Certification Package Overview¶
The Certification Package Overview rules outline the expectations for a simple overview of the cloud service offering that must be included within a FedRAMP Certification Package. This overview replaces the historically required base System Security Plan for FedRAMP Rev5 and is intended to provide a clear, concise, and consistent summary of the offering and the information included in the package to help customers understand the offering at a high level.
Effective Date(s) & Overall Applicability for 20x
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2026-07-04
- Maintain: 2027-01-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01
20x-Specific Provider Responsibilities¶
These rules apply to providers for FedRAMP 20x Certifications.
Certification Package Maintenance for 20x¶
CPO-CSX-CPM
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers with 20x Class A Certifications SHOULD persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every 3 months.
Timeframe: 3 months
Notes:
- Providers are expected to maintain their FedRAMP Certification Package using automation as changes occur to ensure they are never out of date.
- This rule does not require or expect persistent human review of all materials in this cadence.
Terms: Certification Package, Persistently