Certification Package Overview
The Certification Package Overview rules outline the expectations for a simple overview of the cloud service offering that must be included within a FedRAMP Certification Package. This overview replaces the historically required base System Security Plan for FedRAMP Rev5 and is intended to provide a clear, concise, and consistent summary of the offering and the information included in the package to help customers understand the offering at a high level.
Subsets
General Provider Responsibilities
These rules apply to providers for FedRAMP Certifications of any type.
Overview of the Cloud Service Offering
CPO-CSO-OVR
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Related JSON Schema: FedRAMP Certification Package Overview Schema
Note: This is a placeholder; the URL will not work yet.
Providers MUST supply a Certification Package Overview within their FedRAMP Certification Package, in both human-readable and JSON formats, that includes at least all of the information required by the following rules:
- Certification Package Overview: CPO-CSO-MTD (Certification Package Overview Metadata)
- Certification Data Sharing: CDS-CSO-PUB (Public Information)
- Certification Data Sharing: CDS-CSO-SVC (Public Service List)
- Certification Data Sharing: CDS-CSO-IRP (Include Relevant Policies)
- Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
- Minimum Assessment Scope: MAS-CSO-FLO (Information Flows and Security Categories)
- Minimum Assessment Scope: MAS-CSO-TPR (Third-Party Information Resources)
- Using Cryptographic Modules: CMU-CSO-CMD (Cryptographic Module Documentation)
- FedRAMP Assessment: Whatever rule is created to replace the SAR ;)
Notes:
- For FedRAMP Rev5, the Certification Package Overview replaces the historically required System Security Plan (not including appendices).
- This list of rules may not apply to all FedRAMP Certification Classes or Types; if a rule does not apply, then the information it requires is not required.
Terms: Certification Class, Certification Data, Certification Package, Information Resource, Initial Incident Report (IIR), Security Category, Third-Party Information Resource
Certification Package Overview Metadata
CPO-CSO-MTD
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST also include the following basic metadata in their Certification Package Overview:
- Name, title, and contact information of the official who is responsible and accountable for the FedRAMP Certification Package
- Version
- Date and time of last update
- Source of update
Terms: Certification Package
20x-Specific Provider Responsibilities
These rules apply to providers for FedRAMP 20x Certifications.
Certification Package Maintenance for 20x
CPO-CSX-CPM
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers with 20x Class A Certifications SHOULD persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every 3 months.
Timeframe: 3 months
Providers with 20x Class B Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every month.
Timeframe: 1 month
Providers with 20x Class C Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every 2 weeks.
Timeframe: 2 weeks
Providers with 20x Class D Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every week.
Timeframe: 1 week
Notes:
- Providers are expected to maintain their FedRAMP Certification Package using automation as changes occur to ensure they are never out of date.
- This rule does not require or expect persistent human review of all materials in this cadence.
Terms: Certification Package, Persistently