
Secure Configuration Guide

The Secure Configuration Guide rules help agencies and other customers understand how to configure a cloud service offering securely. These rules require providers to clearly explain the security impact of common settings so customers can make informed configuration choices.

Effective dates

  • Obtain by: 2026-03-01
  • Maintain by: 2026-03-01
  • Grace period: 2026-07-01

General Provider Responsibilities (CSO)

4 rules

These rules apply to providers with FedRAMP Certifications of any type.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Providers

SCG-CSO-AUP

Use Instructions

MUST

Providers MUST include instructions in the FedRAMP Certification Package that explain how to obtain and use the Secure Configuration Guide.

These instructions may appear in a variety of ways; it is up to the provider to do so in the most appropriate and effective ways for their specific customer needs.

Required Artifacts

  • URL or explanation of how to request these materials.
  • Explanation of how the provider decides whether or not to share these materials or other related policies.

SCG-CSO-PUB

Public Secure Configuration Guidance

SHOULD

Providers SHOULD make the Secure Configuration Guide available publicly.

Required Artifacts

  • Explanation of how to access this information
  • or explanation why this functionality is not available

SCG-CSO-RSC

Recommended Secure Configuration

MUST

Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that include at least the following information:

  • Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
  • Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications.
  • Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications.
  • These rules refer to this guidance as a Secure Configuration Guide, but cloud service providers may make this guidance available in various appropriate forms that provide the best customer experience.
  • This guidance should explain how top-level administrative accounts and privileged accounts are named and referred to in the cloud service offering.

Required Artifacts

  • URL to the human-readable data.
  • URL to the machine-readable data.

SCG-CSO-SDF

Secure Defaults

SHOULD

Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.

Required Artifacts

  • Explanation of how to access this information
  • or explanation why this functionality is not available

Enhanced Capabilities (ENH)

5 rules

These recommendations apply to providers with FedRAMP Certifications of any type.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Providers

SCG-ENH-API

API Capability

SHOULD

Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability.

Required Artifacts

  • Explanation of how to access this information
  • or explanation why this functionality is not available

SCG-ENH-CMP

Comparison Capability

SHOULD

Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.

Required Artifacts

  • Explanation of how to access this information
  • or explanation why this functionality is not available

SCG-ENH-EXP

Export Capability

SHOULD

Providers SHOULD offer the capability to export all security settings in a machine-readable format.

Required Artifacts

  • Explanation of how to access this information
  • or explanation why this functionality is not available

SCG-ENH-MRG

Machine-Readable Guidance

SHOULD

Providers SHOULD also provide the Secure Configuration Guide in a machine-readable format that can be used by customers or third-party tools to compare against current settings.

Required Artifacts

  • Explanation of how to access this information
  • or explanation why this functionality is not available
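The comparison capability (SCG-ENH-CMP) and machine-readable guidance (SCG-ENH-MRG) above describe a check a customer or third-party tool can run: current settings against the provider's recommended secure defaults. The following is an added illustration, not code from FedRAMP or any provider; the JSON schema (version, settings, scope, recommended, implication) and the sample values are assumptions constructed for the example.

```python
import json

# Constructed sample of a machine-readable Secure Configuration Guide.
# The field names are an assumption for this example; FedRAMP does not
# prescribe a schema, only that the guide be machine-readable.
GUIDE_JSON = """
{
  "version": "2026.03",
  "settings": [
    {"id": "mfa_required", "scope": "top-level-admin", "recommended": true,
     "implication": "A single stolen password would control the entire offering."},
    {"id": "session_timeout_minutes", "scope": "top-level-admin", "recommended": 15,
     "implication": "Long-lived console sessions widen the session-hijack window."},
    {"id": "api_key_rotation_days", "scope": "privileged", "recommended": 90,
     "implication": "Stale API keys accumulate in CI systems and backups."}
  ]
}
"""

# Constructed export of a tenant's current settings, as an export
# capability (SCG-ENH-EXP) might emit it.
CURRENT_JSON = '{"mfa_required": false, "session_timeout_minutes": 15, "api_key_rotation_days": 365}'


def compare_settings(guide_json: str, current_json: str) -> list[dict]:
    """Return one finding per setting whose current value deviates from the guide.

    A setting missing from the export is reported with actual=None rather than
    silently treated as compliant.
    """
    guide = json.loads(guide_json)
    current = json.loads(current_json)
    findings = []
    for s in guide["settings"]:
        actual = current.get(s["id"])
        if actual != s["recommended"]:
            findings.append({
                "setting": s["id"], "scope": s["scope"],
                "recommended": s["recommended"], "actual": actual,
                "implication": s["implication"], "guide_version": guide["version"],
            })
    # Top-level administrative deviations first: they affect the whole offering.
    findings.sort(key=lambda f: (f["scope"] != "top-level-admin", f["setting"]))
    return findings


if __name__ == "__main__":
    for f in compare_settings(GUIDE_JSON, CURRENT_JSON):
        print(f"[{f['scope']}] {f['setting']}: {f['actual']!r} "
              f"(recommended {f['recommended']!r}) - {f['implication']}")
```

Recording the guide version in each finding is what makes the report reproducible once the provider publishes a release history (SCG-ENH-VRH).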

SCG-ENH-VRH

Versioning and Release History

SHOULD

Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time.

Required Artifacts

  • Explanation of how to access this information
  • or explanation why this functionality is not available