
Independent Verification and Validation

This ruleset explains the expectations for independent verification and validation assessments.


General Independent Assessor Responsibilities

These rules apply to independent assessment services supporting all FedRAMP Certification types.

Verify Implementation

IVV-IAS-VIM

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Assessors MUST verify that the measures implemented by the cloud service offering match the measures they documented to meet FedRAMP Practices.


Terms: Cloud Service Offering, FedRAMP Practices, Verification

Validate Effectiveness

IVV-IAS-VEF

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Assessors MUST validate the effectiveness of the implemented measures to ensure they have the intended outcome for meeting FedRAMP Practices.


Terms: FedRAMP Practices, Validation

Assessment Summary

IVV-IAS-SUM

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Assessors MUST supply the provider with a high-level summary of their assessment process and findings for each FedRAMP Rule, control, and Key Security Indicator; this summary will be included by the provider in the FedRAMP Security Decision Record for the cloud service offering.


Note: FedRAMP does not require a separate Security Assessment Plan or Security Assessment Report for FedRAMP 20x or FedRAMP Rev5 Certifications; this information is expected to be included in the Security Decision Record by the cloud service provider.


Terms: Cloud Service Offering

Overall Summary of Assessment

IVV-IAS-OSA

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Assessors MUST supply the provider with an overall summary of the verification and validation assessment results, including any resulting failures or areas of dispute; this summary will be included by the provider in the FedRAMP Certification Package Overview for the cloud service offering.


Note: FedRAMP does not supply a template for this summary and encourages independent assessment services to optimize for the best customer experience in the creation of these materials.


Terms: Certification Package, Cloud Service Offering, Validation, Verification

Verify Inclusion in Certification Package

IVV-IAS-VIP

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Assessors MUST verify that information supplied during a FedRAMP independent assessment is included in the FedRAMP Certification Package by the provider without inappropriate modification.


Note: This rule is related to IVV-CSO-ICP (Inclusion in Certification Package).


Terms: Certification Package, FedRAMP Independent Assessment, Verification

Engage Provider Experts

IVV-IAS-EPX

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process.

Sharing Advice

IVV-IAS-SHA

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve the provider's security posture or the effectiveness, clarity, and accuracy of their verification, validation and reporting procedures, UNLESS doing so is likely to compromise the objectivity and integrity of the assessment.


Terms: Likely, Validation, Verification
