
FedRAMP Certification

This ruleset explains how cloud service offerings obtain and maintain FedRAMP Certification across certification classes and paths.

General Provider Responsibilities (FRC-CSO)

5 rules

These rules apply to cloud service providers obtaining and maintaining any FedRAMP Certification.

Types: 20x, Rev5
Paths: Program, Agency
Classes: A, B, C, D
Affects: Providers
FRC-CSO-FCP

FedRAMP Certification Profile

MUST

Providers MUST identify a target FedRAMP Certification Profile and apply all relevant FedRAMP Practices to the cloud service offering.

Information resources (including third-party information resources) MAY vary by security category as appropriate to the type of information handled by or impacted by the information resource.
FRC-CSO-JSN

FedRAMP JSON Schemas

MUST

Providers MUST supply machine-readable information in JSON documents that are valid against the corresponding JSON schema when a rule contains a FedRAMP JSON schema, UNLESS otherwise specified in the rule.

FedRAMP JSON schemas are designed to be lightweight and flexible to establish a minimum set of structured information while allowing providers to improve on the format and structure of the information as needed to meet their needs and the needs of their customers.
FRC-CSO-MRA

Maintain Responsibility and Accountability

MUST

Providers MUST maintain responsibility and accountability for the accuracy and completeness of all information in the FedRAMP Certification Package, especially when they engage a third party (such as an independent assessor, advisory service, or external tools) to supply information on their behalf.

FRC-CSO-PKG

FedRAMP Certification Package

MUST

Providers seeking a Class B Certification MUST supply a complete FedRAMP Certification Package to FedRAMP for initial certification; the FedRAMP Certification Package MUST include at least the following information:

  • A Certification Package Overview
  • A Security Decision Record
  • A real or example Ongoing Certification Report following CCM-OCR-AVL (Report Availability)
FRC-CSO-POP

Pick One Program Certification Type

MUST NOT

Providers MUST NOT seek both FedRAMP Rev5 Program Certification and FedRAMP 20x Program Certification for the same cloud service offering; pick one type.

This rule does not prevent a provider from seeking and maintaining both a FedRAMP Rev5 Agency Certification and a FedRAMP 20x Program Certification for the same cloud service offering; doing so is strongly discouraged, however, because of the added complexity and the risk of confusion for all parties.

FedRAMP Class A Certification Rules (FRC-CLA)

6 rules

These are specific rules that apply to providers seeking FedRAMP Class A Certifications.

Types: 20x, Rev5
Paths: Program, Agency
Classes: A
Affects: Providers
FRC-CLA-ASF

Approved Alternative Security Frameworks

MUST

Providers seeking a FedRAMP Class A Certification MUST have completed a certification or equivalent process, including an independent assessment if applicable, from one of the following alternative security frameworks within the past 12 months:

  • FedRAMP Rev5 (including FedRAMP Ready) at any historical Impact Level
  • SOC 2 Type II
  • GovRAMP at any Impact Level
FRC-CLA-EAM

External Assessment Materials

MUST

Providers seeking a FedRAMP Class A Certification MUST supply the following materials from their alternative security framework assessment to all necessary parties:

  • SOC 2 Type II: Complete report, bridge or gap letter (if applicable), verified audit engagement documentation, estimated schedule for upcoming report, supplemental compliance evidence (if applicable)
  • FedRAMP Ready: Readiness Assessment Report, Security Assessment Plan, and any other materials required by FedRAMP.
  • GovRAMP: Readiness Assessment Report, Security Assessment Plan, and any other materials required by GovRAMP.
FRC-CLA-MFR

Mandatory FedRAMP Rules for Class A

MUST

Providers seeking a Class A FedRAMP Certification MUST address all rules in this FedRAMP Class A Certification subset (FRC-CLA) AND the following additional FedRAMP Class A rules; the appropriate artifacts or information mapping for all rules MUST be supplied in the FedRAMP Certification Package.

  • FedRAMP Certification: FRC-CSO-PKG (FedRAMP Certification Package)
  • FedRAMP Certification: FRC-CSO-JSN (FedRAMP JSON Schemas)
  • FedRAMP Certification: FRC-CSO-POP (Pick One Program Certification Type)
  • Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
  • Certification Data Sharing: CDS-CSO-PUB (Public Information)
  • Certification Data Sharing: CDS-CSO-UTC (Use Trust Centers)
  • Certification Data Sharing: CDS-UTC-AAD (Agency Access Denial)
  • Certification Data Sharing: CDS-CSO-AVR (Availability Reporting)
  • Addressing FedRAMP Communication: AFC-CSO-INB (Maintain a FedRAMP Security Inbox)
  • Addressing FedRAMP Communication: AFC-CSO-RCV (Receive Email Without Disruption)
  • Addressing FedRAMP Communication: AFC-CSO-CRA (Complete Required Actions)
  • Incident Evaluation and Communication: IEC-CSO-EFR (Evaluate FedRAMP Reportability)
  • Incident Evaluation and Communication: IEC-CSO-FIR (Final Incident Report)
  • Vulnerability Detection and Response: VDR-CSO-DET (Vulnerability Detection)
  • Collaborative Continuous Monitoring: CCM-OCR-AVL (Report Availability)
  • Collaborative Continuous Monitoring: CCM-OCR-NRD (Next Report Date)
  • Independent Verification and Validation: IVV-CSX-AIA (Annual Independent Assessments for 20x)
  • Independent Verification and Validation: IVV-CSF-AIA (Annual Independent Assessments for Rev5)
  • Key Security Indicators: KSI-CMT-LMC (Logging Changes)
  • Key Security Indicators: KSI-CNA-RNT (Restricting Network Traffic)
  • Key Security Indicators: KSI-CED-RAT (Reviewing All Training)
  • Key Security Indicators: KSI-IAM-AAM (Automating Account Management)
  • Key Security Indicators: KSI-IAM-APM (Adopting Passwordless Methods)
  • Key Security Indicators: KSI-INR-RIR (Reviewing Incident Response Procedures)
  • Key Security Indicators: KSI-SVC-SIN (Securing Information)
Some of these FedRAMP rules have no close counterpart in external frameworks, so providers will need to implement new processes to follow them.

For each of these FedRAMP requirements, providers should include a summary detailed enough that reviewers do not need to dig into the related security framework materials to understand the decisions made; a bare "see SOC 2 report" is not particularly helpful.

Information about how the provider addresses the included Key Security Indicators is required for both Rev5 and 20x Class A Certifications.
FRC-CLA-OFR

Address Optional FedRAMP Rules for Class A

MAY

Providers seeking a Class A FedRAMP Certification MAY address the following additional optional FedRAMP Class A rules (if applicable):

  • Collaborative Continuous Monitoring: CCM-QTR-MTG (Quarterly Review Meeting)
  • Certification Data Sharing: CDS-CSO-PSM (Per-Service Certification Materials)
  • Cryptographic Module Use: CMU-CSO-UVM (Using Validated Cryptographic Modules)
  • FedRAMP Certification: FRC-APP-FIA (Fresh Independent Assessment)
  • Independent Verification and Validation: IVV-CSO-FIA (FedRAMP Independent Assessments)
  • Security Decision Record: SDR-CSX-KMT (Key Security Indicator Metrics)
  • Vulnerability Evaluation and Reporting: VER-TFR-IRI (Internet-Reachable Incidents)
  • Vulnerability Evaluation and Reporting: VER-TFR-MRH (Historical Activity)
  • Vulnerability Evaluation and Reporting: VER-TFR-NRI (Non-Internet-Reachable Incidents)
FRC-CLA-RFR

Recommended FedRAMP Rules for Class A

SHOULD

Providers seeking a Class A FedRAMP Certification SHOULD address the following additional recommended FedRAMP Class A rules (if applicable):

  • Certification Data Sharing: CDS-CSO-AVR (Availability Reporting)
  • Certification Package Overview: CPO-CSF-CPM (Certification Package Maintenance for Rev5)
  • Certification Package Overview: CPO-CSX-CPM (Certification Package Maintenance for 20x)
  • Incident Evaluation and Communication: IEC-CSO-IIR (Initial Incident Report)
  • Incident Evaluation and Communication: IEC-CSO-OIR (Ongoing Incident Reports)
  • Vulnerability Detection and Response: VDR-TFR-MVX (Persistent Machine Verification and Validation for 20x)
  • Vulnerability Detection and Response: VDR-TFR-PCD (Persistently Complete Detection)
  • Vulnerability Detection and Response: VDR-TFR-PDD (Persistent Drift Detection)
  • Vulnerability Detection and Response: VDR-TFR-PSD (Persistent Sample Detection)
  • Vulnerability Detection and Response: VDR-TFR-PVR (Mitigation and Remediation Expectations)
  • Vulnerability Evaluation and Reporting: VER-TFR-EVU (Evaluate Vulnerabilities Quickly)

Applying for FedRAMP Certification (FRC-APP)

6 rules

These rules apply to cloud service providers who have met all other relevant rules and are ready to apply for any FedRAMP Certification.

Types: 20x, Rev5
Paths: Program, Agency
Classes: A, B, C, D
Affects: Providers
FRC-APP-FIA

Fresh Independent Assessment

Requirement by class:

Class A: MAY (every 3 months)

Providers seeking Class A Certification MAY supply a fresh initial FedRAMP independent assessment that was completed by a FedRAMP Recognized independent assessment service within the previous 3 months.

Class B: MUST (every 3 months)

Providers seeking Class B Certification MUST supply a fresh initial FedRAMP independent assessment that was completed by a FedRAMP Recognized independent assessment service within the previous 3 months.

Class C: MUST (every 3 months)

Providers seeking Class C Certification MUST supply a fresh initial FedRAMP independent assessment that was completed by a FedRAMP Recognized independent assessment service within the previous 3 months.

Class D: MUST (every 3 months)

Providers seeking Class D Certification MUST supply a fresh initial FedRAMP independent assessment that was completed by a FedRAMP Recognized independent assessment service within the previous 3 months.

FRC-APP-MLF

Marketplace Listing First

MUST

Providers MUST be listed in the FedRAMP Marketplace before applying for FedRAMP Certification, including meeting the following rules:

  • FedRAMP Marketplace: MKT-CSO-MLR (Marketplace Listing Requirements)
  • FedRAMP Marketplace: MKT-CSO-PML (Provider Marketplace Listing Requests)
  • FedRAMP Marketplace: MKT-IIP-AGU (Agency Use Cases)
  • FedRAMP Marketplace: MKT-IIP-DCP (Demonstrating Continuous Progress)
FRC-APP-NTP

No Third-Party Applicants

MUST NOT

Providers MUST NOT use a third party to apply for a FedRAMP Certification on their behalf; this includes independent assessment services.

  • FedRAMP previously allowed independent assessment services to submit applications on behalf of providers, but this caused confusion about who was responsible for the application and the information in it. Providers should apply directly to ensure clear accountability.
  • Providers may use third parties to help them prepare their application and assessment materials for submission.
FRC-APP-USA

Updating Stale Assessments

MAY

Providers MAY freshen a stale initial independent verification and validation assessment by having a FedRAMP Recognized independent assessment service review any changes between the original assessment and the current status of the cloud service offering in place of a full re-assessment, UNLESS the stale assessment is more than 9 months old.

Applying for FedRAMP Certification with an Agency Sponsor (FRC-APS)

1 rule

These rules apply to cloud service providers with an Agency Sponsor who have met all other relevant rules and are ready to apply for any FedRAMP Certification.

Types: Rev5
Paths: Agency
Classes: B, C, D
Affects: Providers
FRC-APS-ATO

Agency Authorization to Operate

MUST

Providers seeking a FedRAMP Rev5 Agency Certification MUST have completed the Authorization to Operate (ATO) process with their agency sponsor for the cloud service offering, concluding with a formal signed ATO letter that the agency has sent over official government channels to FedRAMP.

Changing Certification Class (FRC-CCL)

3 rules

These rules apply to cloud service providers when changing their FedRAMP Certification Class.

Types: Rev5
Paths: Agency
Classes: A, B, C, D
Affects: Providers
FRC-CCL-DCC

Downgrading Certification Class

MUST

Providers MUST apply for a new FedRAMP Certification to downgrade their Certification Class.

  • Downgrade paths include moving from D to C, B, or A; C to B or A; or B to A.
  • FRC-CCL-DNP (Downgrade Notification Period) applies; DO NOT downgrade Certification Class without providing advance notification to all necessary parties.
FRC-CCL-DNP

Downgrade Notification Period

SHOULD

Providers SHOULD notify all necessary parties at least 120 days in advance of an intended downgrade or cancellation of FedRAMP Certification.

Downgrading or canceling FedRAMP Certification has severe negative consequences for the provider and their agency customers and should only be done after careful consideration and planning; if it must be done, notify all necessary parties as soon as possible.
FRC-CCL-UCC

Upgrading Certification Class

MUST

Providers MUST apply for a new FedRAMP Certification to upgrade their Certification Class; all applicable requirements MUST be met in advance.

  • Upgrade paths include moving from A to B, C, or D; B to C or D; and C to D.
  • The preferred path is to incrementally update the implementation and assurance commitments within the current Certification Class until the provider has met all requirements for the target Certification Class, then apply for the new Certification Class.

8 rules
FRC-CSX-MAS

Application within MAS

SHOULD (FedRAMP 20x)

Providers SHOULD apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.

FRC-CSX-MOT

Metrics Over Time for Key Security Indicators

FedRAMP 20x. Requirement by class:

Class A: MAY

Providers seeking 20x Class A Certification MAY supply historical metrics for Key Security Indicators.

Class B: SHOULD

Providers seeking 20x Class B Certification SHOULD supply historical metrics for Key Security Indicators.

Class C: MUST

Providers seeking 20x Class C Certification MUST supply historical metrics including status from persistent validation over at least the past 6 months for all Key Security Indicators.

Class D: MUST

Providers seeking 20x Class D Certification MUST supply historical metrics including status from persistent validation over at least the past 18 months for all Key Security Indicators.

For initial FedRAMP Certification, a provider whose cloud service has not been operating with the related metrics available for the required period will need to have the collection mechanisms in place and agree to meet this requirement going forward.
FRC-CSX-VVK

Automated Verification and Validation of Key Security Indicators

FedRAMP 20x. Requirement by class:

Class A: MAY

Providers seeking 20x Class A Certification MAY implement automated methods to persistently verify and validate the accuracy and completeness of Key Security Indicators.

Class B: SHOULD

Providers seeking 20x Class B Certification SHOULD implement automated methods to persistently verify and validate the accuracy and completeness of Key Security Indicators, with at least 1 automated method for each Key Security Indicator.

Class C: MUST

Providers seeking 20x Class C Certification MUST implement automated methods to persistently verify and validate the accuracy and completeness of Key Security Indicators, with at least 2 automated methods for each Key Security Indicator.

Class D: MUST

Providers seeking 20x Class D Certification MUST implement automated methods to persistently verify and validate the accuracy and completeness of Key Security Indicators, with at least 4 automated methods for each Key Security Indicator.

FRC-CSX-VVR

Automated Verification and Validation of FedRAMP Rules

FedRAMP 20x. Requirement by class:

Class A: MAY

Providers seeking 20x Class A Certification MAY implement automated methods to persistently verify and validate the accuracy and completeness of the Security Decision Record for FedRAMP rules when applicable.

Class B: SHOULD

Providers seeking 20x Class B Certification SHOULD implement automated methods to persistently verify and validate the accuracy and completeness of the Security Decision Record for FedRAMP rules when applicable.

Class C: SHOULD

Providers seeking 20x Class C Certification SHOULD implement automated methods to persistently verify and validate the accuracy and completeness of the Security Decision Record for FedRAMP rules when applicable.

Class D: SHOULD

Providers seeking 20x Class D Certification SHOULD implement automated methods to persistently verify and validate the accuracy and completeness of the Security Decision Record for FedRAMP rules when applicable.

Which rules are easy to automate varies from provider to provider depending on the implementation, so FedRAMP generally leaves the choice of automation to providers based on what makes the most sense for their own business and approach.
FRC-CSF-ACP

Assign Control Parameters

MUST (Rev 5)

Providers MUST assign all organization-defined control parameters, following FedRAMP Rev5 Controls Guidance, and ensure that all control parameter assignments are documented in the Security Decision Record (SDR).

FRC-CSF-BSL

FedRAMP Rev5 Baselines

Rev 5. Requirement by class:

Class B: MUST

Providers seeking FedRAMP Rev5 Class B Certification MUST include at least the following NIST SP 800-53 Rev. 5 controls in their Security Decision Record:

Class C: MUST

Providers seeking FedRAMP Rev5 Class C Certification MUST include at least the following NIST SP 800-53 Rev. 5 controls in their Security Decision Record:

Class D: MUST

Providers seeking FedRAMP Rev5 Class D Certification MUST include at least the following NIST SP 800-53 Rev. 5 controls in their Security Decision Record:

FRC-CSF-FFG

Follow FedRAMP Rev5 Controls Guidance

MUST (Rev 5)

Providers MUST follow FedRAMP Rev5 Controls Guidance for the implementation and documentation of all applicable controls.

FRC-CSF-RDY

FedRAMP Ready Conversion

MUST (Rev 5)

Providers with FedRAMP Rev5 Ready status MUST convert to a FedRAMP Certification by whichever of the following dates is later: the expiration of their annual assessment, or November 17, 2026 (the legacy FedRAMP Ready status will be entirely removed on December 31, 2027).

  • The simplest conversion in most cases would be to a FedRAMP 20x Class A Certification.
  • Cloud services that do not wish to convert or do not meet conversion criteria will be renamed Legacy FedRAMP Ready and otherwise retired from FedRAMP Ready.