples of similar _machine-based_ _information resources_, at least once every week.", - "name": "Weekly Sample Detection", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": false, - "high": false - } - }, - { - "id": "FRR-VDR-TF-LO-03", - "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are _likely_ to _drift_, at least once every month.", - "name": "Monthly Drift Detection", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": false, - "high": false - } - }, - { - "id": "FRR-VDR-TF-LO-04", - "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are NOT _likely_ to _drift_, at least once every six months.", - "name": "Six-Month Detection", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": false, - "high": false - } - }, - { - "id": "FRR-VDR-TF-LO-05", - "statement": "Providers SHOULD evaluate ALL _vulnerabilities_ as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 7 days of _detection_.", - "name": "Evaluate Within 7 Days", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": false, - "high": false - } - }, - { - "id": "FRR-VDR-TF-LO-06", - "statement": "Providers SHOULD _partially mitigate, fully mitigate,_ or _remediate vulnerabilities_ to a lower _potential adverse impact_ within the timeframes from evaluation 
shown below (in days), factoring for the current _potential adverse impact_, _internet reachability,_ and _likely exploitability_:", - "name": "Mitigate Per Timeframes", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "pain_timeframes": [ - { - "pain": 5, - "max_days_irv_lev": 4, - "max_days_nirv_lev": 8, - "max_days_nlev": 32 - }, - { - "pain": 4, - "max_days_irv_lev": 8, - "max_days_nirv_lev": 32, - "max_days_nlev": 64 - }, - { - "pain": 3, - "max_days_irv_lev": 32, - "max_days_nirv_lev": 64, - "max_days_nlev": 192 - }, - { - "pain": 2, - "max_days_irv_lev": 96, - "max_days_nirv_lev": 160, - "max_days_nlev": 192 - } - ], - "impact": { - "low": true, - "moderate": false, - "high": false - } - }, - { - "id": "FRR-VDR-TF-LO-07", - "statement": "Providers SHOULD _mitigate_ or _remediate_ remaining _vulnerabilities_ during routine operations as determined necessary by the provider.", - "name": "Mitigate During Operations", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": false, - "high": false - } - } - ] - }, - "timeframe-moderate": { - "application": "This section provides guidance on timeframes that apply specifically to FedRAMP Moderate authorizations for activities required or recommended in this process; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", - "id": "FRR-VDR-TF-MO", - "name": "Timeframes - Moderate", - "impact": { - "low": false, - "moderate": true, - "high": false - }, - "requirements": [ - { - "id": "FRR-VDR-TF-MO-01", - "statement": "Providers SHOULD make all recent historical _vulnerability detection_ and _response_ activity available in a _machine-readable_ format for automated retrieval by all necessary parties (e.g. 
using an API service or similar); this information SHOULD be updated _persistently_, at least once every 14 days.", - "name": "14-Day History", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": true, - "high": false - } - }, - { - "id": "FRR-VDR-TF-MO-02", - "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on representative samples of similar _machine-based_ _information resources_, at least once every 3 days.", - "name": "3-Day Sampling", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": true, - "high": false - } - }, - { - "id": "FRR-VDR-TF-MO-03", - "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are _likely_ to _drift_, at least once every 14 days.", - "name": "14-Day Drift Detection", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": true, - "high": false - } - }, - { - "id": "FRR-VDR-TF-MO-04", - "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are NOT _likely_ to _drift_, at least once per month.", - "name": "Monthly Detection", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": true, - "high": false - } - }, - { - "id": "FRR-VDR-TF-MO-05", - "statement": "Providers SHOULD evaluate ALL _vulnerabilities_ as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 5 days of _detection_.", - "name": "Evaluate Within 5 Days", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": true, - "high": false - } - }, - { - "id": "FRR-VDR-TF-MO-06", - "statement": "Providers SHOULD treat _internet-reachable likely exploitable vulnerabilities_ with a _potential adverse impact_ of N4 or N5 as a security _incident_ until they are _partially 
mitigated_ to N3 or below.", - "name": "Incidents", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": true, - "high": false - } - }, - { - "id": "FRR-VDR-TF-MO-07", - "statement": "Providers SHOULD _partially mitigate, fully mitigate,_ or _remediate vulnerabilities_ to a lower _potential adverse impact_ within the timeframes from evaluation shown below, factoring for the current _potential adverse impact_, _internet reachability,_ and _likely exploitability_:", - "name": "Mitigate Per Timeframes", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "pain_timeframes": [ - { - "pain": 5, - "max_days_irv_lev": 2, - "max_days_nirv_lev": 4, - "max_days_nlev": 16 - }, - { - "pain": 4, - "max_days_irv_lev": 4, - "max_days_nirv_lev": 8, - "max_days_nlev": 64 - }, - { - "pain": 3, - "max_days_irv_lev": 16, - "max_days_nirv_lev": 32, - "max_days_nlev": 128 - }, - { - "pain": 2, - "max_days_irv_lev": 48, - "max_days_nirv_lev": 128, - "max_days_nlev": 192 - } - ], - "impact": { - "low": false, - "moderate": true, - "high": false - } - }, - { - "id": "FRR-VDR-TF-MO-08", - "statement": "Providers SHOULD _mitigate_ or _remediate_ remaining _vulnerabilities_ during routine operations as determined necessary by the provider.", - "name": "Mitigate During Operations", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": true, - "high": false - } - } - ] - }, - "timeframe-high": { - "application": "This section provides guidance on timeframes that apply specifically to FedRAMP High authorizations for activities required or recommended in this process; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.", - "id": "FRR-VDR-TF-HI", - "name": "Timeframes - High", - "impact": { - "low": false, - "moderate": false, - "high": true - }, - "requirements": [ - { - "id": "FRR-VDR-TF-HI-01", - "statement": "Providers 
SHOULD make all recent historical _vulnerability detection_ and _response_ activity available in a _machine-readable_ format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated _persistently_, at least once every 7 days.", - "name": "7-Day History", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": false, - "high": true - } - }, - { - "id": "FRR-VDR-TF-HI-02", - "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on representative samples of similar _machine-based_ _information resources_, at least once per day.", - "name": "Daily Sampling", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": false, - "high": true - } - }, - { - "id": "FRR-VDR-TF-HI-03", - "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are _likely_ to _drift_, at least once every 7 days.", - "name": "7-Day Drift Detection", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": false, - "high": true - } - }, - { - "id": "FRR-VDR-TF-HI-04", - "statement": "Providers SHOULD _persistently_ perform _vulnerability detection_ on all _information resources_ that are NOT _likely_ to _drift_, at least once every month.", - "name": "Monthly Detection", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": false, - "high": true - } - }, - { - "id": "FRR-VDR-TF-HI-05", - "statement": "Providers SHOULD evaluate ALL _vulnerabilities_ as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 2 days of _detection_.", - "name": "Evaluate Within 2 Days", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": false, - "high": true - } - }, - { - "id": "FRR-VDR-TF-HI-06", - "statement": "Providers 
SHOULD treat _internet-reachable likely exploitable vulnerabilities_ with a _potential adverse impact_ of N4 or N5 as a security _incident_ until they are _partially mitigated_ to N3 or below.", - "name": "Treat N4/N5 As Incident", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": false, - "high": true - } - }, - { - "id": "FRR-VDR-TF-HI-07", - "statement": "Providers SHOULD treat _likely exploitable vulnerabilities_ that are NOT _internet-reachable_ with a _potential adverse impact_ of N5 as a security _incident_ until they are partially mitigated to N4 or below.", - "name": "Treat N5 Non-Internet as Incident", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "impact": { - "low": false, - "moderate": false, - "high": true - } - }, - { - "id": "FRR-VDR-TF-HI-08", - "statement": "Providers SHOULD _partially mitigate_ _vulnerabilities_ to a lower _potential adverse impact_ within the maximum time-frames from evaluation shown below, factoring for the current _potential adverse impact_, _internet reachability,_ and _likely exploitability_:", - "name": "Partial Mitigation Timeframes", - "affects": ["Providers"], - "primary_key_word": "SHOULD", - "pain_timeframes": [ - { - "pain": 5, - "max_days_irv_lev": ".5", - "max_days_nirv_lev": 1, - "max_days_nlev": 8 - }, - { - "pain": 4, - "max_days_irv_lev": 2, - "max_days_nirv_lev": 8, - "max_days_nlev": 32 - }, - { - "pain": 3, - "max_days_irv_lev": 8, - "max_days_nirv_lev": 16, - "max_days_nlev": 64 - }, - { - "pain": 2, - "max_days_irv_lev": 24, - "max_days_nirv_lev": 96, - "max_days_nlev": 192 - } - ], - "impact": { - "low": false, - "moderate": false, - "high": true - } - }, - { - "id": "FRR-VDR-TF-HI-09", - "statement": "Providers SHOULD _mitigate_ or _remediate_ remaining _vulnerabilities_ during routine operations as determined necessary by the provider.", - "name": "Mitigate During Operations", - "affects": ["Providers"], - "primary_key_word": "SHOULD", 
- "impact": { - "low": false, - "moderate": false, - "high": true - } - } - ] - }, - "agencies": { - "application": "The section provides guidance for agencies that apply under 44 USC \u00a7 3613 (e) which states that the assessment and materials within a FedRAMP authorization package \u201cshall be presumed adequate for use in an agency authorization to operate cloud computing products and services.\u201d", - "id": "FRR-VDR-AG", - "name": "Agency Guidance", - "requirements": [ - { - "id": "FRR-VDR-AG-01", - "statement": "Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers.", - "name": "Review Vulnerability Reports", - "note": "FedRAMP recommends that agencies only review _overdue_ and _accepted vulnerabilities_ with a _potential adverse impact_ of N3 or higher unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. 
Furthermore, _accepted vulnerabilities_ generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency\u2019s use or authorization.", - "affects": ["Agencies"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-AG-02", - "statement": "Agencies SHOULD use _vulnerability_ information reported by the Provider to maintain Plans of Action & Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a cloud service with _accepted vulnerabilities_ that put agency information systems at risk).", - "name": "Maintain Agency POA&M", - "affects": ["Agencies"], - "primary_key_word": "SHOULD", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-AG-03", - "statement": "Agencies SHOULD NOT request additional information from cloud service providers that is not required by this FedRAMP process UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such.", - "name": "Do Not Request Extra Info", - "note": "This is related to the Presumption of Adequacy directed by 44 USC \u00a7 3613 (e).", - "affects": ["Agencies"], - "primary_key_word": "SHOULD NOT", - "impact": { - "low": true, - "moderate": true, - "high": true - } - }, - { - "id": "FRR-VDR-AG-04", - "statement": "Agencies MUST inform FedRAMP after requesting any additional _vulnerability_ information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to [info@fedramp.gov](mailto:info@fedramp.gov).", - "name": "Notify FedRAMP", - "note": "This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV (a).", - "affects": ["Agencies"], - "primary_key_word": "MUST", - "impact": { 
- "low": true, - "moderate": true, - "high": true - } - } - ] - } - } - }, - "FRA": { - "VDR": { - "id": "FRA-VDR", - "disclaimer": "Every cloud service provider is different, every architecture is different, and every environment is different. Best practices and technical assistance MUST NOT be used as a checklist. All examples are for discussion purposes ONLY.", - "purpose": "This Technical Assistance provides additional context behind the intent and goals of certain aspects of this process that have caused significant confusion or requests for clarification during public comment. This assistance is initially designed for 20x Phase Two/Three and the Rev5 Closed Beta Balance Improvement Test.", - "requirements": [ - { - "id": "FRA-VDR-01", - "applies_to": "FRR-VDR-08", - "impact": { - "low": true, - "moderate": false, - "high": false - }, - "statement": "FedRAMP focuses on internet-reachable (rather than internet-accessible) to ensure that any service that might receive a payload from the internet is prioritized if that service has a vulnerability that can be triggered by processing the data in the payload. 
The simplest way to prevent exploitation of internet-reachable vulnerabilities is to intercept, inspect, filter, sanitize, reject, or otherwise deflect triggering payloads before they are processed by the vulnerable resource; once this prevention is in place the vulnerability should no longer be considered an internet-reachable vulnerability.\n\nA classic example of an internet-reachable vulnerability on systems that are not typically internet-accessible is SQL injection (https://en.wikipedia.org/wiki/SQL_injection), where an application stack behind a load balancer and firewall with no ability to route traffic to or from the internet can receive a payload indirectly from the internet that triggers the manipulation or compromise of data in a database that can only be accessed by an authorized connection from the application server on a private network.\n\nAnother simple example is the infamous Log4Shell (https://en.wikipedia.org/wiki/Log4Shell) vulnerability from 2021, where exploitation was possible via vulnerable internet-reachable resources deep in the application stack that were often not internet-accessible themselves." - }, - { - "id": "FRA-VDR-02", - "applies_to": "FRR-VDR-07", - "impact": { - "low": true, - "moderate": false, - "high": false - }, - "statement": "The simple reality is that most traditional vulnerabilities discovered by scanners or during assessment are not likely to be exploitable; exploitation typically requires an unrealistic set of circumstances that will not occur during normal operation. 
The likelihood of exploitation will vary depending on so many factors that FedRAMP will not recommend a specific framework for approaching this beyond the recommendations and requirements in this document.\n\nThe proof, ultimately, is in the pudding - providers who regularly evaluate vulnerabilities as not likely exploitable without careful consideration are more likely to suffer from an adverse impact where the root cause was an exploited vulnerability that was improperly evaluated. If done recklessly or deliberately, such actions will have a potential adverse impact on a provider's FedRAMP authorization." - } - ] - } - } -} \ No newline at end of file diff --git a/FRMR.documentation.json b/FRMR.documentation.json new file mode 100644 index 0000000..2bac3c0 --- /dev/null +++ b/FRMR.documentation.json 
@@ -0,0 +1,6523 @@ +{ + "info": { + "title": "FedRAMP Machine-Readable Documentation", + "description": "This datafile contains FedRAMP documentation for cloud service providers seeking FedRAMP Authorization. This includes definitions, requirements, recommendations, and key security indicators.", + "version": "0.9.0-beta", + "last_updated": "2025-01-19" + }, + "FRD": { + "info": { + "name": "FedRAMP Definitions", + "short_name": "FRD", + "web_name": "fedramp-definitions", + "effective": { + "rev5": { + "is": "optional", + "signup_url": "", + "current_status": "Wide Release", + "start_date": "2025-09-01", + "end_date": "2027-12-22", + "comments": [ + "Rev5 Authorized providers MUST apply these definitions for Rev5 Balance Improvement Release materials; these definitions do not always apply in legacy Rev5 materials." + ] + }, + "20x": { + "is": "required", + "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", + "current_status": "Phase 2 Pilot", + "start_date": "2025-11-18", + "end_date": "2026-03-31", + "comments": [ + "FedRAMP 20x pilot participants MUST apply these definitions to all FedRAMP 20x requirements and recommendations." 
+ ] + } + }, + "front_matter": { + "authority": [ + { + "reference": "FedRAMP Authorization Act (44 USC § 3608)", + "reference_url": "http://fedramp.gov/docs/authority/law/#sec-3608-federal-risk-and-authorization-management-program", + "description": "requires that the Administrator of the General Services Administration shall \"establish a Government- wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies\"", + "delegation": "These responsibilities are delegated to the FedRAMP Director", + "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" + } + ], + "purpose": "This document consolidates formal FedRAMP definitions for terms used in FedRAMP 20x processes and documentation.", + "expected_outcomes": [ + "All stakeholders will have a common understanding of key terms used in FedRAMP 20x processes." + ] + } + }, + "data": { + "both": { + "FRD-ACV": { + "fka": "FRD-ALL-31", + "term": "Accepted Vulnerability", + "alts": [ + "accepted vulnerability", + "accepted vulnerabilities" + ], + "definition": "A vulnerability that the provider does not intend to fully mitigate or remediate, OR that has not or will not be fully mitigated or remediated within the maximum overdue period recommended or required by FedRAMP.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "FRD-ADP": { + "fka": "FRD-ALL-10", + "term": "Adaptive", + "alts": [ + "adaptive" + ], + "definition": "The type of significant change that does not routinely recur but does not introduce substantive potential security risks that need to be assessed in depth.", + "note": "Adaptive changes typically require careful planning that focuses on engineering execution instead of customer adoption, can be verified with minor changes to existing automated validation procedures, and do not require large changes to operational procedures, deployment plans, or documentation.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-AGY": { + "fka": "FRD-ALL-19", + "term": "Agency", + "alts": [ + "agency", + "agencies" + ], + "definition": "Has the meaning given in 44 U.S. Code § 3502 (1), which is \"any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include—(A) the Government Accountability Office; (B) Federal Election Commission; (C) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (D) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.\"", + "reference": "44 U.S. Code § 3502 (1)", + "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "FRD-ANA": { + "fka": "FRD-ALL-46", + "term": "All Necessary Assessors", + "alts": [ + "all necessary assessors" + ], + "definition": "All entities who participate in the FedRAMP assessment of a cloud service offering in the context of a FedRAMP program authorization. This always includes FedRAMP and any FedRAMP recognized independent assessor contracted by the provider to perform a FedRAMP assessment.", + "note": "This process identifies the requirements for an assessment and authorization performed by FedRAMP prior to any agency use of the cloud service offering, therefore agency assessment teams are not included in the FedRAMP assessment and authorization. The resulting FedRAMP authorization package will include all the materials agency authorization teams need to assess the cloud service offering for agency use, including evidence. Program authorization is an authorization path defined in Section IV (c) of OMB Memorandum M-24-15.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-ANP": { + "fka": "FRD-ALL-18", + "term": "All Necessary Parties", + "alts": [ + "all necessary parties" + ], + "definition": "All entities whose interests are affected directly by activity related to a specific cloud service offering in the context of a FedRAMP authorization. This always includes FedRAMP and any agency customer who is operating the cloud service offering, but may include additional parties depending on agreements made by the cloud service provider (such as consultants or third-party assessors). 
Potential agency customers or third-party cloud service providers should also be included in most cases but this is not a mandatory requirement under FedRAMP as ultimately the cloud service provider may choose who they wish to do business with.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-AUP": { + "fka": "FRD-ALL-14", + "term": "Authorization Package", + "alts": [ + "authorization package", + "authorization packages" + ], + "definition": "Has meaning from 44 USC § 3607 (b)(8) which is \"the essential information that can be used by an agency to determine whether to authorize the operation of an information system or the use of a designated set of common controls for all cloud computing products and services authorized by FedRAMP.\"", + "reference": "44 USC § 3607 (b)(8)", + "reference_url": "https://fedramp.gov/docs/authority/law/#b-additional-definitions", + "note": "In FedRAMP documentation, authorization package always refers to a FedRAMP authorization package unless otherwise specified.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-AUD": { + "fka": "FRD-ALL-15", + "term": "Authorization data", + "alts": [ + "authorization data" + ], + "definition": "The collective information required by FedRAMP for initial and ongoing assessment and authorization of a cloud service offering, including the authorization package. ", + "note": "In FedRAMP documentation, authorization data always refers to FedRAMP authorization data unless otherwise specified.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "FRD-CAE": { + "fka": "FRD-ALL-32", + "term": "Catastrophic Adverse Effect", + "alts": [ + "catastrophic adverse effect", + "catastrophic adverse effects" + ], + "definition": "A severe negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in a severe degradation in the availability or performance of services within the cloud service offering for 24+ hours; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a majority of the federal customer data stored within the cloud service offering.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-CSO": { + "fka": "FRD-ALL-06", + "term": "Cloud Service Offering", + "alts": [ + "cloud service offering", + "cloud service offerings" + ], + "definition": "A specific, packaged cloud computing product or service provided by a cloud service provider that can be used by a customer. FedRAMP assessment and authorization of the cloud computing product or service is based on the Minimum Assessment Scope.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-DFT": { + "fka": "FRD-ALL-39", + "term": "Drift", + "alts": [ + "drift", + "drifts", + "drifting" + ], + "definition": "Changes to information resources that cause deviations from the intended and assessed state; common forms of drift include changes to configurations, deployed software, privileges, running processes, and availability.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "FRD-FPV": { + "fka": "FRD-ALL-29", + "term": "False Positive Vulnerability", + "alts": [ + "false positive vulnerability", + "false positive vulnerabilities" + ], + "definition": "A detected vulnerability that is not actually present in an exploitable state in the information resource; this includes situations where vulnerable software or code exist on an machine-based information resource but are not loaded, running, or otherwise in an operating state required for exploitation.", + "note": "This only applies if the vulnerability is not and was not present; a remediated vulnerability or a fully mitigated vulnerability cannot also be a false positive vulnerability.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-FSI": { + "fka": "FRD-ALL-45", + "term": "FedRAMP Security Inbox", + "alts": [ + "security inbox", + "security inboxes", + "FSI" + ], + "definition": "An email address that meets the requirements outlined in the FedRAMP Security Inbox requirements.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-FCD": { + "fka": "FRD-ALL-01", + "term": "Federal Customer Data", + "alts": [ + "federal customer data" + ], + "definition": "All electronic information, content, and materials that an agency or its authorized users upload, store, or otherwise provide to a cloud service for processing or storage. This does NOT include account information, service metadata, analytics, telemetry, or other similar metadata generated by the cloud service provider.", + "note": "In the context of FedRAMP authorization, \"federal customer data\" ONLY ever refers to data owned by federal agency customers. 
Agreements and contracts with specific agencies may require providers to protect additional data or even transfer ownshership of telemetry or usage data to the agency; always consult a lawyer that is familiar with company agreements and contracts when determining the scope of federal customer data.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-FMV": { + "fka": "FRD-ALL-28", + "term": "Fully Mitigated Vulnerability", + "alts": [ + "fully mitigated vulnerability", + "fully mitigated vulnerabilities" + ], + "definition": "A vulnerability where the likelihood of exploitation or potential adverse impact of exploitation has been reduced from the original evaluation until either are negligible, but the vulnerability is still detected.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-HAN": { + "fka": "FRD-ALL-03", + "term": "Handle", + "alts": [ + "handle", + "handles", + "handled", + "handling" + ], + "definition": "Has the plain language meaning inclusive of any possible action taken with information, such as access, collect, control, create, display, disclose, disseminate, dispose, maintain, manipulate, process, receive, review, store, transmit, use... etc.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "FRD-IPC": { + "fka": "FRD-ALL-12", + "term": "Impact Categorization", + "alts": [ + "impact categorization" + ], + "definition": "The type of significant change that is likely to increase or decrease the impact level categorization for the entire cloud service offering (e.g. 
from low to moderate or from high to moderate).",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-INT": {
+ "fka": "FRD-ALL-40",
+ "term": "Incident",
+ "alts": [
+ "incident",
+ "incidents"
+ ],
+ "definition": "Has the meaning given in 44 USC § 3552 (b)(2) applied to federal customer data, which is \"an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of [federal customer data]; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies [related to federal customer data].\"",
+ "reference": "44 USC § 3552 (b)(2)",
+ "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapII-sec3552",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-IRS": {
+ "fka": "FRD-ALL-02",
+ "term": "Information Resource",
+ "alts": [
+ "information resource",
+ "information resources"
+ ],
+ "definition": "Has the meaning from 44 USC § 3502 (6): \"information and related resources, such as personnel, equipment, funds, and information technology.\" This includes any aspect of the cloud service offering, both technical and managerial, including everything that makes up the business of the offering from non-machine-based information resources like organizational policies, procedures, employees, etc. 
to machine-based information resources like hardware, software, cloud services, code, etc.",
+ "note": "Information resources are either machine-based or non-machine-based; any requirement or recommendation that references information resources without specifying a type is inclusive of all information resources.",
+ "reference": "44 USC § 3502 (6)",
+ "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-IFA": {
+ "fka": "FRD-ALL-48",
+ "term": "Initial FedRAMP Assessment",
+ "alts": [
+ "initial FedRAMP assessment",
+ "IFRA"
+ ],
+ "definition": "The first full assessment of a cloud service offering seeking FedRAMP authorization, coordinated by the provider with all necessary assessors, that results in a FedRAMP authorization.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "FRD-IRV": {
+ "fka": "FRD-ALL-24",
+ "term": "Internet-Reachable Vulnerability (IRV)",
+ "alts": [
+ "internet-reachable vulnerability",
+ "internet-reachable vulnerabilities",
+ "IRV",
+ "IRVs",
+ "NIRV",
+ "NIRVs"
+ ],
+ "definition": "A vulnerability in a machine-based information resource that might be exploited or otherwise triggered by a payload originating from a source on the public internet; this includes machine-based information resources that have no direct route to/from the internet but receive payloads or otherwise take action triggered by internet activity.",
+ "notes": [
+ "The opposite of this is a \"Not Internet-reachable Vulnerability\" (NIRV).",
+ "Internet-reachability applies only to the specific vulnerable machine-based information resources processing the payload; please review the relevant FedRAMP technical assistance on internet-reachable vulnerabilities for examples."
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-KEV": {
+ "fka": "FRD-ALL-25",
+ "term": "Known Exploited Vulnerability (KEV)",
+ "alts": [
+ "known exploited vulnerability",
+ "known exploited vulnerabilities",
+ "KEV",
+ "KEVs"
+ ],
+ "definition": "Has the meaning given in CISA Binding Operational Directive 22-01, which is any vulnerability identified in CISA's Known Exploited Vulnerabilities catalog.",
+ "reference": "CISA BOD 22-01",
+ "referenceurl": "https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "FRD-LKY": {
+ "fka": "FRD-ALL-04",
+ "term": "Likely",
+ "alts": [
+ "likely",
+ "likelihood"
+ ],
+ "definition": "A reasonable degree of probability based on context.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-LEV": {
+ "fka": "FRD-ALL-23",
+ "term": "Likely Exploitable Vulnerability (LEV)",
+ "alts": [
+ "likely exploitable vulnerability",
+ "likely exploitable vulnerabilities",
+ "LEV",
+ "LEVs",
+ "NLEV",
+ "NLEVs"
+ ],
+ "definition": "A vulnerability that is not fully mitigated, AND is reachable by a likely threat actor, AND a likely threat actor with knowledge of the vulnerability would likely be able to gain unauthorized access, cause harm, disrupt operations, or otherwise have an undesired adverse impact within the cloud service offering by exploiting the vulnerability.",
+ "notes": [
+ "The opposite of this is a \"Not Likely Exploitable Vulnerability\" (NLEV).",
+ "At the absolute minimum, any vulnerability that an automated unauthenticated system can exploit over the internet is a likely exploitable vulnerability."
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-LAE": {
+ "fka": "FRD-ALL-34",
+ "term": "Limited Adverse Effect",
+ "alts": [
+ "limited adverse effect",
+ "limited adverse effects"
+ ],
+ "definition": "A minor negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. 
At a minimum, this includes effects that would likely: (i) result in degradation of the availability or performance of services within the cloud service offering for a minority of relevant users; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a small amount of the federal customer data stored within the cloud service offering by only a few relevant users.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-MBI": {
+ "fka": "FRD-ALL-50",
+ "term": "Machine-Based (information resources)",
+ "alts": [
+ "machine-based",
+ "machine based"
+ ],
+ "definition": "Any information technology information resource—including systems, processes, software, hardware, services, cloud-native capabilities, and any other such capability, component, or resource—that relies primarily on mechanical or electronic devices (i.e. computers) for operation.",
+ "note": "All other information resources that do not rely on computers are non-machine-based information resources.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-MRD": {
+ "fka": "FRD-ALL-17",
+ "term": "Machine-Readable",
+ "alts": [
+ "machine-readable"
+ ],
+ "definition": "Has the meaning from 44 U.S. Code § 3502 (18) which is \"the term \"machine-readable\", when used with respect to data, means data in a format that can be easily processed by a computer without human intervention while ensuring no semantic meaning is lost\"",
+ "reference": "44 U.S. 
Code § 3502 (18)",
+ "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-NAE": {
+ "fka": "FRD-ALL-35",
+ "term": "Negligible Adverse Effect",
+ "alts": [
+ "negligible adverse effect",
+ "negligible adverse effects"
+ ],
+ "definition": "A small negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in minor inconvenience when accessing or using services within the cloud service offering; OR (ii) result in degradation of the availability or performance of services within the cloud service offering for only a few relevant users.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-OAR": {
+ "fka": "FRD-ALL-43",
+ "term": "Ongoing Authorization Report (OAR)",
+ "alts": [
+ "ongoing authorization report",
+ "OAR",
+ "OARs"
+ ],
+ "definition": "A regular report that is supplied by FedRAMP Authorized cloud service providers to agency customers, aligned to the requirements and recommendations in the FedRAMP Collaborative Continuous Monitoring process.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "FRD-ODV": {
+ "fka": "FRD-ALL-30",
+ "term": "Overdue Vulnerability",
+ "alts": [
+ "overdue vulnerability",
+ "overdue vulnerabilities"
+ ],
+ "definition": "A vulnerability that the provider intends to fully mitigate or remediate but has not or will not do so within the time frames recommended or required by FedRAMP.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-PMV": {
+ "fka": "FRD-ALL-27",
+ "term": "Partially Mitigated Vulnerability",
+ "alts": [
+ "partially mitigated vulnerability",
+ "partially mitigated vulnerabilities"
+ ],
+ "definition": "A vulnerability where the likelihood or potential adverse impact of exploitation has been reduced from the original evaluation but the risk of exploitation still exists and the vulnerability is still detected.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-PFA": {
+ "fka": "FRD-ALL-49",
+ "term": "Persistent FedRAMP Assessment",
+ "alts": [
+ "persistent FedRAMP assessment",
+ "PFRA"
+ ],
+ "definition": "Follow-on assessments of a cloud service offering focused on Key Security Indicators, coordinated by the provider with all necessary assessors, to maintain a FedRAMP authorization or change its impact categorization.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "FRD-PVL": {
+ "fka": "FRD-ALL-47",
+ "term": "Persistent Validation",
+ "alts": [
+ "persistent validation",
+ "persistently validate",
+ "persistently validated",
+ "validate",
+ "validated",
+ "validation"
+ ],
+ "definition": "The systematic and persistent process of validating that information resources within a cloud service offering are operating in a secure manner as expected by the goals and objectives outlined by the provider against FedRAMP Key Security Indicators.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-PER": {
+ "fka": "FRD-ALL-38",
+ "term": "Persistently",
+ "alts": [
+ "persistently",
+ "persistent"
+ ],
+ "definition": "Occurring in a firm, steady way that is repeated over a long period of time in spite of obstacles or difficulties. Persistent activities may vary between actors, may occur irregularly, and may include interruptions or waiting periods between cycles. These attributes of persistent activities should be intentional, understood, and documented; the status of persistent activities will always be known. ",
+ "note": "The use of persistently indicates a process that may not always occur continuously (without interruption or gaps) or regularly (on a consistent, predictable basis) but will repeat frequently in cycles. It aligns generally with historical misuse of \"continuous\" in federal information security policies.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "FRD-PAI": {
+ "fka": "FRD-ALL-36",
+ "term": "Potential Adverse Impact (of vulnerability exploitation)",
+ "alts": [
+ "potential adverse impact",
+ "potential adverse impacts"
+ ],
+ "definition": "The estimated cumulative effect of unauthorized access, disruption, harm, or other adverse impact to agencies that _likely_ could result if a threat actor exploits a _vulnerability_ in the _cloud service offering_; as estimated following FedRAMP recommendations and requirements.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-PAC": {
+ "fka": "FRD-ALL-42",
+ "term": "Privileged account",
+ "alts": [
+ "privileged account",
+ "privileged accounts"
+ ],
+ "definition": "An account with elevated privileges that enables administrative functions over some aspect of the cloud service offering that may affect the confidentiality, integrity, or availability of information beyond those given to normal users; levels of privilege may vary wildly.",
+ "note": "Any references to privileged accounts in FedRAMP materials should be presumed to apply to privileged roles or other similar capabilities that are used to assign privileges to privileged accounts.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "FRD-PRO": {
+ "fka": "FRD-ALL-37",
+ "term": "Promptly",
+ "alts": [
+ "promptly",
+ "prompt"
+ ],
+ "definition": "Without unnecessary delay.",
+ "note": "The use of promptly in FedRAMP materials frames conveys a need for urgent action where the expected time frame will vary by circumstance but earlier action is more likely to improve security outcomes and increase the security posture of a cloud service offering.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-QTR": {
+ "fka": "FRD-ALL-44",
+ "term": "Quarterly Review",
+ "alts": [
+ "quarterly review",
+ "quarterly reviews"
+ ],
+ "definition": "A regular synchronous meeting hosted by a FedRAMP Authorized cloud service provider for agency customers, aligned to the requirements and recommendations in the FedRAMP Collaborative Continuous Monitoring process.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-RGL": {
+ "fka": "FRD-ALL-07",
+ "term": "Regularly",
+ "alts": [
+ "regularly",
+ "regular"
+ ],
+ "definition": "Performing the activity on a consistent, predictable, and repeated basis, at set intervals, automatically if possible, following a documented plan. These intervals may vary as appropriate between different requirements.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "FRD-RMV": {
+ "fka": "FRD-ALL-26",
+ "term": "Remediated Vulnerability",
+ "alts": [
+ "remediated vulnerability",
+ "remediated vulnerabilities"
+ ],
+ "definition": "A vulnerability that has been neutralized or eliminated and is no longer detected.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-RTR": {
+ "fka": "FRD-ALL-09",
+ "term": "Routine Recurring",
+ "alts": [
+ "routine recurring"
+ ],
+ "definition": "The type of significant change that regularly and routinely recurs as part of ongoing operations, vulnerability mitigation, or vulnerability remediation.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-SAE": {
+ "fka": "FRD-ALL-33",
+ "term": "Serious Adverse Effect",
+ "alts": [
+ "serious adverse effect",
+ "serious adverse effects"
+ ],
+ "definition": "A significant negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in intermittent or ongoing degradation in the availability or performance of services within the cloud service offering, causing unpredictable interruptions to operations for 12+ hours; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a minority of the federal customer data stored within the cloud service offering.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-SGC": {
+ "fka": "FRD-ALL-08",
+ "term": "Significant change",
+ "alts": [
+ "significant change",
+ "significant changes"
+ ],
+ "definition": "Has the meaning given in NIST SP 800-37 Rev. 
2 which is \"a change that is likely to substantively affect the security or privacy posture of a system.\"",
+ "reference": "NIST SP 800-37 Rev. 2",
+ "reference_url": "https://csrc.nist.gov/pubs/sp/800/37/r2/final",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-TPR": {
+ "fka": "FRD-ALL-05",
+ "term": "Third-party Information Resource",
+ "alts": [
+ "third-party information resource",
+ "third-party information resources"
+ ],
+ "definition": "Any information resource that is not entirely included in the assessment for the cloud service offering seeking authorization.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-TLA": {
+ "fka": "FRD-ALL-41",
+ "term": "Top-level administrative account",
+ "alts": [
+ "top-level administrative account",
+ "top-level administrative accounts"
+ ],
+ "definition": "The most privileged account with the highest level of access within a cloud service offering for a customer organization, typically with complete control over all aspects of the cloud service offering, including managing resources, users, access, privileges, and the account itself.",
+ "note": "Any references to top-level administrative accounts in FedRAMP materials should be presumed to apply to top-level administrative roles or other similar capabilities that are used to assign top-level administrative account privileges.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "FRD-TRF": {
+ "fka": "FRD-ALL-11",
+ "term": "Transformative",
+ "alts": [
+ "transformative"
+ ],
+ "definition": "The type of significant change that introduces substantive potential security risks that are likely to affect existing risk determinations and must be assessed in depth.",
+ "note": "Transformative changes typically introduce major features or capabilities that may change how a customer uses the service (in whole or in part) and require extensive updates to security assessments, operational procedures, deployment plans, and documentation.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-TRC": {
+ "fka": "FRD-ALL-16",
+ "term": "Trust Center",
+ "alts": [
+ "trust center",
+ "trust centers"
+ ],
+ "definition": "A secure repository or service used by cloud service providers to store and share authorization data. Trust centers are the complete and definitive source for authorization data and must meet the requirements outlined in the FedRAMP Authorization Data Sharing process to be FedRAMP-compatible.",
+ "note": "In FedRAMP documentation, all references to trust centers indicate FedRAMP-compatible trust centers unless otherwise specified.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-VUL": {
+ "fka": "FRD-ALL-20",
+ "term": "Vulnerability",
+ "alts": [
+ "vulnerability",
+ "vulnerabilities"
+ ],
+ "definition": "Has the meaning given to \"security vulnerability\" in 6 USC § 650 (25), which is \"any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of [...] 
management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.\" This includes gaps in Rev5 controls and 20x Key Security Indicators, software vulnerabilities, misconfigurations, exposures, weak credentials, insecure services, and all other such potential weaknesses in protection (intentional or unintentional).",
+ "reference": "6 USC § 650 (25)",
+ "reference_url": "https://www.govinfo.gov/app/details/USCODE-2024-title6/USCODE-2024-title6-chap1-subchapXVIII-sec650",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FRD-VLD": {
+ "fka": "FRD-ALL-21",
+ "term": "Vulnerability Detection",
+ "alts": [
+ "vulnerability detection",
+ "detect vulnerabilities",
+ "detect",
+ "detection",
+ "detected"
+ ],
+ "definition": "The systematic process of discovering and identifying security vulnerabilities in information resources through assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other capabilities. This process includes the initial discovery of a vulnerability's existence and the determination of affected information resources within a cloud service offering.",
+ "note": "This definition applies to other forms such as \"detect vulnerabilities\" or simply \"detection\" / \"detected\" used in FedRAMP materials.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "FRD-VLR": {
+ "fka": "FRD-ALL-22",
+ "term": "Vulnerability Response",
+ "alts": [
+ "vulnerability response",
+ "respond to vulnerabilities",
+ "respond",
+ "response",
+ "responded"
+ ],
+ "definition": "The systematic process of tracking, evaluating, mitigating, monitoring, remediating, assessing exploitation, reporting, and otherwise managing detected vulnerabilities.",
+ "note": "This definition applies to other forms such as \"respond to vulnerabilities\" or simply \"response\" / \"responded\" used in FedRAMP materials.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ }
+ }
+ }
+ },
+ "FRR": {
+ "ADS": {
+ "info": {
+ "name": "Authorization Data Sharing",
+ "short_name": "ADS",
+ "web_name": "authorization-data-sharing",
+ "effective": {
+ "rev5": {
+ "is": "optional",
+ "signup_url": "https://docs.google.com/forms/d/e/1FAIpQLSdOH7qeJ9uPlb3zYN35qDPNOm_pXQ8sHanAZIIh5tdgjnubVw/viewform",
+ "current_status": "Open Beta",
+ "start_date": "2026-02-02",
+ "end_date": "2026-05-22",
+ "comments": [
+ "**Providers MUST notify FedRAMP of intent to participate in the Authorization Data Sharing Rev5 Open Beta by submitting a sign-up form to FedRAMP.**",
+ "Rev5 Authorized providers MAY adopt this process beginning February 2, 2026 if they are also participating in the Significant Change Notification and Vulnerability Detection and Response betas.",
+ "Providers MUST plan to address all requirements and recommendations in this process by the end of the Open Beta on May 22, 2026.",
+ "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's participation in this beta." 
+ ]
+ },
+ "20x": {
+ "is": "required",
+ "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
+ "current_status": "Phase 2 Pilot",
+ "start_date": "2025-11-18",
+ "end_date": "2026-03-31",
+ "comments": [
+ "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
+ "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
+ ]
+ }
+ },
+ "front_matter": {
+ "authority": [
+ {
+ "reference": "44 USC § 3609 (a)(8)",
+ "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities",
+ "description": "The FedRAMP Authorization Act directs the Administrator of the General Services Administration to \"provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies...\"",
+ "delegation": "This responsibility is delegated to the FedRAMP Director",
+ "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"
+ },
+ {
+ "reference": "OMB Memorandum M-24-15 on Modernizing FedRAMP",
+ "reference_url": "https://www.fedramp.gov/docs/authority/m-24-15",
+ "description": "Section 6 states that \"In general, to encourage both security and agility, Federal agencies should use the same infrastructure relied on by the rest of CSPs' commercial customer base.\""
+ }
+ ],
+ "purpose": "Modern cloud services store and share security and compliance information in convenient repositories that allow customers to rapidly review security information and gain access to additional information as needed. 
These services often include automated integration with cloud service infrastructure to remove manual burden and ensure information is accurate and up to date.\n\nThis security and compliance information (including FedRAMP authorization data) is the intellectual property of the cloud service provider and is not federal customer data in most cases.* The federal government benefits when the same security information is shared among all customers and even the public to ensure maximum transparency and accountability of cloud service providers.\n\nFedRAMP's Authorization Data Sharing process provides a process or mechanism for cloud service providers to store and share authorization data on their preferred platform of choice if it meets certain FedRAMP requirements.\n\n_* Providers with questions about this should consult with a lawyer who specializes in procurement law. Typically a contract with the government granting ownership of information is required to transfer ownership to the government._",
+ "expected_outcomes": [
+ "Cloud service providers will be able to manage authorization data in the same platforms used for commercial customers, reusing data as appropriate",
+ "Federal agencies will be able to access necessary authorization data via API or other automated mechanisms integrated into agency authorization systems to simplify the burden of review and continuous monitoring",
+ "Trust center providers and GRC automation tool providers will develop innovative solutions and improvements to ensure standardized automated data sharing and validation within the FedRAMP ecosystem"
+ ]
+ },
+ "labels": {
+ "CSO": {
+ "description": "These requirements and recommendations apply to ALL cloud service offerings for FedRAMP Certification or Validation.",
+ "name": "General Provider Responsibilities"
+ },
+ "CSX": {
+ "description": "These requirements and recommendations apply to ALL cloud service offerings following the FedRAMP 20x path.",
+ "name": "20x-Specific Provider 
Responsibilities"
+ },
+ "CSL": {
+ "description": "These requirements and recommendations apply to ALL cloud service offerings following the FedRAMP Rev5 path.",
+ "name": "Rev5-Specific Provider Responsibilities"
+ },
+ "UTC": {
+ "description": "These requirements and recommendations cloud services that are using a FedRAMP-compatible trust center instead of USDA Connect; they DO NOT apply to cloud services using USDA Connect.",
+ "name": "Using a Trust Center"
+ },
+ "TRC": {
+ "description": "These requirements and recommendations apply to trust centers that are FedRAMP-compatible.",
+ "name": "FedRAMP-Compatible Trust Centers"
+ }
+ }
+ },
+ "data": {
+ "20x": {
+ "CSX": {
+ "ADS-CSX-UTC": {
+ "fka": "FRR-ADS-07",
+ "statement": "Providers MUST use a FedRAMP-compatible trust center to store and share authorization data with all necessary parties.",
+ "terms": [
+ "All Necessary Parties",
+ "Authorization data",
+ "Trust Center"
+ ],
+ "affects": ["Providers"],
+ "name": "Use Trust Centers",
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Modified to must for 20x, clarified wider application; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "notes": [
+ "Requirements and recommendations for FedRAMP-compatible trust centers are explained in ADS-TRC.",
+ "This requirement only applies to FedRAMP 20x." 
+ ]
+ }
+ }
+ },
+ "rev5": {
+ "CSL": {
+ "ADS-CSL-LRE": {
+ "fka": "FRR-ADS-EX-01",
+ "statement": "Providers of FedRAMP Rev5 Authorized cloud service offerings at FedRAMP High using a legacy self-managed repository for authorization data MAY ignore the Authorization Data Sharing process until future notice.",
+ "terms": ["Authorization data", "Cloud Service Offering"],
+ "affects": ["Providers"],
+ "name": "Legacy Repository Exception",
+ "primary_key_word": "MAY",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "ADS-CSX-UTC": {
+ "statement": "Providers SHOULD use a FedRAMP-compatible trust center to store and share authorization data with all necessary parties.",
+ "terms": [
+ "All Necessary Parties",
+ "Authorization data",
+ "Trust Center"
+ ],
+ "affects": ["Providers"],
+ "name": "Use Trust Centers",
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Modified to should, clarified wider application; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "notes": [
+ "Requirements and recommendations for FedRAMP-compatible trust centers are explained in ADS-TRC.",
+ "This recommendation only applies to FedRAMP Rev5 (it is required for FedRAMP 20x)."
+ ]
+ },
+ "ADS-CSL-UCP": {
+ "fka": "FRR-ADS-06",
+ "statement": "Providers MUST share authorization data via the USDA Connect Community Portal UNLESS they use a FedRAMP-compatible trust center.",
+ "terms": ["Authorization data", "Trust Center"],
+ "affects": ["Providers"],
+ "name": "USDA Connect",
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "ADS-CSL-TCM": { + "fka": "FRR-ADS-08", + "statement": "Providers MUST notify all necessary parties when migrating to a trust center and MUST provide information in their existing USDA Connect Community Portal secure folders explaining how to use the trust center to obtain authorization data.", + "terms": [ + "All Necessary Parties", + "Authorization data", + "Trust Center" + ], + "notification": [ + { + "party": "all necessary parties", + "method": "update", + "target": "authorization data" + } + ], + "affects": ["Providers"], + "name": "Trust Center Migration", + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + } + } + }, + "both": { + "CSO": { + "ADS-CSO-PUB": { + "fka": "FRR-ADS-01", + "statement": "Providers MUST publicly share up-to-date information about the cloud service offering in both human-readable and machine-readable formats, including at least:", + "terms": [ + "Cloud Service Offering", + "Machine-Readable", + "Ongoing Authorization Report (OAR)", + "Trust Center" + ], + "affects": ["Providers"], + "name": "Public Information", + "primary_key_word": "MUST", + "following_information": [ + "Direct link to the FedRAMP Marketplace for the offering", + "Service Model", + "Deployment Model", + "Business Category", + "UEI Number", + "Contact Information", + "Overall Service Description", + "Detailed list of specific services and their security objectives (see ADS-CSO-SVC)", + "Summary of customer responsibilities and secure configuration guidance (if applicable, see the FedRAMP Secure Configuration Guide process)", + "Process for accessing information in the trust center (if applicable)", + "Availability status and recent disruptions for the trust center (if applicable)", + "Customer support information for the trust center (if applicable)", + "Next Ongoing Authorization Report date (see 
CCM-OAR-NRD)" + ], + "note": "Generally, this information should be available on a public webpage.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Added requirements from other processes; removed italics and changed the ID as part of new standardization in v0.9.0-beta." + } + ] + }, + "ADS-CSO-SVC": { + "fka": "FRR-ADS-03", + "statement": "Providers MUST publicly share a detailed list of specific services and their security objectives that are included in the cloud service offering using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP Minimum Assessment Scope without requesting access to underlying authorization data.", + "terms": ["Authorization data", "Cloud Service Offering"], + "affects": ["Providers"], + "name": "Service List", + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Changed impact levels to security objectives; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "ADS-CSO-CBF": { + "fka": "FRR-ADS-02", + "statement": "Providers MUST use automation to ensure information remains consistent between human-readable and machine-readable formats when authorization data is provided in both formats.", + "affects": ["Providers"], + "terms": ["Authorization data", "Machine-Readable"], + "name": "Consistency Between Formats", + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Simplified statement; removed italics and changed the ID as part of new standardization in v0.9.0-beta." 
+ } + ] + }, + "ADS-CSO-RIS": { + "fka": "FRR-ADS-05", + "statement": "Providers MUST provide sufficient information in authorization data to support authorization decisions but SHOULD NOT include sensitive information that would likely enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the cloud service offering.", + "terms": [ + "Authorization data", + "Cloud Service Offering", + "Likely" + ], + "affects": ["Providers"], + "name": "Responsible Information Sharing", + "primary_key_word": "MUST", + "note": "This is not a license to exclude accurate risk information, but specifics that would likely lead to compromise should be abstracted. A breach of confidentiality with authorization data should be anticipated by a secure cloud service provider.", + "examples": [ + { + "id": "Tips on sensitive information in authorization data", + "key_tests": [ + "Passwords, API keys, access credentials, etc.", + "Excessive detail about methodology that exposes weaknesses", + "Personally identifiable information about employees" + ], + "examples": [ + "DON'T: \"In an emergency, an administrator with physical access to a system can log in using \"secretadmin\" with the password \"pleasewutno\"\"", + "DO: \"In an emergency, administrators with physical access can log in directly.\"", + "DON'T: \"All backup MFA credentials are stored in a SuperSafe Series 9000 safe in the CEOs office.\"", + "DO: \"All backup MFA credentials are stored in a UL Class 350 safe in a secure location with limited access.\"", + "DON'T: \"During an incident, the incident response team lead by Jim Smith (555-0505) will open a channel at the conference line (555-0101 #97808 passcode 99731)...\"", + "DO: \"During an incident, the incident response team will coordinate over secure channels.\"" + ] + } + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Added technical assistance; removed italics and changed the ID as part of 
new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "ADS-CSO-HAD": { + "fka": "FRR-ADS-09", + "statement": "Providers MUST make historical versions of authorization data available for three years to all necessary parties UNLESS otherwise specified by applicable FedRAMP requirements; deltas between versions MAY be consolidated quarterly.", + "terms": ["All Necessary Parties", "Authorization data"], + "affects": ["Providers"], + "name": "Historical Authorization Data", + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + } + }, + "UTC": { + "ADS-CSO-PGD": { + "fka": "FRR-ADS-AC-01", + "statement": "Providers MUST publicly provide plain-language policies and guidance for all necessary parties that explains how they can obtain and manage access to authorization data stored in the trust center.", + "terms": [ + "All Necessary Parties", + "Authorization data", + "Trust Center" + ], + "affects": ["Providers"], + "primary_key_word": "MUST", + "name": "Public Guidance", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "ADS-CSO-AGA": { + "fka": "FRR-ADS-AC-02", + "statement": "Providers SHOULD share the authorization package with agencies upon request.", + "terms": ["Agency", "Authorization Package"], + "affects": ["Providers"], + "name": "Agency Access", + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Split into ADS-CSO-AGA and ADS-CSO-AAD; removed italics and changed the ID as part of new standardization in v0.9.0-beta." 
+ } + ] + }, + "ADS-CSO-AAD": { + "statement": "Providers MUST notify FedRAMP by email to info@fedramp.gov within 5 business days of denying an agency access request for authorization data.", + "affects": ["Providers"], + "name": "Agency Access Denial", + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Split from FRR-ADS-AC-02; removed italics and changed the ID as part of new standardization in v0.9.0-beta." + } + ], + "terms": ["Agency", "Authorization data"], + "timeframe_type": "bizdays", + "timeframe_num": 5, + "notification": [ + { + "party": "FedRAMP", + "method": "email", + "target": "info@fedramp.gov" + } + ] + } + }, + "TRC": { + "ADS-TRC-USH": { + "fka": "FRR-ADS-04", + "statement": "Trust centers MUST share authorization data with all necessary parties without interruption.", + "terms": [ + "All Necessary Parties", + "Authorization data", + "Trust Center" + ], + "affects": ["Providers"], + "name": "Uninterrupted Sharing", + "primary_key_word": "MUST", + "note": "\"Without interruption\" means that parties should not have to request manual approval each time they need to access authorization data or go through a complicated process. The preferred way of ensuring access without interruption is to use on-demand just-in-time access provisioning.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed unnecessary specification of necessary parties; changed from provider to trust center responsibility; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "ADS-TRC-PAC": { + "fka": "FRR-ADS-TC-03", + "statement": "Trust centers MUST provide documented programmatic access to all authorization data, including programmatic access to human-readable materials.", + "terms": ["Authorization data", "Trust Center"], + "affects": ["Providers"], + "name": "Programmatic Access", + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "ADS-TRC-AAI": { + "fka": "FRR-ADS-TC-05", + "statement": "Trust centers MUST maintain an inventory and history of federal agency users or systems with access to authorization data and MUST make this information available to FedRAMP without interruption.", + "terms": ["Agency", "Authorization data", "Trust Center"], + "affects": ["Providers"], + "name": "Agency Access Inventory", + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "ADS-TRC-ACL": { + "fka": "FRR-ADS-TC-06", + "statement": "Trust centers MUST log access to authorization data and store summaries of access for at least six months; such information, as it pertains to specific parties, SHOULD be made available upon request by those parties.", + "terms": ["Authorization data", "Trust Center"], + "affects": ["Providers"], + "name": "Access Logging", + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "ADS-TRC-HMR": { + "fka": "FRR-ADS-TC-02", + "statement": "Trust centers SHOULD make authorization data available to view and download in both human-readable and machine-readable formats.", + "terms": [ + "Authorization data", + "Machine-Readable", + "Trust Center" + ], + "affects": ["Providers"], + "name": "Human and Machine-Readable", + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "ADS-TRC-SSM": { + "fka": "FRR-ADS-TC-04", + "statement": "Trust centers SHOULD include features that encourage all necessary parties to provision and manage access to authorization data for their users and services directly.", + "terms": [ + "All Necessary Parties", + "Authorization data", + "Trust Center" + ], + "affects": ["Providers"], + "name": "Self-Service Access Management", + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "ADS-TRC-RSP": { + "fka": "FRR-ADS-TC-07", + "statement": "Trust centers SHOULD deliver responsive performance during normal operating conditions and minimize service disruptions.", + "terms": ["Trust Center"], + "affects": ["Providers"], + "name": "Responsive Performance", + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + } + } + } + } + }, + "CCM": { + "info": { + "name": "Collaborative Continuous Monitoring", + "short_name": "CCM", + "web_name": "collaborative-continuous-monitoring", + "effective": { + "rev5": { + "is": "optional", + "signup_url": "https://docs.google.com/forms/d/e/1FAIpQLSeFTHtUjXCmAUprCGrMLpgaN2kmL08EluzHvnTzAC4lTCfEVg/viewform", + "current_status": "Open Beta", + "start_date": "2026-02-02", + "end_date": "2026-05-22", + "comments": [ + "**Providers MUST notify FedRAMP of intent to participate in the Collaborative Continuous Monitoring Rev5 Open Beta by submitting a sign-up form to FedRAMP.**", + "Rev5 Authorized providers MAY adopt this process beginning February 2, 2026 as part of the Open Beta.", + "Providers MUST plan to address all requirements and recommendations in this process by the end of the Open Beta on May 22, 2026.", + "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's participation in this beta.", + "FedRAMP recommends that participants in the Collaborative Continuous Mounting beta also adopt the Vulnerability Detection and Response process and the Significant Change Notifications process." + ] + }, + "20x": { + "is": "required", + "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", + "current_status": "Phase 2 Pilot", + "start_date": "2025-11-18", + "end_date": "2026-03-31", + "comments": [ + "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.", + "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review." 
+ ] + } + }, + "front_matter": { + "authority": [ + { + "reference": "OMB Circular A-130: Managing Information as a Strategic Resource", + "reference_url": "https://whitehouse.gov/wp-content/uploads/legacydrupalfiles/omb/circulars/A130/a130revised.pdf", + "description": "section 4 (c) states that agencies SHALL \"conduct and document security and privacy control assessments prior to the operation of an information system, and periodically thereafter, consistent with the frequency defined in the agency information security continuous monitoring (ISCM) and privacy continuous monitoring (PCM) strategies and the agency risk tolerance\"" + }, + { + "reference": "The FedRAMP Authorization Act (44 USC § 3609 (a)(1))", + "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities", + "description": "directs the Administrator of the General Services Administration to \"develop, coordinate, and implement a process … including, as appropriate, oversight of continuous monitoring of cloud computing products and services\"" + } + ], + "purpose": "Agencies are required to continuously monitor all of their information systems following a documented process integrated into their Information Security Continuous Monitoring (ISCM) strategy. These strategies are specific to each agency and may even vary at the bureau, component, or information system levels.\n\nThe concept behind collaborative continuous monitoring is unique to government customers and creates a burden for commercial cloud service providers. This process attempts to minimize this burden by encouraging the use of automated monitoring and review of authorization data required by other FedRAMP standards and limiting the expected human interaction costs for cloud service providers and agencies. 
Agencies are expected to use information from the cloud service provider collaboratively in accordance with their agency ISCM strategy without blocking other agencies from making their own risk-based decisions about ongoing authorization.", + "expected_outcomes": [ + "Cloud service providers will operate their services and share additional information with agency customers to ensure they can meet their responsibilities and obligations for safely and securely operating the service", + "Federal agencies will have streamlined access to the information they actually need to make ongoing security and authorization decisions while having support from government-wide policies that demonstrate the different responsibilities and obligations for operating cloud services" + ] + }, + "labels": { + "OAR": { + "description": "These requirements and recommendations for Ongoing Authorization Reports apply to all cloud service offerings following the CCM process.", + "name": "Ongoing Authorization Reports" + }, + "QTR": { + "description": "These requirements and recommendations for Quarterly Reviews apply to all cloud service offerings following the CCM process.", + "name": "Quarterly Reviews" + }, + "AGM": { + "description": "These requirements and recommends for agencies apply to all agencies reusing a FedRAMP Certification or Validation for a cloud service offering following the CCM process.", + "name": "Agency Guidance" + } + } + }, + "data": { + "both": { + "OAR": { + "CCM-OAR-AVL": { + "fka": "FRR-CCM-01", + "statement": "Providers MUST make an Ongoing Authorization Report available to all necessary parties every 3 months, covering the entire period since the previous summary, in a consistent format that is human readable; this report MUST include high-level summaries of at least the following information:", + "terms": [ + "Accepted Vulnerability", + "All Necessary Parties", + "Authorization data", + "Cloud Service Offering", + "Ongoing Authorization Report (OAR)", + 
"Transformative", + "Vulnerability" + ], + "name": "Report Availability", + "affects": ["Providers"], + "primary_key_word": "MUST", + "following_information": [ + "Changes to authorization data", + "Planned changes to authorization data during at least the next 3 months", + "Accepted vulnerabilities", + "Transformative changes", + "Updated recommendations or best practices for security, configuration, usage, or similar aspects of the cloud service offering" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Re-ordered phrasing; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-OAR-NRD": { + "fka": "FRR-CCM-03", + "statement": "Providers MUST publicly include the target date for their next Ongoing Authorization Report with other public authorization data.", + "terms": [ + "Authorization data", + "Ongoing Authorization Report (OAR)" + ], + "name": "Next Report Date", + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Clarified; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-OAR-FBM": { + "fka": "FRR-CCM-04", + "statement": "Providers MUST establish and share an asynchronous mechanism for all necessary parties to provide feedback or ask questions about each Ongoing Authorization Report.", + "terms": [ + "All Necessary Parties", + "Ongoing Authorization Report (OAR)" + ], + "name": "Feedback Mechanism", + "affects": ["Providers"], + "primary_key_word": "MUST", + "note": "This could be email by default but providers are encouraged to consider something more interactive as appropriate.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Added note; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "CCM-OAR-AFS": { + "fka": "FRR-CCM-05", + "statement": "Providers MUST maintain an anonymized and desensitized summary of the feedback, questions, and answers about each Ongoing Authorization Report as an addendum to the Ongoing Authorization Report.", + "terms": ["Agency", "Ongoing Authorization Report (OAR)"], + "name": "Anonymized Feedback Summary", + "affects": ["Providers"], + "primary_key_word": "MUST", + "note": "This is intended to encourage sharing of information and decrease the burden on the cloud service provider - providing this summary will reduce duplicate questions from agencies and ensure FedRAMP has access to this information. It is generally in the provider’s interest to update this addendum frequently throughout the quarter.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-OAR-LSI": { + "fka": "FRR-CCM-06", + "statement": "Providers MUST NOT irresponsibly disclose sensitive information in an Ongoing Authorization Report that would likely have an adverse effect on the cloud service offering.", + "terms": [ + "Cloud Service Offering", + "Likely", + "Ongoing Authorization Report (OAR)" + ], + "name": "Limit Sensitive Information", + "affects": ["Providers"], + "primary_key_word": "MUST NOT", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "CCM-OAR-SOR": { + "fka": "FRR-CCM-02", + "statement": "Providers SHOULD establish a regular 3 month cycle for Ongoing Authorization Reports that is spread out from the beginning, middle, or end of each quarter.", + "terms": ["Agency", "Regularly"], + "name": "Spread Out Reports", + "affects": ["Providers"], + "primary_key_word": "SHOULD", + "note": "This recommendation is intended to discourage hundreds of cloud service providers from releasing their Ongoing Authorization Reports during the first or last week of each quarter because that is the easiest way for a single provider to track this deliverable; the result would overwhelm agencies with many cloud services. Widely used cloud service providers are encouraged to work with their customers to identify ideal timeframes for this cycle.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-OAR-RPS": { + "fka": "FRR-CCM-07", + "statement": "Providers MAY responsibly share some or all of the information an Ongoing Authorization Report publicly or with other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.", + "terms": [ + "Cloud Service Offering", + "Likely", + "Ongoing Authorization Report (OAR)" + ], + "name": "Responsible Public Sharing", + "affects": ["Providers"], + "primary_key_word": "MAY", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + } + }, + "QTR": { + "CCM-QTR-MTG": { + "fkas": ["FRR-CCM-QR-01", "FRR-CCM-QR-02"], + "varies_by_level": { + "low": { + "statement": "Providers SHOULD host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Authorization Reports that the provider determines are of the most relevance to agencies.", + "primary_key_word": "SHOULD", + "timeframe_type": "months", + "timeframe_num": 3 + }, + "moderate": { + "statement": "Providers MUST host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Authorization Reports that the provider determines are of the most relevance to agencies.", + "primary_key_word": "MUST", + "timeframe_type": "months", + "timeframe_num": 3 + }, + "high": { + "statement": "Providers MUST host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Authorization Reports that the provider determines are of the most relevance to agencies.", + "primary_key_word": "MUST", + "timeframe_type": "months", + "timeframe_num": 3 + } + }, + "terms": ["Agency", "All Necessary Parties", "Quarterly Review"], + "name": "Quarterly Review Meeting", + "affects": ["Providers"], + "updated": [ + { + "date": "2026-02-04", + "comment": "Combined requirements and recommendations that varied by impact level into a single set with minor wording modification as appropriate." 
+ } + ] + }, + "CCM-QTR-REG": { + "fka": "FRR-CCM-QR-05", + "statement": "Providers MUST include either a registration link or a downloadable calendar file with meeting information for Quarterly Reviews in the authorization data available to all necessary parties required by ADS-CSL-UCP and ADS-CSO-FCT.", + "terms": [ + "All Necessary Parties", + "Authorization data", + "Quarterly Review" + ], + "name": "Meeting Registration Info", + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-QTR-NRD": { + "fka": "FRR-CCM-QR-06", + "statement": "Providers MUST publicly include the target date for their next Quarterly Review with other public authorization data.", + "terms": ["Authorization data", "Quarterly Review"], + "name": "Next Review Date", + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Clarified; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-QTR-NID": { + "fka": "FRR-CCM-QR-04", + "statement": "Providers MUST NOT irresponsibly disclose sensitive information in a Quarterly Review that would likely have an adverse effect on the cloud service offering.", + "terms": ["Cloud Service Offering", "Likely", "Quarterly Review"], + "name": "No Irresponsible Disclosure", + "affects": ["Providers"], + "primary_key_word": "MUST NOT", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "CCM-QTR-SAR": { + "fka": "FRR-CCM-QR-03", + "statement": "Providers SHOULD regularly schedule Quarterly Reviews to occur at least 3 business days after releasing an Ongoing Authorization Report AND within 10 business days of such release.", + "terms": [ + "Ongoing Authorization Report (OAR)", + "Quarterly Review", + "Regularly" + ], + "name": "Schedule Around Reports", + "affects": ["Providers"], + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-QTR-ACT": { + "fka": "FRR-CCM-QR-07", + "statement": "Providers SHOULD include additional information in Quarterly Reviews that the provider determines is of interest, use, or otherwise relevant to agencies.", + "terms": ["Agency", "Quarterly Review"], + "name": "Additional Content", + "affects": ["Providers"], + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-QTR-RTR": { + "fka": "FRR-CCM-QR-09", + "statement": "Providers SHOULD record or transcribe Quarterly Reviews and make such available to all necessary parties with other authorization data.", + "terms": [ + "All Necessary Parties", + "Authorization data", + "Quarterly Review" + ], + "name": "Record/Transcribe Reviews", + "affects": ["Providers"], + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Simplified; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "CCM-QTR-RTP": { + "fka": "FRR-CCM-QR-08", + "statement": "Providers SHOULD NOT invite third parties to attend Quarterly Reviews intended for agencies unless they have specific relevance.", + "terms": ["Agency", "Likely", "Quarterly Review"], + "name": "Restrict Third Parties", + "affects": ["Providers"], + "primary_key_word": "SHOULD NOT", + "note": "This is because agencies are less likely to actively participate in meetings with third parties; the cloud service provider's independent assessor should be considered relevant by default.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-QTR-SRR": { + "fka": "FRR-CCM-QR-10", + "statement": "Providers MAY responsibly share recordings or transcriptions of Quarterly Reviews with the public or other parties ONLY if the provider removes all agency information (comments, questions, names, etc.) AND determines sharing will NOT likely have an adverse effect on the cloud service offering.", + "terms": [ + "Agency", + "Cloud Service Offering", + "Likely", + "Quarterly Review" + ], + "name": "Share Recordings Responsibly", + "affects": ["Providers"], + "primary_key_word": "MAY", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "CCM-QTR-SCR": { + "fka": "FRR-CCM-QR-11", + "statement": "Providers MAY responsibly share content prepared for a Quarterly Review with the public or other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.", + "terms": ["Cloud Service Offering", "Likely", "Quarterly Review"], + "name": "Share Content Responsibly", + "affects": ["Providers"], + "primary_key_word": "MAY", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + } + }, + "AGM": { + "CCM-AGM-ROR": { + "fka": "FRR-CCM-AG-01", + "statement": "Agencies MUST review each Ongoing Authorization Report to understand how changes to the cloud service offering may impact the previously agreed-upon risk tolerance documented in the agency's Authorization to Operate of a federal information system that includes the cloud service offering in its boundary.", + "terms": [ + "Agency", + "Cloud Service Offering", + "Ongoing Authorization Report (OAR)" + ], + "name": "Review Ongoing Reports", + "affects": ["Agencies"], + "primary_key_word": "MUST", + "note": "This is required by 44 USC § 35, OMB A-130, FIPS-200, and M-24-15.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "CCM-AGM-NFR": { + "fka": "FRR-CCM-AG-05", + "statement": "Agencies MUST notify FedRAMP by sending an email to info@fedramp.gov if the information presented in an Ongoing Authorization Report, Quarterly Review, or other ongoing authorization data causes significant concerns that may lead the agency to stop operation of the cloud service offering.", + "terms": [ + "Agency", + "Authorization data", + "Cloud Service Offering", + "Ongoing Authorization Report (OAR)", + "Quarterly Review" + ], + "notification": [ + { + "party": "FedRAMP", + "method": "email", + "target": "info@fedramp.gov" + } + ], + "name": "Notify FedRAMP of Concerns", + "affects": ["Agencies"], + "primary_key_word": "MUST", + "note": "Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a).", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "CCM-AGM-NFA": { + "fka": "FRR-CCM-AG-07", + "statement": "Agencies MUST notify FedRAMP after requesting any additional information or materials from a cloud service provider beyond those FedRAMP requires by sending an email to info@fedramp.gov.", + "terms": ["Agency"], + "notification": [ + { + "party": "FedRAMP", + "method": "email", + "target": "info@fedramp.gov" + } + ], + "name": "Notify FedRAMP After Requests", + "affects": ["Agencies"], + "primary_key_word": "MUST", + "note": "Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a).", + "updated": [ + { + "date": "2026-02-04", + "comment": "Clarified notification requirements; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ]
+ },
+ "CCM-AGM-NAR": {
+ "fka": "FRR-CCM-AG-06",
+ "statement": "Agencies MUST NOT place additional security requirements on cloud service providers beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such; this does not apply to seeking clarification or asking general questions about authorization data.",
+ "terms": ["Agency", "Authorization data"],
+ "name": "No Additional Requirements",
+ "affects": ["Agencies"],
+ "primary_key_word": "MUST NOT",
+ "note": "This is a statutory requirement in 44 USC § 3613 (e) related to the Presumption of Adequacy for a FedRAMP authorization.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "CCM-AGM-CSC": {
+ "fka": "FRR-CCM-AG-02",
+ "statement": "Agencies SHOULD consider the Security Category noted in their Authorization to Operate of the federal information system that includes the cloud service offering in its boundary and assign appropriate information security resources for reviewing Ongoing Authorization Reports, attending Quarterly Reviews, and other ongoing authorization data.",
+ "terms": [
+ "Agency",
+ "Authorization data",
+ "Cloud Service Offering",
+ "Quarterly Review"
+ ],
+ "name": "Consider Security Category",
+ "affects": ["Agencies"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "CCM-AGM-SSR": {
+ "fka": "FRR-CCM-AG-03",
+ "name": "Senior Security Reviewer",
+ "varies_by_level": {
+ "low": {
+ "statement": "Agencies MAY designate a senior information security official to review Ongoing Authorization Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems with a Security Category of High.",
+ "primary_key_word": "MAY"
+ },
+ "moderate": {
+ "statement": "Agencies MAY designate a senior information security official to review Ongoing Authorization Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems with a Security Category of High.",
+ "primary_key_word": "MAY"
+ },
+ "high": {
+ "statement": "Agencies SHOULD designate a senior information security official to review Ongoing Authorization Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems with a Security Category of High.",
+ "primary_key_word": "SHOULD"
+ }
+ },
+ "terms": ["Agency", "Cloud Service Offering", "Quarterly Review"],
+ "affects": ["Agencies"],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "CCM-AGM-NPC": {
+ "fka": "FRR-CCM-AG-04",
+ "statement": "Agencies SHOULD formally notify the provider if the information presented in an Ongoing Authorization Report, Quarterly Review, or other ongoing authorization data causes significant concerns that may lead the agency to remove the cloud service offering from operation.",
+ "terms": [
+ "Agency",
+ "Authorization data",
+ "Cloud Service Offering",
+ "Ongoing Authorization Report (OAR)",
+ "Quarterly Review"
+ ],
+ "notification": [
+ {
+ "party": "provider",
+ "method": "email",
+ "target": "security-email"
+ }
+ ],
+ "name": "Notify Provider of Concerns",
+ "affects": ["Agencies"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ }
+ }
+ }
+ }
+ },
+ "FSI": {
+ "info": {
+ "name": "FedRAMP Security Inbox",
+ "short_name": "FSI",
+ "web_name": "fedramp-security-inbox",
+ "effective": {
+ "rev5": {
+ "is": "required",
+ "signup_url": "",
+ "current_status": "Wide Release",
+ "start_date": "2026-01-05",
+ "end_date": "2027-12-22",
+ "comments": [
+ "These requirements apply after January 5, 2026, to all FedRAMP Rev5 cloud services that are listed in the FedRAMP Marketplace."
+ ],
+ "warnings": [
+ "**FedRAMP will begin enforcement of this process after January 5, 2026 with an Emergency Test.**",
+ "Beginning 2026-03-01, corrective action will include public notification that the provider is not meeting the expectations of this process.",
+ "Beginning 2026-05-01, corrective action will include complete removal from the FedRAMP Marketplace.",
+ "Beginning 2026-07-01, corrective action will include complete removal from the FedRAMP Marketplace and a ban on FedRAMP authorization for three months."
+ ]
+ },
+ "20x": {
+ "is": "required",
+ "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
+ "current_status": "Phase 2 Pilot",
+ "start_date": "2025-11-18",
+ "end_date": "2026-03-31",
+ "comments": [
+ "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
+ "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
+ ]
+ }
+ },
+ "front_matter": {
+ "authority": [
+ {
+ "reference": "OMB Memorandum M-24-15 on Modernizing FedRAMP",
+ "reference_url": "https://www.fedramp.gov/docs/authority/m-24-15",
+ "description": "section VII (a) (17) states that GSA must \"position FedRAMP as a central point of contact to the commercial cloud sector for Government-wide communications or requests for risk management information concerning commercial cloud providers used by Federal agencies.\""
+ }
+ ],
+ "purpose": "FedRAMP must have a reliable way to directly contact security and compliance staff operating all FedRAMP Authorized cloud service offerings without tracking individual contacts or maintaining provider-specific logins to customer support portals. These requirements for a FedRAMP Security Inbox apply to all cloud service providers to ensure this direct reliable path remains open, especially in the event of critical security issues.\n\nAll Emergency and Important messages sent by FedRAMP will include specific actions, timeframes expected for action, and an explanation of the corrective actions that FedRAMP will take if the timeframes are not met. Failure to take timely action as required by Emergency communications will result in corrective action from FedRAMP.\n\nFedRAMP will conduct strictly controlled tests of reactions to emergency communications regularly and provide public notice of these tests in advance. 
The reaction times for these tests will be tracked by FedRAMP and made publicly available.\n\nThis set of requirements and recommendations include explicit requirements that FedRAMP will follow to ensure important communications or those sent during emergencies can be routed by cloud service providers separately from general communications.",
+ "expected_outcomes": [
+ "FedRAMP will follow a consistent and repeatable process to communicate with cloud service providers, especially when sending important or emergency messages.",
+ "Cloud service providers will always receive messages from FedRAMP and prioritize the review and reaction to important or emergency messages."
+ ]
+ },
+ "labels": {
+ "CSO": {
+ "description": "These requirements and recommendations apply to all cloud service offerings in the FedRAMP Marketplace.",
+ "name": "General Provider Responsibilities"
+ },
+ "FRP": {
+ "description": "These requirements and recommendations apply to FedRAMP when communicating with cloud service providers.",
+ "name": "FedRAMP's Responsibilities"
+ }
+ }
+ },
+ "data": {
+ "both": {
+ "FRP": {
+ "FSI-FRP-VRE": {
+ "fka": "FRR-FSI-01",
+ "statement": "FedRAMP MUST send messages to cloud service providers using an official @fedramp.gov or @gsa.gov email address with properly configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) email authentication.",
+ "name": "Verified Emails",
+ "affects": ["FedRAMP"],
+ "note": "Anyone at GSA can send email from @fedramp.gov or @gsa.gov - FedRAMP team members will typically have \"FedRAMP\" or \"Q20B\" in their name but this is not universal or enforceable. 
The nature of government enterprise IT services makes it difficult for FedRAMP to isolate FedRAMP-specific team members with enforceable identifiers.",
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FSI-FRP-CDS": {
+ "fka": "FRR-FSI-02",
+ "statement": "FedRAMP MUST convey the criticality of the message in the subject line, IF the message requires an elevated reaction, using one of the following designators:",
+ "name": "Criticality Designators",
+ "affects": ["FedRAMP"],
+ "primary_key_word": "MUST",
+ "following_information": [
+ "**Emergency:** There is a potential incident or crisis such that FedRAMP requires an extremely urgent reaction; emergency messages will contain aggressive timeframes for reaction and failure to meet these timeframes will result in corrective action.",
+ "**Emergency Test:** FedRAMP requires an extremely urgent reaction to confirm the functionality and effectiveness of the FedRAMP Security Inbox; emergency test messages will contain aggressive timeframes for reaction and failure to meet these timeframes will result in corrective action.",
+ "**Important:** There is an important issue that FedRAMP requires the cloud service provider to address; important messages will contain reasonable timeframes for reaction and failure to meet these timeframes may result in corrective action."
+ ],
+ "note": "Messages sent by FedRAMP without one of these designators are considered general communications and do not require an elevated reaction; these may be resolved in the normal course of business by the cloud service provider.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Reframed for clarity; changed response to reaction for clarity; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["FedRAMP Security Inbox", "Incident"]
+ },
+ "FSI-FRP-UFS": {
+ "fka": "FRR-FSI-03",
+ "statement": "FedRAMP MUST send Emergency and Emergency Test designated messages from fedramp_security@gsa.gov OR fedramp_security@fedramp.gov.",
+ "name": "Use FedRAMP_Security Email in Emergencies",
+ "affects": ["FedRAMP"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Changed response to reaction for clarity; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FSI-FRP-PNT": {
+ "fka": "FRR-FSI-04",
+ "statement": "FedRAMP MUST post a public notice at least 10 business days in advance of sending an Emergency Test message; such notices MUST include explanation of the likely expected actions and timeframes for the Emergency Test message.",
+ "name": "Public Notice of Emergency Tests",
+ "timeframe_type": "bizdays",
+ "timeframe_num": 10,
+ "notification": [
+ {
+ "party": "public",
+ "method": "web",
+ "target": "fedramp.gov"
+ }
+ ],
+ "affects": ["FedRAMP"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "notes": [
+ "Public notice may include blog posts, social media posts, announcements during Community Updates, or e-blasts.",
+ "As this process matures, additional confirmed options may become available."
+ ],
+ "terms": ["Likely"]
+ },
+ "FSI-FRP-RQA": {
+ "fka": "FRR-FSI-05",
+ "statement": "FedRAMP MUST clearly specify the required actions in the body of messages that require an elevated reaction.",
+ "name": "Required Actions",
+ "affects": ["FedRAMP"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Changed response to reaction for clarity; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FSI-FRP-ERT": {
+ "fka": "FRR-FSI-06",
+ "statement": "FedRAMP MUST clearly specify the expected timeframe for completing required actions in the body of messages that require an elevated reaction; timeframes for actions will vary depending on the situation but the default timeframes to provide an estimated resolution time for Emergency and Emergency Test designated messages will be as follows:",
+ "name": "Elevated Reaction Timeframes",
+ "affects": ["FedRAMP"],
+ "primary_key_word": "MUST",
+ "following_information": [
+ "**High Impact:** within 12 hours",
+ "**Moderate Impact:** by 3:00 p.m. Eastern Time on the 2nd business day",
+ "**Low Impact:** by 3:00 p.m. Eastern Time on the 3rd business day"
+ ],
+ "note": "High impact cloud service providers are expected to address Emergency messages (including tests) from FedRAMP with a reaction time appropriate to operating a service where failure to react rapidly might have a severe or catastrophic adverse effect on the U.S. Government; some Emergency messages may require faster reaction and all such messages should be addressed as quickly as possible.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Changed response to reaction for clarity; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Catastrophic Adverse Effect"]
+ },
+ "FSI-FRP-COR": {
+ "fka": "FRR-FSI-07",
+ "statement": "FedRAMP MUST clearly specify the corrective actions that will result from failure to complete the required actions in the body of messages that require an elevated reaction; such actions may vary from negative ratings in the FedRAMP Marketplace to suspension of FedRAMP authorization depending on the severity of the event.",
+ "name": "Explain Corrective Actions",
+ "affects": ["FedRAMP"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FSI-FRP-RPM": {
+ "fka": "FRR-FSI-08",
+ "statement": "FedRAMP MAY track and publicly share the time required by cloud service providers to take the actions specified in messages that require an elevated reaction.",
+ "name": "Reaction Metrics",
+ "affects": ["FedRAMP"],
+ "primary_key_word": "MAY",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Changed response to reaction for clarity; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ }
+ },
+ "CSO": {
+ "FSI-CSO-INB": {
+ "fka": "FRR-FSI-09",
+ "statement": "Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a FedRAMP Security Inbox (FSI).",
+ "name": "Maintain a FedRAMP Security Inbox",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "notes": [
+ "Unless otherwise notified, FedRAMP will use the listed Security Email on the Marketplace for these notifications.",
+ "If a provider establishes a new inbox in reaction to this guidance that is different from the Security EMail then they must follow the requirements in FSI-CSO-NOC to notify FedRAMP."
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Changed response to reaction for clarity; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "danger": "Be careful using a personal email tied to an individual for this inbox due to the significant risk to future communications after a change in personnel!",
+ "terms": ["FedRAMP Security Inbox"]
+ },
+ "FSI-CSO-NOC": {
+ "fka": "FRR-FSI-12",
+ "statement": "Providers MUST immediately notify FedRAMP of any changes in addressing for their FedRAMP Security Inbox by emailing info@fedramp.gov with the name and FedRAMP ID of the cloud service offering and the updated email address.",
+ "name": "Notification of Changes",
+ "affects": ["Providers"],
+ "notification": [
+ {
+ "party": "FedRAMP",
+ "method": "email",
+ "target": "info@fedramp.gov"
+ }
+ ],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Cloud Service Offering", "FedRAMP Security Inbox"]
+ },
+ "FSI-CSO-TFG": {
+ "fka": "FRR-FSI-10",
+ "statement": "Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then FedRAMP Security Inbox requirements no longer apply.",
+ "name": "Trust @fedramp.gov and @gsa.gov",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["FedRAMP Security Inbox"]
+ },
+ "FSI-CSO-RCV": {
+ "fka": "FRR-FSI-11",
+ "statement": "Providers MUST receive and react to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP.",
+ "name": "Receive Email Without Disruption",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "note": "This requirement is intended to prevent cloud service providers from requiring FedRAMP to complete a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the message.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Changed response to reaction for clarity; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FSI-CSO-CRA": {
+ "fka": "FRR-FSI-14",
+ "statement": "Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message.",
+ "name": "Complete Required Actions",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "note": "Timeframes may vary by impact level of the cloud service offering.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Cloud Service Offering"]
+ },
+ "FSI-CSO-EMR": {
+ "fka": "FRR-FSI-15",
+ "statement": "Providers MUST route Emergency designated messages sent by FedRAMP to a senior security official for their awareness.",
+ "name": "Emergency Message Routing",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "note": "Senior security officials are determined by the provider.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "FSI-CSO-IMA": {
+ "fka": "FRR-FSI-16",
+ "statement": "Providers SHOULD complete the required actions in Important designated messages sent by FedRAMP within the timeframe specified in the message.",
+ "name": "Important Message Actions",
+ "note": "Timeframes may vary by impact level of the cloud service offering.",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Cloud Service Offering"]
+ },
+ "FSI-CSO-ACK": {
+ "fka": "FRR-FSI-13",
+ "statement": "Providers SHOULD promptly and automatically acknowledge the receipt of messages received from FedRAMP in their FedRAMP Security Inbox.",
+ "name": "Acknowledge Receipt",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["FedRAMP Security Inbox", "Promptly"]
+ }
+ }
+ }
+ }
+ },
+ "ICP": {
+ "info": {
+ "name": "Incident Communications Procedures",
+ "short_name": "ICP",
+ "web_name": "incident-communications-procedures",
+ "effective": {
+ "rev5": {
+ "is": "no"
+ },
+ "20x": {
+ "is": "required",
+ "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
+ "current_status": "Phase 2 Pilot",
+ "start_date": "2025-11-18",
+ "end_date": "2026-03-31",
+ "comments": [
+ "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
+ "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
+ ]
+ }
+ },
+ "front_matter": {
+ "purpose": "This set of requirements and recommendations converts the existing FedRAMP Incident Communications Procedures to the simpler FedRAMP 20x style and clarifies the expectations for FedRAMP 20x.\n\nThe only notable change from the default Incident Communications Procedures for 20x is the addition of a recommendation that incident information be made available in both human-readable and machine-readable formats.",
+ "authority": [
+ {
+ "reference": "FedRAMP Incident Communications Procedures",
+ "reference_url": "https://www.fedramp.gov/docs/rev5/playbook/csp/continuous-monitoring/incident-communication/",
+ "description": ""
+ }
+ ]
+ },
+ "labels": {
+ "CSX": {
+ "description": "These requirements and recommendations apply to all cloud service offerings following the 20x path.",
+ "name": "20x-Specific Provider Responsibilities"
+ }
+ }
+ },
+ "data": {
+ "20x": {
+ "CSX": {
+ "ICP-CSX-IRF": {
+ "fka": "FRR-ICP-01",
+ "statement": "Providers MUST responsibly report incidents to FedRAMP within 1 hour of identification by sending an email to fedramp_security@fedramp.gov or fedramp_security@gsa.gov.",
+ "name": "Incident Reporting to FedRAMP",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "notification": [
+ {
+ "party": "FedRAMP",
+ "method": "email",
+ "target": "info@fedramp.gov"
+ }
+ ],
+ "timeframe_type": "hours",
+ "timeframe_num": 1,
+ "terms": ["Incident"]
+ },
+ "ICP-CSX-IRA": {
+ "fka": "FRR-ICP-02",
+ "statement": "Providers MUST responsibly report incidents to all agency customers within 1 hour of identification using the incident communications points of contact provided by each agency customer.",
+ "name": "Incident Reporting to Agencies",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "notification": [
+ {
+ "party": "Agencies",
+ "method": "various",
+ "target": "various"
+ }
+ ],
+ "timeframe_type": "hours",
+ "timeframe_num": 1,
+ "terms": ["Agency", "Incident"]
+ },
+ "ICP-CSX-IRC": {
+ "fka": "FRR-ICP-03",
+ "statement": "Providers MUST responsibly report incidents to CISA within 1 hour of identification if the incident is confirmed or suspected to be the result of an attack vector listed at https://www.cisa.gov/federal-incident-notification-guidelines#attack-vectors-taxonomy, following the CISA Federal Incident Notification Guidelines at https://www.cisa.gov/federal-incident-notification-guidelines, by using the CISA Incident Reporting System at https://myservices.cisa.gov/irf. ",
+ "name": "Incident Reporting to CISA",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "notification": [
+ {
+ "party": "CISA",
+ "method": "web",
+ "target": "https://myservices.cisa.gov/irf"
+ }
+ ],
+ "timeframe_type": "hours",
+ "timeframe_num": 1,
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "reference": "CISA IRF Incident Reporting System",
+ "reference_url": "https://myservices.cisa.gov/irf",
+ "terms": ["Incident"]
+ },
+ "ICP-CSX-ICU": {
+ "fka": "FRR-ICP-04",
+ "statement": "Providers MUST update all necessary parties, including at least FedRAMP, CISA (if applicable), and all agency customers, at least once per calendar day until the incident is resolved and recovery is complete.",
+ "name": "Incident Updates",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "notification": [
+ {
+ "party": "all necessary parties",
+ "method": "various",
+ "target": "various"
+ }
+ ],
+ "terms": ["Agency", "All Necessary Parties", "Incident"]
+ },
+ "ICP-CSX-RPT": {
+ "fka": "FRR-ICP-05",
+ "statement": "Providers MUST make incident report information available in their secure FedRAMP repository (such as USDA Connect) or trust center.",
+ "name": "Incident Report Availability",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Incident", "Trust Center"]
+ },
+ "ICP-CSX-FIR": {
+ "fka": "FRR-ICP-07",
+ "statement": "Providers MUST provide a final report once the incident is resolved and recovery is complete that describes at least:",
+ "name": "Final Incident Report",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "following_information": [
+ "What occurred",
+ "Root cause",
+ "Response",
+ "Lessons learned",
+ "Changes needed"
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Incident", "Vulnerability Response"]
+ },
+ "ICP-CSX-RSD": {
+ "fka": "FRR-ICP-06",
+ "statement": "Providers MUST NOT irresponsibly disclose specific sensitive information about incidents that would likely increase the impact of the incident, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.",
+ "name": "Responsible Disclosure",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST NOT",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["All Necessary Parties", "Incident", "Likely"]
+ },
+ "ICP-CSX-AUR": {
+ "fka": "FRR-ICP-08",
+ "statement": "Providers SHOULD use automated mechanisms for reporting incidents and providing updates to all necessary parties (including CISA).",
+ "name": "Automated Reporting",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["All Necessary Parties", "Incident"]
+ },
+ "ICP-CSX-HRM": {
+ "fka": "FRR-ICP-09",
+ "statement": "Providers SHOULD make incident report information available in consistent human-readable and machine-readable formats.",
+ "name": "Human and Machine-Readable",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Incident", "Machine-Readable"]
+ }
+ }
+ }
+ }
+ },
+ "MAS": {
+ "info": {
+ "name": "Minimum Assessment Scope",
+ "short_name": "MAS",
+ "web_name": "minimum-assessment-scope",
+ "effective": {
+ "rev5": {
+ "is": "optional",
+ "signup_url": "",
+ "current_status": "Wide Release",
+ "start_date": "2026-01-12",
+ "end_date": "2027-12-22",
+ "comments": [
+ "Rev5 Authorized providers or those seeking FedRAMP authorization MAY adopt this process in place of the traditional FedRAMP boundary after January 12, 2026.",
+ "Providers MUST follow the Significant Change Request process (or Significant Change Notification if applicable) to transition from the traditional boundary to the MAS, and this change must be assessed by a FedRAMP recognized assessor.",
+ "Providers adopting this process MUST comply with ALL requirements and recommendations, including documentation. Templates are not provided for Rev5 MAS adoption so it is up to the provider to minimize confusion.",
+ "Rev5 Authorized providers who switch from a traditional FedRAMP boundary to the MAS MUST notify FedRAMP by sending an email to info@fedramp.gov.",
+ "All new Rev5 authorizations in progress that use the MAS must clearly mark all authorization data to indicate adoption of the MAS.",
+ "The FedRAMP Marketplace will include a section that indicates if a cloud service offering is following this process."
+ ]
+ },
+ "20x": {
+ "is": "required",
+ "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
+ "current_status": "Phase 2 Pilot",
+ "start_date": "2025-11-18",
+ "end_date": "2026-03-31",
+ "comments": [
+ "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
+ "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
+ ]
+ }
+ },
+ "front_matter": {
+ "authority": [
+ {
+ "reference": "OMB Circular A-130: Managing Information as a Strategic Resource",
+ "reference_url": "https://whitehouse.gov/wp-content/uploads/legacydrupalfiles/omb/circulars/A130/a130revised.pdf",
+ "description": "Section 10 states that an \"Authorization boundary\" includes \"all components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.\" and further adds in footnote 64 that \"Agencies have significant flexibility in determining what constitutes an information system and its associated boundary.\""
+ },
+ {
+ "reference": "NIST SP 800-37 Rev. 2",
+ "reference_url": "https://csrc.nist.gov/pubs/sp/800/37/r2/final",
+ "description": "Chapter 2.4 footnote 36 similarly states that \"the term authorization boundary is now used exclusively to refer to the set of system elements comprising the system to be authorized for operation or authorized for use by an authorizing official (i.e., the scope of the authorization).\""
+ },
+ {
+ "reference": "FedRAMP Authorization Act (44 USC § 3609 (a) (4))",
+ "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities",
+ "description": "Requires the General Services Administration to \"establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization.\"",
+ "delegation": "This responsibility is delegated to the FedRAMP Director",
+ "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"
+ }
+ ],
+ "purpose": "Application boundaries that are defined too broadly complicate the assessment process by introducing components that are unlikely to have an impact on the confidentiality, integrity 
or accessibility of the offering. The Minimum Assessment Scope provides guidance for cloud service providers to narrowly define information resource boundaries while still including all necessary components.",
+ "expected_outcomes": [
+ "Boundaries will include the minimum number of components to make authorization and assessment easier",
+ "Cloud service providers will define clear boundaries for security and assessment of offerings based on the direct risk to federal customer data",
+ "Third-party independent assessors will have a simple well documented approach to assess security and implementation decisions",
+ "Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based Authorization to Operate decisions based on their planned use case"
+ ]
+ },
+ "labels": {
+ "CSO": {
+ "description": "These requirements and recommendations apply to all cloud service offerings following the Minimum Assessment Scope process.",
+ "name": "General Provider Responsibilities"
+ }
+ }
+ },
+ "data": {
+ "both": {
+ "CSO": {
+ "MAS-CSO-IIR": {
+ "fka": "FRR-MAS-01",
+ "statement": "Providers MUST identify a set of information resources to assess for FedRAMP authorization that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering; this set of information resources is the cloud service offering.",
+ "affects": ["Providers"],
+ "name": "Identify Information Resources",
+ "primary_key_word": "MUST",
+ "notes": [
+ "Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. 
For more, see https://fedramp.gov/scope.", + "Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see fedramp.gov/scope.", + "All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials." + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Added notes from former AY sections; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Cloud Service Offering", + "Federal Customer Data", + "Handle", + "Information Resource", + "Likely" + ] + }, + "MAS-CSO-FLO": { + "fka": "FRR-MAS-05", + "statement": "Providers MUST clearly identify, document, and explain information flows and security objectives for ALL information resources or sets of information resources in the cloud service offering.", + "affects": ["Providers"], + "name": "Information Flows and Security Objectives", + "primary_key_word": "MUST", + "note": "Information resources (including third-party information resources) MAY vary by security objectives as appropriate to the level of information handled or impacted by the information resource.", + "updated": [ + { + "date": "2026-02-04", + "comment": "Updated wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Handle",
+ "Information Resource",
+ "Third-party Information Resource"
+ ]
+ },
+ "MAS-CSO-TPR": {
+ "fkas": ["FRR-MAS-03", "FRR-MAS-02"],
+ "statement": "Providers MUST address the potential impact to federal customer data from third-party information resources used by the cloud service offering, ONLY IF MAS-CSO-IIR APPLIES, by documenting the following information about each applicable third-party information resource:",
+ "following_information": [
+ "General usage and configuration",
+ "Explanation or justification for use",
+ "Mitigation measures in place to reduce the potential impact to federal customer data",
+ "Compensating controls in place to reduce the potential impact to federal customer data"
+ ],
+ "affects": ["Providers"],
+ "name": "Third-Party Information Resources",
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Rephrased w/ following information, updated application to all third-party resources and merged with former FRR-MAS-02; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Federal Customer Data",
+ "Information Resource",
+ "Third-party Information Resource"
+ ]
+ },
+ "MAS-CSO-MDI": {
+ "fka": "FRR-MAS-04",
+ "statement": "Providers MUST include metadata (including metadata about federal customer data) in the Minimum Assessment Scope ONLY IF MAS-CSO-IIR APPLIES.",
+ "affects": ["Providers"],
+ "name": "Metadata Inclusion",
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Federal Customer Data"]
+ },
+ "MAS-CSO-SUP": {
+ "fka": "FRR-MAS-EX-01",
+ "statement": "Providers MAY include additional materials about other information resources that are not part of the cloud service offering in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the cloud service offering.",
+ "affects": ["Providers"],
+ "name": "Supplemental Information",
+ "primary_key_word": "MAY",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Agency",
+ "Authorization Package",
+ "Cloud Service Offering",
+ "Information Resource"
+ ],
+ "note": "This is intended to allow inclusion of things like security materials for apps, supplemental marketing collateral, and other information that is not part of the cloud service offering but may be useful to agencies."
+ }
+ }
+ }
+ }
+ },
+ "PVA": {
+ "info": {
+ "name": "Persistent Validation and Assessment",
+ "short_name": "PVA",
+ "web_name": "persistent-validation-and-assessment",
+ "effective": {
+ "rev5": {
+ "is": "no"
+ },
+ "20x": {
+ "is": "required",
+ "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
+ "current_status": "Phase 2 Pilot",
+ "start_date": "2025-11-18",
+ "end_date": "2026-03-31",
+ "comments": [
+ "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
+ "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
+ ]
+ }
+ },
+ "front_matter": {
+ "authority": [
+ {
+ "reference": "OMB Circular A-130: Managing Information as a Strategic Resource",
+ "reference_url": "https://whitehouse.gov/wp-content/uploads/legacydrupalfiles/omb/circulars/A130/a130revised.pdf",
+ "description": "defines continuous monitoring as \"maintaining ongoing awareness of information security, vulnerabilities, threats, and incidents to support agency risk management decisions.\""
+ },
+ {
+ "reference": "The FedRAMP Authorization Act (44 USC § 3609 (a) (7))",
+ "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities",
+ "description": "directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring...\""
+ }
+ ],
+ "purpose": "FedRAMP 20x is built around the core concept that secure cloud service providers will persistently and automatically validate that their security decisions and policies are being implemented as expected within their cloud service offering. The activities of a secure service should be intentional, documented, and in a state that is always known and understood by the provider.\n\nSecure providers will design their business processes and technical procedures to maximize the use of automation, persistent validation, and reporting across the entirety of their cloud service offering. This reduces cost by increasing efficiency, enables fast agile delivery of new capabilities and prevents unintended drift between the deployed cloud service offering and the business goals for the offering. Secure providers leverage automated and independent audits to evaluate the validity and effectiveness of their secure practices.\n\nAll FedRAMP 20x Authorized providers are expected to implement persistent validation programs as part of their core engineering workflow. These programs should be optimized to deliver value to the provider and their engineering teams first and foremost, though agencies and other customers will benefit from the improved security and insight resulting from high quality persistent validation programs.\n\nTo obtain and maintain a FedRAMP 20x authorization, providers will be required to have their persistent validation programs assessed regularly for effectiveness and completeness.",
+ "expected_outcomes": [
+ "Cloud service providers will operate effective persistent validation programs to always understand the state of their services.",
+ "Assessors will prioritize technical review of validation programs to ensure the quality and effectiveness of a cloud service provider’s security programs are documented accurately.",
+ "Federal agencies will have significantly increased confidence in the quality and effectiveness of cloud service provider’s security programs."
+ ]
+ },
+ "labels": {
+ "CSX": {
+ "description": "These requirements and recommendations apply to all cloud service offerings following the 20x path.",
+ "name": "20x-Specific Provider Responsibilities"
+ },
+ "TPX": {
+ "description": "These requirements and recommendations apply to all assessors performing verification and validation for the 20x path.",
+ "name": "20x-Specific Assessor Responsibilities"
+ }
+ }
+ },
+ "data": {
+ "20x": {
+ "CSX": {
+ "PVA-CSX-VAL": {
+ "fka": "FRR-PVA-01",
+ "name": "Persistent Validation",
+ "statement": "Providers MUST persistently perform validation of their Key Security Indicators; this process is called persistent validation and is part of vulnerability detection.",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Clarified; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Persistent Validation",
+ "Persistently",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "PVA-CSX-FAV": {
+ "fka": "FRR-PVA-02",
+ "name": "Issues As Vulnerabilities",
+ "statement": "Providers MUST treat issues detected during persistent validation and failures of the persistent validation process as vulnerabilities, then follow the requirements and recommendations in the FedRAMP Vulnerability Detection and Response process for such findings.",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Persistent Validation",
+ "Persistently",
+ "Vulnerability",
+ "Vulnerability Detection",
+ "Vulnerability Response"
+ ]
+ },
+ "PVA-CSX-RPV": {
+ "fka": "FRR-PVA-03",
+ "statement": "Providers MUST include persistent validation activity in the reports on vulnerability detection and response activity required by the FedRAMP Vulnerability Detection and Response process.",
+ "name": "Report Persistent Validation",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Persistent Validation",
+ "Persistently",
+ "Vulnerability",
+ "Vulnerability Detection",
+ "Vulnerability Response"
+ ]
+ },
+ "PVA-CSX-IVV": {
+ "fka": "FRR-PVA-05",
+ "name": "Independent Verification and Validation",
+ "statement": "Providers MUST have the implementation of their goals and validation processes assessed by a FedRAMP-recognized independent assessor OR by FedRAMP directly AND MUST include the results of this assessment in their authorization data without modification.",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "notes": [
+ "The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council. During 20x Phase Two this includes AI services that meet certain criteria as shown at https://fedramp.gov/ai.",
+ "FedRAMP recognized assessors are listed on the FedRAMP Marketplace."
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Authorization data", "Persistent Validation"]
+ },
+ "PVA-CSX-NMV": {
+ "fkas": ["FRR-PVA-TF-LO-01", "FRR-PVA-TF-MO-01"],
+ "statement": "Providers MUST complete the validation processes for Key Security Indicators of non-machine-based information resources at least once every 3 months.",
+ "name": "Non-Machine Validation",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "terms": [
+ "Information Resource",
+ "Machine-Based (information resources)",
+ "Persistent Validation"
+ ]
+ },
+ "PVA-CSX-PMV": {
+ "fkas": ["FRR-PVA-TF-LO-02", "FRR-PVA-TF-MO-02"],
+ "varies_by_level": {
+ "low": {
+ "statement": "Providers MUST complete the validation processes for Key Security Indicators of machine-based information resources at least once every 7 days.",
+ "primary_key_word": "MUST",
+ "timeframe_type": "days",
+ "timeframe_num": 7
+ },
+ "moderate": {
+ "statement": "Providers MUST complete the validation processes for Key Security Indicators of machine-based information resources at least once every 3 days.",
+ "primary_key_word": "MUST",
+ "timeframe_type": "days",
+ "timeframe_num": 3
+ },
+ "high": {
+ "statement": "Providers SHOULD plan for this requirement to be more frequent at 20x High but the anticipated requirements for this FRR have not yet been established for 20x High.",
+ "primary_key_word": "SHOULD"
+ }
+ },
+ "name": "Persistent Machine Validation",
+ "affects": ["Providers"],
+ "terms": [
+ "Information Resource",
+ "Machine-Based (information resources)",
+ "Persistent Validation"
+ ]
+ },
+ "PVA-CSX-PTE": {
+ "fka": "FRR-PVA-07",
+ "name": "Provide Technical Evidence",
+ "statement": "Providers SHOULD provide technical explanations, demonstrations, and other relevant supporting information to all necessary assessors for the technical capabilities they employ to meet Key Security Indicators and to provide validation.",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["All Necessary Assessors", "Persistent Validation"]
+ },
+ "PVA-CSX-RAD": {
+ "fka": "FRR-PVA-08",
+ "name": "Receiving Advice",
+ "statement": "Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their validation and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also PVA-TPX-AMA).",
+ "affects": ["Providers"],
+ "primary_key_word": "MAY",
+ "note": "The related A2LA requirements are waived for FedRAMP 20x Phase Two assessments.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Persistent Validation"]
+ }
+ },
+ "TPX": {
+ "PVA-TPX-UNP": {
+ "fka": "FRR-PVA-10",
+ "name": "Underlying Processes",
+ "statement": "Assessors MUST verify and validate the underlying processes (both machine-based and non-machine-based) that providers use to validate Key Security Indicators; this should include at least:",
+ "affects": ["Assessors"],
+ "primary_key_word": "MUST",
+ "following_information": [
+ "The effectiveness, completeness, and integrity of the automated processes that perform validation of the cloud service offering's security posture.",
+ "The effectiveness, completeness, and integrity of the human processes that perform validation of the cloud service offering's security posture",
+ "The coverage of these processes within the cloud service offering, including if all of the consolidated information resources listed are being validated."
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Information Resource",
+ "Machine-Based (information resources)",
+ "Persistent Validation"
+ ]
+ },
+ "PVA-TPX-PDK": {
+ "fka": "FRR-PVA-11",
+ "name": "Processes Derived from Key Security Indicators",
+ "statement": "Assessors MUST verify and validate the implementation of processes derived from Key Security Indicators to determine whether or not the provider has accurately documented their process and goals.",
+ "affects": ["Assessors"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Persistent Validation"]
+ },
+ "PVA-TPX-OUC": {
+ "fka": "FRR-PVA-12",
+ "name": "Outcome Consistency",
+ "statement": "Assessors MUST verify and validate whether or not the underlying processes are consistently creating the desired security outcome documented by the provider.",
+ "affects": ["Assessors"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Persistent Validation"]
+ },
+ "PVA-TPX-MME": {
+ "fka": "FRR-PVA-13",
+ "name": "Mixed Methods Evaluation",
+ "statement": "Assessors MUST perform evaluation using a combination of quantitative and expert qualitative assessment as appropriate AND document which is applied to which aspect of the assessment.",
+ "affects": ["Assessors"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "PVA-TPX-PAD": {
+ "fka": "FRR-PVA-16",
+ "name": "Procedure Adherence",
+ "statement": "Assessors MUST assess whether or not procedures are consistently followed, including the processes in place to ensure this occurs, without relying solely on the existence of a procedure document for assessing if appropriate processes and procedures are in place.",
+ "note": "This includes evaluating tests or plans for activities that may occur in the future but have not yet occurred.",
+ "affects": ["Assessors"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "PVA-TPX-SUM": {
+ "fka": "FRR-PVA-17",
+ "name": "Assessment Summary",
+ "statement": "Assessors MUST deliver a high-level summary of their assessment process and findings for each Key Security Indicator; this summary will be included in the authorization data for the cloud service offering.",
+ "affects": ["Assessors"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Authorization data", "Cloud Service Offering"]
+ },
+ "PVA-TPX-STE": {
+ "fka": "FRR-PVA-15",
+ "name": "Static Evidence",
+ "statement": "Assessors MUST NOT rely on screenshots, configuration dumps, or other static output as evidence EXCEPT when evaluating the accuracy and reliability of a process that generates such artifacts.",
+ "affects": ["Assessors"],
+ "primary_key_word": "MUST NOT",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "PVA-TPX-NOR": {
+ "fka": "FRR-PVA-18",
+ "name": "No Overall Recommendation",
+ "statement": "Assessors MUST NOT deliver an overall recommendation on whether or not the cloud service offering meets the requirements for FedRAMP authorization.",
+ "affects": ["Assessors"],
+ "primary_key_word": "MUST NOT",
+ "note": "FedRAMP will make the final authorization decision based on the assessor's findings and other relevant information.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Cloud Service Offering"]
+ },
+ "PVA-TPX-PEX": {
+ "fka": "FRR-PVA-14",
+ "name": "Provider Experts",
+ "statement": "Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process.",
+ "affects": ["Assessors"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "PVA-TPX-SHA": {
+ "fka": "FRR-PVA-09",
+ "name": "Sharing Advice",
+ "statement": "Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their validation and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also PVA-CSX-RIA).",
+ "affects": ["Assessors"],
+ "primary_key_word": "MAY",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Persistent Validation"]
+ }
+ }
+ }
+ }
+ },
+ "SCG": {
+ "info": {
+ "name": "Secure Configuration Guide",
+ "short_name": "SCG",
+ "web_name": "secure-configuration-guide",
+ "effective": {
+ "rev5": {
+ "is": "required",
+ "signup_url": "",
+ "current_status": "Wide Release",
+ "start_date": "2026-03-01",
+ "end_date": "2027-12-22",
+ "comments": [
+ "These requirements apply after March 1, 2026, to all FedRAMP Rev5 cloud services that are listed in the FedRAMP Marketplace.",
+ "This process supplements the Customer Responsibilities Matrix and other existing materials - all existing Rev5 materials are still required to be maintained.",
+ "FedRAMP does not provide a specific template for the information required in this guidance to enable cloud service providers to share innovative solutions. As long as all requirements and recommendations in this document are addressed, providers are encouraged to share their Secure Configuration Guide information in a way that makes the most sense for them and their customers."
+ ],
+ "warnings": [
+ "**FedRAMP will begin enforcement of this process after March 1, 2026. Providers who do not have a Secure Configuration Guide that meets the requirements and recommendations in this document will receive corrective action.**",
+ "Beginning 2026-03-01, corrective action will include public notification that the provider does not meet this requirement.",
+ "Beginning 2026-05-01, corrective action will include revocation of FedRAMP authorization and downgrade to FedRAMP Ready.",
+ "Beginning 2026-07-01, corrective action will include complete removal from the FedRAMP Marketplace and a ban on FedRAMP authorization for three months."
+ ]
+ },
+ "20x": {
+ "is": "required",
+ "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
+ "current_status": "Phase 2 Pilot",
+ "start_date": "2025-11-18",
+ "end_date": "2026-03-31",
+ "comments": [
+ "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
+ "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
+ ]
+ }
+ },
+ "front_matter": {
+ "authority": [
+ {
+ "reference": "Executive Order 14144 Strengthening and Promoting Innovation in the Nation’s Cybersecurity Section 3 (d), as amended by Executive Order 14306 Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144",
+ "reference_url": "https://www.federalregister.gov/documents/2025/06/11/2025-10804/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694",
+ "description": " to Section 3 (b), states \"the Administrator of General Services, acting through the Director of the Federal Risk and Authorization Management Program (FedRAMP), in coordination with the Secretary of Commerce, acting through the Director of NIST, and the Secretary of Homeland Security, acting through the Director of CISA, shall develop FedRAMP policies and practices to incentivize or require cloud service providers in the FedRAMP Marketplace to produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems in order to secure Federal data based on agency requirements.\""
+ }
+ ],
+ "purpose": "All customers benefit from simple, easy to follow, easy to understand instructions for securely configuring a cloud service offering. Cloud service providers often provide a wide range of configuration options to allow individual customers to pick and choose their security posture based on their individual customer needs and are best positioned to provide instructions about the overall security impacts of many of these choices.\n\nThis process outlines simple requirements for FedRAMP authorized cloud service providers to effectively communicate the security impact of common settings to new and current agency customers."
+ },
+ "labels": {
+ "CSO": {
+ "description": "These requirements and recommendations apply to all cloud service offerings in the FedRAMP Marketplace.",
+ "name": "General Provider Responsibilities"
+ },
+ "ENH": {
+ "description": "These recommendations apply to all cloud service offerings in the FedRAMP Marketplace for enhanced capabilities related to the Secure Configuration Guide.",
+ "name": "Enhanced Capabilities"
+ }
+ }
+ },
+ "data": {
+ "both": {
+ "CSO": {
+ "SCG-CSO-RSC": {
+ "fkas": ["FRR-RSC-01", "FRR-RSC-02", "FRR-RSC-03"],
+ "statement": "Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that includes at least the following information:",
+ "following_information": [
+ "Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.",
+ "Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications.",
+ "Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications."
+ ],
+ "name": "Recommended Secure Configuration",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "notes": [
+ "These requirements and recommendations refer to this guidance as a Secure Configuration Guide but cloud service providers may make this guidance available in various appropriate forms that provide the best customer experience.",
+ "This guidance should explain how top-level administrative accounts are named and referred to in the cloud service offering."
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Combined all required and recommended SCG information; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Privileged account",
+ "Top-level administrative account"
+ ]
+ },
+ "SCG-CSO-AUP": {
+ "statement": "Providers MUST include instructions in the FedRAMP authorization package that explain how to obtain and use the Secure Configuration Guide.",
+ "name": "Use Instructions",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "This requirement is new in v-0.9.0 to clarify expectations."
+ }
+ ],
+ "note": "These instructions may appear in a variety of ways; it is up to the provider to do so in the most appropriate and effective ways for their specific customer needs.",
+ "terms": ["Authorization Package"]
+ },
+ "SCG-CSO-PUB": {
+ "fka": "FRR-RSC-09",
+ "statement": "Providers SHOULD make the Secure Configuration Guide available publicly.",
+ "name": "Public Guidance",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "SCG-CSO-SDF": {
+ "fka": "FRR-RSC-04",
+ "statement": "Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.",
+ "name": "Secure Defaults",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Privileged account",
+ "Top-level administrative account"
+ ]
+ }
+ },
+ "ENH": {
+ "SCG-ENH-CMP": {
+ "fka": "FRR-RSC-05",
+ "statement": "Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.",
+ "name": "Comparison Capability",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Privileged account",
+ "Top-level administrative account"
+ ]
+ },
+ "SCG-ENH-EXP": {
+ "fka": "FRR-RSC-06",
+ "statement": "Providers SHOULD offer the capability to export all security settings in a machine-readable format.",
+ "name": "Export Capability",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Machine-Readable"]
+ },
+ "SCG-ENH-API": {
+ "fka": "FRR-RSC-07",
+ "statement": "Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability.",
+ "name": "API Capability",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ]
+ },
+ "SCG-ENH-MRG": {
+ "fka": "FRR-RSC-08",
+ "statement": "Providers SHOULD also provide the Secure Configuration Guide in a machine-readable format that can be used by customers or third-party tools to compare against current settings.",
+ "name": "Machine-Readable Guidance",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed unnecessary recommended; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Machine-Readable"]
+ },
+ "SCG-ENH-VRH": {
+ "fka": "FRR-RSC-10",
+ "statement": "Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time.",
+ "name": "Versioning and Release History",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Privileged account",
+ "Top-level administrative account"
+ ]
+ }
+ }
+ }
+ }
+ },
+ "SCN": {
+ "info": {
+ "name": "Significant Change Notifications",
+ "short_name": "SCN",
+ "web_name": "significant-change-notifications",
+ "effective": {
+ "rev5": {
+ "is": "optional",
+ "signup_url": "https://forms.gle/FRha8pVez6Ynngqq5",
+ "current_status": "Wide Release",
+ "start_date": "2026-02-27",
+ "end_date": "2027-12-22",
+ "comments": [
+ "Rev5 Authorized providers or those seeking FedRAMP authorization MAY adopt this process in place of the traditional FedRAMP Significant Change Request process after February 27, 2026.",
+ "Providers MUST address all requirements and recommendations in this process prior to full adoption.",
+ "Rev5 Authorized Providers who switch to the Significant Change Notification process MUST notify FedRAMP via the Sign-up Form.",
+ "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's adoption of this process.",
+ "Providers seeking FedRAMP authorization who plan to follow the Significant Change Notification process must clearly note this in their authorization package",
+ "The FedRAMP Marketplace will include a section that indicates if a cloud service offering is following this process."
+ ]
+ },
+ "20x": {
+ "is": "required",
+ "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/",
+ "current_status": "Phase 2 Pilot",
+ "start_date": "2025-11-18",
+ "end_date": "2026-03-31",
+ "comments": [
+ "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.",
+ "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review."
+ ] + } + }, + "front_matter": { + "authority": [ + { + "reference": "FedRAMP Authorization Act (44 USC § 3609 (a) (7))", + "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities", + "description": "directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the [OMB] Director and the [DHS] Secretary, to establish and regularly update a framework for continuous monitoring...\"", + "delegation": "This responsibility is delegated to the FedRAMP Director", + "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" + }, + { + "reference": "OMB Memorandum M-24-15 on Modernizing FedRAMP", + "reference_url": "https://www.fedramp.gov/docs/authority/m-24-15", + "description": "section VI states \"FedRAMP should seek input from CSPs and develop processes that enable CSPs to maintain an agile deployment lifecycle that does not require advance Government approval, while giving the Government the visibility and information it needs to maintain ongoing confidence in the FedRAMP-authorized system and to respond timely and appropriately to incidents.\"" + } + ], + "purpose": "The Significant Change Notification (SCN) process establishes conditions for FedRAMP authorized cloud service providers to make most significant changes without requiring advance government approval. Agency authorizing officials who authorize the use of FedRAMP authorized cloud services are expected to account for the risk of cloud service providers making changes to improve the service.\n\nThis process broadly identifies four types of significant changes, from least impactful to most impactful:\n1. Routine Recurring\n2. Adaptive\n3. Transformative\n4. 
Impact Categorization\n\nThese categories, and the resulting requirements, apply only to significant changes.", + "expected_outcomes": [ + "Cloud service providers will securely deliver new features and capabilities for government customers at the same speed and pace of delivery for commercial customers, without needing advance government approval", + "Federal agencies will have equal access to features and capabilities as commercial customers without sacrificing the visibility and information they need to maintain ongoing confidence in the service" + ] + }, + "labels": { + "CSO": { + "description": "These requirements and recommendations apply to all cloud service offerings following the Significant Change Notification process.", + "name": "General Provider Responsibilities" + }, + "RTR": { + "description": "These requirements and recommends apply to all routine recurring significant changes.", + "name": "Routine Recurring Changes" + }, + "ADP": { + "description": "These requirements and recommends apply to all adaptive significant changes.", + "name": "Adaptive Changes" + }, + "TRF": { + "description": "These requirements and recommends apply to all transformative significant changes.", + "name": "Transformative Changes" + }, + "FRP": { + "description": "These requirements and recommendations apply to FedRAMP and may result in indirect application to cloud service providers.", + "name": "FedRAMP's Responsibilities" + } + } + }, + "data": { + "both": { + "FRP": { + "SCN-FRP-CAP": { + "fka": "FRR-SCN-EX-01", + "name": "Corrective Action Plan Conditions", + "statement": "FedRAMP MAY require providers to delay significant changes beyond the standard Significant Change Notification period and/or submit significant changes for approval in advance as a condition of a formal FedRAMP Corrective Action Plan or other agreement.", + "affects": ["FedRAMP"], + "primary_key_word": "MAY", + "updated": [ + { + "date": "2026-02-04", + "comment": "Moved to FRP; removed italics and 
changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Significant change"] + } + }, + "CSO": { + "SCN-CSO-EVA": { + "fkas": ["FRR-SCN-01", "FRR-SCN-02", "FRR-SCN-03"], + "statement": "Providers MUST evaluate all potential significant changes to determine the type of significant change and apply the appropriate Significant Change Notification requirements and recommendations.", + "name": "Evaluate Changes", + "affects": ["Providers"], + "primary_key_word": "MUST", + "following_information": [ + "Is it a significant change? --> Continue evaluation and follow the Significant Change Notification process.", + "If it is, is it an impact categorization change? --> This requires a new assessment and cannot be done under the Significant Change Notification process.", + "If it is not, is it a routine recurring change? --> Follow the Routine Recurring Change process (SCN-CSO-RTR).", + "If it is not, is it a transformative change? --> Follow the Transformative Change process (SCN-CSO-TRF).", + "If it is not, then it is an adaptive change --> Follow the Adaptive Change process (SCN-CSO-ADP)." + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Adaptive", + "Impact Categorization", + "Routine Recurring", + "Significant change", + "Transformative" + ] + }, + "SCN-CSO-MAR": { + "fka": "FRR-SCN-04", + "name": "Maintain Audit Records", + "statement": "Providers MUST maintain auditable records of significant change evaluation activities and make them available to all necessary parties.", + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["All Necessary Parties", "Significant change"] + }, + "SCN-CSO-INF": { + "fka": "FRR-SCN-09", + "name": "Required Information", + "statement": "Providers MUST include at least the following information in Significant Change Notifications:", + "following_information": [ + "Service Offering FedRAMP ID", + "Assessor Name (if applicable)", + "Related POA&M (if applicable)", + "Significant Change type and explanation of categorization", + "Short description of change", + "Reason for change", + "Summary of customer impact, including changes to services and customer configuration responsibilities", + "Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted Key Security Indicators or controls", + "Copy of the business or security impact analysis", + "Name and title of approver" + ], + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Persistent Validation", "Significant change"] + }, + "SCN-CSO-HIS": { + "fka": "FRR-SCN-05", + "name": "Historical Notifications", + "statement": "Providers MUST keep historical Significant Change Notifications available to all necessary parties at least until the service completes its next annual assessment.", + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["All Necessary Parties", "Significant change"] + }, + "SCN-CSO-HRM": { + "fka": "FRR-SCN-08", + "name": "Human and Machine-Readable", + "statement": "Providers MUST make ALL Significant Change Notifications and related audit records available in similar human-readable and compatible machine-readable formats.", + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Machine-Readable", "Significant change"] + }, + "SCN-CSO-ARI": { + "fka": "FRR-SCN-10", + "name": "Additional Relevant Information", + "statement": "Providers MAY include additional relevant information in Significant Change Notifications.", + "affects": ["Providers"], + "primary_key_word": "MAY", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Significant change"] + }, + "SCN-CSO-NOM": { + "fka": "FRR-SCN-07", + "name": "Notification Mechanisms", + "statement": "Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented and easily accessible.", + "affects": ["Providers"], + "primary_key_word": "MAY", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "SCN-CSO-EMG": { + "fka": "FRR-SCN-EX-02", + "name": "Emergency Changes", + "statement": "Providers MAY execute significant changes (including transformative changes) during an emergency or incident without meeting Significant Change Notification requirements in advance ONLY if absolutely necessary. 
In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident.", + "affects": ["Providers"], + "primary_key_word": "MAY", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "All Necessary Parties", + "Incident", + "Significant change", + "Transformative" + ] + } + }, + "RTR": { + "SCN-RTR-NNR": { + "fka": "FRR-SCN-RR-01", + "name": "No Notification Requirements", + "statement": "Providers SHOULD NOT make formal Significant Change Notifications for routine recurring changes; this type of change is exempted from the notification requirements of this process.", + "affects": ["Providers"], + "primary_key_word": "SHOULD NOT", + "notes": [ + "Activities that match the routine recurring significant change type are performed regularly and routinely by cloud service providers to address flaws or vulnerabilities, address incidents, and generally perform the typical maintenance and service delivery changes expected during day-to-day operations.", + "These changes leverage mature processes and capabilities to identify, mitigate, and remediate risks as part of the change. They are often entirely automated and may occur without human intervention, even though they have an impact on security of the service.", + "If the activity does not occur regularly and routinely then it cannot be a significant change of this type (e.g., replacing all physical firewalls to remediate a vulnerability is obviously not regular or routine)." 
+ ], + "examples": [ + { + "id": "Tips on ongoing operations", + "key_tests": [ + "Routine care and feeding by staff during normal duties", + "No major impact to service availability", + "Does not require executive approval" + ], + "examples": [ + "Provisioning or deprovisioning capacity to support service elasticity", + "Changing or tuning performance configurations for instances or services", + "Updating and maintaining operational handling of information flows and protection across physical and logical networks (e.g., updating firewall rules)", + "Generating or refreshing API or access tokens" + ] + }, + { + "id": "Tips on vulnerability management", + "key_tests": [ + "Minor, incremental patching or updates", + "Significant refactoring or migration process NOT required", + "No breaking changes" + ], + "examples": [ + "Updating security service or endpoint signatures", + "Routine patching of devices, operating systems, software or libraries", + "Updating and deploying code that applies normal fixes and improvements as part of a regular development cycle", + "Vulnerability remediation activity that simply replaces a known-bad component(s) with a better version of the exact same thing, running in the exact same way with no changes to processes" + ] + } + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["Routine Recurring", "Significant change"] + } + }, + "ADP": { + "SCN-ADP-NTF": { + "fka": "FRR-SCN-AD-01", + "name": "Notification Requirements", + "statement": "Providers MUST notify all necessary parties within 10 business days after finishing adaptive changes, also including the following information:", + "following_information": [ + "Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)" + ], + "timeframe_type": "bizdays", + "timeframe_num": 10, + "notification": [ + { + "party": "all necessary parties", + "method": "update", + "target": "authorization data" + } + ], + "affects": ["Providers"], + "primary_key_word": "MUST", + "notes": [ + "Activities that match the adaptive significant change type are a frequent and normal part of iteratively improving a service by deploying new functionality or modifying existing functionality in a way that is typically transparent to customers and does not introduce significant new security risks.", + "In general, most changes that do not happen regularly will be adaptive changes. This change type deliberately covers a wide range of activities in a way that requires assessment and consideration." 
+ ], + "examples": [ + { + "id": "Tips on adaptive changes", + "key_tests": [ + "Requires minimal changes to security plans or procedures", + "Requires some careful planning and project management to implement, but does not rise to the level of planning required for transformative changes", + "Requires verification of existing functionality and secure configuration after implementation" + ], + "examples": [ + "Updates to operating systems, containers, virtual machines, software or libraries with known breaking changes, complex steps, or service disruption", + "Deploying larger than normal incremental feature improvements in code or libraries that are the work of multiple weeks of development efforts but are not considered a major new service", + "Changing cryptographic modules where the new module meets the same standards and characteristics of the former", + "Replacing a like-for-like component where some security plan or procedure adjustments are required (e.g., scanning tool or managed database swap)", + "Adding models to existing approved AI services without exposing federal customer data to new services" + ] + } + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Adaptive", "All Necessary Parties"] + } + }, + "TRF": { + "SCN-TRF-OPT": { + "fka": "FRR-SCN-TR-07", + "name": "Option to Opt Out", + "statement": "Providers MUST allow agency customers to OPT OUT of transformative changes whenever feasible.", + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["Agency", "Transformative"] + }, + "SCN-TRF-NIP": { + "fka": "FRR-SCN-TR-02", + "name": "Notification of Initial Plans", + "statement": "Providers MUST notify all necessary parties of initial plans for transformative changes at least 30 business days before starting transformative changes.", + "affects": ["Providers"], + "timeframe_type": "bizdays", + "timeframe_num": 30, + "notification": [ + { + "party": "all necessary parties", + "method": "update", + "target": "authorization data" + } + ], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["All Necessary Parties", "Transformative"] + }, + "SCN-TRF-NFP": { + "fka": "FRR-SCN-TR-03", + "name": "Notification of Final Plans", + "statement": "Providers MUST notify all necessary parties of final plans for transformative changes at least 10 business days before starting transformative changes.", + "affects": ["Providers"], + "timeframe_type": "bizdays", + "timeframe_num": 10, + "notification": [ + { + "party": "all necessary parties", + "method": "update", + "target": "authorization data" + } + ], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["All Necessary Parties", "Transformative"] + }, + "SCN-TRF-NAF": { + "fka": "FRR-SCN-TR-04", + "name": "Notification After Finishing", + "statement": "Providers MUST notify all necessary parties within 5 business days after finishing transformative changes, also including the following information:", + "following_information": [ + "Updates to all previously sent information" + ], + "timeframe_type": "bizdays", + "timeframe_num": 5, + "notification": [ + { + "party": "all necessary parties", + "method": "update", + "target": "authorization data" + } + ], + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["All Necessary Parties", "Transformative"] + }, + "SCN-TRF-NAV": { + "fka": "FRR-SCN-TR-05", + "name": "Notification After Verification", + "statement": "Providers MUST notify all necessary parties within 5 business days after completing the verification, assessment, and/or validation of transformative changes, also including the following information:", + "following_information": [ + "Updates to all previously sent information", + "Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)", + "Copy of the security assessment report (if applicable)" + ], + "timeframe_type": "bizdays", + "timeframe_num": 5, + "notification": [ + { + "party": "all necessary parties", + "method": "update", + "target": "authorization data" + } + ], + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "All Necessary Parties", + "Persistent Validation", + "Transformative" + ] + }, + "SCN-TRF-UPD": { + "fka": "FRR-SCN-TR-06", + "name": "Update Documentation", + "statement": "Providers MUST publish updated service documentation and other materials to reflect transformative changes within 30 business days after finishing transformative changes.", + "affects": ["Providers"], + "timeframe_type": "bizdays", + "timeframe_num": 30, + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Transformative"] + }, + "SCN-TRF-TPR": { + "fka": "FRR-SCN-TR-01", + "name": "Third-Party Review", + "statement": "Providers SHOULD engage a third-party assessor to review the scope and impact of the planned change before starting transformative changes if human validation is necessary; such reviews SHOULD be limited to security decisions that require human validation.", + "affects": ["Providers"], + "primary_key_word": "SHOULD", + "note": "Activities that match the transformative significant change type are rare for a cloud service offering, adjusted for the size, scale, and complexity of the service. 
Small cloud service offerings may go years without transformative changes, while hyperscale providers may release multiple transformative changes per year.", + "examples": [ + { + "id": "Tips on transformative changes", + "key_tests": [ + "Alters the service risk profile or require new or significantly different actions to address customer responsibilities", + "Requires significant new design, development and testing with discrete associated project planning, budget, marketing, etc.", + "Requires extensive updates to security assessments, documentation, and how a large number of security requirements are met and validated" + ], + "examples": [ + "The addition, removal, or replacement of a critical third party service that handles a significant portion of information (e.g., IaaS change)", + "Increasing the security categorization of a service within the offering that actively handles federal customer data (does NOT include impact change of entire offering - see impact categorization change)", + "Replacement of underlying management planes or paradigm shift in workload orchestration (e.g., bare-metal servers or virtual machines to containers, migration to kubernetes)", + "Datacenter migration where large amounts of federal customer data is moved across boundaries different from normal day-to-day operations", + "Adding a new AI-based capability that impacts federal customer data in a different way than existing services or capabilities (such as integrating a new third-party service or training on federal customer data)" + ] + } + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Cloud Service Offering", + "Persistent Validation", + "Significant change", + "Transformative" + ] + } + } + } + } + }, + "UCM": { + "info": { + "name": "Using Cryptographic Modules", + "short_name": "UCM", + "web_name": "using-cryptographic-modules", + "effective": { + "rev5": { + "is": "no" + }, + "20x": { + "is": "required", + "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", + "current_status": "Phase 2 Pilot", + "start_date": "2025-11-18", + "end_date": "2026-03-31", + "comments": [ + "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.", + "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review." + ] + } + }, + "front_matter": { + "purpose": "This set of requirements and recommendations converts the existing FedRAMP Policy for Cryptographic Module Selection and Use (https://www.fedramp.gov/resources/documents/FedRAMP_Policy_for_Cryptographic_Module_Selection_v1.1.0.pdf) to the simpler FedRAMP 20x style and clarifies the implementation expectations for FedRAMP 20x.\n\nThe notable change from the default Rev5 Policy for Cryptographic Module Selection and Use is that the use of cryptographic modules (or update streams) validated under the NIST Cryptographic Module Validation Program are not explicitly required when cryptographic modules are used to protect federal customer data in cloud service offerings seeking FedRAMP authorization at the Moderate impact level. 
This acknowledges that not all Moderate impact federal customer data is considered “sensitive” and allows both cloud service providers and agency customers to make risk-based decisions about their use of Moderate impact services for agency use cases that do not include sensitive data.\n\nFedRAMP recommends that cloud service providers seeking FedRAMP authorization at the Moderate impact level use such cryptographic modules whenever technically feasible and reasonable but acknowledges there may be sound reasons not to do so across the board at the Moderate impact level. As always, the reasoning and justification for such decisions must be documented by the cloud service provider." + }, + "labels": { + "CSX": { + "description": "These requirements and recommendations apply to all cloud service offerings following the 20x path.", + "name": "20x-Specific Provider Responsibilities" + } + } + }, + "data": { + "20x": { + "CSX": { + "UCM-CSX-CMD": { + "fka": "FRR-UCM-01", + "statement": "Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules.", + "name": "Cryptographic Module Documentation", + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["Federal Customer Data", "Persistent Validation"] + }, + "UCM-CSX-UVM": { + "fkas": ["FRR-UCM-03", "FRR-UCM-04"], + "varies_by_level": { + "low": { + "statement": "Providers MAY use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.", + "primary_key_word": "MAY" + }, + "moderate": { + "statement": "Providers SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.", + "primary_key_word": "SHOULD" + }, + "high": { + "statement": "Providers MUST use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data.", + "primary_key_word": "MUST" + } + }, + "name": "Using Validated Cryptographic Modules", + "affects": ["Providers"], + "terms": ["Federal Customer Data", "Persistent Validation"] + }, + "UCM-CSX-CAT": { + "fka": "FRR-UCM-02", + "statement": "Providers SHOULD configure agency tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available.", + "name": "Configuration of Agency Tenants", + "affects": ["Providers"], + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["Agency", "Persistent Validation"] + } + } + } + } + }, + "VDR": { + "info": { + "name": "Vulnerability Detection and Response", + "short_name": "VDR", + "web_name": "vulnerability-detection-and-response", + "effective": { + "rev5": { + "is": "optional", + "signup_url": "https://docs.google.com/forms/d/e/1FAIpQLSePkNZNzB3hke39KwT1c7aGhAcsNLm_xz4NZuPcqUfq01rDgg/viewform", + "current_status": "Open Beta", + "start_date": "2026-02-02", + "end_date": "2026-05-22", + "comments": [ + "**Providers MUST notify FedRAMP of intent to participate in the Vulnerability Detection and Response Rev5 Open Beta by submitting a sign-up form to FedRAMP.**", + "Rev5 Authorized providers MAY adopt this process beginning February 2, 2026 as part of the Open Beta.", + "Providers MUST plan to address all requirements and recommendations in this process by the end of the Open Beta on May 22, 2026.", + "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's participation in this beta.", + "FedRAMP recommends that participants in the Vulnerability Detection and Response beta also adopt the Authorization Data Sharing process and the Significant Change Notifications process." + ] + }, + "20x": { + "is": "required", + "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", + "current_status": "Phase 2 Pilot", + "start_date": "2025-11-18", + "end_date": "2026-03-31", + "comments": [ + "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.", + "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review." 
+ ] + } + }, + "front_matter": { + "authority": [ + { + "reference": "OMB Circular A-130, Managing Information as a Strategic Resource", + "reference_url": "https://whitehouse.gov/wp-content/uploads/legacydrupalfiles/omb/circulars/A130/a130revised.pdf", + "description": "OMB Circular A-130 defines continuous monitoring as \"maintaining ongoing awareness of information security, vulnerabilities, threats, and incidents to support agency risk management decisions.\"" + }, + { + "reference": "44 USC § 3609 (a)(7)", + "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities", + "description": "The FedRAMP Authorization Act (44 USC § 3609 (a)(7)) directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring...\"", + "delegation": "This responsibility is delegated to the FedRAMP Director", + "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" + } + ], + "purpose": "The FedRAMP Vulnerability Detection and Response process ensures FedRAMP Authorized cloud service offerings use automated systems to effectively and continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities and related exposures to threats; and that information related to these activities are effectively and continuously reported to federal agencies for the purposes of ongoing authorization.\n\nThe Vulnerability Detection and Response process defines minimum security requirements that cloud service providers must meet to be FedRAMP Authorized while allowing them flexibility in how they implement and adopt the majority of FedRAMP's requirements and recommendations. 
This creates a marketplace where cloud service providers can compete based on their individual approach and prioritization of security and agencies can choose to adopt cloud services with less effective security programs for less sensitive use cases while prioritizing cloud services with high performing security programs when needed.\n\nOver time, FedRAMP will automatically review the machine-readable authorization data shared by participating cloud service providers to begin scoring cloud service offerings based on how effectively they meet or exceed the requirements and recommendations in this and other FedRAMP 20x processes.\n\nAll existing FedRAMP requirements, including control statements, standards, and other guidelines that reference vulnerability scanning or formal Plans of Action and Milestones (POA&Ms) are superseded by this process and MAY be ignored by providers of cloud service offerings that have met the requirements to adopt this process with approval by FedRAMP.", + "expected_outcomes": [ + "Cloud service providers following commercial security best practices will be able to meet and validate FedRAMP security requirements with simple changes and automated capabilities", + "Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based authorizations based on their use cases" + ] + }, + "labels": { + "CSO": { + "description": "These requirements and recommendations apply to all cloud service offerings following the Vulnerability Detection and Response process.", + "name": "General Provider Responsibilities" + }, + "AGM": { + "description": "These requirements and recommendations for agencies apply to all agencies reusing a FedRAMP Certification or Validation for a cloud service offering following the Vulnerability Detection and Response process.", + "name": "Agency Guidance" + }, + "TFR": { + "description": "These requirements and recommendations apply to 
timeframes for vulnerability detection and response.",
+ "name": "Timeframes"
+ },
+ "RPT": {
+ "description": "These requirements and recommendations apply to reporting related to vulnerability detection and response.",
+ "name": "Reporting"
+ },
+ "EVA": {
+ "description": "These requirements and recommendations apply to the evaluation of vulnerabilities.",
+ "name": "Evaluation"
+ },
+ "FRP": {
+ "description": "These requirements and recommendations apply to FedRAMP when setting expectations for specific cloud service providers.",
+ "name": "FedRAMP's Responsibilities"
+ },
+ "BST": {
+ "description": "These recommendations for best practices apply to all cloud service providers.",
+ "name": "Best Practices"
+ }
+ }
+ },
+ "data": {
+ "both": {
+ "FRP": {
+ "VDR-FRP-ARP": {
+ "fka": "FRR-VDR-EX-01",
+ "statement": "FedRAMP MAY require providers to share additional vulnerability information, alternative reports, or to report at an alternative frequency as a condition of a FedRAMP Corrective Action Plan or other agreements with federal agencies.",
+ "name": "Additional Requirements",
+ "affects": ["FedRAMP"],
+ "primary_key_word": "MAY",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Changed to FedRAMP responsibility; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Agency", "Vulnerability"]
+ },
+ "VDR-FRP-ADV": {
+ "fka": "FRR-VDR-EX-02",
+ "statement": "FedRAMP MAY required providers to share additional information or details about vulnerabilities, including sensitive information that would likely lead to exploitation, as part of review, response or investigation by necessary parties.",
+ "name": "Sensitive Details",
+ "affects": ["FedRAMP"],
+ "primary_key_word": "MAY",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Changed to FedRAMP responsibility; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": ["Likely", "Vulnerability", "Vulnerability Response"]
+ }
+ },
+ "CSO": {
+ "VDR-CSO-DET": {
+ "fka": "FRR-VDR-01",
+ "statement": "Providers MUST systematically, persistently, and promptly discover and identify vulnerabilities within their cloud service offering using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other relevant capabilities; this process is called vulnerability detection.",
+ "affects": ["Providers"],
+ "name": "Vulnerability Detection",
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Persistently",
+ "Promptly",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "VDR-CSO-RES": {
+ "fka": "FRR-VDR-02",
+ "statement": "Providers MUST systematically, persistently, and promptly track, evaluate, monitor, mitigate, remediate, assess exploitation of, report, and otherwise manage all detected vulnerabilities within their cloud service offering; this process is called vulnerability response.",
+ "affects": ["Providers"],
+ "name": "Vulnerability Response",
+ "primary_key_word": "MUST",
+ "note": "If it is not possible to fully mitigate or remediate detected vulnerabilities, providers SHOULD instead partially mitigate vulnerabilities promptly, progressively, and persistently.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Persistently",
+ "Promptly",
+ "Vulnerability",
+ "Vulnerability Detection",
+ "Vulnerability Response"
+ ]
+ },
+ "VDR-CSO-DOC": {
+ "fka": "FRR-VDR-11",
+ "statement": "Providers MUST document the reason and resulting implications for their customers when choosing not to meet FedRAMP recommendations in this process; this documentation MUST be included in the authorization data for the cloud service offering.",
+ "name": "Documentation for Recommendations",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Authorization data", "Cloud Service Offering"]
+ }
+ },
+ "EVA": {
+ "VDR-EVA-ELX": {
+ "fka": "FRR-VDR-07",
+ "statement": "Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are likely exploitable vulnerabilities.",
+ "name": "Evaluate Exploitability",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "notes": [
+ "The simple reality is that most traditional vulnerabilities discovered by scanners or during assessment are not likely to be exploitable; exploitation typically requires an unrealistic set of circumstances that will not occur during normal operation. The likelihood of exploitation will vary depending on so many factors that FedRAMP will not recommend a specific framework for approaching this beyond the recommendations and requirements in this document.",
+ "The proof, ultimately, is in the pudding - providers who regularly evaluate vulnerabilities as not likely exploitable without careful consideration are more likely to suffer from an adverse impact where the root cause was an exploited vulnerability that was improperly evaluated. 
If done recklessly or deliberately, such actions will have a potential adverse impact on a provider's FedRAMP authorization."
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Updated note from technical assistance; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Likely",
+ "Likely Exploitable Vulnerability (LEV)",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "VDR-EVA-EIR": {
+ "fka": "FRR-VDR-08",
+ "statement": "Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are internet-reachable vulnerabilities.",
+ "name": "Evaluate Internet-Reachability",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "notes": [
+ "FedRAMP focuses on internet-reachable (rather than internet-accessible) to ensure that any service that might receive a payload from the internet is prioritized if that service has a vulnerability that can be triggered by processing the data in the payload.",
+ "The simplest way to prevent exploitation of internet-reachable vulnerabilities is to intercept, inspect, filter, sanitize, reject, or otherwise deflect triggering payloads before they are processed by the vulnerable resource; once this prevention is in place the vulnerability should no longer be considered an internet-reachable vulnerability.",
+ "A classic example of an internet-reachable vulnerability on systems that are not typically internet-accessible is [SQL injection](https://en.wikipedia.org/wiki/SQL_injection), where an application stack behind a load balancer and firewall with no ability to route traffic to or from the internet can receive a payload indirectly from the internet that triggers the manipulation or compromise of data in a database that can only be accessed by an authorized connection from the application server on a private network.",
+ "Another simple example is 
the infamous Log4Shell (https://en.wikipedia.org/wiki/Log4Shell) vulnerability from 2021, where exploitation was possible via vulnerable internet-reachable resources deep in the application stack that were often not internet-accessible themselves."
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Internet-Reachable Vulnerability (IRV)",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "VDR-EVA-EPA": {
+ "fka": "FRR-VDR-09",
+ "statement": "Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to estimate the potential adverse impact of exploitation on government customers AND assign one of the following potential adverse impact ratings:",
+ "name": "Estimate Potential Adverse Impact",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "following_information_bullets": [
+ "**N1**: Exploitation could be expected to have negligible adverse effects on one or more agencies that use the cloud service offering.",
+ "**N2**: Exploitation could be expected to have limited adverse effects on one or more agencies that use the cloud service offering.",
+ "**N3**: Exploitation could be expected to have a serious adverse effect on one agency that uses the cloud service offering.",
+ "**N4**: Exploitation could be expected to have a catastrophic adverse effect on one agency that uses the cloud service offering OR a serious adverse effect on more than one federal agency that uses the cloud service offering.",
+ "**N5**: Exploitation could be expected to have a catastrophic adverse effect on more than one agency that uses the cloud service offering."
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": [
+ "Agency",
+ "Catastrophic Adverse Effect",
+ "Cloud Service Offering",
+ "Limited Adverse Effect",
+ "Negligible Adverse Effect",
+ "Potential Adverse Impact (of vulnerability exploitation)",
+ "Serious Adverse Effect",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "VDR-EVA-GRV": {
+ "fka": "FRR-VDR-05",
+ "statement": "Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to identify logical groupings of affected information resources that may improve the efficiency and effectiveness of vulnerability response by consolidating further activity; requirements and recommendations in this process are then applied to these consolidated groupings of vulnerabilities instead of each individual detected instance.",
+ "name": "Group Vulnerabilities",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Information Resource",
+ "Vulnerability",
+ "Vulnerability Detection",
+ "Vulnerability Response"
+ ]
+ },
+ "VDR-EVA-EFP": {
+ "fka": "FRR-VDR-06",
+ "statement": "Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are false positive vulnerabilities.",
+ "name": "Evaluate False Positives",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "False Positive Vulnerability",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "VDR-EVA-EFA": {
+ "fka": "FRR-VDR-10",
+ "statement": "Providers SHOULD consider at least the following factors when considering the context of the cloud service offering to evaluate detected vulnerabilities:",
+ "name": "Evaluation Factors",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "following_information": [
+ "**Criticality**: How important are the systems or information that might be impacted by the vulnerability?",
+ "**Reachability**: How might a threat actor reach the vulnerability and how likely is that?",
+ "**Exploitability**: How easy is it for a threat actor to exploit the vulnerability and how likely is that?",
+ "**Detectability**: How easy is it for a threat actor to become aware of the vulnerability and how likely is that?",
+ "**Prevalence**: How much of the cloud service offering is affected by the vulnerability?",
+ "**Privilege**: How much privileged authority or access is granted or can be gained from exploiting the vulnerability?",
+ "**Proximate Vulnerabilities**: How does this vulnerability interact with previously detected vulnerabilities, especially partially or fully mitigated vulnerabilities?",
+ "**Known Threats**: How might already known threats leverage the vulnerability and how likely is that?"
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Fully Mitigated Vulnerability",
+ "Likely",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ }
+ },
+ "BST": {
+ "VDR-BST-DFR": {
+ "fka": "FRR-VDR-AY-02",
+ "statement": "Providers SHOULD make design and architecture decisions for their cloud service offering that mitigate the risk of vulnerabilities by default AND decrease the risk and complexity of vulnerability detection and response.",
+ "name": "Design For Resilience",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Cloud Service Offering",
+ "Vulnerability",
+ "Vulnerability Detection",
+ "Vulnerability Response"
+ ]
+ },
+ "VDR-BST-ADT": {
+ "fka": "FRR-VDR-AY-03",
+ "statement": "Providers SHOULD use automated services to improve and streamline vulnerability detection and response.",
+ "name": "Automate Detection",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Vulnerability",
+ "Vulnerability Detection",
+ "Vulnerability Response"
+ ]
+ },
+ "VDR-BST-DAC": {
+ "fka": "FRR-VDR-AY-04",
+ "statement": "Providers SHOULD automatically perform vulnerability detection on representative samples of new or significantly changed information resources.",
+ "name": "Detect After Changes",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": [
+ "Information Resource",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "VDR-BST-MSP": {
+ "fka": "FRR-VDR-AY-05",
+ "statement": "Providers SHOULD NOT weaken the security of information resources to facilitate vulnerability scanning, detection, or assessment activities.",
+ "name": "Maintain Security",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD NOT",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Information Resource",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "VDR-BST-AKE": {
+ "fka": "FRR-VDR-AY-06",
+ "statement": "Providers SHOULD NOT deploy or otherwise activate new machine-based information resources with Known Exploited Vulnerabilities.",
+ "name": "Avoid KEVs",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD NOT",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Information Resource",
+ "Known Exploited Vulnerability (KEV)",
+ "Machine-Based (information resources)",
+ "Vulnerability"
+ ]
+ },
+ "VDR-BST-SIR": {
+ "fka": "FRR-VDR-04",
+ "statement": "Providers MAY sample effectively identical information resources, especially machine-based information resources, when performing vulnerability detection UNLESS doing so would decrease the efficiency or effectiveness of vulnerability detection.",
+ "name": "Sampling",
+ "affects": ["Providers"],
+ "primary_key_word": "MAY",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": [
+ "Information Resource",
+ "Machine-Based (information resources)",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ }
+ },
+ "TFR": {
+ "VDR-TFR-MHR": {
+ "fka": "FRR-VDR-TF-01",
+ "statement": "Providers MUST report vulnerability detection and response activity to all necessary parties in a consistent format that is human readable at least monthly.",
+ "name": "Monthly Activity Report",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "timeframe_type": "month",
+ "timeframe_num": 1,
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "All Necessary Parties",
+ "Vulnerability",
+ "Vulnerability Detection",
+ "Vulnerability Response"
+ ]
+ },
+ "VDR-TFR-MAV": {
+ "fka": "FRR-VDR-TF-03",
+ "statement": "Providers MUST categorize any vulnerability that is not or will not be fully mitigated or remediated within 192 days of evaluation as an accepted vulnerability.",
+ "timeframe_type": "days",
+ "timeframe_num": 192,
+ "name": "Mark Accepted Vulnerabilities",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": ["Accepted Vulnerability", "Vulnerability"]
+ },
+ "VDR-TFR-KEV": {
+ "fka": "FRR-VDR-TF-02",
+ "statement": "Providers SHOULD remediate Known Exploited Vulnerabilities according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been fully mitigated) as required by CISA Binding Operational Directive (BOD) 22-01 or any successor guidance from CISA.",
+ "name": "Remediate KEVs",
+ "affects": ["Providers"],
+ "primary_key_word": "SHOULD",
+ "reference": "CISA BOD 22-01",
+ "reference_url": "https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["Known Exploited Vulnerability (KEV)", "Vulnerability"]
+ },
+ "VDR-TFR-MRH": {
+ "fkas": [
+ "FRR-VDR-TF-LO-01",
+ "FRR-VDR-TF-MO-01",
+ "FRR-VDR-TF-HI-01"
+ ],
+ "varies_by_level": {
+ "low": {
+ "statement": "Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every month.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "month",
+ "timeframe_num": 1
+ },
+ "moderate": {
+ "statement": "Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. 
using an API service or similar); this information SHOULD be updated persistently, at least once every 14 days.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 14
+ },
+ "high": {
+ "statement": "Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every 7 days.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 7
+ }
+ },
+ "name": "Historical Activity",
+ "affects": ["Providers"],
+ "terms": [
+ "All Necessary Parties",
+ "Machine-Readable",
+ "Persistently",
+ "Vulnerability",
+ "Vulnerability Detection",
+ "Vulnerability Response"
+ ]
+ },
+ "VDR-TFR-PSD": {
+ "fkas": [
+ "FRR-VDR-TF-LO-02",
+ "FRR-VDR-TF-MO-02",
+ "FRR-VDR-TF-HI-02"
+ ],
+ "varies_by_level": {
+ "low": {
+ "statement": "Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 7 days.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 7
+ },
+ "moderate": {
+ "statement": "Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 3 days.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 3
+ },
+ "high": {
+ "statement": "Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once per day.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 1
+ }
+ },
+ "name": "Persistent Sample Detection",
+ "affects": ["Providers"],
+ "terms": [
+ "Information Resource",
+ "Machine-Based (information resources)",
+ "Persistently",
+ "Vulnerability",
+ 
"Vulnerability Detection"
+ ]
+ },
+ "VDR-TFR-PDD": {
+ "fkas": [
+ "FRR-VDR-TF-LO-03",
+ "FRR-VDR-TF-MO-03",
+ "FRR-VDR-TF-HI-03"
+ ],
+ "varies_by_level": {
+ "low": {
+ "statement": "Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every month.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "month",
+ "timeframe_num": 1
+ },
+ "moderate": {
+ "statement": "Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 14 days.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 14
+ },
+ "high": {
+ "statement": "Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 7 days.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 7
+ }
+ },
+ "name": "Persistent Drift Detection",
+ "affects": ["Providers"],
+ "terms": [
+ "Drift",
+ "Information Resource",
+ "Likely",
+ "Persistently",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "VDR-TFR-PCD": {
+ "fka": "FRR-VDR-TF-LO-04",
+ "varies_by_level": {
+ "low": {
+ "statement": "Providers SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every six months.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "month",
+ "timeframe_num": 6
+ },
+ "moderate": {
+ "statement": "Providers SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "month",
+ "timeframe_num": 1
+ },
+ "high": {
+ "statement": "Providers SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": 
"month",
+ "timeframe_num": 1
+ }
+ },
+ "name": "Persistent Complete Detection",
+ "affects": ["Providers"],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Drift",
+ "Information Resource",
+ "Likely",
+ "Persistently",
+ "Vulnerability",
+ "Vulnerability Detection"
+ ]
+ },
+ "VDR-TFR-EVU": {
+ "fkas": [
+ "FRR-VDR-TF-LO-05",
+ "FRR-VDR-TF-MO-05",
+ "FRR-VDR-TF-HI-05"
+ ],
+ "varies_by_level": {
+ "low": {
+ "statement": "Providers SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 7 days of detection.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 7
+ },
+ "moderate": {
+ "statement": "Providers SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 5 days of detection.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 5
+ },
+ "high": {
+ "statement": "Providers SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 2 days of detection.",
+ "primary_key_word": "SHOULD",
+ "timeframe_type": "days",
+ "timeframe_num": 2
+ }
+ },
+ "name": "Evaluate Vulnerabilities Quickly",
+ "affects": ["Providers"],
+ "terms": ["Vulnerability", "Vulnerability Detection"]
+ },
+ "VDR-TFR-PVR": {
+ "fkas": [
+ "FRR-VDR-TF-LO-06",
+ "FRR-VDR-TF-MO-07",
+ "FRR-VDR-TF-HI-08"
+ ],
+ "varies_by_level": {
+ "low": {
+ "statement": "Providers SHOULD partially mitigate, fully mitigate, or remediate vulnerabilities to a lower potential adverse impact within the timeframes from evaluation shown below (in days), factoring for the current potential adverse impact, internet reachability, and likely exploitability:",
+ "primary_key_word": "SHOULD",
+ "pain_timeframes": [
+ {
+ "pain": 5,
+ "max_days_irv_lev": 4,
+ "max_days_nirv_lev": 8,
+ "max_days_nlev": 32
+ },
+ {
+ "pain": 4,
+ "max_days_irv_lev": 8,
+ 
"max_days_nirv_lev": 32,
+ "max_days_nlev": 64
+ },
+ {
+ "pain": 3,
+ "max_days_irv_lev": 32,
+ "max_days_nirv_lev": 64,
+ "max_days_nlev": 192
+ },
+ {
+ "pain": 2,
+ "max_days_irv_lev": 96,
+ "max_days_nirv_lev": 160,
+ "max_days_nlev": 192
+ }
+ ]
+ },
+ "moderate": {
+ "statement": "Providers SHOULD partially mitigate, fully mitigate, or remediate vulnerabilities to a lower potential adverse impact within the timeframes from evaluation shown below (in days), factoring for the current potential adverse impact, internet reachability, and likely exploitability:",
+ "primary_key_word": "SHOULD",
+ "pain_timeframes": [
+ {
+ "pain": 5,
+ "max_days_irv_lev": 2,
+ "max_days_nirv_lev": 4,
+ "max_days_nlev": 16
+ },
+ {
+ "pain": 4,
+ "max_days_irv_lev": 4,
+ "max_days_nirv_lev": 8,
+ "max_days_nlev": 64
+ },
+ {
+ "pain": 3,
+ "max_days_irv_lev": 16,
+ "max_days_nirv_lev": 32,
+ "max_days_nlev": 128
+ },
+ {
+ "pain": 2,
+ "max_days_irv_lev": 48,
+ "max_days_nirv_lev": 128,
+ "max_days_nlev": 192
+ }
+ ]
+ },
+ "high": {
+ "statement": "Providers SHOULD partially mitigate vulnerabilities to a lower potential adverse impact within the maximum time-frames from evaluation shown below (in days), factoring for the current potential adverse impact, internet reachability, and likely exploitability:",
+ "primary_key_word": "SHOULD",
+ "pain_timeframes": [
+ {
+ "pain": 5,
+ "max_days_irv_lev": 0.5,
+ "max_days_nirv_lev": 1,
+ "max_days_nlev": 8
+ },
+ {
+ "pain": 4,
+ "max_days_irv_lev": 2,
+ "max_days_nirv_lev": 8,
+ "max_days_nlev": 32
+ },
+ {
+ "pain": 3,
+ "max_days_irv_lev": 8,
+ "max_days_nirv_lev": 16,
+ "max_days_nlev": 64
+ },
+ {
+ "pain": 2,
+ "max_days_irv_lev": 24,
+ "max_days_nirv_lev": 96,
+ "max_days_nlev": 192
+ }
+ ]
+ }
+ },
+ "name": "Mitigation and Remediation Expectations",
+ "affects": ["Providers"],
+ "terms": [
+ "Likely",
+ "Potential Adverse Impact (of vulnerability exploitation)",
+ "Vulnerability"
+ ]
+ },
+ "VDR-TFR-RMN": {
+ "fkas": [
+ 
"FRR-VDR-TF-LO-07",
+ "FRR-VDR-TF-MO-09",
+ "FRR-VDR-TF-HI-09"
+ ],
+ "statement": "Providers SHOULD mitigate or remediate remaining vulnerabilities during routine operations as determined necessary by the provider.",
+ "primary_key_word": "SHOULD",
+ "name": "Remaining Vulnerabilities",
+ "affects": ["Providers"],
+ "terms": ["Vulnerability"]
+ },
+ "VDR-TFR-IRI": {
+ "fkas": ["FRR-VDR-TF-MO-06", "FRR-VDR-TF-HI-06"],
+ "varies_by_level": {
+ "low": {
+ "statement": "Providers MAY treat internet-reachable likely exploitable vulnerabilities with a potential adverse impact of N4 or N5 as a security incident until they are partially mitigated to N3 or below.",
+ "primary_key_word": "MAY"
+ },
+ "moderate": {
+ "statement": "Providers SHOULD treat internet-reachable likely exploitable vulnerabilities with a potential adverse impact of N4 or N5 as a security incident until they are partially mitigated to N3 or below.",
+ "primary_key_word": "SHOULD"
+ },
+ "high": {
+ "statement": "Providers SHOULD treat internet-reachable likely exploitable vulnerabilities with a potential adverse impact of N4 or N5 as a security incident until they are partially mitigated to N3 or below.",
+ "primary_key_word": "SHOULD"
+ }
+ },
+ "name": "Internet-Reachable Incidents",
+ "affects": ["Providers"],
+ "terms": [
+ "Incident",
+ "Likely",
+ "Likely Exploitable Vulnerability (LEV)",
+ "Potential Adverse Impact (of vulnerability exploitation)",
+ "Vulnerability"
+ ]
+ },
+ "VDR-TFR-NRI": {
+ "fkas": ["FRR-VDR-TF-HI-07"],
+ "varies_by_level": {
+ "low": {
+ "statement": "Providers MAY treat likely exploitable vulnerabilities that are NOT internet-reachable with a potential adverse impact of N5 as a security incident until they are partially mitigated to N4 or below.",
+ "primary_key_word": "MAY"
+ },
+ "moderate": {
+ "statement": "Providers MAY treat likely exploitable vulnerabilities that are NOT internet-reachable with a potential adverse impact of N5 as a security incident until they 
are partially mitigated to N4 or below.",
+ "primary_key_word": "MAY"
+ },
+ "high": {
+ "statement": "Providers SHOULD treat likely exploitable vulnerabilities that are NOT internet-reachable with a potential adverse impact of N5 as a security incident until they are partially mitigated to N4 or below.",
+ "primary_key_word": "SHOULD"
+ }
+ },
+ "name": "Non-Internet-Reachable Incidents",
+ "affects": ["Providers"],
+ "terms": [
+ "Incident",
+ "Likely",
+ "Likely Exploitable Vulnerability (LEV)",
+ "Potential Adverse Impact (of vulnerability exploitation)",
+ "Vulnerability"
+ ]
+ }
+ },
+ "RPT": {
+ "VDR-RPT-PER": {
+ "fka": "FRR-VDR-RP-01",
+ "statement": "Providers MUST report vulnerability detection and response activity to all necessary parties persistently, summarizing ALL activity since the previous report; these reports are authorization data and are subject to the FedRAMP Authorization Data Sharing (ADS) process.",
+ "name": "Persistent Reporting",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": [
+ "All Necessary Parties",
+ "Authorization data",
+ "Persistently",
+ "Vulnerability",
+ "Vulnerability Detection",
+ "Vulnerability Response"
+ ]
+ },
+ "VDR-RPT-NID": {
+ "fka": "FRR-VDR-RP-03",
+ "statement": "Providers MUST NOT irresponsibly disclose specific sensitive information about vulnerabilities that would likely lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.",
+ "name": "Responsible Disclosure",
+ "affects": ["Providers"],
+ "primary_key_word": "MUST NOT",
+ "note": "This requirement will be superseded in the event of formal action related to an investigation or corrective action plan.",
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": ["All Necessary Parties", "Likely", "Vulnerability"]
+ },
+ "VDR-RPT-VDT": {
+ "fka": "FRR-VDR-RP-05",
+ "statement": "Providers MUST include the following information (if applicable) on detected vulnerabilities when reporting on vulnerability detection and response activity, UNLESS it is an accepted vulnerability:",
+ "name": "Vulnerability Details",
+ "following_information": [
+ "Provider's internally assigned tracking identifier",
+ "Time and source of the detection",
+ "Time of completed evaluation",
+ "Is it an internet-reachable vulnerability or not?",
+ "Is it a likely exploitable vulnerability or not?",
+ "Historically and currently estimated potential adverse impact of exploitation",
+ "Time and level of each completed and evaluated reduction in potential adverse impact",
+ "Estimated time and target level of next reduction in potential adverse impact",
+ "Is it currently or is it likely to become an overdue vulnerability or not? 
If so, explain.", + "Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the vulnerability", + "Final disposition of the vulnerability" + ], + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Accepted Vulnerability", + "Agency", + "Cloud Service Offering", + "Federal Customer Data", + "Internet-Reachable Vulnerability (IRV)", + "Likely", + "Likely Exploitable Vulnerability (LEV)", + "Overdue Vulnerability", + "Potential Adverse Impact (of vulnerability exploitation)", + "Vulnerability", + "Vulnerability Detection", + "Vulnerability Response" + ] + }, + "VDR-RPT-AVI": { + "fka": "FRR-VDR-RP-06", + "statement": "Providers MUST include the following information on accepted vulnerabilities when reporting on vulnerability detection and response activity:", + "name": "Accepted Vulnerability Info", + "following_information": [ + "Provider's internally assigned tracking identifier", + "Time and source of the detection", + "Time of completed evaluation", + "Is it an internet-reachable vulnerability or not?", + "Is it a likely exploitable vulnerability or not?", + "Currently estimated potential adverse impact of exploitation", + "Explanation of why this is an accepted vulnerability", + "Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the accepted vulnerability" + ], + "affects": ["Providers"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Accepted Vulnerability", + "Agency", + "Cloud Service Offering", + "Federal Customer Data", + "Internet-Reachable Vulnerability (IRV)", + "Likely", + "Likely Exploitable Vulnerability (LEV)", + "Potential Adverse Impact (of vulnerability exploitation)", + "Vulnerability", + "Vulnerability Detection", + "Vulnerability Response" + ] + }, + "VDR-RPT-HLO": { + "fka": "FRR-VDR-RP-02", + "statement": "Providers SHOULD include high-level overviews of ALL vulnerability detection and response activities conducted during this period for the cloud service offering; this includes vulnerability disclosure programs, bug bounty programs, penetration testing, assessments, etc.", + "name": "High-Level Overviews", + "affects": ["Providers"], + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Cloud Service Offering", + "Vulnerability", + "Vulnerability Detection", + "Vulnerability Response" + ] + }, + "VDR-RPT-RPD": { + "fka": "FRR-VDR-RP-04", + "statement": "Providers MAY responsibly disclose vulnerabilities publicly or with other parties if the provider determines doing so will NOT likely lead to exploitation.", + "name": "Responsible Public Disclosure", + "affects": ["Providers"], + "primary_key_word": "MAY", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["Likely", "Vulnerability"] + } + }, + "AGM": { + "VDR-AGM-RVR": { + "fka": "FRR-VDR-AG-01", + "statement": "Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers.", + "name": "Review Vulnerability Reports", + "note": "FedRAMP recommends that agencies only review overdue and accepted vulnerabilities with a potential adverse impact of N3 or higher unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, accepted vulnerabilities generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency’s use or authorization.", + "affects": ["Agencies"], + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Accepted Vulnerability", + "Agency", + "Potential Adverse Impact (of vulnerability exploitation)", + "Vulnerability" + ] + }, + "VDR-AGM-MAP": { + "fka": "FRR-VDR-AG-02", + "statement": "Agencies SHOULD use vulnerability information reported by the Provider to maintain Plans of Action & Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a cloud service with accepted vulnerabilities that put agency information systems at risk).", + "name": "Maintain Agency POA&M", + "affects": ["Agencies"], + "primary_key_word": "SHOULD", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Accepted Vulnerability", "Agency", "Vulnerability"] + }, + "VDR-AGM-DRE": { + "fka": "FRR-VDR-AG-03", + "statement": "Agencies SHOULD NOT request additional information from cloud service providers that is not required by this FedRAMP process UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such.", + "name": "Do Not Request Extra Info", + "note": "This is related to the Presumption of Adequacy directed by 44 USC § 3613 (e).", + "affects": ["Agencies"], + "primary_key_word": "SHOULD NOT", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["Agency"] + }, + "VDR-AGM-NFR": { + "fka": "FRR-VDR-AG-04", + "statement": "Agencies MUST notify FedRAMP after requesting any additional vulnerability information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to [info@fedramp.gov](mailto:info@fedramp.gov).", + "name": "Notify FedRAMP", + "note": "This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV (a).", + "affects": ["Agencies"], + "primary_key_word": "MUST", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Agency", "Vulnerability"], + "notification": [ + { + "party": "FedRAMP", + "method": "email", + "target": "info@fedramp.gov" + } + ] + } + } + } + } + }, + "KSI": { + "info": { + "name": "Key Security Indicators", + "short_name": "KSI", + "web_name": "key-security-indicators", + "effective": { + "rev5": { + "is": "no" + }, + "20x": { + "is": "required", + "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", + "current_status": "Phase 2 Pilot", + "start_date": "2025-11-18", + "end_date": "2026-03-31", + "comments": [ + "Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.", + "Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review." 
+ ] + } + }, + "front_matter": { + "authority": [ + { + "reference": "OMB Circular A-130", + "reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf", + "description": "Appendix I states \"Agencies may also develop overlays for specific types of information or communities of interest (e.g., all web-based applications, all health care-related systems) as part of the security control selection process. Overlays provide a specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information as part of the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay may be more stringent or less stringent than the original security control baseline and can be applied to multiple information systems.\"" + }, + { + "reference": "NIST SP 800-53B", + "reference_url": "https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final", + "description": "Section 2.5 states \"As the number of controls in [SP 800-53] grows in response to an increasingly sophisticated threat space, it is important for organizations to have the ability to describe key capabilities needed to protect organizational missions and business functions, and to subsequently select controls that—if properly designed, developed, and implemented—produce such capabilities. The use of capabilities simplifies how the protection problem is viewed conceptually. 
Using the construct of a capability provides a method of grouping controls that are employed for a common purpose or to achieve a common objective.\" This section later states \"Ultimately, authorization decisions (i.e., risk acceptance decisions) are made based on the degree to which the desired capabilities have been effectively achieved.\"" + }, + { + "reference": "NIST SP 800-53A", + "reference_url": "https://csrc.nist.gov/pubs/sp/800/53/a/r5/final", + "description": "Section 3.5 states \"When organizations employ the concept of capabilities, automated and manual assessments account for all security and privacy controls that comprise the security and privacy capabilities. Assessors are aware of how the controls work together to provide such capabilities.\"" + }, + { + "reference": "FedRAMP Authorization Act (44 USC § 3609 (a) (1))", + "reference_url": "https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities", + "description": "requires that the Administrator of the General Services Administration shall \"in consultation with the [DHS] Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services...\" 44 USC § 3609 (c) (2) further states that \"the [GSA] Administrator shall establish a means for the automation of security assessments and reviews.\"", + "delegation": "These responsibilities are delegated to the FedRAMP Director", + "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" + } + ], + "purpose": "Modern cloud services use automated or code-driven configuration management and control planes to ensure predictable, repeatable, reliable, and secure outcomes during deployment and operation. 
The majority of a service security assessment can take place continuously via automated validation for simple cloud-native services if the need for a traditional control-by-control narrative approach is removed.", + "expected_outcomes": [ + "Cloud service providers following commercial security best practices will be able to meet and validate FedRAMP security requirements with the application of simple changes and automated capabilities", + "Third-party independent assessors will have a simpler framework to assess security and implementation decisions based on engineering decisions in context", + "Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based authorization to operate decisions based on their planned use case" + ] + }, + "labels": { + "CSX": { + "description": "These requirements and recommendations apply to all cloud service offerings following the 20x path.", + "name": "20x-Specific Provider Responsibilities" + } + } + }, + "data": { + "20x": { + "CSX": { + "KSI-CSX-SUM": { + "fka": "FRR-KSI-02", + "statement": "Providers MUST maintain simple high-level summaries of at least the following for each Key Security Indicator:", + "following_information": [ + "Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability", + "The consolidated _information resources_ that will be validated (this should include consolidated summaries such as \"all employees with privileged access that are members of the Admin group\")", + "The machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)", + "The non-machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)", + "Current implementation status", + "Any clarifications or responses to the assessment summary" + 
], + "name": "Implementation Summaries", + "affects": ["Providers"], + "primary_key_word": "MUST", + "impact": { + "low": true, + "moderate": true + }, + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Machine-Based (information resources)", + "Persistent Validation" + ] + }, + "KSI-CSX-MAS": { + "fka": "FRR-KSI-01", + "statement": "Providers SHOULD apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.", + "name": "Application within MAS", + "affects": ["Providers"], + "primary_key_word": "SHOULD", + "impact": { + "low": true, + "moderate": true + }, + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed unnecessary cloud service at the beginning; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Cloud Service Offering"] + }, + "KSI-CSX-ORD": { + "statement": "Providers MAY use the following order of criticality for approaching Authorization by FedRAMP Key Security Indicators for an initial authorization package:", + "following_information": [ + "Minimum Assessment Scope (MAS)", + "Authorization Data Sharing (ADS)", + "Using Cryptographic Modules (UCM)", + "Vulnerability Detection and Response (VDR)", + "Significant Change Notifications (SCN)", + "Persistent Validation and Assessment (PVA)", + "Secure Configuration Guide (RSC)", + "Collaborative Continuous Monitoring (CCM)", + "FedRAMP Security Inbox (FSI)", + "Incident Communications Procedures (ICP)" + ], + "name": "AFR Order of Criticality", + "affects": ["Providers"], + "primary_key_word": "MAY", + "impact": { + "low": true, + "moderate": true + }, + "updated": [ + { + "date": "2026-02-04", + "comment": "This recommendation is new in v-0.9.0 to clarify expectations." 
+ } + ], + "terms": [ + "Authorization Package", + "Authorization data", + "FedRAMP Security Inbox", + "Incident", + "Persistent Validation", + "Persistently", + "Significant change", + "Vulnerability", + "Vulnerability Detection", + "Vulnerability Response" + ] + } + } + } + } + } + }, + "KSI": { + "AFR": { + "id": "KSI-AFR", + "name": "Authorization by FedRAMP", + "web_name": "authorization-by-fedramp", + "short_name": "AFR", + "theme": "A secure cloud service provider seeking FedRAMP authorization will address all FedRAMP 20x requirements and recommendations, including government-specific requirements for maintaining a secure system and reporting on activities to government customers.", + "indicators": { + "KSI-AFR-ADS": { + "fka": "KSI-AFR-03", + "name": "Authorization Data Sharing", + "statement": "Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations.", + "reference": "Authorization Data Sharing", + "reference_url": "https://fedramp.gov/docs/20x/authorization-data-sharing", + "controls": [ + "ac-3", + "ac-4", + "au-2", + "au-3", + "au-6", + "ca-2", + "ir-4", + "ra-5", + "sc-8" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "All Necessary Parties", + "Authorization data", + "Persistently" + ] + }, + "KSI-AFR-CCM": { + "fka": "KSI-AFR-06", + "name": "Collaborative Continuous Monitoring", + "statement": "Maintain a plan and process for providing Ongoing Authorization Reports and Quarterly Reviews for all necessary parties in alignment with the FedRAMP Collaborative Continuous Monitoring (CCM) process and persistently address all related requirements and recommendations.", + "reference": "Collaborative Continuous Monitoring", + "reference_url": "https://fedramp.gov/docs/20x/collaborative-continuous-monitoring", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["All Necessary Parties", "Persistently", "Quarterly Review"] + }, + "KSI-AFR-FSI": { + "fka": "KSI-AFR-08", + "name": "FedRAMP Security Inbox", + "statement": "Operate a secure inbox to receive critical communication from FedRAMP and other government entities in alignment with FedRAMP Security Inbox (FSI) requirements and persistently address all related requirements and recommendations.", + "reference": "FedRAMP Security Inbox", + "reference_url": "https://fedramp.gov/docs/20x/fedramp-security-inbox", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["FedRAMP Security Inbox", "Persistently"] + }, + "KSI-AFR-ICP": { + "fka": "KSI-AFR-10", + "name": "Incident Communications Procedures", + "statement": "Integrate FedRAMP's Incident Communications Procedures (ICP) into incident response procedures and persistently address all related requirements and recommendations.", + "reference": "Incident Communications Procedures", + "reference_url": "https://fedramp.gov/docs/20x/incident-communications-procedures", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Incident", "Persistently", "Vulnerability Response"] + }, + "KSI-AFR-MAS": { + "fka": "KSI-AFR-01", + "name": "Minimum Assessment Scope", + "statement": "Apply the FedRAMP Minimum Assessment Scope (MAS) to identify and document the scope of the cloud service offering to be assessed for FedRAMP authorization and persistently address all related requirements and recommendations.", + "controls": [ + "ac-1", + "ac-21", + "at-1", + "au-1", + "ca-1", + "cm-1", + "cp-1", + "cp-2.1", + "cp-2.8", + "cp-4.1", + "ia-1", + "ir-1", + "ma-1", + "mp-1", + "pe-1", + "pl-1", + "pl-2", + "pl-4", + "pl-4.1", + "ps-1", + "ra-1", + "ra-9", + "sa-1", + "sc-1", + "si-1", + "sr-1", + "sr-2", + "sr-3", + "sr-11" + ], + "reference": "Minimum Assessment Scope", + "reference_url": "https://fedramp.gov/docs/20x/minimum-assessment-scope", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["Cloud Service Offering", "Persistently"] + }, + "KSI-AFR-PVA": { + "fka": "KSI-AFR-09", + "name": "Persistent Validation and Assessment", + "statement": "Persistently validate, assess, and report on the effectiveness and status of security decisions and policies that are implemented within the cloud service offering in alignment with the FedRAMP 20x Persistent Validation and Assessment (PVA) process, and persistently address all related requirements and recommendations.", + "reference": "Persistent Validation and Assessment", + "reference_url": "https://fedramp.gov/docs/20x/persistent-validation-and-assessment", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Cloud Service Offering", + "Persistent Validation", + "Persistently" + ] + }, + "KSI-AFR-SCG": { + "fka": "KSI-AFR-07", + "name": "Secure Configuration Guide", + "statement": "Develop secure by default configurations and provide guidance for secure configuration of the cloud service offering to customers in alignment with the FedRAMP Secure Configuration Guide (SCG) process and persistently address all related requirements and recommendations.", + "reference": "Secure Configuration Guide", + "reference_url": "https://fedramp.gov/docs/20x/secure-configuration-guide", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["Cloud Service Offering", "Persistently"] + }, + "KSI-AFR-SCN": { + "fka": "KSI-AFR-05", + "name": "Significant Change Notifications", + "statement": "Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations.", + "reference": "Significant Change Notifications", + "reference_url": "https://fedramp.gov/docs/20x/significant-change-notifications", + "controls": [ + "ca-7.4", + "cm-3.4", + "cm-4", + "cm-7.1", + "au-5", + "ca-5", + "ca-7", + "ra-5", + "ra-5.2", + "sa-22", + "si-2", + "si-2.2", + "si-3", + "si-5", + "si-7.7", + "si-10", + "si-11" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "All Necessary Parties", + "Persistently", + "Significant change" + ] + }, + "KSI-AFR-UCM": { + "fka": "KSI-AFR-11", + "name": "Using Cryptographic Modules", + "statement": "Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) guidance and persistently address all related requirements and recommendations.", + "reference": "Using Cryptographic Modules", + "reference_url": "https://fedramp.gov/docs/20x/using-cryptographic-modules", + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": ["Federal Customer Data", "Persistently"] + }, + "KSI-AFR-VDR": { + "fka": "KSI-AFR-04", + "name": "Vulnerability Detection and Response", + "statement": "Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations.", + "reference": "Vulnerability Detection and Response", + "reference_url": "https://fedramp.gov/docs/20x/vulnerability-detection-and-response", + "controls": [ + "ca-2", + "ca-7", + "ca-7.6", + "ir-1", + "ir-4", + "ir-4.1", + "ir-5", + "ir-5.1", + "ir-6", + "ir-6.1", + "ir-6.2", + "pm-3", + "pm-5", + "pm-31", + "ra-2", + "ra-2.1", + "ra-3", + "ra-3.3", + "ra-5", + "ra-5.2", + "ra-5.3", + "ra-5.4", + "ra-5.5", + "ra-5.6", + "ra-5.7", + "ra-5.11", + "ra-9", + "ra-10", + "si-2", + "si-2.1", + "si-2.2", + "si-2.4", + "si-2.5", + "si-3", + "si-3.1", + "si-3.2", + "si-4", + "si-4.2", + "si-4.3", + "si-4.7", + "ca-7.4", + "ra-5", + "ra-7" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Cloud Service Offering", + "Persistently", + "Vulnerability", + "Vulnerability Detection", + "Vulnerability Response" + ] + } + } + }, + "CMT": { + "id": "KSI-CMT", + "name": "Change Management", + "web_name": "change-management", + "short_name": "CMT", + "theme": "A secure cloud service provider will ensure that all changes are properly documented and configuration baselines are updated accordingly.", + "indicators": { + "KSI-CMT-LMC": { + "fka": "KSI-CMT-01", + "name": "Logging Changes", + "statement": "Log and monitor modifications to the cloud service offering.", + "controls": [ + "au-2", + "cm-3", + "cm-3.2", + "cm-4.2", + "cm-6", + "cm-8.3", + "ma-2" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Cloud Service Offering" + ] + }, + "KSI-CMT-RMV": { + "fka": "KSI-CMT-02", + "name": "Redeploying vs Modifying", + "statement": "Execute changes to machine-based information resources through redeployment of version controlled immutable resources rather than direct modification wherever reasonable.", + "controls": [ + "cm-2", + "cm-3", + "cm-5", + "cm-6", + "cm-7", + "cm-8.1", + "si-3" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)" + ] + }, + "KSI-CMT-RVP": { + "fka": "KSI-CMT-04", + "name": "Reviewing Change Procedures", + "statement": "Persistently review the effectiveness of documented change management procedures.", + "controls": [ + "cm-3", + "cm-3.2", + "cm-3.4", + "cm-5", + "cm-7.1", + "cm-9" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Persistently" + ] + }, + "KSI-CMT-VTD": { + "fka": "KSI-CMT-03", + "name": "Validating Throughout Deployment", + "statement": "Automate persistent testing and validation of changes throughout deployment.", + "controls": [ + "cm-3", + "cm-3.2", + "cm-4.2", + "si-2" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistent Validation", + "Persistently" + ] + } + } + }, + "CNA": { + "id": "KSI-CNA", + "name": "Cloud Native Architecture", + "web_name": "cloud-native-architecture", + "short_name": "CNA", + "theme": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the confidentiality, integrity and availability of the system.", + "indicators": { + "KSI-CNA-DFP": { + "fka": "KSI-CNA-04", + "name": "Defining Functionality and Privileges", + "statement": "Strictly define the functionality and privileges for infrastructure and services.", + "controls": ["cm-2", "si-3"], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "KSI-CNA-EIS": { + "fka": "KSI-CNA-08", + "name": "Enforcing Intended State", + "varies_by_level": { + "low": { + "statement": "**Optional:** Use automated services to persistently assess the security posture of all machine-based information resources and automatically enforce their intended operational state." + }, + "moderate": { + "statement": "Use automated services to persistently assess the security posture of all machine-based information resources and automatically enforce their intended operational state." 
+ } + }, + "controls": ["ca-2.1", "ca-7.1"], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)", + "Persistently" + ] + }, + "KSI-CNA-IBP": { + "fka": "KSI-CNA-07", + "name": "Implementing Best Practices", + "statement": "Persistently ensure cloud-native machine-based information resources are implemented based on the host provider's best practices and documented guidance.", + "controls": ["ac-17.3", "cm-2", "pl-10"], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)", + "Persistently" + ] + }, + "KSI-CNA-MAT": { + "fka": "KSI-CNA-02", + "name": "Minimizing Attack Surface", + "statement": "Persistently ensure machine-based information resources have a minimal attack surface and that lateral movement is minimized if compromised.", + "controls": [ + "ac-17.3", + "ac-18.1", + "ac-18.3", + "ac-20.1", + "ca-9", + "sc-7.3", + "sc-7.4", + "sc-7.5", + "sc-7.8", + "sc-8", + "sc-10", + "si-10", + "si-11", + "si-16" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)", + "Persistently" + ] + }, + "KSI-CNA-OFA": { + "fka": "KSI-CNA-06", + "name": "Optimizing for Availability", + "statement": "Appropriately optimize machine-based information resources for high availability and rapid recovery.", + "controls": [], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)" + ] + }, + "KSI-CNA-RNT": { + "fka": "KSI-CNA-01", + "name": "Restricting Network Traffic", + "statement": "Persistently ensure all machine-based information resources are configured to limit inbound and outbound network traffic.", + "controls": ["ac-17.3", "ca-9", "cm-7.1", "sc-7.5", "si-8"], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)", + "Persistently" + ] + }, + "KSI-CNA-RVP": { + "fka": "KSI-CNA-05", + "name": "Reviewing Protections", + "statement": "Persistently review the effectiveness of protection against denial of service attacks and other unwanted activity.", + "controls": ["sc-5", "si-8", "si-8.2"], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": ["Persistently"] + }, + "KSI-CNA-ULN": { + "fka": "KSI-CNA-03", + "name": "Using Logical Networking", + "statement": "Use logical networking and related capabilities to enforce traffic flow controls.", + "controls": [ + "ac-12", + "ac-17.3", + "ca-9", + "sc-4", + "sc-7", + "sc-7.7", + "sc-8", + "sc-10" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + } + } + }, + "CED": { + "id": "KSI-CED", + "name": "Cybersecurity Education", + "web_name": "cybersecurity-education", + "short_name": "CED", + "theme": "A secure cloud service provider will educate their employees on cybersecurity measures, testing them persistently to ensure their knowledge is satisfactory.", + "indicators": { + "KSI-CED-DET": { + "fka": "KSI-CED-03", + "name": "Reviewing Development and Engineering Training", + "statement": "Persistently review the effectiveness of role-specific training given to development and engineering staff that covers best practices for delivering secure software.", + "controls": [ + "cp-3", + "ir-2", + "ps-6" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistently" + ] + }, + "KSI-CED-RGT": { + "fka": "KSI-CED-01", + "name": "Reviewing General Training", + "statement": "Persistently review the effectiveness of training given to all employees on policies, procedures, and security-related topics.", + "controls": [ + "at-2", + "at-2.2", + "at-2.3", + "at-3.5", + "at-4", + "ir-2.3" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistently" + ] + }, + "KSI-CED-RRT": { + "fka": "KSI-CED-04", + "name": "Reviewing Response and Recovery Training", + "statement": "Persistently review the effectiveness of role-specific training given to staff involved with incident response or disaster recovery.", + "controls": [], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Incident", + "Persistently", + "Vulnerability Response" + ] + }, + "KSI-CED-RST": { + "fka": "KSI-CED-02", + "name": "Reviewing Role-Specific Training", + "statement": "Persistently review the effectiveness of role-specific training given to employees in high risk roles, including at least roles with privileged access.", + "controls": [ + "at-2", + "at-2.3", + "at-3", + "sr-11.1" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistently" + ] + } + } + }, + "IAM": { + "id": "KSI-IAM", + "web_name": "identity-and-access-management", + "short_name": "IAM", + "name": "Identity and Access Management", + "theme": "A secure cloud service offering will protect user data, control access, and apply zero trust principles.", + "indicators": { + "KSI-IAM-AAM": { + "fka": "KSI-IAM-07", + "name": "Automating Account Management", + "statement": "Securely manage the lifecycle and privileges of all accounts, roles, and groups, using automation.", + "controls": [ + "ac-2.2", + "ac-2.3", + "ac-2.13", + "ac-6.7", + "ia-4.4", + "ia-12", + "ia-12.2", + "ia-12.3", + "ia-12.5" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "KSI-IAM-APM": { + "fka": "KSI-IAM-02", + "name": "Adopting Passwordless Methods", + "statement": "Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA for authentication.", + "controls": [ + "ac-2", + "ac-3", + "ia-2.1", + "ia-2.2", + "ia-2.8", + "ia-5.1", + "ia-5.2", + "ia-5.6", + "ia-6" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "KSI-IAM-ELP": { + "fka": "KSI-IAM-05", + "name": "Ensuring Least Privilege", + "statement": "Persistently ensure that identity and access management employs measures to ensure each user or device can only access the resources they need.", + "controls": [ + "ac-2.5", + "ac-2.6", + "ac-3", + "ac-4", + "ac-6", + "ac-12", + "ac-14", + "ac-17", + "ac-17.1", + "ac-17.2", + "ac-17.3", + "ac-20", + "ac-20.1", + "cm-2.7", + "cm-9", + "ia-2", + "ia-3", + "ia-4", + "ia-4.4", + "ia-5.2", + "ia-5.6", + "ia-11", + "ps-2", + "ps-3", + "ps-4", + "ps-5", + "ps-6", + "sc-4", + "sc-20", + "sc-21", + "sc-22", + "sc-23", + "sc-39", + "si-3" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistently" + ] + }, + "KSI-IAM-JIT": { + "fka": "KSI-IAM-04", + "name": "Authorizing Just-in-Time", + "statement": "Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services.", + "controls": [ + "ac-2", + "ac-2.1", + "ac-2.2", + "ac-2.3", + "ac-2.4", + "ac-2.6", + "ac-3", + "ac-4", + "ac-5", + "ac-6", + "ac-6.1", + "ac-6.2", + "ac-6.5", + "ac-6.7", + "ac-6.9", + "ac-6.10", + "ac-7", + "ac-20.1", + "ac-17", + "au-9.4", + "cm-5", + "cm-7", + "cm-7.2", + "cm-7.5", + "cm-9", + "ia-4", + "ia-4.4", + "ia-7", + "ps-2", + "ps-3", + "ps-4", + "ps-5", + "ps-6", + "ps-9", + "ra-5.5", + "sc-2", + "sc-23", + "sc-39" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ] + }, + "KSI-IAM-MFA": { + "fka": "KSI-IAM-01", + "name": "Enforcing Phishing-Resistant MFA", + "statement": "Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication.", + "controls": [ + "ac-2", + "ia-2", + "ia-2.1", + "ia-2.2", + "ia-2.8", + "ia-5", + "ia-8", + "sc-23" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "KSI-IAM-SNU": { + "fka": "KSI-IAM-03", + "name": "Securing Non-User Authentication", + "statement": "Enforce appropriately secure authentication methods for non-user accounts and services.", + "controls": [ + "ac-2", + "ac-2.2", + "ac-4", + "ac-6.5", + "ia-3", + "ia-5.2", + "ra-5.5" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "KSI-IAM-SUS": { + "fka": "KSI-IAM-06", + "name": "Responding to Suspicious Activity", + "statement": "Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity.", + "controls": [ + "ac-2", + "ac-2.1", + "ac-2.3", + "ac-2.13", + "ac-7", + "ps-4", + "ps-8" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Vulnerability Response" + ] + } + } + }, + "INR": { + "id": "KSI-INR", + "name": "Incident Response", + "web_name": "incident-response", + "short_name": "INR", + "theme": "A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement.", + "indicators": { + "KSI-INR-AAR": { + "fka": "KSI-INR-03", + "name": "Generating After Action Reports", + "statement": "Generate incident after action reports and persistently incorporate lessons learned.", + "controls": [ + "ir-3", + "ir-4", + "ir-4.1", + "ir-8" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Incident", + "Persistently" + ] + }, + "KSI-INR-RIR": { + "fka": "KSI-INR-01", + "name": "Reviewing Incident Response Procedures", + "statement": "Persistently review the effectiveness of documented incident response procedures.", + "controls": [ + "ir-4", + "ir-4.1", + "ir-6", + "ir-6.1", + "ir-6.3", + "ir-7", + "ir-7.1", + "ir-8", + "ir-8.1", + "si-4.5" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Incident", + "Persistently", + "Vulnerability Response" + ] + }, + "KSI-INR-RPI": { + "fka": "KSI-INR-02", + "name": "Reviewing Past Incidents", + "statement": "Persistently review past incidents for patterns or vulnerabilities.", + "controls": [ + "ir-3", + "ir-4", + "ir-4.1", + "ir-5", + "ir-8" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Incident", + "Persistently", + "Vulnerability" + ] + } + } + }, + "MLA": { + "id": "KSI-MLA", + "name": "Monitoring, Logging, and Auditing", + "web_name": "monitoring-logging-and-auditing", + "short_name": "MLA", + "theme": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes.", + "indicators": { + "KSI-MLA-ALA": { + "fka": "KSI-MLA-08", + "name": "Authorizing Log Access", + "varies_by_level": { + "low": { + "statement": "**Optional:** Use a least-privileged, role and attribute-based, and just-in-time access authorization model for access to log data based on organizationally defined data sensitivity." + }, + "moderate": { + "statement": "Use a least-privileged, role and attribute-based, and just-in-time access authorization model for access to log data based on organizationally defined data sensitivity." + } + }, + "controls": [ + "si-11" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "KSI-MLA-EVC": { + "fka": "KSI-MLA-05", + "name": "Evaluating Configurations", + "statement": "Persistently evaluate and test the configuration of machine-based information resources, especially infrastructure as code.", + "controls": [ + "ca-7", + "cm-2", + "cm-6", + "si-7.7" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)", + "Persistently" + ] + }, + "KSI-MLA-LET": { + "fka": "KSI-MLA-07", + "name": "Logging Event Types", + "statement": "Maintain a list of information resources and event types that will be logged, monitored, and audited, then do so.", + "controls": [ + "ac-2.4", + "ac-6.9", + "ac-17.1", + "ac-20.1", + "au-2", + "au-7.1", + "au-12", + "si-4.4", + "si-4.5", + "si-7.7" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Information Resource" + ] + }, + "KSI-MLA-OSM": { + "fka": "KSI-MLA-01", + "name": "Operating SIEM Capability", + "statement": "Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistent logging of events, activities, and changes.", + "controls": [ + "ac-17.1", + "ac-20.1", + "au-2", + "au-3", + "au-3.1", + "au-4", + "au-5", + "au-6.1", + "au-6.3", + "au-7", + "au-7.1", + "au-8", + "au-9", + "au-11", + "ir-4.1", + "si-4.2", + "si-4.4", + "si-7.7" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "KSI-MLA-RVL": { + "fka": "KSI-MLA-02", + "name": "Reviewing Logs", + "statement": "Persistently review and audit logs.", + "controls": [ + "ac-2.4", + "ac-6.9", + "au-2", + "au-6", + "au-6.1", + "si-4", + "si-4.4" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Persistently" + ] + } + } + }, + "PIY": { + "id": "KSI-PIY", + "name": "Policy and Inventory", + "web_name": "policy-and-inventory", + "short_name": "PIY", + "theme": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured.", + "indicators": { + "KSI-PIY-GIV": { + "fka": "KSI-PIY-01", + "name": "Generating Inventories", + "statement": "Use authoritative sources to automatically generate real-time inventories of all information resources when needed.", + "controls": [ + "cm-2.2", + "cm-7.5", + "cm-8", + "cm-8.1", + "cm-12", + "cm-12.1", + "cp-2.8" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Information Resource" + ] + }, + "KSI-PIY-RES": { + "fka": "KSI-PIY-08", + "name": "Reviewing Executive Support", + "statement": "Persistently review executive support for achieving the organization's security objectives.", + "controls": [], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistently" + ] + }, + "KSI-PIY-RIS": { + "fka": "KSI-PIY-06", + "name": "Reviewing Investments in Security", + "statement": "Persistently review the effectiveness of the organization's investments in achieving security objectives.", + "controls": [ + "ac-5", + "ca-2", + "cp-2.1", + "cp-4.1", + "ir-3.2", + "pm-3", + "sa-2", + "sa-3", + "sr-2.1" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Persistently" + ] + }, + "KSI-PIY-RSD": { + "fka": "KSI-PIY-04", + "name": "Reviewing Security in the SDLC", + "statement": "Persistently review the effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles.", + "controls": [ + "ac-5", + "au-3.3", + "cm-3.4", + "pl-8", + "pm-7", + "sa-3", + "sa-8", + "sc-4", + "sc-18", + "si-10", + "si-11", + "si-16" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistently" + ] + }, + "KSI-PIY-RVD": { + "fka": "KSI-PIY-03", + "name": "Reviewing Vulnerability Disclosures", + "statement": "Persistently review the effectiveness of the provider's vulnerability disclosure program.", + "controls": [ + "ra-5.11" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistently", + "Vulnerability" + ] + } + } + }, + "RPL": { + "id": "KSI-RPL", + "name": "Recovery Planning", + "web_name": "recovery-planning", + "short_name": "RPL", + "theme": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss during incidents and contingencies.", + "indicators": { + "KSI-RPL-ABO": { + "fka": "KSI-RPL-03", + "name": "Aligning Backups with Objectives", + "statement": "Persistently review the alignment of machine-based information resource backups with defined recovery objectives.", + "controls": [ + "cm-2.3", + "cp-6", + "cp-9", + "cp-10", + "cp-10.2", + "si-12" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)", + "Persistently" + ] + }, + "KSI-RPL-ARP": { + "fka": "KSI-RPL-02", + "name": "Aligning Recovery Plan", + "statement": "Persistently review the alignment of recovery plans with defined recovery objectives.", + "controls": [ + "cp-2", + "cp-2.1", + "cp-2.3", + "cp-4.1", + "cp-6", + "cp-6.1", + "cp-6.3", + "cp-7", + "cp-7.1", + "cp-7.2", + "cp-7.3", + "cp-8", + "cp-8.1", + "cp-8.2", + "cp-10", + "cp-10.2" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistently" + ] + }, + "KSI-RPL-RRO": { + "fka": "KSI-RPL-01", + "name": "Reviewing Recovery Objectives", + "statement": "Persistently review desired Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).", + "controls": [ + "cp-2.3", + "cp-10" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Persistently" + ] + }, + "KSI-RPL-TRC": { + "fka": "KSI-RPL-04", + "name": "Testing Recovery Capabilities", + "statement": "Persistently test the capability to recover from incidents and contingencies, including alignment with defined recovery objectives.", + "controls": [ + "cp-2.1", + "cp-2.3", + "cp-4", + "cp-4.1", + "cp-6", + "cp-6.1", + "cp-9.1", + "cp-10", + "ir-3", + "ir-3.2" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Incident", + "Persistently" + ] + } + } + }, + "SVC": { + "id": "KSI-SVC", + "name": "Service Configuration", + "web_name": "service-configuration", + "short_name": "SVC", + "theme": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources.", + "indicators": { + "KSI-SVC-ACM": { + "fka": "KSI-SVC-04", + "name": "Automating Configuration Management", + "statement": "Manage configuration of machine-based information resources using automation.", + "controls": [ + "ac-2.4", + "cm-2", + "cm-2.2", + "cm-2.3", + "cm-6", + "cm-7.1", + "pl-9", + "pl-10", + "sa-5", + "si-5", + "sr-10" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)" + ] + }, + "KSI-SVC-ASM": { + "fka": "KSI-SVC-06", + "name": "Automating Secret Management", + "statement": "Automate management, protection, and regular rotation of digital keys, certificates, and other secrets.", + "controls": [ + "ac-17.2", + "ia-5.2", + "ia-5.6", + "sc-12", + "sc-17" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Regularly" + ] + }, + "KSI-SVC-EIS": { + "fka": "KSI-SVC-01", + "name": "Evaluating and Improving Security", + "statement": "Implement improvements based on persistent evaluation of information resources for opportunities to improve security.", + "controls": [ + "cm-7.1", + "cm-12.1", + "ma-2", + "pl-8", + "sc-7", + "sc-39", + "si-2.2", + "si-4", + "sr-10" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Information Resource", + "Persistently" + ] + }, + "KSI-SVC-PRR": { + "fka": "KSI-SVC-08", + "name": "Preventing Residual Risk", + "varies_by_level": { + "low": { + "statement": "**Optional:** Persistently review plans, procedures, and the state of information resources after making changes to limit and remove unwanted residual elements that would likely negatively affect the confidentiality, integrity, or availability of federal customer data." + }, + "moderate": { + "statement": "Persistently review plans, procedures, and the state of information resources after making changes to limit and remove unwanted residual elements that would likely negatively affect the confidentiality, integrity, or availability of federal customer data." + } + }, + "controls": [ + "sc-4" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Federal Customer Data", + "Information Resource", + "Likely", + "Persistently" + ] + }, + "KSI-SVC-RUD": { + "fka": "KSI-SVC-10", + "name": "Removing Unwanted Data", + "varies_by_level": { + "low": { + "statement": "**Optional:** Remove unwanted federal customer data promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate; this typically applies when a customer spills information or when a customer seeks to remove information from a service due to a change in usage." + }, + "moderate": { + "statement": "Remove unwanted federal customer data promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate; this typically applies when a customer spills information or when a customer seeks to remove information from a service due to a change in usage." 
+ } + }, + "controls": [ + "si-12.3", + "si-18.4" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Agency", + "Federal Customer Data", + "Promptly" + ] + }, + "KSI-SVC-SNT": { + "fka": "KSI-SVC-02", + "name": "Securing Network Traffic", + "statement": "Encrypt or otherwise secure network traffic.", + "controls": [ + "ac-1", + "ac-17.2", + "cp-9.8", + "sc-8", + "sc-8.1", + "sc-13", + "sc-20", + "sc-21", + "sc-22", + "sc-23" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ] + }, + "KSI-SVC-VCM": { + "fka": "KSI-SVC-09", + "name": "Validating Communications", + "varies_by_level": { + "low": { + "statement": "**Optional:** Persistently validate the authenticity and integrity of communications between machine-based information resources using automation." + }, + "moderate": { + "statement": "Persistently validate the authenticity and integrity of communications between machine-based information resources using automation." + } + }, + "controls": [ + "sc-23", + "si-7.1" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)", + "Persistent Validation", + "Persistently" + ] + }, + "KSI-SVC-VRI": { + "fka": "KSI-SVC-05", + "name": "Validating Resource Integrity", + "statement": "Use cryptographic methods to validate the integrity of machine-based information resources.", + "controls": [ + "cm-2.2", + "cm-8.3", + "sc-13", + "sc-23", + "si-7", + "si-7.1", + "sr-10" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." + } + ], + "terms": [ + "Information Resource", + "Machine-Based (information resources)", + "Persistent Validation" + ] + } + } + }, + "SCR": { + "id": "KSI-SCR", + "name": "Supply Chain Risk", + "web_name": "supply-chain-risk", + "short_name": "SCR", + "theme": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources.", + "indicators": { + "KSI-SCR-MIT": { + "fka": "KSI-TPR-03", + "name": "Mitigating Supply Chain Risk", + "statement": "Persistently identify, review, and mitigate potential supply chain risks.", + "controls": [ + "ac-20", + "ra-3.1", + "sa-9", + "sa-10", + "sa-11", + "sa-15.3", + "sa-22", + "si-7.1", + "sr-5", + "sr-6", + "ca-7.4", + "sc-18" + ], + "updated": [ + { + "date": "2026-02-04", + "comment": "Renamed theme to Supply Chain Risk; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes." 
+ }
+ ],
+ "terms": [
+ "Persistently"
+ ]
+ },
+ "KSI-RSC-MON": {
+ "fka": "KSI-TPR-04",
+ "name": "Monitoring Supply Chain Risk",
+ "statement": "Automatically monitor third party software information resources for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services.",
+ "controls": [
+ "ac-20",
+ "ca-3",
+ "ir-6.3",
+ "ps-7",
+ "ra-5",
+ "sa-9",
+ "si-5",
+ "sr-5",
+ "sr-6",
+ "sr-8"
+ ],
+ "updated": [
+ {
+ "date": "2026-02-04",
+ "comment": "Renamed theme to Supply Chain Risk; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
+ }
+ ],
+ "terms": [
+ "Information Resource",
+ "Vulnerability"
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/FRMR.md b/FRMR.md
new file mode 100644
index 0000000..ff40a55
--- /dev/null
+++ b/FRMR.md
@@ -0,0 +1,87 @@
+# FRMR Documentation JSON Information
+
+This document provides a guide to the structure and data types found in `FRMR.documentation.json`.
+
+## High-Level Structure
+
+The JSON root object is divided into three primary sections, plus metadata:
+
+1. **`info`**: File-level metadata (version, last updated).
+2. **`FRD` (FedRAMP Definitions)**: The glossary of terms.
+3. **`FRR` (FedRAMP Requirements and Recommendations)**: The collection of policy processes and their specific requirements.
+4. **`KSI` (Key Security Indicators)**: The security capabilities and validation criteria.
+
+Integrators should treat this file as a relational database dump where `FRD` provides the vocabulary referenced by keys in `FRR` and `KSI`.
+
+## 1. FedRAMP Definitions (`FRD`)
+
+The `FRD` section is a dictionary of terms used throughout the documentation.
+
+### Data Layout
+* **`FRD.data.both`**: Currently, all definitions are grouped under the `both` key, implying applicability to both 20x and Rev5 frameworks.
+* **Keys**: The keys (e.g., `FRD-ACV`) are stable identifiers.
+* **Fields**:
+ * `term`: The human-readable term.
+ * `definition`: The normative definition.
+ * `alts`: A list of synonyms or alternative capitalizations. Useful for search indexing.
+ * `fka`: "Formerly Known As" ID, tracking lineage.
+ * `updated`: An array of change log entries.
+
+**Integration Tip**: When rendering requirements from FRR, scan the text for words matching `term` or `alts` in FRD to provide tooltips or hyperlinks.
+
+## 2. FedRAMP Requirements and Recommendations (`FRR`)
+
+This section represents hierarchical policy documents.
+
+### Data Layout
+The `FRR` object is keyed by **Process ID** (e.g., `ADS`, `VDR`). Each process represents a specific policy document.
+
+#### Process Structure
+* `info`: Metadata including `effective` dates for `rev5` and `20x`.
+* `front_matter`: Narrative content like `authority`, `purpose`, and `expected_outcomes`.
+* `labels`: A lookup table defining the actors/scopes (e.g., `CSO` = "General Provider Responsibilities").
+* `data`: The core requirements tree.
+
+#### The Requirements Tree (`FRR..data`)
+The data is nested to allow for context-specific rendering:
+1. **Applicability Layer** (`both`, `20x`, `rev5`): Determines which framework the requirements apply to.
+2. **Label Layer** (`CSO`, `TRC`, etc.): Groups requirements by the actor defined in `labels`.
+3. **Requirement Object** (Keyed by ID, e.g., `ADS-CSO-PUB`):
+ * `statement`: The normative text.
+ * `primary_key_word`: The RFC 2119 keyword (MUST, SHOULD, MAY).
+ * `terms`: A list of FRD terms used in this statement.
+ * `affects`: The specific actor the requirement applies to.
+ * `following_information`: An ordered list of sub-points or checklist items.
+ * `examples`: Structured examples (often with "Do" and "Don't" scenarios).
+
+**Integration Tip**: To generate a complete checklist for a provider, iterate through `data.both` and `data.20x` (if targeting 20x), then flatten the requirements found under the `CSO` label.
+
+## 3. Key Security Indicators (`KSI`)
+
+The `KSI` section defines security outcomes mapped to NIST controls.
+
+### Data Layout
+The `KSI` object is keyed by **Domain ID** (e.g., `IAM`, `VDR`).
+
+#### Domain Structure
+* `theme`: A high-level summary of the security goal.
+* `indicators`: A dictionary of specific indicators.
+
+#### Indicator Object
+* `statement`: The validation criteria.
+* `controls`: An array of NIST SP 800-53 control identifiers (e.g., `ac-2`, `ia-5`).
+* `reference`: Links to external or internal documentation.
+
+**Integration Tip**: Use the `controls` array to map FedRAMP 20x capabilities back to legacy NIST-based GRC tools.
+
+## 4. Timeframe Attributes in Requirements
+
+Some requirements within the `FRR` section, particularly those that vary by impact level (`varies_by_level`), may include structured timeframe data to facilitate automated validation or reporting.
+
+### Data Layout
+When a requirement object (or a level-specific object within `varies_by_level`) includes timeframe constraints, it will have the following fields:
+
+* `timeframe_type`: The unit of time (e.g., `days`, `month`).
+* `timeframe_num`: The numeric value associated with the unit (e.g., `7`, `1`).
+
+**Integration Tip**: These fields allow programmatic extraction of deadlines or frequencies without parsing the natural language `statement`. For example, a requirement with `timeframe_type: "days"` and `timeframe_num: 7` implies a weekly cadence.
diff --git a/IDENTIFIERS.md b/IDENTIFIERS.md
deleted file mode 100644
index 3a9f6bf..0000000
--- a/IDENTIFIERS.md
+++ /dev/null
@@ -1,101 +0,0 @@
-# Understanding FedRAMP 20x Identifier Designators
-
-This document describes the identifier (designator) conventions used across the
-machine-readable JSON files in `data/`. The designators are used consistently
-in the FedRAMP 20x standards and guidance files to make references easy to
-parse and automate.
-
-## Structure
-
-Designators are structured as: `PREFIX-LABEL[-SUFFIX]-NNN` where:
-
-- `PREFIX`: broad category (definitions, requirements, technical assistance)
-- `LABEL`: short standard or sub-area code (ADS, VDR, KSI, etc.)
-- `SUFFIX` (optional): sectional qualifier (timeframe, agency guidance, apply, exceptions, etc.)
-- `NNN`: numeric identifier (usually two or more digits)
-
-**Examples:** `FRR-ADS-01`, `FRR-VDR-TF-MO-02`, `KSI-AFR-01`, `FRA-VDR-01`
-
-## Common Prefixes
-
-- `FRD-`: FedRAMP Definitions (definition records, often grouped under `FRD-ALL`)
-- `FRR-`: FedRAMP Requirements and Recommendations (most rules and recommendations)
-- `FRA-`: FedRAMP Technical Assistance / Informational Guidance
-- `KSI-`: Key Security Indicator themes and indicators
-
-## Common Labels (standards / documents)
-
-- `ADS`: Authorization Data Sharing Standard
-- `CCM`: Collaborative Continuous Monitoring Standard
-- `KSI`: Key Security Indicators
-- `PVA`: Persistent Validation and Assessment
-- `VDR`: Vulnerability Detection and Response
-- `MAS`: Minimum Assessment Scope
-- `RSC`: Recommended Secure Configuration
-- `FSI`: FedRAMP Security Inbox
-- `ICP`: Incident Communications Procedures
-- `SCN`: Significant Change Notifications
-- `FRD`: FedRAMP Definitions (used with `FRD-ALL` for global definitions)
-
-These labels correspond to the `short_name` values found in the JSON files
-under `data/` and are used as the second segment of requirement identifiers.
-
-## KSI Themes (common KSI labels)
-
-Key Security Indicators use three-letter theme codes. Examples found in
-`FRMR.KSI.key-security-indicators.json` include:
-
-- `AFR` — Authorization by FedRAMP
-- `CED` — Cybersecurity Education
-- `CMT` — Change Management
-- `CNA` — Cloud Native Architecture
-- `IAM` — Identity and Access Management
-- `INR` — Incident Reporting
-- `MLA` — Monitoring, Logging, and Auditing
-- `PIY` — Policy and Inventory
-- `RPL` — Recovery Planning
-- `SVC` — Service Configuration
-- `TPR` — Third-Party Information Resources
-
-KSI indicators then appear as `KSI--` (for example `KSI-AFR-01`).
-
-## Common Suffixes and Section Qualifiers
-
-FedRAMP uses short suffixes to split sections within a standard. Common
-examples include:
-
-- `-AY` : Apply / Application guidance (e.g. `FRR-