CPO · materials · stable

Certification Package Overview

The Certification Package Overview rules outline the expectations for a simple overview of the cloud service offering that must be included within a FedRAMP Certification Package. This overview replaces the historically required base System Security Plan for FedRAMP Rev5 and is intended to provide a clear, concise, and consistent summary of the offering and the information included in the package to help customers understand the offering at a high level.

General Provider Responsibilities (CSO)

2 rules

These rules apply to providers for FedRAMP Certifications of any type.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Providers
CPO-CSO-MTD

Certification Package Overview Metadata

MUST

Providers MUST also include the following basic metadata in their Certification Package Overview:

  • Name, title, and contact information of the official who is responsible and accountable for the FedRAMP Certification Package
  • Version
  • Date and time of last update
  • Source of update
CPO-CSO-OVR

Overview of the Cloud Service Offering

MUST

Providers MUST supply a Certification Package Overview within their FedRAMP Certification Package, in both human-readable and JSON formats, that includes at least all of the information required by the following rules:

  • Certification Package Overview: CPO-CSO-MTD (Certification Package Overview Metadata)
  • Certification Data Sharing: CDS-CSO-PUB (Public Information)
  • Certification Data Sharing: CDS-CSO-SVC (Public Service List)
  • Certification Data Sharing: CDS-CSO-IRP (Include Relevant Policies)
  • Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
  • Minimum Assessment Scope: MAS-CSO-FLO (Information Flows and Security Categories)
  • Minimum Assessment Scope: MAS-CSO-TPR (Third-Party Information Resources)
  • Using Cryptographic Modules: CMU-CSO-CMD (Cryptographic Module Documentation)
  • Independent Verification and Validation: IVV-CSO-ICP (Inclusion in Certification Package)
  • For FedRAMP Rev5, the Certification Package Overview replaces the historically required System Security Plan (not including appendices).
  • This list of rules may not apply to all FedRAMP Certification Classes or Types; if a rule does not apply, then the information it requires is not required.

2 rules
CPO-CSX-CPM

Certification Package Maintenance for 20x

FedRAMP 20x
Class / Requirement

Class A: SHOULD, at least every 3 months

Providers with 20x Class A Certifications SHOULD persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every 3 months.

Class B: MUST, at least every month

Providers with 20x Class B Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every month.

Class C: MUST, at least every 2 weeks

Providers with 20x Class C Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every 2 weeks.

Class D: MUST, at least every week

Providers with 20x Class D Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every week.

  • Providers are expected to maintain their FedRAMP Certification Package using automation as changes occur to ensure they are never out of date.
  • This rule does not require or expect persistent human review of all materials in this cadence.
CPO-CSF-CPM

Certification Package Maintenance for Rev5

Rev 5
Class / Requirement

Class A: SHOULD, at least every year

Providers with Rev5 Class A Certifications SHOULD persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every year.

Class B: MUST, at least every year

Providers with Rev5 Class B Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every year.

Class C: MUST, at least every year

Providers with Rev5 Class C Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every year.

Class D: MUST, at least every 6 months

Providers with Rev5 Class D Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every six months.

  • This maximum timeframe for Rev5 is the absolute worst case for customer experience and is based on legacy FedRAMP Rev5 allowing providers to leave their packages unmaintained for up to a year. Rev5 providers should maintain their packages far more frequently than this requirement so that potential customers have access to up-to-date information, updating the package at least after every transformative significant change.
  • FedRAMP 20x Certifications expect providers to maintain their FedRAMP Certification Packages as changes occur to ensure they are never out of date.