Certification Package Overview¶
The Certification Package Overview rules outline the expectations for a simple overview of the cloud service offering that must be included within a FedRAMP Certification Package. This overview replaces the historically required base System Security Plan for FedRAMP Rev5 and is intended to provide a clear, concise, and consistent summary of the offering and the information included in the package to help customers understand the offering at a high level.
Subsets
Effective Date(s) & Overall Applicability for Rev5
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2027-01-01
- Maintain: 2027-07-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01
- Sign-up Form: ADDME
General Provider Responsibilities¶
These rules apply to providers for FedRAMP Certifications of any type.
Overview of the Cloud Service Offering¶
CPO-CSO-OVR
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Related JSON Schema: FedRAMP Certification Package Overview Schema
Note: This is a placeholder, the URL will not work yet.
Providers MUST supply a Certification Package Overview within their FedRAMP Certification Package, in both human-readable and JSON formats, that includes at least all of the information required by the following rules:
- Certification Package Overview: CPO-CSO-MTD (Certification Package Overview Metadata)
- Certification Data Sharing: CDS-CSO-PUB (Public Information)
- Certification Data Sharing: CDS-CSO-SVC (Public Service List)
- Certification Data Sharing: CDS-CSO-IRP (Include Relevant Policies)
- Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
- Minimum Assessment Scope: MAS-CSO-FLO (Information Flows and Security Categories)
- Minimum Assessment Scope: MAS-CSO-TPR (Third-Party Information Resources)
- Using Cryptographic Modules: CMU-CSO-CMD (Cryptographic Module Documentation)
- FedRAMP Assessment: Whatever rule is created to replace the SAR ;)
Notes:
- For FedRAMP Rev5, the Certification Package Overview replaces the historically required System Security Plan (not including appendices).
- This list of rules may not apply to all FedRAMP Certification Classes or Types - if a rule does not apply then the information is not required.
Terms: Certification Class, Certification Data, Certification Package, Information Resource, Initial Incident Report (IIR), Security Category, Third-Party Information Resource
Certification Package Overview Metadata¶
CPO-CSO-MTD
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST also include the following basic metadata in their Certification Package Overview:
- Name, title, and contact information of official that is responsible and accountable for the FedRAMP Certification Package
- Version
- Date and time of last update
- Source of update
Terms: Certification Package
Rev5-Specific Provider Responsibilities¶
These rules apply to providers for FedRAMP Rev5 Certifications.
Certification Package Maintenance for Rev5¶
CPO-CSF-CPM
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers with Rev5 Class D Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every six months.
Timeframe: 6 months
Notes:
- This maximum timeframe for Rev5 is the absolutely poorest worst case for horrible customer experience and is based on legacy FedRAMP Rev5 allowing providers to leave their packages unmaintained for up to a year. Rev5 providers should maintain their packages far more frequently than this requirement to ensure potential customers have access to up-to-date information, updating it at least after every transformative significant change.
- FedRAMP 20x Certifications expect providers to maintain their FedRAMP Certification Packages as changes occur to ensure they are never out of date.
Terms: Certification Package, Persistently, Significant Change, Transformative Change