Assurance

There are 6 applicable rulesets with 79 total applicable rules.

Ruleset Summary

Addressing FedRAMP Communication (AFC): The Addressing FedRAMP Communication rules (formerly FedRAMP Security Inbox) ensure FedRAMP can reliably contact the security and compliance staff responsible for every FedRAMP-authorized cloud service offering. These rules also set expectations for urgent communications, response time testing, and routing important messages separately from general support or customer service channels.
Applicable Rules: 8

Collaborative Continuous Monitoring (CCM): The Collaborative Continuous Monitoring rules help agencies use shared, current authorization information from providers as part of each agency's own Information Security Continuous Monitoring strategy. These rules reduce unnecessary manual burden by encouraging automated monitoring and review while allowing each agency to make its own risk-based decisions about ongoing authorization.
Applicable Rules: 17

Incident Evaluation and Communication (IEC): The Incident Evaluation and Communication rules explain how providers must communicate incident information to FedRAMP and government customers when they are affected by an incident or likely to be affected by an incident.
Applicable Rules: 7

Independent Verification and Validation (IVV): This ruleset explains the expectations for independent verification and validation assessments.
Applicable Rules: 12

Significant Change Notification (SCN): The Significant Change Notification rules supply a simple framework allowing providers to make significant changes to their own products while keeping agency customers in the loop. These rules organize significant changes into clear categories so agencies can understand the expected risk and make authorization decisions accordingly.
Applicable Rules: 16

Vulnerability Evaluation and Reporting (VER): The Vulnerability Evaluation and Reporting rules require cloud service providers to determine when vulnerabilities are likely to impact federal customers and report the status of such vulnerabilities to all necessary parties.
Applicable Rules: 19