Certification Data Sharing¶

Providers MUST publicly share up-to-date information about the cloud service offering in both human-readable and JSON formats, including at least the following information that is available and applicable:

1. Direct link to the FedRAMP Marketplace for the offering
2. Service Model
3. Deployment Model
4. Business Category
5. UEI Number
6. Sales Contact Information
7. Security Contact Information
8. Product Website Link
9. Link to Product Logo
10. Overall Service Description
11. Detailed list of specific services and their security categories (see CDS-CSO-SVC (Public Service List) (Service List))
12. Link to Secure Configuration Guidance
13. Overview of documentation supplied by the provider for the cloud service offering
14. Link to Trust Center landing page that includes instructions on accessing information in the trust center
15. Next Ongoing Certification Report date (see CCM-OCR-NRD (Next Report Date))
16. Current FedRAMP Recognized Independent Assessment Service

Note: Generally, this information should be available on a public webpage or publicly shared in a FedRAMP-compatible trust center.

Terms: Cloud Service Offering, FedRAMP Recognized, Ongoing Certification, Ongoing Certification Report (OCR), Security Category, Trust Center

Providers MUST publicly share a detailed list of specific services and their security categories that are included in the cloud service offering using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP Minimum Assessment Scope without requesting access to underlying FedRAMP Certification Data.

Terms: Certification Data, Cloud Service Offering, Security Category

Providers MUST always include the FedRAMP ID of the related cloud service offering in all FedRAMP Certification Data, including all reports, notifications, and other communication that results from FedRAMP Rules.

Note: Many providers have multiple cloud service offerings or use internal names that don't align to public materials; using the FedRAMP ID ensures we can easily align the communication with a specific cloud service offering.

Terms: Certification Data, Cloud Service Offering

Terms: All Necessary Parties, Cloud Service Offering, Incident, Machine-Readable

Providers MUST use a FedRAMP-compatible trust center to store and share FedRAMP Certification Data with all necessary parties.

Note: Rules for FedRAMP-Compatible Trust Centers are explained in the Certification Data Sharing Rules under the FedRAMP-Compatible Trust Centers section (id: CDS-TRC).

Terms: All Necessary Parties, Certification Data, Trust Center

Providers MUST use automation to ensure information remains consistent between human-readable and machine-readable formats when FedRAMP Certification Data is provided in both formats.

Terms: Certification Data, Machine-Readable

Providers MUST provide sufficient information in FedRAMP Certification Data to support agency authorization decisions but SHOULD NOT include sensitive information that would likely enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the cloud service offering.

Note: This is not a license to exclude accurate risk information, but specifics that would likely lead to compromise should be abstracted. A breach of confidentiality with FedRAMP Certification Data should be anticipated by a secure cloud service provider.

Terms: Certification Data, Cloud Service Offering, Likely

Providers MUST supply all relevant policies and procedures in the FedRAMP Certification Data, including a human-readable and machine-readable reference that explains at least the following about each included policy and procedure:

1. Name of policy or procedure
2. Name of file, document, web page, etc.
3. Brief summary of policy or procedure
4. Word count of document
5. Current version
6. Date of last update
7. Related FedRAMP Practices (if applicable)

Terms: Certification Data, FedRAMP Practices, Machine-Readable

Providers MUST supply historical versions of FedRAMP Certification Data for three years to all necessary parties UNLESS otherwise specified by applicable FedRAMP rules; deltas between versions MAY be consolidated quarterly.

Note: Consolidating changes quarterly means that the historical status at the end of each quarter or at the time of the Ongoing Certification Report or Quarterly Review is sufficient, instead of maintaining separate versions with every single change that took place throughout the quarter.

Terms: All Necessary Parties, Certification Data, Ongoing Certification, Ongoing Certification Report (OCR), Quarterly Review

Notes:

• Providers determine what they consider to be separate services, based on maximizing the customer experience for agencies who may only adopt some services and not others.
• Providers are encouraged to provide a single comprehensive set of materials for all shared aspects of the service offering and only provide separate materials for unique aspects of each service to minimize the burden on providers and agencies.

Providers MAY responsibly share some or all of the information in a FedRAMP Certification Package publicly or with other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering.

Terms: Certification Package, Cloud Service Offering, Likely, Responsibly

Trust centers MUST share FedRAMP Certification Data with all necessary parties without interruption.

Note: "Without interruption" means that parties should not have to request manual approval each time they need to access FedRAMP Certification Data or go through a complicated process. The preferred way of ensuring access without interruption is to use on-demand just-in-time access provisioning.

Terms: All Necessary Parties, Certification Data, Trust Center

Trust centers MUST provide documented programmatic access to all FedRAMP Certification Data, including programmatic access to human-readable materials.

Terms: Certification Data, Trust Center

Trust centers MUST maintain an inventory and history of federal agency users or systems with access to FedRAMP Certification Data and MUST make this information available to FedRAMP upon request.

Terms: Certification Data, Trust Center

Trust centers MUST log access to FedRAMP Certification Data and store summaries of access for at least six months; such information, as it pertains to specific parties, SHOULD be made available upon request by those parties.

Terms: Certification Data, Trust Center

Trust centers SHOULD make FedRAMP Certification Data available to view and download in both human-readable and machine-readable formats.

Terms: Certification Data, Machine-Readable, Trust Center

Trust centers SHOULD include features that encourage all necessary parties to provision and manage access to FedRAMP Certification Data for their users and services directly.

Terms: All Necessary Parties, Certification Data, Trust Center

Providers MUST notify FedRAMP within 5 business days of denying an agency access request for FedRAMP Certification Data.

Timeframe: 5 business days

Terms: Certification Data

Providers SHOULD supply access to the FedRAMP Certification package with agencies upon request.

Terms: Certification Package

Providers MUST notify all necessary parties when migrating to a trust center and MUST provide information in their existing USDA Connect Community Portal secure folders explaining how to use the trust center to obtain FedRAMP Certification Data.

Terms: All Necessary Parties, Certification Data, Trust Center