FedRAMP Recognition of Independent Assessment Services¶
The FedRAMP Recognition of Independent Assessment Services rules explain the requirements for assessors to obtain and maintain FedRAMP Recognition in order to support the FedRAMP Certification process.
General Independent Assessor Responsibilities¶
These rules apply to independent assessment services seeking to obtain or maintain FedRAMP Recognition.
A2LA Accreditation¶
REC-IAS-ACC
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST obtain and maintain accreditation through the American Association for Laboratory Accreditation (A2LA) Cybersecurity Inspection Body Program to qualify for FedRAMP Recognition.
Note: FedRAMP will remove FedRAMP Recognition immediately after the American Association for Laboratory Accreditation notifies FedRAMP that an assessor's accreditation has lapsed.
Terms: FedRAMP Recognized
Actually Do Assessments¶
REC-IAS-ADA
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST complete at least 2 initial or ongoing assessments for Class B, C, or D FedRAMP Certifications every 2 years to maintain FedRAMP Recognition.
Timeframe: 2 years
Effective Date(s): - Obtain: 2026-06-01 - Maintain: 2026-06-01 - Grace Ends: 2026-06-01
Corrective Actions
- FedRAMP will notify assessors when they are within 6 months of losing FedRAMP Recognition under this rule and request a corrective action plan.
- Assessors whose corrective action plan is not accepted will lose FedRAMP Recognition and must supply an alternative corrective action plan to move toward renewed FedRAMP Recognition.
Note: For a newly FedRAMP Recognized Assessor, this rule applies beginning on the initial date of FedRAMP Recognition if that date is later than 2026-06-01.
Terms: FedRAMP Recognized
Policy and Standards Compliance¶
REC-IAS-PSC
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST maintain compliance with the latest American Association for Laboratory Accreditation (A2LA) R311 - Specific Requirements - Federal Risk and Authorization Management Program to maintain FedRAMP Recognition.
Reference: A2LA Public Documents
Terms: FedRAMP Recognized
Annual Surveillance Assessment¶
REC-IAS-ANR
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST achieve a favorable annual surveillance assessment by the American Association for Laboratory Accreditation (A2LA) to maintain FedRAMP Recognition.
Timeframe: 1 years
Corrective Actions
- Assessors have 75 days to complete corrective actions for nonconformances identified by the American Association for Laboratory Accreditation (A2LA)during a surveillance assessment. If an assessor exceeds the 75 day resolution timeframe, A2LA will supply FedRAMP with a narrative of the assessor's current status, the assessor will be designated as in Remediation in the FedRAMP Marketplace, and the assessor must supply a corrective action plan to FedRAMP.
Terms: FedRAMP Recognized
Full A2LA Reassessment¶
REC-IAS-RAS
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST achieve a favorable full reassessment by the American Association for Laboratory Accreditation (A2LA) at least once every 2 years to maintain FedRAMP Recognition.
Timeframe: 2 years
Corrective Actions
- Assessors have 75 days to complete corrective actions for nonconformances identified by the American Association for Laboratory Accreditation during a reassessment. If an assessor exceeds the 75 day resolution timeframe, the American Association for Laboratory Accreditation will supply FedRAMP with a narrative of the assessor's current status, the assessor will be designated as In Remediation in the FedRAMP Marketplace, and the assessor must supply a corrective action plan to FedRAMP.
Terms: FedRAMP Recognized
Re-entry after Revocation¶
REC-IAS-RAR
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST satisfy all American Association for Laboratory Accreditation (A2LA) re-entry conditions before regaining FedRAMP Recognition after revocation.
Note: A revocation may require extended time in revoked status while the assessor demonstrates acceptable performance in the A2LA Cybersecurity Inspection Body Program before seeking FedRAMP Recognition again.
Terms: FedRAMP Recognized
Advisory Separation¶
REC-IAS-SEP
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST NOT perform an independent assessment of the same cloud service offering within 2 years after supplying advisory or consulting services for that offering, unless FedRAMP publishes a specific exception for a limited pilot or other explicitly scoped process.
Timeframe: 2 years
Corrective Actions
- FedRAMP may require a consultation meeting, corrective action plan, or revocation for failure to comply.
Terms: Cloud Service Offering
Roles and Qualifications¶
REC-IAS-RQU
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST staff FedRAMP assessments with all roles required by the American Association for Laboratory Accreditation (A2LA) R311, including personnel who meet the qualifications for each role, unless FedRAMP publishes a specific exception for a limited pilot or other explicitly scoped process.
Corrective Actions
- FedRAMP may require a consultation meeting, corrective action plan, or revocation for failure to comply.
Annual Foreign Interest Reports¶
REC-IAS-AFI
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
This FRR includes a notification requirement!
- Notify FedRAMP by web using FedRAMP Foreign Ownership, Control, or Influence Declaration Form.
Assessors MUST report information relating to any foreign interest, foreign influence, or foreign control of the independent assessment service to FedRAMP annually.
Timeframe: 1 years
Changes in Foreign Interest¶
REC-IAS-CFI
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
This FRR includes a notification requirement!
- Notify FedRAMP by web using FedRAMP Foreign Ownership, Control, or Influence Declaration Form.
Assessors MUST report updated information relating to any foreign interest, foreign influence, or foreign control of the independent assessment service within 48 hours of any change in foreign ownership or control.
Timeframe: 48 hours
Performance Standards¶
REC-IAS-PST
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST meet FedRAMP performance standards for assessor deliverables to support independent, risk-based reviews by FedRAMP and federal agencies, including at least:
- Complete Assessment Packages: Supplies complete and thoroughly prepared documents on the first submission.
- Deliverable Quality: Ensures documentation content is clear, complete, concise, and consistent.
- Deliverable Format: Uses current FedRAMP templates, procedures, and required formats for assessor-authored deliverables unless FedRAMP publishes an alternate format for a specific path, pilot, or process, and does not alter or delete required template content.
- Timeliness and Responsiveness: Delivers documents on time according to the schedule agreed to by the federal government, provider, and assessor.
- Testing Accuracy and Completeness: Ensures accurate and complete testing of a cloud service offering in accordance with ISO 17020 and FedRAMP security rules.
- Assessment Integrity: Submits independent assessments of provider security implementations that are not influenced by provider demands.
- Chain of Custody: Preserves the integrity and chain of custody of assessor-authored documents and provider-supplied evidence used in FedRAMP assessments.
Terms: Cloud Service Offering
Corrective Action Plan¶
REC-IAS-CAP
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST supply a corrective action plan when FedRAMP requires one for performance standards deficiencies or organizational risks.
Invalid Deliverables¶
REC-IAS-INV
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST treat deliverables prepared, performed, or submitted by personnel who do not meet required role qualifications as invalid for FedRAMP purposes.