FedRAMP Certification

This ruleset explains how cloud service offerings obtain and maintain FedRAMP Certification across certification classes and paths.

Subsets

Effective Date(s) & Overall Applicability for 20x

  • Required (Consolidated Rules for 2026)
  • Optional Adoption: 2026-07-04
  • Obtain: 2026-07-04
  • Maintain: 2027-01-01
  • Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01

General Provider Responsibilities

These rules apply to cloud service providers obtaining and maintaining any FedRAMP Certification.

FedRAMP Certification Profile

FRC-CSO-FCP

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST identify a target FedRAMP Certification Profile and apply all relevant FedRAMP Practices to the cloud service offering.


Note: Information resources (including third-party information resources) MAY vary by security category as appropriate to the type of information handled by or impacted by the information resource.


Terms: Certification Profile, Cloud Service Offering, FedRAMP Practices, Handle, Information Resource, Security Category, Third-Party Information Resource

FedRAMP Certification Package

FRC-CSO-PKG

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers seeking a Class A Certification MUST supply a complete FedRAMP Certification Package to FedRAMP for initial certification; the FedRAMP Certification Package MUST include at least the following information:

  1. A Certification Package Overview
  2. An External Framework Mapping

Terms: Certification Package, Initial Certification

FedRAMP JSON Schemas

FRC-CSO-JSN

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST supply machine-readable information in JSON documents that are valid against the corresponding JSON schema when a rule contains a FedRAMP JSON schema, UNLESS otherwise specified in the rule.


Note: FedRAMP JSON schemas are designed to be lightweight and flexible to establish a minimum set of structured information while allowing providers to improve on the format and structure of the information as needed to meet their needs and the needs of their customers.


Terms: Machine-Readable

Maintain Responsibility and Accountability

FRC-CSO-MRA

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST maintain responsibility and accountability for the accuracy and completeness of all information in the FedRAMP Certification Package, especially when they engage a third party (such as an independent assessor, advisory service, or external tools) to supply information on their behalf.


Terms: Certification Package

Pick One Program Certification Type

FRC-CSO-POP

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST NOT seek both FedRAMP Rev5 Program Certification and FedRAMP 20x Program Certification for the same cloud service offering; pick one type.


Note: This rule does not prevent a provider from seeking and maintaining a FedRAMP Rev5 Agency Certification and a FedRAMP 20x Program Certification for the same cloud service offering; however, doing so is strongly discouraged due to the increased complexity and risk of confusion for all parties.


Terms: Cloud Service Offering

FedRAMP Class A Certification Rules

These are specific rules that apply to providers seeking FedRAMP Class A Certifications.

Approved Alternative Security Frameworks

FRC-CLA-ASF

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers seeking a FedRAMP Class A Certification MUST have completed a certification or equivalent process, including an independent assessment if applicable, from one of the following alternative security frameworks:

  1. FedRAMP Rev5 (including FedRAMP Ready) at any historical Impact Level
  2. SOC 2 Type II
  3. GovRAMP at any Impact Level

Terms: Security Category

External Assessment Materials

FRC-CLA-EAM

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers seeking a FedRAMP Class A Certification MUST supply the full materials from the alternative security assessment to all necessary parties as part of the FedRAMP Certification Package.


Terms: All Necessary Parties, Certification Package

Address FedRAMP Rules for Class A

FRC-CLA-AFR

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers seeking a Class A FedRAMP Certification of any Type MUST address all rules in this FedRAMP Class A Certification subset (FRC-CLA) AND the following additional FedRAMP rules; the appropriate artifacts or information mapping for all rules MUST be supplied in the FedRAMP Certification Package.

  1. FedRAMP Certification: FRC-CSO-PKG (FedRAMP Certification Package)
  2. FedRAMP Certification: FRC-CSO-JSN (FedRAMP JSON Schemas)
  3. FedRAMP Certification: FRC-CSO-POP (Pick One Program Certification Type)
  4. Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
  5. Certification Data Sharing: CDS-CSO-PUB (Public Information)
  6. Certification Data Sharing: CDS-CSO-UTC (Use Trust Centers)
  7. Certification Data Sharing: CDS-UTC-AAD (Agency Access Denial)
  8. Addressing FedRAMP Communication: AFC-CSO-INB (Maintain a FedRAMP Security Inbox)
  9. Addressing FedRAMP Communication: AFC-CSO-RCV (Receive Email Without Disruption)
  10. Addressing FedRAMP Communication: AFC-CSO-CRA (Complete Required Actions)
  11. Incident Evaluation and Communication: IEC-CSO-EFR (Evaluate FedRAMP Reportability)
  12. Vulnerability Detection and Response: VDR-CSO-DET (Vulnerability Detection)
  13. Collaborative Continuous Monitoring: CCM-OCR-AVL (Report Availability)
  14. Collaborative Continuous Monitoring: CCM-OCR-NRD (Next Report Date)
  15. Key Security Indicators: KSI-CMT-LMC (Logging Changes)
  16. Key Security Indicators: KSI-CNA-RNT (Restricting Network Traffic)
  17. Key Security Indicators: KSI-CED-RAT (Reviewing All Training)
  18. Key Security Indicators: KSI-IAM-AAM (Automating Account Management)
  19. Key Security Indicators: KSI-INR-RIR (Reviewing Incident Response Procedures)
  20. Key Security Indicators: KSI-SVC-SIN (Securing Information)

Notes:

  • Some of these specific FedRAMP rules may not have similar counterparts in external frameworks and providers will need to implement new processes to follow these rules.
  • In general, for each of these FedRAMP requirements, providers should include a sufficiently detailed summary that reviewers will not need to dig into the related security framework materials to understand the related decisions; just saying "see SOC 2 report" is not particularly helpful.
  • Information about how the provider addresses the included Key Security Indicators is required for both Rev5 and 20x Class A Certifications.

Terms: Artifacts, Certification Data, Certification Package, Certification Type, FedRAMP Security Inbox, Incident, Information Resource, Initial Incident Report (IIR), Ongoing Certification Report (OCR), Trust Center, Vulnerability, Vulnerability Detection, Vulnerability Response

Optional Independent Verification and Validation

FRC-CLA-IVV

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers seeking a FedRAMP Class A Certification MAY have the FedRAMP Certification Package independently verified and validated by a FedRAMP Recognized assessor before submission to FedRAMP.


Terms: Certification Package, FedRAMP Recognized, Validation, Verification

Applying for FedRAMP Certification

These rules apply to cloud service providers who have met all other relevant rules and are ready to apply for any FedRAMP Certification.

Marketplace Listing First

FRC-APP-MLF

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST be listed in the FedRAMP Marketplace before applying for FedRAMP Certification, including:

  1. FedRAMP Marketplace: MKT-CSO-MLR (Marketplace Listing Requirements)
  2. FedRAMP Marketplace: MKT-CSO-PML (Provider Marketplace Listing Requests)
  3. FedRAMP Marketplace: MKT-IIP-AGU (Agency Use Cases)
  4. FedRAMP Marketplace: MKT-IIP-DCP (Demonstrating Continuous Progress)

Applying for FedRAMP Certification

FRC-APP-AFC

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST complete the FedRAMP Certification Application Form at https://fedramp.gov/forms/provider-listing-request/ in full to request an initial assessment by FedRAMP.

Reference: FedRAMP Certification Application Form

Fresh FedRAMP Certification Package

FRC-APP-FCP

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST supply a fresh initial FedRAMP Certification Package that shows the current status of the cloud service offering as verified and validated by the provider within the previous 7 days.


Terms: Certification Package, Cloud Service Offering, Validation, Verification

Fresh Independent Assessment

FRC-APP-FIA

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST supply a fresh initial FedRAMP independent assessment that was completed by a FedRAMP Recognized Independent Assessment Service within the previous 3 months.


Terms: FedRAMP Independent Assessment, FedRAMP Recognized

No Third-Party Applicants

FRC-APP-NTP

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST NOT use a third party to apply for a FedRAMP Certification on their behalf; this includes independent assessment services.


Notes:

  • FedRAMP previously allowed independent assessment services to submit applications on behalf of providers, but this caused confusion about who was responsible for the application and the information in it. Providers should apply directly to ensure clear accountability.
  • Providers may use third parties to help them prepare their application and assessment materials for submission.

Updating Stale Assessments

FRC-APP-USA

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MAY freshen a stale initial independent verification and validation assessment by having a FedRAMP Recognized independent assessment service review any changes between the original assessment and the current status of the cloud service offering in place of a full re-assessment, UNLESS the stale assessment is more than 9 months old.


Terms: Cloud Service Offering, FedRAMP Recognized, Validation, Verification
