FedRAMP Certification¶

FedRAMP MUST perform a minimum level of continuous monitoring for cloud service offerings with FedRAMP Program Certification, including at least reviewing Ongoing Certification Reports.

Terms: Cloud Service Offering, Ongoing Certification

FedRAMP MAY approve exemptions from some FedRAMP Certification rules in rare circumstances by supplying an explicit waiver, based on a prioritization and risk assessment completed by FedRAMP.

Notes:

• FedRAMP will determine when such exemptions are appropriate.
• Exemptions will typically be part of a public prioritization process and criteria will be published publicly.
• Do not ask FedRAMP for an exemption unless the publicly published criteria is met.

Providers MUST follow and persistently address the FedRAMP Certification Data Sharing (CDS) rules, based on the applicability and effective date(s) in those rules.

Related SP 800-53 Controls: AC-3, AC-4, AU-2, AU-3, AU-6, CA-2, IR-4, RA-5, SC-8

Reference: FedRAMP Certification Data Sharing

Terms: Certification Data, Persistently

Providers MUST follow and persistently address the Collaborative Continuous Monitoring (CCM) rules, based on the applicability and effective date(s) in those rules.

Reference: Collaborative Continuous Monitoring

Terms: Persistently

Providers MUST follow and persistently address the FedRAMP Security Inbox (FSI) rules, based on the applicability and effective date(s) in those rules.

Reference: FedRAMP Security Inbox

Terms: FedRAMP Security Inbox, Persistently

Providers MUST follow and persistently address the FedRAMP Incident Communications Procedures (ICP) rules, based on the applicability and effective date(s) in those rules.

Reference: Incident Communications Procedures

Terms: Incident, Persistently

Providers MUST follow and persistently address the FedRAMP Minimum Assessment Scope (MAS) rules, based on the applicability and effective date(s) in those rules.

Related SP 800-53 Controls: AC-1, AC-21, AT-1, AU-1, CA-1, CM-1, CP-1, CP-2.1, CP-2.8, CP-4.1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PL-2, PL-4, PL-4.1, PS-1, RA-1, RA-9, SA-1, SC-1, SI-1, SR-1, SR-2, SR-3, SR-11

Reference: Minimum Assessment Scope

Terms: Persistently

Providers MUST follow and persistently address the FedRAMP Secure Configuration Guide (SCG) rules, based on the applicability and effective date(s) in those rules.

Reference: Secure Configuration Guide

Terms: Persistently

Providers MUST follow and persistently address the FedRAMP Significant Change Notifications (SCN) rules, based on the applicability and effective date(s) in those rules.

Related SP 800-53 Controls: CA-7.4, CM-3.4, CM-4, CM-7.1, AU-5, CA-5, CA-7, RA-5, RA-5.2, SA-22, SI-2, SI-2.2, SI-3, SI-5, SI-7.7, SI-10, SI-11

Reference: Significant Change Notifications

Terms: Persistently, Significant Change

Providers MUST follow and persistently address the FedRAMP Using Cryptographic Modules (UCM) rules, based on the applicability and effective date(s) in those rules.

Reference: Using Cryptographic Modules

Terms: Persistently

Providers MUST follow and persistently address the FedRAMP Vulnerability Detection and Response (VDR) rules, based on the applicability and effective date(s) in those rules.

Related SP 800-53 Controls: CA-2, CA-7, CA-7.6, IR-1, IR-4, IR-4.1, IR-5, IR-5.1, IR-6, IR-6.1, IR-6.2, PM-3, PM-5, PM-31, RA-2, RA-2.1, RA-3, RA-3.3, RA-5, RA-5.2, RA-5.3, RA-5.4, RA-5.5, RA-5.6, RA-5.7, RA-5.11, RA-9, RA-10, SI-2, SI-2.1, SI-2.2, SI-2.4, SI-2.5, SI-3, SI-3.1, SI-3.2, SI-4, SI-4.2, SI-4.3, SI-4.7, CA-7.4, RA-7

Reference: Vulnerability Detection and Response

Terms: Persistently, Vulnerability, Vulnerability Detection, Vulnerability Response

Providers MUST NOT seek both FedRAMP Rev5 Program Certification and FedRAMP 20x Program Certification for the same cloud service offering; pick one type.

Note: This rule does not prevent a provider from seeking and maintaining a FedRAMP Rev5 Agency Certification and a FedRAMP 20x Program Certification for the same cloud service offering, however, doing so is strongly discouraged due to the increased complexity and risk of confusion for all parties.

Terms: Cloud Service Offering

Providers MUST persistently verify and validate that their information resources are operating as intended; this process is called Persistent Verification and Validation (PVV) and is part of vulnerability detection.

Terms: Information Resource, Persistently, Validation, Verification, Vulnerability, Vulnerability Detection

Providers MUST treat problems detected during persistent verification and validation as vulnerabilities, including failures of the verification and validation process it; FedRAMP Vulnerability Detection and Response rules MUST be followed for such findings.

Terms: Persistently, Validation, Verification, Vulnerability, Vulnerability Detection, Vulnerability Response

Providers MUST verify and validate the status of non-machine-based information resources at least once every 3 months.

Terms: Information Resource, Machine-Based (Information Resources), Validation, Verification

Notes:

• The first such completed assessment is typically called an "initial assessment" while following assessments are called "annual assessments."
• The specific requirements for independent verification and validation assessments are documented by the FedRAMP Certification Class and Type.
• The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council.
• FedRAMP Recognized independent assessors are listed on the FedRAMP Marketplace.

Terms: Certification Data, FedRAMP Recognized, Persistently, Validation, Verification

Providers SHOULD supply all necessary accessors with technical explanations, demonstrations, and other relevant supporting information about the technical capabilities they employ to address FedRAMP rules; this SHOULD be supplied as necessary to ensure the assessor can effectively complete verification and validation.

Terms: Validation, Verification

Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their verification, validation and reporting procedures, UNLESS doing so is likely to compromise the objectivity and integrity of the assessment.

Terms: Likely, Validation, Verification

Assessors MUST verify and validate the implementation of processes derived from FedRAMP requirements, including rules, controls and Key Security Indicators, to determine whether or not the provider has accurately documented their process and security goals for the cloud service offering.

Terms: Cloud Service Offering, Validation, Verification

Assessors MUST verify and validate whether or not the underlying processes are consistently creating the desired security outcome documented by the provider.

Terms: Validation, Verification

Assessors MUST assess whether or not procedures are consistently followed, including evaluating the processes in place to ensure this occurs, without relying solely on the existence of procedure documents.

Note: This includes evaluating tests or plans for activities that may occur in the future but have not yet occurred.

Assessors MUST perform verification and validation using a combination of quantitative and expert qualitative assessment as appropriate AND document which is applied to which aspect of the assessment.

Terms: Validation, Verification

Assessors MUST deliver a high-level summary of their assessment process and findings for each FedRAMP requirement, including rules, controls, and Key Security Indicators; this summary will be included in the FedRAMP Certification Data for the cloud service offering.

Terms: Certification Data, Cloud Service Offering

Assessors MUST supply an overall summary of the verification and validation assessment results, including any resulting failures or areas of dispute, to the provider and all necessary assessors.

Note: FedRAMP will make the final FedRAMP Certification decision based on the assessor's findings and other relevant information.

Terms: All Necessary Assessors, Validation, Verification

Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process.

Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve the provider's security posture or the effectiveness, clarity, and accuracy of their verification, validation and reporting procedures, UNLESS doing so is likely to compromise the objectivity and integrity of the assessment.

Terms: Likely, Validation, Verification

Providers seeking a FedRAMP Class A Certification MUST have completed a certification or equivalent process, including an independent assessment, from one of the following alternative security frameworks:

1. FedRAMP Ready
2. SOC 2 Type II
3. GovRAMP

Providers seeking a FedRAMP Class A Certification MUST supply the full materials from the alternative security assessment to all necessary parties as part of the FedRAMP Certification Package.

Terms: All Necessary Parties, Certification Package

Providers seeking a Class A FedRAMP Certification MUST address the following FedRAMP rules and supply the appropriate artifacts or information mapping in the FedRAMP Certification Package:

1. FedRAMP Certification: FRC-CSO-POP (Pick One Program Certification Type)
2. Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
3. Certification Data Sharing: CDS-CSO-PUB (Public Information)
4. Certification Data Sharing: CDS-CSO-UTC (Use Trust Centers)
5. Certification Data Sharing: CDS-UTC-PGD (Public Guidance)
6. Certification Data Sharing: CDS-UTC-AAD (Agency Access Denial)
7. FedRAMP Security Inbox: FSI-CSO-INB (Maintain a FedRAMP Security Inbox)
8. FedRAMP Security Inbox: FSI-CSO-RCV (Receive Email Without Disruption)
9. FedRAMP Security Inbox: FSI-CSO-CRA (Complete Required Actions)
10. Incident Communications Procedures: ICP-CSO-EFR (Evaluate FedRAMP Reportability)
11. Vulnerability Detection and Response: VDR-CSO-DET (Vulnerability Detection)
12. Continuous Collaborative Monitoring: CCM-OCR-AVL (Report Availability)
13. Continuous Collaborative Monitoring: CCM-OCR-NRD (Next Report Date)

Note: If the alternative security framework has existing rules that align with these FedRAMP rules then a mapping to the alternative security framework content may be supplied instead of generating new artifacts.

Terms: Artifacts, Certification Data, Certification Package, FedRAMP Security Inbox, Incident, Information Resource, Initial Incident Report (IIR), Ongoing Certification Report (OCR), Trust Center, Vulnerability, Vulnerability Detection, Vulnerability Response

Providers seeking a FedRAMP Class A Certification MAY have the FedRAMP Certification Package independently verified and validated by a FedRAMP Recognized assessor before submission to FedRAMP.

Terms: Certification Package, FedRAMP Recognized, Validation, Verification

Providers seeking a FedRAMP 20x Certification Class A by leveraging an alternative security framework MUST supply a temporary mapping from the alternative security assessment to the following FedRAMP Key Security Indicators:

1. KSI-CMT-LMC
2. KSI-CNA-RNT
3. KSI-CED-RAT
4. KSI-IAM-AAM
5. KSI-INR-RIR
6. KSI-SVC-SNT

Notes:

• The mapping must be available in both machine-readable and human-readable formats.
• If a mapping is not clear, the provider should supply new information indicating that the Key Security Indicator has not been independently audited.

Terms: Machine-Readable

Providers seeking a FedRAMP Rev5 Class A Certification by leveraging an alternative security framework that is based on the SP 800-53 Revision 5 MUST supply all Security Decision Record materials required for FedRAMP Rev5 Class B Certification.

Notes:

• The only approved alternative security frameworks based on the SP 800-53 Revision 5 are FedRAMP Ready and GovRAMP.
• An independent assessment is not required for FedRAMP Rev5 Class A Certification.

Providers MUST be listed in the FedRAMP Marketplace before applying for FedRAMP Certification.

Note: See FedRAMP's Marketplace Listing rules for information about being listed in the Marketplace in the Preparation Phase prior to receiving a formal FedRAMP Certification.

Providers MUST complete the FedRAMP Certification Application Form at https://fedramp.gov/forms/provider-listing-request/ in full to request an initial assessment by FedRAMP.

Reference: FedRAMP Certification Application Form

Providers MUST supply a fresh initial FedRAMP Certification Package that shows the current status of the cloud service offering as verified and validated by the provider within the previous 7 days.

Terms: Certification Package, Cloud Service Offering, Validation, Verification

Providers MUST supply a fresh initial independent verification and validation assessment that was completed by a FedRAMP Recognized Independent Assessment Service within the previous 3 months.

Terms: FedRAMP Recognized, Validation, Verification

Providers seeking a FedRAMP Rev5 Agency Certification MUST have completed the Authorization to Operate (ATO) process with their agency sponsor for the cloud service offering, concluding with a formal signed ATO letter that the agency has sent over official government channels to FedRAMP.

Terms: Cloud Service Offering

Providers MUST maintain simple high-level summaries of at least the following for each Key Security Indicator:

1. Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability
2. The consolidated information resources that will be validated (this should include consolidated summaries such as "all employees with privileged access that are members of the Admin group")
3. The machine-based processes for validation and the persistent cycle on which they will be performed (or an explanation of why this doesn't apply)
4. The non-machine-based processes for validation and the persistent cycle on which they will be performed (or an explanation of why this doesn't apply)
5. Current implementation status
6. Any clarifications or responses to the assessment summary

Terms: Machine-Based (Information Resources), Validation

Providers SHOULD apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.

Terms: Cloud Service Offering

Terms: Information Resource, Machine-Based (Information Resources), Validation, Verification

Assessors MUST NOT rely on screenshots, configuration dumps, or other static output as evidence EXCEPT when evaluating the accuracy and reliability of a process that generates such artifacts.

Terms: Artifacts

Assessors MUST verify and validate the underlying processes (both machine-based and non-machine-based) that providers use to validate Key Security Indicators; this should include at least:

1. The effectiveness, completeness, and integrity of the automated processes that perform validation of the cloud service offering's security posture.
2. The effectiveness, completeness, and integrity of the human processes that perform validation of the cloud service offering's security posture
3. The coverage of these processes within the cloud service offering, including if all of the consolidated information resources listed are being validated.

Terms: Cloud Service Offering, Information Resource, Machine-Based (Information Resources), Validation, Verification

Providers seeking a FedRAMP Rev5 Class D Certification MUST use the FedRAMP Agency Certification path.

Note: FedRAMP will not perform FedRAMP Rev5 Class D Program Certifications.

Terms: Information Resource, Machine-Based (Information Resources), Validation, Verification

Providers with FedRAMP Rev5 Ready status MUST convert to a FedRAMP Certification before the furthest date of the expiration of their most recently yearly assessment or November 17, 2026; the legacy FedRAMP Ready status will be entirely removed on December 31, 2027.

Note: Cloud services that do not wish to convert or do not meet conversion criteria will be renamed Legacy FedRAMP Ready and otherwise retired from FedRAMP Ready.