Security Decision Record¶
The Security Decision Record replaced a traditional System Security Plan with a persistently maintained, verified, and validated record of the security decisions made by the cloud service provider over the lifecycle of their cloud service offering.
Subsets
Effective Date(s) & Overall Applicability for 20x
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2026-07-04
- Maintain: 2027-01-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01
General Provider Responsibilities¶
These rules apply to providers for FedRAMP Certifications of any type.
FedRAMP Rules¶
SDR-CSO-FRR
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Related JSON Schema: FedRAMP Security Decision Record Schema
Note: This is a placeholder, the URL will not work yet.
Providers MUST supply a Security Decision Record, in both human-readable and JSON formats, that includes at least all of the following information for each applicable FedRAMP Rule:
- Explanation of how the rule is followed, or an explanation of the reason and resulting risk to customers for not following the rule.
- Verification that the implementation is appropriate for the rule, or that the reason for not implementing is accepted by a senior official.
- Validation that the implementation is in place and working as intended, or that the reason for not implementing is accepted by a senior official.
- Independent verification.
- Independent validation.
- Any responses or clarifications to the comments in the independent verification or validation.
- Rule-specific artifacts (if applicable).
Terms: Artifacts, Validation, Verification
Security Decision Record Metadata¶
SDR-CSO-MTD
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST also include the following basic metadata in their Security Decision Record:
- Version
- Date and time of last update
- Source of update
20x-Specific Provider Responsibilities¶
These rules apply to providers for FedRAMP 20x Certifications.
Key Security Indicators¶
SDR-CSX-KSI
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Related JSON Schema: FedRAMP Security Decision Record Schema
Note: This is a placeholder, the URL will not work yet.
Providers MUST also include short and simple high-level summaries of at least the following for each applicable Key Security Indicator:
- Explanation of measures (and their objectives) that demonstrate the Key Security Indicator, or an explanation of the reason and resulting risk to customers for not having measures available for that Key Security Indicator.
- Explanation of the cycle for any measures that are implemented persistently (if applicable).
- Verification that the measures demonstrate the Key Security Indicator, or that the reason for not having them is accepted.
- Verification that the automation in place is accurate and sufficient to demonstrate appropriate measures for the Key Security Indicator, or that automation is not necessary for each measure.
- Validation that the measures are accurately produced and are in place and working as intended, or that the reason for not having them is valid.
Terms: Persistently, Validation, Verification
Key Security Indicator Metrics¶
SDR-CSX-KMT
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Related JSON Schema: FedRAMP Security Decision Record Schema
Note: This is a placeholder, the URL will not work yet.
Providers with 20x Class C Certifications MUST also include historical metrics in their Security Decision Record, supplying at least the following information for each applicable Key Security Indicator:
- Summary of each metric over the past 30 days
- Summary of metric up to the past year (where available)
- All daily metric data up to the past year (where available)