Releases: FedRAMP/docs
Hotfix ADS UTC FRR IDs
This fixes some IDs that weren't properly updated within the ADS - no changes to any structured wording/etc.
- 9d87345 - this adds a validator to make sure IDs match the object subsection they are in and fixes the incorrectly id'd ADS bits
Hotfixes for errors in various KSIs
- 71326dd - `KSI-RSC-MON` was renamed to `KSI-SCR-MON` (this update included executing prettier with opinionated formatting against `FRMR.documentation.json` which unfortunately created a lot of changes but they are not material)
- 6d14116 - `PVA-CSX-RAD` and `PVA-TPX-SHA` were referencing outdated FRR names.
- 18de64b - `KSI-AFR-VDR` referenced `ra-5` twice in the controls array
- 305f3e6 - incremented version and fixed last updated to 2026 (oops)
v0.9.0-beta - Restructuring based on Phase 2 Pilot activity
What's Changed
Full Changelog: v0.4.0-alpha...v0.9.0-beta
This release includes a significant rework of
FedRAMP Machine-Readable Documentation,
affecting both 20x and Rev5 Balance Improvement Release materials.
This rework applies lessons learned from the alpha of these materials to
improve function, layout, readability, and the ability to directly reference
requirements and recommendations. Some requirements and recommendations have
been updated for clarity or reorganized but in general there are no significant
changes to the guidance itself.
Phase 2 pilot participants are not required to update!
20x Phase 2 pilot participants
may continue to use v0.4.0 names and ids.
The authorization package for pilot participants should be updated to v0.9.0 or a subsequent
version within 3 months of receiving a pilot authorization.
Specific Changes of Note
- The Recommended Secure Configuration was renamed to Secure Configuration Guide and simplified by combining a few requirements and recommendations for clarity and establishing a separate Enhanced Capabilities section for recommendations.
- The Minimum Assessment Scope has been simplified considerably.
- The FedRAMP Security Inbox has been updated to generally change use of "respond" (or similar) to "react" (or similar) to clarify that a reply via email is not always the expected reaction.
General Display Changes
The following changes will be noted by humans using these materials:
- Individual FRR and KSI identifiers have all been renamed to make them easier to reference and avoid future gaps:
  - Numbers have been removed
  - Each id is now 3x3 letters, such as `FSI-FRP-VRE` instead of `FRR-FSI-01`
    - The first three indicate the process
    - The second three indicate the subset, theme, or group
    - The third three are the specific item
  - The previous identifier is included as an `fka` string or `fkas` array if applicable
- FRD identifiers have been simplified to 2x3 letters, with the first indicating they are a definition and the second indicating the item, such as `FRD-ACV` instead of `FRD-ALL-31`
- All requirements, recommendations, and key security indicators have been given a human-readable name; those that already had human-readable names have been updated for clarity in many cases.
- Changes to individual items will be tracked individually moving forward and can be reviewed by expanding the identifier box under the name.
- All items that varied by impact level or category have been combined to avoid repeat rules assigned to different impact levels. If a requirement, recommendation, or key security indicator varies by level then a selection box appears for each level.
- Many of the traditional application (`-AY-`) sections have been removed and repurposed as notes on specific requirements and recommendations, matching their intent.
- Technical assistance has been folded into the specific requirements and recommendations as appropriate.
- All requirements, recommendations, and key security indicators have been re-ordered for clarity and readability.
- FedRAMP defined terms are now listed in each item where they are used with a link to the definition and a hover-based tooltip; these terms were previously italicized.
- Some requirements and recommendations are now Rev5 or 20x specific; these are only displayed in the respective documentation section.
- Key security indicators are now grouped and displayed by theme instead of all being on one very long page.
- Items with notification requirements are explicitly highlighted.
Machine-Readable Changes
The underlying JSON data has gone through considerable change; technical implementers should review the core JSON data.
In general this should be the last significant shift like this of the underlying JSON data. There may be minor tweaks here and there to metadata but further restructuring is unexpected at this time. Apologies and thank you for participating in the alpha!
- All individual JSON files have been combined into one. The new singular JSON data is structured with major sections for FRD, FRR, and KSI.
- All the release history per section has been removed; individual items now contain their own `updated` array.
- Each item has either an `fka` string with the previous id or an `fkas` array with all previous ids where items were combined. This allows for easier migrating from previous versions; you'll need to script a map or similar against these to bring information you've populated against the previous ids into the new ids.
- Some items have a new `varies_by_level` object that includes a different `statement` depending on the impact level.
- Tried to add additional timeframe and notification metadata bits; these are still being refined and can be ignored.
- Added a `terms` array, built by keyword search, to flag when a defined term appears.
- Many various other smaller changes here and there.
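
One way to script the `fka`/`fkas` map described above, as an added example that is not part of the FedRAMP tooling. It assumes each item's new id is either an `id` field or the object key it sits under, and the sample document and the `ZZZ`/`98`/`99` ids are constructed for illustration; records keyed by combined or unknown old ids are surfaced for review instead of being overwritten or dropped.

```python
import json

# Constructed sample. Only the FRD/FRR/KSI top-level sections, the fka/fkas
# fields and the FSI-FRP-VRE / FRD-ACV pairs come from the release notes; the
# nesting, ids stored as object keys, and the ZZZ/98/99 ids are assumptions.
SAMPLE = json.loads("""
{"FRD": {"FRD-ACV": {"fka": "FRD-ALL-31"}},
 "FRR": {"FSI": {"FRP": {
    "FSI-FRP-VRE": {"fka": "FRR-FSI-01"},
    "FSI-FRP-ZZZ": {"fkas": ["FRR-FSI-98", "FRR-FSI-99"]}}}},
 "KSI": {}}
""")


def build_fka_map(node, key=None, out=None):
    """Walk the document and return {previous_id: [new_id, ...]}."""
    out = {} if out is None else out
    if isinstance(node, dict):
        previous = [node["fka"]] if isinstance(node.get("fka"), str) else []
        if isinstance(node.get("fkas"), list):
            previous += [p for p in node["fkas"] if isinstance(p, str)]
        new_id = node.get("id", key)  # assumption: explicit id field or object key
        for old in previous:
            targets = out.setdefault(old, [])
            if new_id not in targets:
                targets.append(new_id)
        for child_key, child in node.items():
            build_fka_map(child, child_key, out)
    elif isinstance(node, list):
        for child in node:
            build_fka_map(child, key, out)
    return out


def migrate(old_records, fka_map):
    """Re-key {old_id: data}; return (migrated, unmapped, ambiguous)."""
    migrated, unmapped, ambiguous = {}, [], []
    for old_id, data in old_records.items():
        targets = fka_map.get(old_id, [])
        if not targets:
            unmapped.append(old_id)      # no successor listed: review by hand
        elif len(targets) > 1:
            ambiguous.append(old_id)     # claimed by several new ids
        else:
            # Combined items receive several old records; keep each one with
            # its old id so nothing is silently overwritten.
            migrated.setdefault(targets[0], []).append((old_id, data))
    return migrated, sorted(unmapped), sorted(ambiguous)
```
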
Final Alpha Version for the 20x Phase 2 Pilot
This release contained major overhauls to the data structure and related tools, including full Zensical-based website generation for the FedRAMP documentation site and a rework to many Key Security Indicator names during Cohort 1 of the Phase 2 pilot.
This is the final alpha release. Providers may continue to use this v.0.4.0-alpha during the Phase 2 pilot but will benefit from a quick and early transition to v0.9.0-beta which will be released soon.
What's Changed
- Add Vulnerability Detection and Response standard by @pete-gov in #10
- new pdf converter to fix italics bug by @pete-gov in #11
- fix typos, table, add clarification on VDR, regenerate by @pete-gov in #12
- adding impact categories and various minor tweaks by @pete-gov in #13
- Add "impact" classification to multiple FedRAMP statement definitions… by @dan-fedramp in #16
- update output materials from bug-fixed JSON by @pete-gov in #17
- merge changes from main by @dan-fedramp in #18
- update FedRAMP.schema.json by @dan-fedramp in #20
- merge schema updates to working branch by @pete-gov in #21
- Revert "merge schema updates to working branch" by @pete-gov in #22
- Json schema updates by @dan-fedramp in #24
- Enhance FedRAMP JSON schema and add auto-generated documentation by @dan-fedramp in #25
- Update JSON Schema and improve naming consistency by @dan-fedramp in #26
- update links by @pete-gov in #27
- remove duplicate impacts by @pete-gov in #28
- address missing impact statements by @pete-gov in #29
- cleanup site by @pete-gov in #31
- Add Rev5 section, rework effective fields. by @pete-gov in #32
- Add preview support to develop branch by @pete-gov in #33
- Better warning about corrective action by @pete-gov in #35
- refactor zensical by @pete-gov in #42
- typos are bad mkay by @pete-gov in #45
- KSI improvements from Cohort 1 collaborative workshops by @pete-gov in #46
New Contributors
- @dan-fedramp made their first contribution in #16
Full Changelog: v0.3.1-alpha...v0.4.0-alpha
v.0.3.1-alpha
This is a hotfix release to fix a typo resulting from a copy/paste of the SCN JSON description for the ADS.
For additional information, see this thread in the FedRAMP Community.
Added Authorization Data Sharing, consolidated FedRAMP Definitions
For additional information, see this thread in the FedRAMP Community.
FedRAMP Machine Readable (FRMR) Docs v0.2.0
This release is intended for initial testing and evaluation of FedRAMP Machine Readable documents. Feedback in our FedRAMP 20x Community Working Group is strongly encouraged!
This release updates previous Key Security Indicators to include reference control mappings for KSIs.
Docs included in this release are:
- Key Security Indicators (25.05C)
- Minimum Assessment Standard (25.06A)
- Significant Change Notification Requirements (25.06A)