Security Decision Record

Providers MUST supply a Security Decision Record, in both human-readable and JSON formats, that includes at least all of the following information for each applicable FedRAMP rule:

• Explanation of how the rule is followed, or an explanation of the reason and resulting risk to customers for not following the rule.
• Verification that the implementation is appropriate for the rule, or that the reason for not implementing is accepted by a senior official.
• Validation that the implementation is in place and working as intended, or that the reason for not implementing is accepted by a senior official.
• Independent verification.
• Independent validation.
• Any responses or clarifications to the comments in the independent verification or validation.
• Rule-specific artifacts (if applicable).

Providers MUST also include the following basic metadata in their Security Decision Record:

• Version
• Date and time of last update
• Source of update

Providers MUST also include short and simple high-level summaries of at least the following for each applicable Key Security Indicator:

• Explanation of measures (and their objectives) that demonstrate the Key Security Indicator, or an explanation of the reason and resulting risk to customers for not having measures available for that Key Security Indicator.
• Explanation of the cycle for any measures that are implemented persistently (if applicable).
• Verification that the measures demonstrate the Key Security Indicator, or that the reason for not having them is accepted.
• Verification that the automation in place is accurate and sufficient to demonstrate appropriate measures for the Key Security Indicator, or that automation is not necessary for each measure.
• Validation that the measures are accurately produced and are in place and working as intended, or that the reason for not having them is valid.

Providers MUST also include short and simple high-level summaries of at least the following for each applicable Rev5 Control:

• Any organization-defined parameter values.
• Implementation status, one of Implemented, Partially Implemented, Planned, Alternative Implementation, or Not Applicable.
• The mechanisms or activities that address the control, including inheritance from another cloud service offering if applicable.
• The verification that is in place to ensure the implementation is appropriate for the control.
• The validation that is in place to ensure the implementation is working as intended.
• Independent verification.
• Independent validation.
• Any responses or clarifications to the comments in the independent verification or validation.
• Control-specific artifacts (if applicable).