Security Decision Record
The Security Decision Record replaces the traditional System Security Plan with a persistently maintained, verified, and validated record of the security decisions made by a cloud service provider over the lifecycle of its cloud service offering.
General Provider Responsibilities
These rules apply to providers for FedRAMP Certifications of any type.
FedRAMP Rules
SDR-CSO-FRR
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Related JSON Schema: FedRAMP Security Decision Record Schema
Note: This is a placeholder; the URL does not work yet.
Providers MUST supply a Security Decision Record, in both human-readable and JSON formats, that includes at least all of the following information for each applicable FedRAMP Rule:
- Explanation of how the rule is followed, or an explanation of the reason and resulting risk to customers for not following the rule.
- Verification that the implementation is appropriate for the rule, or that the reason for not implementing is accepted by a senior official.
- Validation that the implementation is in place and working as intended, or that the reason for not implementing is accepted by a senior official.
- Independent verification.
- Independent validation.
- Any responses or clarifications to the comments in the independent verification or validation.
- Rule-specific artifacts (if applicable).
Terms: Artifacts, Validation, Verification
Security Decision Record Metadata
SDR-CSO-MTD
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST also include the following basic metadata in their Security Decision Record:
- Version
- Date and time of last update
- Source of update
Rev5-Specific Provider Responsibilities
These rules apply to providers for FedRAMP Rev5 Certifications.
Rev5 Controls
SDR-CSF-CTF
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST also include short and simple high-level summaries of at least the following for each applicable Rev5 Control:
- Any organization-defined parameter values.
- Implementation status: one of Implemented, Partially Implemented, Planned, Alternative Implementation, or Not Applicable.
- The mechanisms or activities that address the control, including inheritance from another cloud service offering if applicable.
- The verification that is in place to ensure the implementation is appropriate for the control.
- The validation that is in place to ensure the implementation is working as intended.
- Independent verification.
- Independent validation.
- Any responses or clarifications to the comments in the independent verification or validation.
- Control-specific artifacts (if applicable).
Terms: Artifacts, Cloud Service Offering, Validation, Verification
Organization-Defined Parameters
SDR-CSF-ODP
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST define all required organization-defined parameters tied to all Rev5 Controls, following FedRAMP Rules if applicable, UNLESS the parameter is assigned by FedRAMP.
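The rules above (SDR-CSO-FRR, SDR-CSO-MTD, SDR-CSF-CTF and SDR-CSF-ODP) describe what a JSON Security Decision Record must contain, but the official schema is still a placeholder. The following added example, which is not FedRAMP's code or schema, shows how a provider could lint its own SDR JSON against those rules before submission; the field names (`metadata`, `rules`, `rev5_controls`, `odps`, `assigned_by_fedramp`) are assumed for illustration.

```python
"""Structural lint for a Security Decision Record (SDR) in JSON form.

The FedRAMP SDR JSON schema is not yet published, so the field names
below are an assumed layout for illustration, not FedRAMP's schema.
"""

# Per-rule content required by SDR-CSO-FRR; rule-specific artifacts are
# optional ("if applicable") and therefore not checked here.
RULE_REQUIRED = (
    "explanation", "verification", "validation",
    "independent_verification", "independent_validation", "responses",
)
# Basic metadata required by SDR-CSO-MTD.
METADATA_REQUIRED = ("version", "last_updated", "update_source")
# Implementation status values permitted by SDR-CSF-CTF.
STATUSES = {"Implemented", "Partially Implemented", "Planned",
            "Alternative Implementation", "Not Applicable"}


def lint_sdr(doc: dict) -> list[str]:
    """Return a list of findings; an empty list means the record passes."""
    findings = []
    for key in METADATA_REQUIRED:
        if not doc.get("metadata", {}).get(key):
            findings.append(f"metadata: missing {key}")
    for rule_id, entry in doc.get("rules", {}).items():
        for key in RULE_REQUIRED:
            if not entry.get(key):
                findings.append(f"{rule_id}: missing {key}")
    for ctl_id, ctl in doc.get("rev5_controls", {}).items():
        if ctl.get("status") not in STATUSES:
            findings.append(f"{ctl_id}: invalid status {ctl.get('status')!r}")
        # SDR-CSF-ODP: every parameter needs a value unless FedRAMP assigns it.
        for odp in ctl.get("odps", []):
            if not odp.get("value") and not odp.get("assigned_by_fedramp"):
                findings.append(f"{ctl_id}: ODP {odp.get('name')} undefined")
    return findings


# Constructed sample record (not real SDR data): one complete rule entry,
# one incomplete entry, one clean control and one control with a bad
# status and an undefined parameter, to exercise every check.
SAMPLE = {
    "metadata": {"version": "1.0", "last_updated": "2026-06-30T00:00:00Z",
                 "update_source": "provider CI pipeline"},
    "rules": {
        "SDR-CSO-MTD": {k: "see CI job sdr-build" for k in RULE_REQUIRED},
        "SDR-CSF-ODP": {"explanation": "All parameters defined."},
    },
    "rev5_controls": {
        "AC-2": {"status": "Implemented",
                 "odps": [{"name": "review frequency", "value": "quarterly"},
                          {"name": "account types", "assigned_by_fedramp": True}]},
        "AC-7": {"status": "Done",
                 "odps": [{"name": "lockout threshold", "value": ""}]},
    },
}
```

Running `lint_sdr(SAMPLE)` reports the five missing fields on SDR-CSF-ODP, the invalid AC-7 status and the undefined AC-7 parameter, while the FedRAMP-assigned AC-2 parameter passes.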