FR
IVVassurancestable

Independent Verification and Validation

This ruleset explains the expectations for independent verification and validation assessments.

General Provider ResponsibilitiesGeneral Independent Assessor Responsibilities

General Provider ResponsibilitiesCSO

8 rules

These rules apply to cloud service providers obtaining and maintaining any FedRAMP Certification.

Types20xRev5
PathsProgramAgency
ClassesBCD
AffectsProviders
IVV-CSO-DUS

Document Use of Representative Samples

MUST

Providers MUST document and explain the use of representative samples during verification and validation when using representative samples as allowed by IVV-CSO-USR (Use Representative Samples).

RelatedIVV-CSO-USR
TermsProviderValidationVerification
IVV-CSO-FIA

FedRAMP Independent Assessments

ClassRequirement
A
MAYEvery 1 years

Providers with Class A Certifications MAY persistently complete an independent verification and validation assessment of all applicable FedRAMP rules with a FedRAMP Recognized independent assessment service OR FedRAMP at least once per year; this is a FedRAMP independent assessment.

B
MUSTEvery 1 years

Providers with Class B Certifications MUST persistently complete an independent verification and validation assessment of all applicable FedRAMP rules with a FedRAMP Recognized independent assessment service OR FedRAMP at least once per year; this is a FedRAMP independent assessment.

C
MUSTEvery 1 years

Providers with Class C Certifications MUST persistently complete an independent verification and validation assessment of all applicable FedRAMP rules with a FedRAMP Recognized independent assessment service OR FedRAMP at least once per year; this is a FedRAMP independent assessment.

D
MUSTEvery 1 years

Providers with Class D Certifications MUST persistently complete an independent verification and validation assessment of all applicable FedRAMP rules with a FedRAMP Recognized independent assessment service OR FedRAMP at least once per year; this is a FedRAMP independent assessment.

  • The first such completed assessment is typically called an "initial assessment" while following assessments are called "annual assessments."
  • The specific requirements for independent verification and validation assessments are documented by the FedRAMP Certification Class and Type.
  • The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council; this is _extremely_ rare.
  • FedRAMP Recognized independent assessment services are listed on the FedRAMP Marketplace.
TermsCertification ClassFedRAMP Independent AssessmentFedRAMP RecognizedPersistentlyProviderValidationVerification
IVV-CSO-ICP

Inclusion in Certification Package

MUST

Providers MUST supply the results of FedRAMP independent assessments in their FedRAMP Certification Package without inappropriate modification.

  • Inappropriate modification in this context means changing the underlying intent/etc. of the content provided by the independent assessment service - the content itself may be modified for presentation, formatting, etc. as needed.
  • This rule is related to IVV-IAS-VIP (Verify Inclusion in Certification Package).
RelatedIVV-IAS-VIP
TermsCertification PackageFedRAMP Independent AssessmentProviderVerification
IVV-CSO-RAA

Receiving Assessor Advice

MAY

Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their verification, validation and reporting procedures, UNLESS doing so is likely to compromise the objectivity and integrity of the assessment.

TermsAssessorLikelyProviderValidationVerification
IVV-CSO-SEE

Supply Evidence of Effectiveness

MUST

Providers MUST supply evidence to all necessary assessors of the effectiveness of the measures that have been implemented to meet FedRAMP Practices; this evidence is the result of validation.

For example, after verifying that firewalls are configured to block traffic following IVV-CSO-SEI (Supply Evidence of Implementation), the provider would validate that traffic is actually being blocked and supply evidence of that validation to assessors (such as by allowing them to see metrics on the traffic that is blocked vs not).
RelatedIVV-CSO-SEI
TermsAll Necessary AssessorsAssessorFedRAMP PracticesProviderValidation
IVV-CSO-SEI

Supply Evidence of Implementation

MUST

Providers MUST supply evidence to all necessary assessors of the implementation of the measures that have been documented to meet FedRAMP Practices; this evidence is the result of verification.

For example, if the documentation says that firewall rules are used to block traffic then the cloud service provider would verify that firewall rules are in place to block traffic and supply that evidence to assessors (preferably by allowing them to see how firewall configurations are deployed from a source of truth).
TermsAll Necessary AssessorsAssessorFedRAMP PracticesProviderVerification
IVV-CSO-STE

Supply Technical Explanations

SHOULD

Providers SHOULD supply all necessary assessors with technical explanations, demonstrations, and other relevant supporting information about the technical capabilities they employ to address FedRAMP rules; this SHOULD be supplied as necessary to ensure the assessor can effectively complete verification and validation.

TermsAll Necessary AssessorsAssessorProviderValidationVerification
IVV-CSO-USR

Use Representative Samples

MAY

Providers MAY use representative samples as appropriate during verification and validation.

Many modern cloud services using effective automation do not need to use representative sampling and are capable of persistently verifying and validating the majority of their security measures automatically.
TermsPersistentlyProviderValidationVerification

General Independent Assessor ResponsibilitiesIAS

7 rules

These rules apply to independent assessment services supporting all FedRAMP Certification types.

Types20xRev5
PathsProgramAgency
ClassesBCD
AffectsAssessors
IVV-IAS-EPX

Engage Provider Experts

SHOULD

Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process.

TermsAssessorProvider
IVV-IAS-OSA

Overall Summary of Assessment

MUST

Assessors MUST supply the provider with an overall summary of the verification and validation assessment results, including any resulting failures or areas of dispute; this summary will be included by the provider in the FedRAMP Certification Package Overview for the cloud service offering.

FedRAMP does not supply a template for this summary and encourages independent assessment services to optimize for the best customer experience in the creation of these materials.
TermsAssessorCertification PackageCloud Service OfferingProviderValidationVerification
IVV-IAS-SHA

Sharing Advice

MAY

Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve the provider's security posture or the effectiveness, clarity, and accuracy of their verification, validation and reporting procedures, UNLESS doing so is likely to compromise the objectivity and integrity of the assessment.

TermsAssessorLikelyProviderValidationVerification
IVV-IAS-SUM

Assessment Summary

MUST

Assessors MUST supply the provider with a high-level summary of their assessment process and findings for each FedRAMP Practice; this summary will be included by the provider in the FedRAMP Security Decision Record for the cloud service offering.

FedRAMP does not require a separate Security Assessment Plan or Security Assessment Report for FedRAMP 20x or FedRAMP Rev5 Certifications; this information is expected to be included in the Security Decision Record by the cloud service provider.
TermsAssessorCloud Service OfferingFedRAMP PracticesProviderSecurity Decision Record (SDR)
IVV-IAS-VEF

Validate Effectiveness

MUST

Assessors MUST validate the effectiveness of the implemented measures to ensure they have the intended outcome for meeting FedRAMP Practices.

This requires reviewing the actual measures themselves at a technical level, such as reviewing underlying code as appropriate; don't simply review documentation or screenshots.
TermsAssessorFedRAMP PracticesValidation
IVV-IAS-VIM

Verify Implementation

MUST

Assessors MUST verify that the measures implemented by the cloud service offering matches the measures they documented to meet FedRAMP Practices.

This requires reviewing the actual measures themselves at a technical level, such as reviewing underlying code as appropriate; don't simply review documentation or screenshots.
TermsAssessorCloud Service OfferingFedRAMP PracticesVerification

5 rules
IVV-CSX-AIA

Annual Independent Assessments for 20x

FedRAMP 20x
ClassRequirement
A
MUST

Providers with 20x Class A Certifications MUST meet the expectations of their underlying alternative security framework as part of their persistent independent verification and validation assessment.

B
MUSTEvery 1 years

Providers with 20x Class B Certifications MUST include all Key Security Indicators in a FedRAMP independent assessment at least once per year.

C
MUSTEvery 1 years

Providers with 20x Class C Certifications MUST include all Key Security Indicators in a FedRAMP independent assessment at least once per year.

D
MUSTEvery 1 years

Providers with 20x Class D Certifications MUST include all Key Security Indicators in a FedRAMP independent assessment at least once per year.

TermsFedRAMP Independent AssessmentPersistentlyProviderValidationVerification
IVV-CSF-ACF

Assessment of Rev5 Controls with Findings

MUSTRev 5

Providers MUST have Rev5 Controls with negative findings from the previous FedRAMP independent assessment included in the next FedRAMP independent assessment.

TermsFedRAMP Independent AssessmentProvider
IVV-CSF-AIA

Annual Independent Assessments for Rev5

Rev 5
ClassRequirement
B
MUSTEvery 1 years

Providers with Rev5 Class B Certifications MUST include the following Rev5 Controls in a FedRAMP independent assessment at least once per year:

C
MUSTEvery 1 years

Providers with Rev5 Class C Certifications MUST include the following Rev5 Controls in a FedRAMP independent assessment at least once per year:

D
MUSTEvery 1 years

Providers with Rev5 Class D Certifications MUST include the following Rev5 Controls in a FedRAMP independent assessment at least once per year:

TermsFedRAMP Independent AssessmentProvider
IVV-CSF-MCA

Mandatory Control Assessment

MUSTRev 5

Providers MUST have all applicable Rev5 Controls included in FedRAMP independent assessments every 3 years but are not required to have all Rev5 Controls included in the same FedRAMP independent assessment.

Traditionally this has been done by reviewing a rotating selection of Rev5 Controls at each annual assessment, however this requirement is a ceiling and not a floor. See IVV-CSF-PCA (Preferred Control Assessment) for FedRAMP's recommended approach to Rev5 control assessments.
RelatedIVV-CSF-PCA
TermsFedRAMP Independent AssessmentProvider