20x Class A Related Rules¶

Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message.

Note: Timeframes may vary by FedRAMP Certification class.

Terms: Certification Class

Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a FedRAMP Security Inbox (FSI).

Notes:

• Unless otherwise notified, FedRAMP will use the listed Security Email on the Marketplace for these notifications.
• If a provider establishes a new inbox in reaction to this guidance that is different from the Security Email then they must follow the AFC-CSO-NOC (Notification of Changes) rules to notify FedRAMP.

Terms: FedRAMP Security Inbox

Providers MUST receive and react to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP.

Note: This requirement is intended to prevent cloud service providers from requiring FedRAMP to complete a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the message.

Providers MUST publicly share up-to-date information about the cloud service offering in both human-readable and JSON formats, including at least the following information that is available and applicable:

1. Direct link to the FedRAMP Marketplace for the offering
2. Service Model
3. Deployment Model
4. Business Category
5. UEI Number
6. Sales Contact Information
7. Security Contact Information
8. Product Website Link
9. Link to Product Logo
10. Overall Service Description
11. Detailed list of specific services and their security categories (see CDS-CSO-SVC (Public Service List) (Service List))
12. Link to Secure Configuration Guidance
13. Overview of documentation supplied by the provider for the cloud service offering
14. Link to Trust Center landing page that includes instructions on accessing information in the trust center
15. Next Ongoing Certification Report date (see CCM-OCR-NRD (Next Report Date))
16. Current FedRAMP Recognized Independent Assessment Service

Note: Generally, this information should be available on a public webpage or publicly shared in a FedRAMP-compatible trust center.

Terms: Cloud Service Offering, FedRAMP Recognized, Ongoing Certification, Ongoing Certification Report (OCR), Security Category, Trust Center

Providers MUST use a FedRAMP-compatible trust center to store and share FedRAMP Certification Data with all necessary parties.

Note: Rules for FedRAMP-Compatible Trust Centers are explained in the Certification Data Sharing Rules under the FedRAMP-Compatible Trust Centers section (id: CDS-TRC).

Terms: All Necessary Parties, Certification Data, Trust Center

Providers MUST notify FedRAMP within 5 business days of denying an agency access request for FedRAMP Certification Data.

Timeframe: 5 business days

Terms: Certification Data

Providers MUST supply an Ongoing Certification Report to all necessary parties every 3 months, covering the entire period since the previous summary, in a consistent format that is human readable; this report MUST include high-level summaries of at least the following information:

1. Changes to FedRAMP Certification Data
2. Planned changes to FedRAMP Certification Data during at least the next 3 months
3. Accepted vulnerabilities
4. Transformative changes
5. Updated recommendations or best practices for security, configuration, usage, or similar aspects of the cloud service offering
6. A list of all agencies that are directly using the product
7. FedRAMP Reportable Incidents or an attestation that no such incidents occurred
8. Lessons learned and changes planned or made as a result of FedRAMP Reportable Incidents (if such occurred)

Terms: Accepted Vulnerability, All Necessary Parties, Certification Data, Cloud Service Offering, FedRAMP Reportable Incident, Incident, Ongoing Certification, Ongoing Certification Report (OCR), Transformative Change, Vulnerability

Providers MUST supply the target date for their next Ongoing Certification Report with other public FedRAMP Certification Data.

Terms: Certification Data, Ongoing Certification, Ongoing Certification Report (OCR)

Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Communications Procedures.

Terms: FedRAMP Reportable Incident, Federal Customer Data, Incident, Likely, Promptly

Providers MUST demonstrate that a cloud service offering is intended for one of the following use cases:

1. Direct Use: The product will be used directly by agency customers for integration into a federal information system that falls within the scope of 44 USC § 3506 and will receive an agency Authorization to Operate.
2. Indirect Use: The product will be included as a third-party information resource in other cloud service offerings that are directly used by agency customers.

Notes:

• FedRAMP will not list products or services that are outside the explicit statutory scope of FedRAMP; See MKT-FRP-SOF (Scope of FedRAMP).
• Services used by private companies to meet other compliance requirements (such as CMMC) that do not also meet one of the above use cases are outside the scope of FedRAMP.

Terms: Cloud Service Offering, Information Resource, Third-Party Information Resource

Providers MUST demonstrate continuous progress towards a FedRAMP Certification, documented in their Trust Center or website and updated at least quarterly; progress is measured by the provider against documented goals and milestones.

Note: This is an opportunity for a business to showcase its goals and progress, and should be seen as a marketing and customer experience challenge instead of a compliance challenge.

Terms: Trust Center

Providers MUST identify a set of information resources to assess for FedRAMP Certification that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering; this set of information resources is the cloud service offering.

Notes:

• Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope.
• Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Certification Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see fedramp.gov/scope.
• All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP Certification rules and documented by the cloud service provider in their FedRAMP Certification Package.

Terms: Certification Package, Cloud Service Offering, Federal Customer Data, Handle, Information Resource, Likely

Providers MUST systematically, persistently, and promptly discover and identify vulnerabilities within their cloud service offering using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, penetration testing, incident response, automated control testing, supply chain monitoring, and other relevant capabilities; this process is called vulnerability detection. Vulnerability detection includes persistently verifying and validating that information resources and processes are operating as intended and documented for FedRAMP Practices.

Notes:

• FedRAMP's vulnerability detection (and response) rules are intended to set modern expectations for maintaining the security of a cloud service. Historical FedRAMP guidance on vulnerability scanning or continuous monitoring generally focused only on CVE-type vulnerabilities while leaving other types of vulnerabilities and exposures unaddressed.
• Providers are encouraged to leverage their existing holistic security review, architecture review, and similar processes to meet these requirements. FedRAMP strongly discourages providers from implementing separate vulnerability detection and response processes for FedRAMP reporting that are operated by independent compliance branches unless these processes are consuming data directly from the areas of the cloud service that actively maintain it.

Terms: Cloud Service Offering, FedRAMP Practices, Incident, Information Resource, Persistently, Promptly, Vulnerability, Vulnerability Detection, Vulnerability Response