General Provider ResponsibilitiesCSO
12 rulesThese rules apply to providers for FedRAMP Certifications of any type.
Types20xRev5
PathsProgramAgency
ClassesBCD
AffectsProviders
| Class | Requirement |
|---|
| A | SHOULD Providers with Class A Certifications SHOULD maintain a web service, available to all necessary parties, that indicates current and historical availability of core services within the cloud service offering over at least the past 30 days, including availability incidents, in both human-readable and machine-readable formats; this service SHOULD be available even if the primary cloud service offering is unavailable. |
| B | MUST Providers with Class B Certifications MUST maintain a web service, available to all necessary parties, that indicates current and historical availability of core services within the cloud service offering over at least the past 30 days, including availability incidents, in both human-readable and machine-readable formats; this service MUST be available even if the primary cloud service offering is unavailable. |
| C | MUST Providers with Class C Certifications MUST maintain a web service, available to all necessary parties, that indicates current and historical availability of core services within the cloud service offering over at least the past 30 days, including availability incidents, in both human-readable and machine-readable formats; this service MUST be available even if the primary cloud service offering is unavailable. |
| D | MUST Providers with Class D Certifications MUST maintain a web service, available to all necessary parties, that indicates current and historical availability of core services within the cloud service offering over at least the past 30 days, including availability incidents, in both human-readable and machine-readable formats; this service MUST be available even if the primary cloud service offering is unavailable. |
Providers MUST use automation to ensure information remains consistent between human-readable and machine-readable formats when FedRAMP Certification Data is provided in both formats.
Providers MUST always include the FedRAMP ID of the related cloud service offering in all FedRAMP Certification Data once assigned, including all reports, notifications, and other communication that results from FedRAMP rules.
- The FedRAMP ID is supplied by FedRAMP after a cloud service offering is registered to be listed on the FedRAMP Marketplace - providers will need to use a placeholder until the FedRAMP ID is assigned.
- Many providers have multiple cloud service offerings or use internal names that don't align to public materials; using the FedRAMP ID ensures we can easily align the communication with a specific cloud service offering.
Providers MUST include FedRAMP Certification Reports with their FedRAMP Certification Data without inappropriate modifications, and make such reports available within 2 weeks of receiving the materials from FedRAMP.
FedRAMP provides Certification Reports for all cloud service offerings following the Program Certification path as part of the initial and ongoing FedRAMP Certification process, and may provide Certification Reports for cloud service offerings following the Agency Certification path.
Providers MUST supply snapshots of FedRAMP Certification Data aligned to Ongoing Certification Reports to all necessary parties; these snapshots MUST be available for the duration of FedRAMP Certification.
Historical snapshots do not need to be reconstructed for periods before the provider's first Ongoing Certification Report, but should be maintained for all subsequent Ongoing Certification Reports.
Required Artifacts
- Explanation of how to access this information.
Providers MUST supply all relevant policies and procedures in the FedRAMP Certification Data, including a human-readable and machine-readable reference that explains at least the following about each included policy and procedure:
- Name of policy or procedure
- Name of file, document, web page, etc.
- Brief summary of policy or procedure
- Word count of document
- Current version
- Date of last update
- Related FedRAMP Practices (if applicable)
Required Artifacts
- Explanation of how to access this information.
| Class | Requirement |
|---|
| A | MAY Providers with Class A Certifications MAY supply per-service FedRAMP Certification materials. |
| B | MAY Providers with Class B Certifications MAY supply per-service FedRAMP Certification materials. |
| C | MAY Providers with Class C Certifications MAY supply per-service FedRAMP Certification materials. |
| D | MUST Providers with Class D Certifications MUST supply per-service FedRAMP Certification materials. |
- Providers determine what they consider to be separate services, based on maximizing the customer experience for agencies who may only adopt some services and not others.
- Providers are encouraged to provide a single comprehensive set of materials for all shared aspects of the service offering and only provide separate materials for unique aspects of each service to minimize the burden on providers and agencies.
Providers MUST publicly share up-to-date information about the cloud service offering in both human-readable and JSON formats, including at least the following information that is available and applicable:
- FedRAMP ID
- Service Model
- Deployment Model
- Business Category
- UEI Number
- Sales Contact Information
- Security Contact Information
- Product Website Link
- Link to Product Logo
- Overall Service Description
- Detailed list of specific services and their security categories (see CDS-CSO-SVC (Public Service List) (Service List))
- Link to Secure Configuration Guidance
- Overview of documentation supplied by the provider for the cloud service offering
- Link to Trust Center landing page that includes instructions on accessing information in the trust center
- Next Ongoing Certification Report date (see CCM-OCR-NRD (Next Report Date))
- Current FedRAMP Recognized independent assessment service
Generally, this information should be available on a public webpage or publicly shared in a FedRAMP-compatible trust center.
Required Artifacts
- URL to the human-readable data.
- URL to the machine-readable data.
Providers MUST provide sufficient information in FedRAMP Certification Data to support agency authorization decisions but SHOULD NOT include sensitive information that would likely enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the cloud service offering.
This is not a license to exclude accurate risk information, but specifics that would likely lead to compromise should be abstracted. A breach of confidentiality with FedRAMP Certification Data should be anticipated by a secure cloud service provider.
Examples & Tips
Tips on sensitive information in FedRAMP Certification Data
- Passwords, API keys, access credentials, etc.
- Excessive detail about methodology that exposes weaknesses
- Personally identifiable information about employees
- DON'T: "In an emergency, an administrator with physical access to a system can log in using "secretadmin" with the password "pleasewutno""
- DO: "In an emergency, administrators with physical access can log in directly."
- DON'T: "All backup MFA credentials are stored in a SuperSafe Series 9000 safe in the CEOs office."
- DO: "All backup MFA credentials are stored in a UL Class 350 safe in a secure location with limited access."
- DON'T: "During an incident, the incident response team lead by Jim Smith (555-0505) will open a channel at the conference line (555-0101 #97808 passcode 99731)..."
- DO: "During an incident, the incident response team will coordinate over secure channels."
Providers MAY responsibly share some or all of the information in a FedRAMP Certification Package publicly or with other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.
Required Artifacts
- Explanation of if and how this information is shared with other parties.
Providers MUST publicly share a detailed list of specific services and their security categories that are included in the cloud service offering using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP Minimum Assessment Scope without requesting access to underlying FedRAMP Certification Data.
Required Artifacts
- URL to the human-readable data.
- URL to the machine-readable data (if applicable).
Providers MUST use a FedRAMP-compatible trust center to store and share FedRAMP Certification Data with all necessary parties.
Rules for FedRAMP-Compatible Trust Centers are explained in the Certification Data Sharing Rules under the FedRAMP-Compatible Trust Centers section (id: CDS-TRC).