{"catalog":{"uuid":"c28b5036-fdfe-493e-8e6a-10d466048f38","metadata":{"links":[{"rel":"source-profile","href":"https://api.dev.comply0.com/v1/profiles/96fceeac-d3c2-4c05-aee2-de83f95426c2"}],"props":[{"name":"resolution-tool","value":"Comply0"}],"title":"FedRAMP 20x High Resolved","version":"2025-12-12","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"a7039ce5-a289-44f0-95d9-5bc9b77d0931"}],"last-modified":"2025-12-16T22:45:51.714Z","oscal-version":"1.1.3"},"groups":[{"id":"FRR","props":[{"name":"sort-id","value":"00"}],"title":"Requirements","groups":[{"id":"FRR-PVA","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services and those seeking authorization based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Persistent Validation and Assessment","controls":[{"id":"FRR-PVA-01","parts":[{"id":"FRR-PVA-01_smt","name":"statement","parts":[{"id":"FRR-PVA-01_smt_01","name":"item","prose":"Providers MUST *persistently* perform validation of their Key Security Indicators following the processes and cycles documented for their *cloud service offering* per FRR-KSI-02; this process is called *persistent validation* and is part of *vulnerability detection*."}]}],"props":[{"name":"label","value":"FRR-PVA-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Persistent 
Validation"},{"id":"FRR-PVA-02","parts":[{"id":"FRR-PVA-02_smt","name":"statement","parts":[{"id":"FRR-PVA-02_smt_01","name":"item","prose":"Providers MUST treat failures detected during *persistent validation* and failures of the *persistent validation* process as *vulnerabilities*, then follow the requirements and recommendations in the FedRAMP Vulnerability Detection and Response process for such findings."}]}],"props":[{"name":"label","value":"FRR-PVA-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Failures As Vulnerabilities"},{"id":"FRR-PVA-03","parts":[{"id":"FRR-PVA-03_smt","name":"statement","parts":[{"id":"FRR-PVA-03_smt_01","name":"item","prose":"Providers MUST include *persistent validation* activity in the reports on *vulnerability detection* and *response* activity required by the FedRAMP Vulnerability Detection and Response process."}]}],"props":[{"name":"label","value":"FRR-PVA-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Report Persistent Validation"},{"id":"FRR-PVA-04","parts":[{"id":"FRR-PVA-04_smt","name":"statement","parts":[{"id":"FRR-PVA-04_smt_01","name":"item","prose":"Providers MUST track *significant changes* that impact their Key Security Indicator goals and *validation* 
processes while following the requirements and recommendations in the FedRAMP Significant Change Notification process; if such *significant changes* are not properly tracked and supplied to *all necessary assessors* then a full *Initial FedRAMP Assessment* may be required in place of the expected *Persistent FedRAMP Assessment*."}]}],"props":[{"name":"label","value":"FRR-PVA-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Track Significant Changes"},{"id":"FRR-PVA-05","parts":[{"id":"FRR-PVA-05_smt","name":"statement","parts":[{"id":"FRR-PVA-05_smt_01","name":"item","prose":"Providers MUST have the implementation of their goals and validation processes assessed by a FedRAMP-recognized independent assessor OR by FedRAMP directly AND MUST include the results of this assessment in their *authorization data* without modification."}]},{"name":"guidance","prose":"- The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council. 
During 20x Phase Two this includes AI services that meet certain criteria as shown at https://fedramp.gov/ai.\n- FedRAMP recognized assessors are listed on the FedRAMP Marketplace."}],"props":[{"name":"label","value":"FRR-PVA-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Independent Assessment"},{"id":"FRR-PVA-06","parts":[{"id":"FRR-PVA-06_smt","name":"statement","parts":[{"id":"FRR-PVA-06_smt_01","name":"item","prose":"Providers MUST ensure a complete assessment of *validation* procedures (including underlying code, pipelines, configurations, automation tools, etc.) for the *cloud service offering* by *all necessary assessors*."}]}],"props":[{"name":"label","value":"FRR-PVA-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Complete Validation Assessment"},{"id":"FRR-PVA-07","parts":[{"id":"FRR-PVA-07_smt","name":"statement","parts":[{"id":"FRR-PVA-07_smt_01","name":"item","prose":"Providers SHOULD provide technical explanations, demonstrations, and other relevant supporting information to *all necessary assessors* for the technical capabilities they employ to meet Key Security Indicators and to provide 
*validation*."}]}],"props":[{"name":"label","value":"FRR-PVA-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Provide Technical Evidence"},{"id":"FRR-PVA-08","parts":[{"id":"FRR-PVA-08_smt","name":"statement","parts":[{"id":"FRR-PVA-08_smt_01","name":"item","prose":"Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their *validation* and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also FRR-PVA-09)."}]},{"name":"guidance","prose":"The related A2LA requirements are waived for FedRAMP 20x Phase Two assessments."}],"props":[{"name":"label","value":"FRR-PVA-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Receiving Assessor Advice"},{"id":"FRR-PVA-09","parts":[{"id":"FRR-PVA-09_smt","name":"statement","parts":[{"id":"FRR-PVA-09_smt_01","name":"item","prose":"Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their *validation* and reporting 
procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also FRR-PVA-08)."}]}],"props":[{"name":"label","value":"FRR-PVA-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Assessors May Advise"},{"id":"FRR-PVA-10","parts":[{"id":"FRR-PVA-10_smt","name":"statement","parts":[{"id":"FRR-PVA-10_smt_01","name":"item","prose":"Assessors MUST evaluate the underlying processes (both *machine-based* and non-*machine-based*) that providers use to *validate* Key Security Indicators; this evaluation should include at least:"},{"id":"FRR-PVA-10_smt_02","name":"item","prose":"- The effectiveness, completeness, and integrity of the automated processes that perform validation of the *cloud service offering's* security posture.\n- The effectiveness, completeness, and integrity of the human processes that perform *validation* of the *cloud service offering's* security posture.\n- The coverage of these processes within the *cloud service offering*, including if all of the consolidated *information resources* listed are being *validated*."}]}],"props":[{"name":"label","value":"FRR-PVA-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Evaluate Validation 
Processes"},{"id":"FRR-PVA-11","parts":[{"id":"FRR-PVA-11_smt","name":"statement","parts":[{"id":"FRR-PVA-11_smt_01","name":"item","prose":"Assessors MUST evaluate the implementation of processes derived from Key Security Indicators to determine whether or not the provider has accurately documented their process and goals."}]}],"props":[{"name":"label","value":"FRR-PVA-11"},{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Assess Process Implementation"},{"id":"FRR-PVA-12","parts":[{"id":"FRR-PVA-12_smt","name":"statement","parts":[{"id":"FRR-PVA-12_smt_01","name":"item","prose":"Assessors MUST evaluate whether or not the underlying processes are consistently creating the desired security outcome documented by the provider."}]}],"props":[{"name":"label","value":"FRR-PVA-12"},{"name":"sort-id","value":"012"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Assess Outcome Consistency"},{"id":"FRR-PVA-13","parts":[{"id":"FRR-PVA-13_smt","name":"statement","parts":[{"id":"FRR-PVA-13_smt_01","name":"item","prose":"Assessors MUST perform evaluation using a combination of quantitative and expert qualitative assessment as appropriate AND document which is applied to which aspect of the 
assessment."}]}],"props":[{"name":"label","value":"FRR-PVA-13"},{"name":"sort-id","value":"013"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Mixed Methods Evaluation"},{"id":"FRR-PVA-14","parts":[{"id":"FRR-PVA-14_smt","name":"statement","parts":[{"id":"FRR-PVA-14_smt_01","name":"item","prose":"Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process."}]}],"props":[{"name":"label","value":"FRR-PVA-14"},{"name":"sort-id","value":"014"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Engage Provider Experts"},{"id":"FRR-PVA-15","parts":[{"id":"FRR-PVA-15_smt","name":"statement","parts":[{"id":"FRR-PVA-15_smt_01","name":"item","prose":"Assessors MUST NOT rely on screenshots, configuration dumps, or other static output as evidence EXCEPT when evaluating the accuracy and reliability of a process that generates such 
artifacts."}]}],"props":[{"name":"label","value":"FRR-PVA-15"},{"name":"sort-id","value":"015"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Avoid Static Evidence"},{"id":"FRR-PVA-16","parts":[{"id":"FRR-PVA-16_smt","name":"statement","parts":[{"id":"FRR-PVA-16_smt_01","name":"item","prose":"Assessors MUST assess whether or not procedures are consistently followed, including the processes in place to ensure this occurs, without relying solely on the existence of a procedure document for assessing if appropriate processes and procedures are in place."}]},{"name":"guidance","prose":"Note: This includes evaluating tests or plans for activities that may occur in the future but have not yet occurred."}],"props":[{"name":"label","value":"FRR-PVA-16"},{"name":"sort-id","value":"016"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Verify Procedure Adherence"},{"id":"FRR-PVA-17","parts":[{"id":"FRR-PVA-17_smt","name":"statement","parts":[{"id":"FRR-PVA-17_smt_01","name":"item","prose":"Assessors MUST deliver a high-level summary of their assessment process and findings for each Key Security Indicator; this summary will be included in the *authorization data* for the *cloud service 
offering*."}]}],"props":[{"name":"label","value":"FRR-PVA-17"},{"name":"sort-id","value":"017"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"Deliver Assessment Summary"},{"id":"FRR-PVA-18","parts":[{"id":"FRR-PVA-18_smt","name":"statement","parts":[{"id":"FRR-PVA-18_smt_01","name":"item","prose":"Assessors MUST NOT deliver an overall recommendation on whether or not the *cloud service offering* meets the requirements for FedRAMP authorization."}]},{"name":"guidance","prose":"FedRAMP will make the final authorization decision based on the assessor's findings and other relevant information."}],"props":[{"name":"label","value":"FRR-PVA-18"},{"name":"sort-id","value":"018"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"No Overall Recommendation"}]},{"id":"FRR-RSC","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Recommended Secure Configuration","controls":[{"id":"FRR-RSC-01","parts":[{"id":"FRR-RSC-01_smt","name":"statement","parts":[{"id":"FRR-RSC-01_smt_01","name":"item","prose":"Providers 
MUST create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission *top-level administrative accounts* that control enterprise access to the entire *cloud service offering*."}]},{"name":"guidance","prose":"This guidance should explain how *top-level administrative accounts* are named and referred to in the *cloud service offering*."}],"props":[{"name":"label","value":"FRR-RSC-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Top-Level Administrative Accounts Guidance"},{"id":"FRR-RSC-02","parts":[{"id":"FRR-RSC-02_smt","name":"statement","parts":[{"id":"FRR-RSC-02_smt_01","name":"item","prose":"Providers MUST create and maintain guidance that explains security-related settings that can be operated only by *top-level administrative accounts* and their security implications."}]}],"props":[{"name":"label","value":"FRR-RSC-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Top-Level Administrative Accounts Security Settings Guidance"},{"id":"FRR-RSC-03","parts":[{"id":"FRR-RSC-03_smt","name":"statement","parts":[{"id":"FRR-RSC-03_smt_01","name":"item","prose":"Providers SHOULD create and maintain guidance that explains security-related settings that can be 
operated only by *privileged accounts* and their security implications."}]}],"props":[{"name":"label","value":"FRR-RSC-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Privileged Accounts Security Settings Guidance"},{"id":"FRR-RSC-04","parts":[{"id":"FRR-RSC-04_smt","name":"statement","parts":[{"id":"FRR-RSC-04_smt_01","name":"item","prose":"Providers SHOULD set all settings to their recommended secure defaults for *top-level administrative accounts* and *privileged accounts* when initially provisioned."}]}],"props":[{"name":"label","value":"FRR-RSC-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Secure Defaults on Provisioning"},{"id":"FRR-RSC-05","parts":[{"id":"FRR-RSC-05_smt","name":"statement","parts":[{"id":"FRR-RSC-05_smt_01","name":"item","prose":"Providers SHOULD offer the capability to compare all current settings for *top-level administrative accounts* and *privileged accounts* to the recommended secure 
defaults."}]}],"props":[{"name":"label","value":"FRR-RSC-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Comparison Capability"},{"id":"FRR-RSC-06","parts":[{"id":"FRR-RSC-06_smt","name":"statement","parts":[{"id":"FRR-RSC-06_smt_01","name":"item","prose":"Providers SHOULD offer the capability to export all security settings in a *machine-readable* format."}]}],"props":[{"name":"label","value":"FRR-RSC-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Export Capability"},{"id":"FRR-RSC-07","parts":[{"id":"FRR-RSC-07_smt","name":"statement","parts":[{"id":"FRR-RSC-07_smt_01","name":"item","prose":"Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability."}]}],"props":[{"name":"label","value":"FRR-RSC-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"API 
Capability"},{"id":"FRR-RSC-08","parts":[{"id":"FRR-RSC-08_smt","name":"statement","parts":[{"id":"FRR-RSC-08_smt_01","name":"item","prose":"Providers SHOULD provide recommended secure configuration guidance in a *machine-readable* format that can be used by customers or third-party tools to compare against current settings."}]}],"props":[{"name":"label","value":"FRR-RSC-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Machine-Readable Guidance"},{"id":"FRR-RSC-09","parts":[{"id":"FRR-RSC-09_smt","name":"statement","parts":[{"id":"FRR-RSC-09_smt_01","name":"item","prose":"Providers SHOULD make recommended secure configuration guidance available publicly."}]}],"props":[{"name":"label","value":"FRR-RSC-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Publish Guidance"},{"id":"FRR-RSC-10","parts":[{"id":"FRR-RSC-10_smt","name":"statement","parts":[{"id":"FRR-RSC-10_smt_01","name":"item","prose":"Providers SHOULD provide versioning and a release history for recommended secure default settings for *top-level administrative accounts* and *privileged accounts* as they are adjusted over 
time."}]}],"props":[{"name":"label","value":"FRR-RSC-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Versioning and Release History"}]},{"id":"FRR-UCM","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Using Cryptographic Modules","controls":[{"id":"FRR-UCM-01","parts":[{"id":"FRR-UCM-01_smt","name":"statement","parts":[{"id":"FRR-UCM-01_smt_01","name":"item","prose":"Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect *federal customer data*, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules."}]}],"props":[{"name":"label","value":"FRR-UCM-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Cryptographic Module 
Documentation"},{"id":"FRR-UCM-02","parts":[{"id":"FRR-UCM-02_smt","name":"statement","parts":[{"id":"FRR-UCM-02_smt_01","name":"item","prose":"Providers SHOULD configure *agency* tenants by default to use cryptographic services that use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available."}]}],"props":[{"name":"label","value":"FRR-UCM-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Use of Validated Cryptographic Modules"},{"id":"FRR-UCM-04","parts":[{"id":"FRR-UCM-04_smt","name":"statement","parts":[{"id":"FRR-UCM-04_smt_01","name":"item","prose":"Providers MUST use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect *federal customer data*."}]}],"props":[{"name":"label","value":"FRR-UCM-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Update Streams (High)"}]},{"id":"FRR-ADS","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Authorization 
Data Sharing","controls":[{"id":"FRR-ADS-01","parts":[{"id":"FRR-ADS-01_smt","name":"statement","parts":[{"id":"FRR-ADS-01_smt_01","name":"item","prose":"Providers MUST publicly share up-to-date information about the *cloud service offering* in both human-readable and *machine-readable* formats, including at least:"},{"id":"FRR-ADS-01_smt_02","name":"item","prose":"- Direct link to the FedRAMP Marketplace for the offering\n- Service Model\n- Deployment Model\n- Business Category\n- UEI Number\n- Contact Information\n- Overall Service Description\n- Detailed list of specific services and their impact levels (see FRR-ADS-03)\n- Summary of customer responsibilities and secure configuration guidance\n- Process for accessing information in the *trust center* (if applicable)\n- Availability status and recent disruptions for the *trust center* (if applicable)\n- Customer support information for the *trust center* (if applicable)"}]}],"props":[{"name":"label","value":"FRR-ADS-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Public Information"},{"id":"FRR-ADS-02","parts":[{"id":"FRR-ADS-02_smt","name":"statement","parts":[{"id":"FRR-ADS-02_smt_01","name":"item","prose":"Providers MUST use automation to ensure information remains consistent between human-readable and *machine-readable* formats when *authorization data* is provided in both formats; Providers SHOULD generate human-readable and *machine-readable* data from the same source at the same time OR generate human-readable formats directly from *machine-readable* 
data."}]}],"props":[{"name":"label","value":"FRR-ADS-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Consistency Between Formats"},{"id":"FRR-ADS-03","parts":[{"id":"FRR-ADS-03_smt","name":"statement","parts":[{"id":"FRR-ADS-03_smt_01","name":"item","prose":"Providers MUST share a detailed list of specific services and their impact levels that are included in the *cloud service offering* using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP authorization without requesting access to underlying *authorization data*."}]}],"props":[{"name":"label","value":"FRR-ADS-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Detailed Service List"},{"id":"FRR-ADS-04","parts":[{"id":"FRR-ADS-04_smt","name":"statement","parts":[{"id":"FRR-ADS-04_smt_01","name":"item","prose":"Providers MUST share *authorization data* with all necessary parties without interruption, including at least FedRAMP, CISA, and agency 
customers."}]}],"props":[{"name":"label","value":"FRR-ADS-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Uninterrupted Sharing"},{"id":"FRR-ADS-05","parts":[{"id":"FRR-ADS-05_smt","name":"statement","parts":[{"id":"FRR-ADS-05_smt_01","name":"item","prose":"Providers MUST provide sufficient information in *authorization data* to support authorization decisions but SHOULD NOT include sensitive information that would *likely* enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-ADS-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsible Information Sharing"},{"id":"FRR-ADS-06","parts":[{"id":"FRR-ADS-06_smt","name":"statement","parts":[{"id":"FRR-ADS-06_smt_01","name":"item","prose":"Providers of FedRAMP Rev5 Authorized *cloud service offerings* MUST share *authorization data* via the USDA Connect Community Portal UNLESS they use a FedRAMP-compatible *trust 
center*."}]}],"props":[{"name":"label","value":"FRR-ADS-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"USDA Connect Community Portal"},{"id":"FRR-ADS-07","parts":[{"id":"FRR-ADS-07_smt","name":"statement","parts":[{"id":"FRR-ADS-07_smt_01","name":"item","prose":"Providers of FedRAMP 20x Authorized *cloud service offerings* MUST use a FedRAMP-compatible *trust center* to store and share *authorization data* with all necessary parties."}]}],"props":[{"name":"label","value":"FRR-ADS-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"FedRAMP-Compatible Trust Centers"},{"id":"FRR-ADS-08","parts":[{"id":"FRR-ADS-08_smt","name":"statement","parts":[{"id":"FRR-ADS-08_smt_01","name":"item","prose":"Providers MUST notify all necessary parties when migrating to a *trust center* and MUST provide information in their existing USDA Connect Community Portal secure folders explaining how to use the *trust center* to obtain *authorization 
data*."}]}],"props":[{"name":"label","value":"FRR-ADS-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Trust Center Migration Notification"},{"id":"FRR-ADS-09","parts":[{"id":"FRR-ADS-09_smt","name":"statement","parts":[{"id":"FRR-ADS-09_smt_01","name":"item","prose":"Providers MUST make historical versions of *authorization data* available for three years to all necessary parties UNLESS otherwise specified by applicable FedRAMP requirements; deltas between versions MAY be consolidated quarterly."}]}],"props":[{"name":"label","value":"FRR-ADS-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Historical Authorization Data"},{"id":"FRR-ADS-10","parts":[{"id":"FRR-ADS-10_smt","name":"statement","parts":[{"id":"FRR-ADS-10_smt_01","name":"item","prose":"Providers SHOULD follow FedRAMP’s best practices and technical assistance for sharing *authorization data* where 
applicable."}]}],"props":[{"name":"label","value":"FRR-ADS-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Best Practices and Technical Assistance"}]},{"id":"FRR-ADS-AC","parts":[{"name":"overview","prose":"These requirements for managing access apply to cloud service providers who establish FedRAMP-compatible *trust centers* for storing and sharing *authorization data*."}],"props":[{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"access_control"}],"title":"Authorization Data Sharing (Access Control)","controls":[{"id":"FRR-ADS-AC-01","parts":[{"id":"FRR-ADS-AC-01_smt","name":"statement","parts":[{"id":"FRR-ADS-AC-01_smt_01","name":"item","prose":"Providers MUST publicly provide plain-language policies and guidance for all necessary parties that explains how they can obtain and manage access to *authorization data* stored in the *trust center*."}]}],"props":[{"name":"label","value":"FRR-ADS-AC-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Public Guidance"},{"id":"FRR-ADS-AC-02","parts":[{"id":"FRR-ADS-AC-02_smt","name":"statement","parts":[{"id":"FRR-ADS-AC-02_smt_01","name":"item","prose":"Providers SHOULD share at least the *authorization package* with 
prospective agency customers upon request and MUST notify FedRAMP within five business days if a prospective agency customer request is denied."}]}],"props":[{"name":"label","value":"FRR-ADS-AC-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Prospective Customer Access"}]},{"id":"FRR-ADS-TC","parts":[{"name":"overview","prose":"These requirements apply to FedRAMP-compatible *trust centers* used to store and share *authorization data*."}],"props":[{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"trust_center"}],"title":"Authorization Data Sharing (Trust Center)","controls":[{"id":"FRR-ADS-TC-01","parts":[{"id":"FRR-ADS-TC-01_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-01_smt_01","name":"item","prose":"*Trust centers* MUST be included as an *information resource* included in the *cloud service offering* for assessment if FRR-MAS-01 applies."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Trust Center Assessment"},{"id":"FRR-ADS-TC-02","parts":[{"id":"FRR-ADS-TC-02_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-02_smt_01","name":"item","prose":"*Trust centers* SHOULD make *authorization data* available 
to view and download in both human-readable and *machine-readable* formats"}]}],"props":[{"name":"label","value":"FRR-ADS-TC-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Human and Machine-Readable"},{"id":"FRR-ADS-TC-03","parts":[{"id":"FRR-ADS-TC-03_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-03_smt_01","name":"item","prose":"*Trust centers* MUST provide documented programmatic access to all *authorization data*, including programmatic access to human-readable materials."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Programmatic Access"},{"id":"FRR-ADS-TC-04","parts":[{"id":"FRR-ADS-TC-04_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-04_smt_01","name":"item","prose":"*Trust centers* SHOULD include features that encourage all necessary parties to provision and manage access to *authorization data* for their users and services 
directly."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Self-Service Access Management"},{"id":"FRR-ADS-TC-05","parts":[{"id":"FRR-ADS-TC-05_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-05_smt_01","name":"item","prose":"*Trust centers* MUST maintain an inventory and history of federal agency users or systems with access to *authorization data* and MUST make this information available to FedRAMP without interruption."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Access Inventory"},{"id":"FRR-ADS-TC-06","parts":[{"id":"FRR-ADS-TC-06_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-06_smt_01","name":"item","prose":"*Trust centers* MUST log access to *authorization data* and store summaries of access for at least six months; such information, as it pertains to specific parties, SHOULD be made available upon request by those 
parties."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Access Logging"},{"id":"FRR-ADS-TC-07","parts":[{"id":"FRR-ADS-TC-07_smt","name":"statement","parts":[{"id":"FRR-ADS-TC-07_smt_01","name":"item","prose":"*Trust centers* SHOULD deliver responsive performance during normal operating conditions and minimize service disruptions."}]}],"props":[{"name":"label","value":"FRR-ADS-TC-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsive Performance"}]},{"id":"FRR-ADS-EX","parts":[{"name":"overview","prose":"These exceptions MAY override some or all of the FedRAMP requirements for this standard."}],"props":[{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"exceptions"}],"title":"Authorization Data Sharing (Exceptions)","controls":[{"id":"FRR-ADS-EX-01","parts":[{"id":"FRR-ADS-EX-01_smt","name":"statement","parts":[{"id":"FRR-ADS-EX-01_smt_01","name":"item","prose":"Providers of FedRAMP Rev5 Authorized *cloud service offerings* at FedRAMP High using a legacy self-managed repository for *authorization data* MAY ignore the requirements in this Authorization Data Sharing document until future 
notice."}]}],"props":[{"name":"label","value":"FRR-ADS-EX-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Legacy Self-Managed Repository Exception"}]},{"id":"FRR-VDR","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Vulnerability Detection and Response","controls":[{"id":"FRR-VDR-01","parts":[{"id":"FRR-VDR-01_smt","name":"statement","parts":[{"id":"FRR-VDR-01_smt_01","name":"item","prose":"Providers MUST systematically, *persistently* , and *promptly* discover and identify *vulnerabilities* within their *cloud service offering* using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other relevant capabilities; this process is called *vulnerability detection*."}]}],"props":[{"name":"label","value":"FRR-VDR-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Vulnerability 
Detection"},{"id":"FRR-VDR-02","parts":[{"id":"FRR-VDR-02_smt","name":"statement","parts":[{"id":"FRR-VDR-02_smt_01","name":"item","prose":"Providers MUST systematically, *persistently* , and *promptly* track, evaluate, monitor, *mitigate* , *remediate* , assess exploitation of, report, and otherwise manage all detected vulnerabilities within their *cloud service offering* ; this process is called *vulnerability response*."}]}],"props":[{"name":"label","value":"FRR-VDR-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Vulnerability Response"},{"id":"FRR-VDR-03","parts":[{"id":"FRR-VDR-03_smt","name":"statement","parts":[{"id":"FRR-VDR-03_smt_01","name":"item","prose":"Providers MUST follow the requirements and recommendations outlined in FRR-VDR-TF regarding timeframes for *vulnerability detection* and *response*."}]},{"name":"guidance","prose":"Providers are strongly encouraged to build programs that consistently exceed these thresholds. 
Performance will be measured by FedRAMP for comparison between providers and scoring within the FedRAMP Marketplace."}],"props":[{"name":"label","value":"FRR-VDR-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Timeframe Requirements"},{"id":"FRR-VDR-04","parts":[{"id":"FRR-VDR-04_smt","name":"statement","parts":[{"id":"FRR-VDR-04_smt_01","name":"item","prose":"Providers MAY sample effectively identical *information resources* , especially *machine-based* *information resources* , when performing *vulnerability detection* UNLESS doing so would decrease the efficiency or effectiveness of *vulnerability detection*."}]}],"props":[{"name":"label","value":"FRR-VDR-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Sampling Identical Resources"},{"id":"FRR-VDR-05","parts":[{"id":"FRR-VDR-05_smt","name":"statement","parts":[{"id":"FRR-VDR-05_smt_01","name":"item","prose":"Providers SHOULD evaluate *detected vulnerabilities* , considering the context of the *cloud service offering* , to identify logical groupings of affected *information resources* that may improve the efficiency and effectiveness of *vulnerability response* by consolidating further activity; requirements and recommendations in this process are then 
applied to these consolidated groupings of *vulnerabilities* instead of each individual detected instance."}]}],"props":[{"name":"label","value":"FRR-VDR-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Grouping Vulnerabilities"},{"id":"FRR-VDR-06","parts":[{"id":"FRR-VDR-06_smt","name":"statement","parts":[{"id":"FRR-VDR-06_smt_01","name":"item","prose":"Providers SHOULD evaluate *detected vulnerabilities* , considering the context of the *cloud service offering* , to determine if they are *false positive vulnerabilities*."}]}],"props":[{"name":"label","value":"FRR-VDR-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate False Positives"},{"id":"FRR-VDR-07","parts":[{"id":"FRR-VDR-07_smt","name":"statement","parts":[{"id":"FRR-VDR-07_smt_01","name":"item","prose":"Providers MUST evaluate *detected vulnerabilities* , considering the context of the *cloud service offering* , to determine if they are *likely exploitable 
vulnerabilities*."}]}],"props":[{"name":"label","value":"FRR-VDR-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate Exploitability"},{"id":"FRR-VDR-08","parts":[{"id":"FRR-VDR-08_smt","name":"statement","parts":[{"id":"FRR-VDR-08_smt_01","name":"item","prose":"Providers MUST evaluate *detected vulnerabilities* , considering the context of the *cloud service offering* , to determine if they are *internet-reachable vulnerabilities*."}]}],"props":[{"name":"label","value":"FRR-VDR-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate Internet-Reachability"},{"id":"FRR-VDR-09","parts":[{"id":"FRR-VDR-09_smt","name":"statement","parts":[{"id":"FRR-VDR-09_smt_01","name":"item","prose":"Providers MUST evaluate *detected vulnerabilities* , considering the context of the *cloud service offering* , to estimate the *potential adverse impact* of exploitation on government customers AND assign one of the following *potential adverse impact* ratings:"},{"id":"FRR-VDR-09_smt_02","name":"item","prose":"- **N1** : Exploitation could be expected to have *negligible adverse effects* on one or more *agencies* that use the *cloud service offering*.\n- **N2** : Exploitation could be expected to have *limited adverse 
effects* on one or more *agencies* that use the *cloud service offering*.\n- **N3** : Exploitation could be expected to have a *serious adverse effect* on one *agency* that uses the *cloud service offering*.\n- **N4** : Exploitation could be expected to have a *catastrophic adverse effect* on one *agency* that uses the *cloud service offering* OR a *serious adverse effect* on more than one federal agency that uses the *cloud service offering*.\n- **N5** : Exploitation could be expected to have a *catastrophic adverse effect* on more than one *agency* that uses the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-VDR-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Estimate Potential Adverse Impact"},{"id":"FRR-VDR-10","parts":[{"id":"FRR-VDR-10_smt","name":"statement","parts":[{"id":"FRR-VDR-10_smt_01","name":"item","prose":"Providers SHOULD consider at least the following factors when considering the context of the *cloud service offering* to evaluate *detected vulnerabilities*:"},{"id":"FRR-VDR-10_smt_02","name":"item","prose":"- **Criticality** : How important are the systems or information that might be impacted by the *vulnerability*?\n- **Reachability** : How might a threat actor reach the *vulnerability* and how *likely* is that?\n- **Exploitability** : How easy is it for a threat actor to exploit the *vulnerability* and how *likely* is that?\n- **Detectability** : How easy is it for a threat actor to become aware of the *vulnerability* and how *likely* is that?\n- **Prevalence** : How much of the *cloud service offering* is affected by the *vulnerability*?\n- 
**Privilege** : How much privileged authority or access is granted or can be gained from exploiting the *vulnerability*?\n- **Proximate Vulnerabilities** : How does this *vulnerability* interact with previously *detected vulnerabilities* , especially *partially* or *fully mitigated vulnerabilities?*\n- **Known Threats** : How might already known threats leverage the *vulnerability* and how *likely* is that?"}]}],"props":[{"name":"label","value":"FRR-VDR-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluation Factors"},{"id":"FRR-VDR-11","parts":[{"id":"FRR-VDR-11_smt","name":"statement","parts":[{"id":"FRR-VDR-11_smt_01","name":"item","prose":"Providers MUST document the reason and resulting implications for their customers when choosing not to meet FedRAMP recommendations in this process; this documentation MUST be included in the *authorization data* for the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-VDR-11"},{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Documenting Reasons"}]},{"id":"FRR-VDR-AY","parts":[{"name":"overview","prose":"This section provides guidance on the application of this process, including recommendations for implementing high quality *vulnerability detection* 
and *response* programs; providers who follow some or all of these will be better positioned to meet future FedRAMP authorization requirements."}],"props":[{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"apply"}],"title":"Vulnerability Detection and Response (Apply)","controls":[{"id":"FRR-VDR-AY-01","parts":[{"id":"FRR-VDR-AY-01_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-01_smt_01","name":"item","prose":"If it is not possible to *fully mitigate* or *remediate* *detected vulnerabilities* , providers SHOULD instead *partially mitigate vulnerabilities* *promptly* , progressively, and *persistently*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Partial Mitigation"},{"id":"FRR-VDR-AY-02","parts":[{"id":"FRR-VDR-AY-02_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-02_smt_01","name":"item","prose":"Providers SHOULD make design and architecture decisions for their *cloud service offering* that mitigate the risk of *vulnerabilities* by default AND decrease the risk and complexity of *vulnerability* *detection* and 
*response*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Design For Resilience"},{"id":"FRR-VDR-AY-03","parts":[{"id":"FRR-VDR-AY-03_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-03_smt_01","name":"item","prose":"Providers SHOULD use automated services to improve and streamline *vulnerability detection* and *response*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Automate Detection"},{"id":"FRR-VDR-AY-04","parts":[{"id":"FRR-VDR-AY-04_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-04_smt_01","name":"item","prose":"Providers SHOULD automatically perform *vulnerability detection* on representative samples of new or *significantly* *changed* *information 
resources*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Detection on Changes"},{"id":"FRR-VDR-AY-05","parts":[{"id":"FRR-VDR-AY-05_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-05_smt_01","name":"item","prose":"Providers SHOULD NOT weaken the security of *information resources* to facilitate vulnerability scanning or assessment activities."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Maintain Security Postures"},{"id":"FRR-VDR-AY-06","parts":[{"id":"FRR-VDR-AY-06_smt","name":"statement","parts":[{"id":"FRR-VDR-AY-06_smt_01","name":"item","prose":"Providers SHOULD NOT deploy or otherwise activate new *machine-based* *information resources* with *Known Exploited Vulnerabilities*."}]}],"props":[{"name":"label","value":"FRR-VDR-AY-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD 
NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Avoid Known Exploited Vulnerabilities"}]},{"id":"FRR-VDR-RP","parts":[{"name":"overview","prose":"This section identifies FedRAMP-specific reporting requirements and recommendations for *vulnerabilities*."}],"props":[{"name":"sort-id","value":"012"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"reporting"}],"title":"Vulnerability Detection and Response (Reporting)","controls":[{"id":"FRR-VDR-RP-01","parts":[{"id":"FRR-VDR-RP-01_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-01_smt_01","name":"item","prose":"Providers MUST report *vulnerability detection* and *response* activity to all necessary parties *persistently* , summarizing ALL activity since the previous report; these reports are *authorization data* and are subject to the FedRAMP Authorization Data Sharing (ADS) process."}]}],"props":[{"name":"label","value":"FRR-VDR-RP-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Monthly Reporting"},{"id":"FRR-VDR-RP-02","parts":[{"id":"FRR-VDR-RP-02_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-02_smt_01","name":"item","prose":"Providers SHOULD include high-level overviews of ALL *vulnerability detection* and *response* activities conducted during this period for the *cloud service offering;* this includes vulnerability disclosure programs, bug bounty programs, penetration testing, assessments, 
etc."}]}],"props":[{"name":"label","value":"FRR-VDR-RP-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"High-Level Overviews"},{"id":"FRR-VDR-RP-03","parts":[{"id":"FRR-VDR-RP-03_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-03_smt_01","name":"item","prose":"Providers MUST NOT irresponsibly disclose specific sensitive information about *vulnerabilities* that would *likely* lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties."}]},{"name":"guidance","prose":"See FRR-VDR-EX for exceptions to this requirement."}],"props":[{"name":"label","value":"FRR-VDR-RP-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"No Irresponsible Disclosure"},{"id":"FRR-VDR-RP-04","parts":[{"id":"FRR-VDR-RP-04_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-04_smt_01","name":"item","prose":"Providers MAY responsibly disclose *vulnerabilities* publicly or with other parties if the provider determines doing so will NOT *likely* lead to 
exploitation."}]}],"props":[{"name":"label","value":"FRR-VDR-RP-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsible Public Disclosure"},{"id":"FRR-VDR-RP-05","parts":[{"id":"FRR-VDR-RP-05_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-05_smt_01","name":"item","prose":"Providers MUST include the following information (if applicable) on *detected vulnerabilities* when reporting on *vulnerability detection* and *response* activity, UNLESS it is an *accepted vulnerability*:"},{"id":"FRR-VDR-RP-05_smt_02","name":"item","prose":"- Provider's internally assigned tracking identifier\n- Time and source of the detection\n- Time of completed evaluation\n- Is it an *internet-reachable vulnerability* or not?\n- Is it a *likely exploitable vulnerability* or not?\n- Historically and currently estimated *potential adverse impact* of exploitation\n- Time and level of each completed and evaluated reduction in *potential adverse impact*\n- Estimated time and target level of next reduction in *potential adverse impact*\n- Is it currently or is it likely to become an *overdue vulnerability* or not? 
If so, explain.\n- Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their *federal customer data* within the *cloud service offering* resulting from the *vulnerability*\n- Final disposition of the *vulnerability*"}]}],"props":[{"name":"label","value":"FRR-VDR-RP-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Vulnerability Details"},{"id":"FRR-VDR-RP-06","parts":[{"id":"FRR-VDR-RP-06_smt","name":"statement","parts":[{"id":"FRR-VDR-RP-06_smt_01","name":"item","prose":"Providers MUST include the following information on *accepted vulnerabilities* when reporting on *vulnerability detection* and *response* activity:"},{"id":"FRR-VDR-RP-06_smt_02","name":"item","prose":"- Provider's internally assigned tracking identifier\n- Time and source of the detection\n- Time of completed evaluation\n- Is it an *internet-reachable vulnerability* or not?\n- Is it a *likely exploitable vulnerability* or not?\n- Currently estimated *potential adverse impact* of exploitation\n- Explanation of why this is an *accepted vulnerability*\n- Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their *federal customer data* within the *cloud service offering* resulting from the *accepted 
vulnerability*"}]}],"props":[{"name":"label","value":"FRR-VDR-RP-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Accepted Vulnerability Info"}]},{"id":"FRR-VDR-EX","parts":[{"name":"overview","prose":"These exceptions MAY override some or all of the FedRAMP requirements and recommendations in this document."}],"props":[{"name":"sort-id","value":"013"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"exceptions"}],"title":"Vulnerability Detection and Response (Exceptions)","controls":[{"id":"FRR-VDR-EX-01","parts":[{"id":"FRR-VDR-EX-01_smt","name":"statement","parts":[{"id":"FRR-VDR-EX-01_smt_01","name":"item","prose":"Providers MAY be required to share additional *vulnerability* information, alternative reports, or to report at an alternative frequency as a condition of a FedRAMP Corrective Action Plan or other agreements with federal agencies."}]}],"props":[{"name":"label","value":"FRR-VDR-EX-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Additional Reporting Requirements"},{"id":"FRR-VDR-EX-02","parts":[{"id":"FRR-VDR-EX-02_smt","name":"statement","parts":[{"id":"FRR-VDR-EX-02_smt_01","name":"item","prose":"Providers MAY be required to provide additional information or details about 
*vulnerabilities*, including sensitive information that would *likely* lead to exploitation, as part of review, response or investigation by necessary parties."}]}],"props":[{"name":"label","value":"FRR-VDR-EX-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Additional Details"},{"id":"FRR-VDR-EX-03","parts":[{"id":"FRR-VDR-EX-03_smt","name":"statement","parts":[{"id":"FRR-VDR-EX-03_smt_01","name":"item","prose":"Providers MUST NOT use this process to reject requests for additional information from necessary parties, which for this purpose also include law enforcement, Congress, and Inspectors General."}]}],"props":[{"name":"label","value":"FRR-VDR-EX-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Do Not Reject Requests"}]},{"id":"FRR-VDR-TF","parts":[{"name":"overview","prose":"This section provides guidance on timeframes that apply to all impact levels of FedRAMP authorization for activities required or recommended in this process; these timeframes are upper bounds that secure providers should consistently strive to beat by significant margins, completing each activity well before the timeframe elapses."}],"props":[{"name":"sort-id","value":"014"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"timeframes"}],"title":"Vulnerability Detection and Response 
(Timeframes)","controls":[{"id":"FRR-VDR-TF-01","parts":[{"id":"FRR-VDR-TF-01_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-01_smt_01","name":"item","prose":"Providers MUST report *vulnerability detection* and *response* activity to all necessary parties in a consistent format that is human readable at least monthly."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Monthly Human-Readable"},{"id":"FRR-VDR-TF-02","links":[{"href":"https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities","text":"CISA BOD 22-01"}],"parts":[{"id":"FRR-VDR-TF-02_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-02_smt_01","name":"item","prose":"Providers SHOULD *remediate Known Exploited Vulnerabilities* according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been *fully mitigated*) as required by CISA Binding Operational Directive (BOD) 22-01 or any successor guidance from CISA."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Remediate 
KEVs"},{"id":"FRR-VDR-TF-03","parts":[{"id":"FRR-VDR-TF-03_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-03_smt_01","name":"item","prose":"Providers MUST categorize any vulnerability that is not or will not be *fully mitigated* or *remediated* within 192 days of evaluation as an *accepted vulnerability*."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Mark Accepted Vulnerabilities"}]},{"id":"FRR-VDR-TF-HI","parts":[{"name":"overview","prose":"This section provides guidance on timeframes that apply specifically to FedRAMP High authorizations for activities required or recommended in this process; these timeframes are upper bounds that secure providers should consistently strive to beat by significant margins, completing each activity well before the timeframe elapses."}],"props":[{"name":"sort-id","value":"017"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"timeframe-high"}],"title":"Vulnerability Detection and Response (Timeframe High)","controls":[{"id":"FRR-VDR-TF-HI-01","parts":[{"id":"FRR-VDR-TF-HI-01_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-HI-01_smt_01","name":"item","prose":"Providers SHOULD make all recent historical *vulnerability detection* and *response* activity available in a *machine-readable* format for automated retrieval by all necessary parties (e.g. 
using an API service or similar, with retrieval restricted to those necessary parties because these reports are *authorization data* per FRR-VDR-RP-01); this information SHOULD be updated *persistently*, at least once every 7 days."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-HI-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"7-Day History"},{"id":"FRR-VDR-TF-HI-02","parts":[{"id":"FRR-VDR-TF-HI-02_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-HI-02_smt_01","name":"item","prose":"Providers SHOULD *persistently* perform *vulnerability detection* on representative samples of similar *machine-based* *information resources*, at least once per day."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-HI-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Daily Sampling"},{"id":"FRR-VDR-TF-HI-03","parts":[{"id":"FRR-VDR-TF-HI-03_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-HI-03_smt_01","name":"item","prose":"Providers SHOULD *persistently* perform *vulnerability detection* on all *information resources* that are *likely* to *drift*, at least once every 7 days."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-HI-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"7-Day Drift Detection"},{"id":"FRR-VDR-TF-HI-04","parts":[{"id":"FRR-VDR-TF-HI-04_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-HI-04_smt_01","name":"item","prose":"Providers SHOULD *persistently* perform *vulnerability detection* on all 
*information resources* that are NOT *likely* to *drift*, at least once every month."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-HI-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Monthly Detection"},{"id":"FRR-VDR-TF-HI-05","parts":[{"id":"FRR-VDR-TF-HI-05_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-HI-05_smt_01","name":"item","prose":"Providers MUST evaluate ALL *vulnerabilities* as required by FRR-VDR-07, FRR-VDR-08, and FRR-VDR-09 within 2 days of *detection*."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-HI-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate Within 2 Days"},{"id":"FRR-VDR-TF-HI-06","parts":[{"id":"FRR-VDR-TF-HI-06_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-HI-06_smt_01","name":"item","prose":"Providers SHOULD treat *internet-reachable likely exploitable vulnerabilities* with a *potential adverse impact* of N4 or N5 as a security *incident* until they are *partially mitigated* to N3 or below."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-HI-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Treat N4/N5 As Incident"},{"id":"FRR-VDR-TF-HI-07","parts":[{"id":"FRR-VDR-TF-HI-07_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-HI-07_smt_01","name":"item","prose":"Providers SHOULD treat *likely exploitable vulnerabilities* that are NOT 
*internet-reachable* with a *potential adverse impact* of N5 as a security *incident* until they are *partially mitigated* to N4 or below."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-HI-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Treat N5 Non-Internet as Incident"},{"id":"FRR-VDR-TF-HI-08","parts":[{"id":"FRR-VDR-TF-HI-08_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-HI-08_smt_01","name":"item","prose":"Providers SHOULD *partially mitigate* *vulnerabilities* to a lower *potential adverse impact* within the maximum timeframes from evaluation given in the accompanying partial mitigation timeframe table (not reproduced in this control's prose; refer to the FedRAMP Vulnerability Detection and Response process document), factoring for the current *potential adverse impact*, *internet reachability*, and *likely exploitability*."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-HI-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Partial Mitigation Timeframes"},{"id":"FRR-VDR-TF-HI-09","parts":[{"id":"FRR-VDR-TF-HI-09_smt","name":"statement","parts":[{"id":"FRR-VDR-TF-HI-09_smt_01","name":"item","prose":"Providers MUST *mitigate* or *remediate* remaining *vulnerabilities* during routine operations as determined necessary by the provider."}]}],"props":[{"name":"label","value":"FRR-VDR-TF-HI-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Mitigate During Operations"}]},{"id":"FRR-VDR-AG","parts":[{"name":"overview","prose":"This section provides 
guidance for agencies that apply under 44 USC § 3613 (e) which states that the assessment and materials within a FedRAMP authorization package \"shall be presumed adequate for use in an agency authorization to operate cloud computing products and services.\""}],"props":[{"name":"sort-id","value":"018"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"agencies"}],"title":"Vulnerability Detection and Response (Agencies)","controls":[{"id":"FRR-VDR-AG-01","parts":[{"id":"FRR-VDR-AG-01_smt","name":"statement","parts":[{"id":"FRR-VDR-AG-01_smt_01","name":"item","prose":"Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers."}]},{"name":"guidance","prose":"FedRAMP recommends that agencies only review *overdue* and *accepted vulnerabilities* with a *potential adverse impact* of N3 or higher unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. 
Furthermore, *accepted vulnerabilities* generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency’s use or authorization."}],"props":[{"name":"label","value":"FRR-VDR-AG-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Review Vulnerability Reports"},{"id":"FRR-VDR-AG-02","parts":[{"id":"FRR-VDR-AG-02_smt","name":"statement","parts":[{"id":"FRR-VDR-AG-02_smt_01","name":"item","prose":"Agencies SHOULD use *vulnerability* information reported by the Provider to maintain Plans of Action \\& Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a cloud service with *accepted vulnerabilities* that put agency information systems at risk)."}]}],"props":[{"name":"label","value":"FRR-VDR-AG-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Maintain Agency POA\\&M"},{"id":"FRR-VDR-AG-03","parts":[{"id":"FRR-VDR-AG-03_smt","name":"statement","parts":[{"id":"FRR-VDR-AG-03_smt_01","name":"item","prose":"Agencies SHOULD NOT request additional information from cloud service providers that is not required by this FedRAMP 
process UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such."}]},{"name":"guidance","prose":"This is related to the Presumption of Adequacy directed by 44 USC § 3613 (e)."}],"props":[{"name":"label","value":"FRR-VDR-AG-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Do Not Request Extra Info"},{"id":"FRR-VDR-AG-04","parts":[{"id":"FRR-VDR-AG-04_smt","name":"statement","parts":[{"id":"FRR-VDR-AG-04_smt_01","name":"item","prose":"Agencies MUST inform FedRAMP after requesting any additional *vulnerability* information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to [info@fedramp.gov](mailto:info@fedramp.gov)."}]},{"name":"guidance","prose":"This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV (a)."}],"props":[{"name":"label","value":"FRR-VDR-AG-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Notify FedRAMP"}]},{"id":"FRR-FSI","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to FedRAMP and ALL cloud services listed in the FedRAMP Marketplace based on the current Effective Date(s) and Overall Applicability of this 
document."}],"props":[{"name":"sort-id","value":"019"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"FedRAMP Security Inbox","controls":[{"id":"FRR-FSI-01","parts":[{"id":"FRR-FSI-01_smt","name":"statement","parts":[{"id":"FRR-FSI-01_smt_01","name":"item","prose":"FedRAMP MUST send messages to cloud service providers using an official @fedramp.gov or @gsa.gov email address with properly configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) email authentication."}]},{"name":"guidance","prose":"Anyone at GSA can send email from @fedramp.gov or @gsa.gov - FedRAMP team members will typically have \"FedRAMP\" or \"Q20B\" in their name but this is not universal or enforceable. The nature of government enterprise IT services makes it difficult for FedRAMP to isolate FedRAMP-specific team members with enforceable identifiers. Providers should therefore verify SPF, DKIM, and DMARC results on receipt rather than trusting the displayed sender, and should confirm that any Emergency or Emergency Test message originates from one of the addresses listed in FRR-FSI-03 before acting on it."}],"props":[{"name":"label","value":"FRR-FSI-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Verified Emails"},{"id":"FRR-FSI-02","parts":[{"id":"FRR-FSI-02_smt","name":"statement","parts":[{"id":"FRR-FSI-02_smt_01","name":"item","prose":"FedRAMP MUST convey the criticality of the message in the subject line using one of the following designators if the message requires an elevated response:"},{"id":"FRR-FSI-02_smt_02","name":"item","prose":"- **Emergency:** There is a potential incident or crisis such that FedRAMP requires an extremely urgent response; emergency messages will contain aggressive timeframes for response and failure to meet these 
timeframes will result in corrective action.\n- **Emergency Test:** FedRAMP requires an extremely urgent response to confirm the functionality and effectiveness of the FedRAMP Security Inbox; emergency test messages will contain aggressive timeframes for response and failure to meet these timeframes will result in corrective action.\n- **Important:** There is an important issue that FedRAMP requires the cloud service provider to address; important messages will contain reasonable timeframes for response and failure to meet these timeframes may result in corrective action."}]},{"name":"guidance","prose":"Messages sent by FedRAMP without one of these designators are considered general communications and do not require an elevated response; these may be resolved in the normal course of business by the cloud service provider."}],"props":[{"name":"label","value":"FRR-FSI-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Criticality Designators"},{"id":"FRR-FSI-03","parts":[{"id":"FRR-FSI-03_smt","name":"statement","parts":[{"id":"FRR-FSI-03_smt_01","name":"item","prose":"FedRAMP MUST send Emergency and Emergency Test designated messages from fedramp_security@gsa.gov OR 
fedramp_security@fedramp.gov."}]}],"props":[{"name":"label","value":"FRR-FSI-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Sender Addresses"},{"id":"FRR-FSI-04","parts":[{"id":"FRR-FSI-04_smt","name":"statement","parts":[{"id":"FRR-FSI-04_smt_01","name":"item","prose":"FedRAMP MUST post a public notice at least 10 business days in advance of sending an Emergency Test message; such notices MUST include explanation of the *likely* expected actions and timeframes for the Emergency Test message."}]}],"props":[{"name":"label","value":"FRR-FSI-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Public Notice of Emergency Tests"},{"id":"FRR-FSI-05","parts":[{"id":"FRR-FSI-05_smt","name":"statement","parts":[{"id":"FRR-FSI-05_smt_01","name":"item","prose":"FedRAMP MUST clearly specify the required actions in the body of messages that require an elevated 
response."}]}],"props":[{"name":"label","value":"FRR-FSI-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Required Actions"},{"id":"FRR-FSI-06","parts":[{"id":"FRR-FSI-06_smt","name":"statement","parts":[{"id":"FRR-FSI-06_smt_01","name":"item","prose":"FedRAMP MUST clearly specify the expected timeframe for completing required actions in the body of messages that require an elevated response; timeframes for actions will vary depending on the situation but the default timeframes to provide an estimated resolution time for Emergency and Emergency Test designated messages will be as follows:"},{"id":"FRR-FSI-06_smt_02","name":"item","prose":"- **High Impact:** within 12 hours\n- **Moderate Impact:** by 3:00 p.m. Eastern Time on the 2nd business day\n- **Low Impact:** by 3:00 p.m. Eastern Time on the 3rd business day"}]},{"name":"guidance","prose":"Note: High impact cloud service providers are expected to address Emergency messages (including tests) from FedRAMP with a response time appropriate to operating a service where failure to respond rapidly might have a severe or catastrophic adverse effect on the U.S. 
Government; some Emergency messages may require faster responses and all such messages should be addressed as quickly as possible."}],"props":[{"name":"label","value":"FRR-FSI-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Response Timeframes"},{"id":"FRR-FSI-07","parts":[{"id":"FRR-FSI-07_smt","name":"statement","parts":[{"id":"FRR-FSI-07_smt_01","name":"item","prose":"FedRAMP MUST clearly specify the corrective actions that will result from failure to complete the required actions in the body of messages that require an elevated response; such actions may vary from negative ratings in the FedRAMP Marketplace to suspension of FedRAMP authorization depending on the severity of the event."}]}],"props":[{"name":"label","value":"FRR-FSI-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Corrective Actions"},{"id":"FRR-FSI-08","parts":[{"id":"FRR-FSI-08_smt","name":"statement","parts":[{"id":"FRR-FSI-08_smt_01","name":"item","prose":"FedRAMP MAY track and publicly share the time required by cloud service providers to take the actions specified in messages that require an elevated 
response."}]}],"props":[{"name":"label","value":"FRR-FSI-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Response Metrics"},{"id":"FRR-FSI-09","parts":[{"id":"FRR-FSI-09_smt","name":"statement","parts":[{"id":"FRR-FSI-09_smt_01","name":"item","prose":"Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a *FedRAMP Security Inbox* (FSI)."}]},{"name":"guidance","prose":"- Unless otherwise notified, FedRAMP will use the listed Security E-mail on the Marketplace for these notifications.\n- If a provider establishes a new inbox in response to this guidance that is different from the Security E-mail, then they must follow the requirements in FRR-FSI-12 to notify FedRAMP."}],"props":[{"name":"label","value":"FRR-FSI-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"FedRAMP Security Inbox"},{"id":"FRR-FSI-10","parts":[{"id":"FRR-FSI-10_smt","name":"statement","parts":[{"id":"FRR-FSI-10_smt_01","name":"item","prose":"Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it were sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP, then *FedRAMP Security Inbox* requirements no longer 
apply."}]}],"props":[{"name":"label","value":"FRR-FSI-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Receiving Messages"},{"id":"FRR-FSI-11","parts":[{"id":"FRR-FSI-11_smt","name":"statement","parts":[{"id":"FRR-FSI-11_smt_01","name":"item","prose":"Providers MUST receive and respond to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP."}]},{"name":"guidance","prose":"Note: This requirement is intended to prevent cloud service providers from requiring FedRAMP to respond to a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the message."}],"props":[{"name":"label","value":"FRR-FSI-11"},{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Response"},{"id":"FRR-FSI-12","parts":[{"id":"FRR-FSI-12_smt","name":"statement","parts":[{"id":"FRR-FSI-12_smt_01","name":"item","prose":"Providers MUST immediately notify FedRAMP of any changes in addressing for their *FedRAMP Security Inbox* by emailing info@fedramp.gov with the name and FedRAMP ID of the cloud service offering and the updated email 
address."}]}],"props":[{"name":"label","value":"FRR-FSI-12"},{"name":"sort-id","value":"012"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Notification of Changes"},{"id":"FRR-FSI-13","parts":[{"id":"FRR-FSI-13_smt","name":"statement","parts":[{"id":"FRR-FSI-13_smt_01","name":"item","prose":"Providers SHOULD *promptly* and automatically acknowledge the receipt of messages received from FedRAMP in their *FedRAMP Security Inbox*."}]}],"props":[{"name":"label","value":"FRR-FSI-13"},{"name":"sort-id","value":"013"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Acknowledgment of Receipt"},{"id":"FRR-FSI-14","parts":[{"id":"FRR-FSI-14_smt","name":"statement","parts":[{"id":"FRR-FSI-14_smt_01","name":"item","prose":"Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message."}]},{"name":"guidance","prose":"Timeframes may vary by impact level of the *cloud service 
offering*."}],"props":[{"name":"label","value":"FRR-FSI-14"},{"name":"sort-id","value":"014"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Required Response for Emergency Messages"},{"id":"FRR-FSI-15","parts":[{"id":"FRR-FSI-15_smt","name":"statement","parts":[{"id":"FRR-FSI-15_smt_01","name":"item","prose":"Providers MUST route Emergency designated messages sent by FedRAMP to a senior security official for their awareness."}]},{"name":"guidance","prose":"Senior security officials are determined by the provider."}],"props":[{"name":"label","value":"FRR-FSI-15"},{"name":"sort-id","value":"015"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Routing"},{"id":"FRR-FSI-16","parts":[{"id":"FRR-FSI-16_smt","name":"statement","parts":[{"id":"FRR-FSI-16_smt_01","name":"item","prose":"Providers SHOULD complete the required actions in Important designated messages sent by FedRAMP within the timeframe specified in the message."}]},{"name":"guidance","prose":"Timeframes may vary by impact level of the *cloud service 
offering*."}],"props":[{"name":"label","value":"FRR-FSI-16"},{"name":"sort-id","value":"016"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Recommended Response for Important Messages"}]},{"id":"FRR-ICP","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"020"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Incident Communications Procedures","controls":[{"id":"FRR-ICP-01","parts":[{"id":"FRR-ICP-01_smt","name":"statement","parts":[{"id":"FRR-ICP-01_smt_01","name":"item","prose":"Providers MUST responsibly report *incidents* to FedRAMP within 1 hour of identification by sending an email to fedramp_security@fedramp.gov or fedramp_security@gsa.gov."}]}],"props":[{"name":"label","value":"FRR-ICP-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Reporting to FedRAMP"},{"id":"FRR-ICP-02","parts":[{"id":"FRR-ICP-02_smt","name":"statement","parts":[{"id":"FRR-ICP-02_smt_01","name":"item","prose":"Providers MUST responsibly report *incidents* to all *agency* customers within 1 hour of identification using the 
*incident* communications points of contact provided by each *agency* customer."}]}],"props":[{"name":"label","value":"FRR-ICP-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Reporting to Agencies"},{"id":"FRR-ICP-03","parts":[{"id":"FRR-ICP-03_smt","name":"statement","parts":[{"id":"FRR-ICP-03_smt_01","name":"item","prose":"Providers MUST responsibly report *incidents* to CISA within 1 hour of identification if the incident is confirmed or suspected to be the result of an attack vector listed at https://www.cisa.gov/federal-incident-notification-guidelines#attack-vectors-taxonomy, following the CISA Federal Incident Notification Guidelines at https://www.cisa.gov/federal-incident-notification-guidelines, by using the CISA Incident Reporting System at https://myservices.cisa.gov/irf."}]}],"props":[{"name":"label","value":"FRR-ICP-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Reporting to CISA"},{"id":"FRR-ICP-04","parts":[{"id":"FRR-ICP-04_smt","name":"statement","parts":[{"id":"FRR-ICP-04_smt_01","name":"item","prose":"Providers MUST update *all necessary parties*, including at least FedRAMP, CISA (if applicable), and all *agency* customers, at least once per calendar day until the 
*incident* is resolved and recovery is complete."}]}],"props":[{"name":"label","value":"FRR-ICP-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Updates"},{"id":"FRR-ICP-05","parts":[{"id":"FRR-ICP-05_smt","name":"statement","parts":[{"id":"FRR-ICP-05_smt_01","name":"item","prose":"Providers MUST make *incident* report information available in their secure FedRAMP repository (such as USDA Connect) or *trust center*."}]}],"props":[{"name":"label","value":"FRR-ICP-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Incident Report Availability"},{"id":"FRR-ICP-06","parts":[{"id":"FRR-ICP-06_smt","name":"statement","parts":[{"id":"FRR-ICP-06_smt_01","name":"item","prose":"Providers MUST NOT irresponsibly disclose specific sensitive information about *incidents* that would *likely* increase the impact of the *incident*, but MUST disclose sufficient information for informed risk-based decision-making to *all necessary 
parties*."}]}],"props":[{"name":"label","value":"FRR-ICP-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsible Disclosure"},{"id":"FRR-ICP-07","parts":[{"id":"FRR-ICP-07_smt","name":"statement","parts":[{"id":"FRR-ICP-07_smt_01","name":"item","prose":"Providers MUST provide a final report once the *incident* is resolved and recovery is complete that describes at least:"},{"id":"FRR-ICP-07_smt_02","name":"item","prose":"- What occurred\n- Root cause\n- Response\n- Lessons learned\n- Changes needed"}]}],"props":[{"name":"label","value":"FRR-ICP-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Final Incident Report"},{"id":"FRR-ICP-08","parts":[{"id":"FRR-ICP-08_smt","name":"statement","parts":[{"id":"FRR-ICP-08_smt_01","name":"item","prose":"Providers SHOULD use automated mechanisms for reporting incidents and providing updates to all necessary parties (including 
CISA)."}]}],"props":[{"name":"label","value":"FRR-ICP-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Automated Reporting"},{"id":"FRR-ICP-09","parts":[{"id":"FRR-ICP-09_smt","name":"statement","parts":[{"id":"FRR-ICP-09_smt_01","name":"item","prose":"Providers SHOULD make *incident* report information available in consistent human-readable and *machine-readable* formats."}]}],"props":[{"name":"label","value":"FRR-ICP-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Human-Readable and Machine-Readable Formats"}]},{"id":"FRR-SCN","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to ALL *significant changes* based on the current Effective Date(s) and Overall Applicability."}],"props":[{"name":"sort-id","value":"021"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Significant Change Notifications","controls":[{"id":"FRR-SCN-01","parts":[{"id":"FRR-SCN-01_smt","name":"statement","parts":[{"id":"FRR-SCN-01_smt_01","name":"item","prose":"Providers MUST notify all necessary parties when Significant Change Notifications are required, including at least FedRAMP and all agency customers. 
Providers MAY share Significant Change Notifications publicly or with other parties."}]}],"props":[{"name":"label","value":"FRR-SCN-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Notifications"},{"id":"FRR-SCN-02","parts":[{"id":"FRR-SCN-02_smt","name":"statement","parts":[{"id":"FRR-SCN-02_smt_01","name":"item","prose":"Providers MUST follow the procedures documented in their security plan to plan, evaluate, test, perform, assess, and document changes."}]}],"props":[{"name":"label","value":"FRR-SCN-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Procedures and Documentation"},{"id":"FRR-SCN-03","parts":[{"id":"FRR-SCN-03_smt","name":"statement","parts":[{"id":"FRR-SCN-03_smt_01","name":"item","prose":"Providers MUST evaluate and type label all *significant changes*, then follow FedRAMP requirements for the 
type."}]}],"props":[{"name":"label","value":"FRR-SCN-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Evaluate Changes"},{"id":"FRR-SCN-04","parts":[{"id":"FRR-SCN-04_smt","name":"statement","parts":[{"id":"FRR-SCN-04_smt_01","name":"item","prose":"Providers MUST maintain auditable records of these activities and make them available to all necessary parties."}]}],"props":[{"name":"label","value":"FRR-SCN-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-05","parts":[{"id":"FRR-SCN-05_smt","name":"statement","parts":[{"id":"FRR-SCN-05_smt_01","name":"item","prose":"Providers MUST keep historical Significant Change Notifications available to all necessary parties at least until the service completes its next annual 
assessment."}]}],"props":[{"name":"label","value":"FRR-SCN-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-06","parts":[{"id":"FRR-SCN-06_smt","name":"statement","parts":[{"id":"FRR-SCN-06_smt_01","name":"item","prose":"All parties SHOULD follow FedRAMP's best practices and technical assistance on *significant change* assessment and notification where applicable."}]}],"props":[{"name":"label","value":"FRR-SCN-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-07","parts":[{"id":"FRR-SCN-07_smt","name":"statement","parts":[{"id":"FRR-SCN-07_smt_01","name":"item","prose":"Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented and easily 
accessible."}]}],"props":[{"name":"label","value":"FRR-SCN-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-08","parts":[{"id":"FRR-SCN-08_smt","name":"statement","parts":[{"id":"FRR-SCN-08_smt_01","name":"item","prose":"Providers MUST make ALL Significant Change Notifications and related audit records available in similar human-readable and compatible *machine-readable* formats."}]}],"props":[{"name":"label","value":"FRR-SCN-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-09","parts":[{"id":"FRR-SCN-09_smt","name":"statement","parts":[{"id":"FRR-SCN-09_smt_01","name":"item","prose":"Providers MUST include at least the following information in Significant Change Notifications:"},{"id":"FRR-SCN-09_smt_02","name":"item","prose":"- Service Offering FedRAMP ID\n- Assessor Name (if applicable)\n- Related POA\\&M (if applicable)\n- Significant Change type and explanation of categorization\n- Short description of change\n- Reason for change\n- Summary of customer impact, including changes to services and customer configuration responsibilities\n- Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted 
Key Security Indicators or controls\n- Copy of the business or security impact analysis\n- Name and title of approver"}]}],"props":[{"name":"label","value":"FRR-SCN-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-10","parts":[{"id":"FRR-SCN-10_smt","name":"statement","parts":[{"id":"FRR-SCN-10_smt_01","name":"item","prose":"Providers MAY include additional relevant information in Significant Change Notifications."}]}],"props":[{"name":"label","value":"FRR-SCN-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-RR","parts":[{"name":"overview","prose":"These requirements apply ONLY to *significant changes* of type *routine recurring*."}],"props":[{"name":"sort-id","value":"022"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"routine_recurring"}],"title":"Significant Change Notifications (Routine Recurring)","controls":[{"id":"FRR-SCN-RR-01","parts":[{"id":"FRR-SCN-RR-01_smt","name":"statement","parts":[{"id":"FRR-SCN-RR-01_smt_01","name":"item","prose":"Providers SHOULD NOT make formal Significant Change Notifications for *routine recurring* changes; this type of change is exempted from the notification requirements of this 
process."}]}],"props":[{"name":"label","value":"FRR-SCN-RR-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-AD","parts":[{"name":"overview","prose":"These requirements apply ONLY to *significant changes* of type *adaptive*."}],"props":[{"name":"sort-id","value":"023"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"adaptive"}],"title":"Significant Change Notifications (Adaptive)","controls":[{"id":"FRR-SCN-AD-01","parts":[{"id":"FRR-SCN-AD-01_smt","name":"statement","parts":[{"id":"FRR-SCN-AD-01_smt_01","name":"item","prose":"Providers MUST notify all necessary parties within ten business days after finishing *adaptive* changes, also including the following information:"},{"id":"FRR-SCN-AD-01_smt_02","name":"item","prose":"- Summary of any new risks identified and/or POA\\&Ms resulting from the change (if applicable)"}]}],"props":[{"name":"label","value":"FRR-SCN-AD-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-TR","parts":[{"name":"overview","prose":"These requirements apply ONLY to *significant changes* of type 
*transformative*."}],"props":[{"name":"sort-id","value":"024"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"transformative"}],"title":"Significant Change Notifications (Transformative)","controls":[{"id":"FRR-SCN-TR-01","parts":[{"id":"FRR-SCN-TR-01_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-01_smt_01","name":"item","prose":"Providers SHOULD engage a third-party assessor to review the scope and impact of the planned change before starting *transformative* changes if human validation is necessary. This review SHOULD be limited to security decisions that require human validation. Providers MUST document this decision and justification."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-02","parts":[{"id":"FRR-SCN-TR-02_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-02_smt_01","name":"item","prose":"Providers MUST notify all necessary parties of initial plans for *transformative* changes at least 30 business days before starting *transformative* changes."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no 
title\\]"},{"id":"FRR-SCN-TR-03","parts":[{"id":"FRR-SCN-TR-03_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-03_smt_01","name":"item","prose":"Providers MUST notify all necessary parties of final plans for *transformative* changes at least 10 business days before starting *transformative* changes."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-04","parts":[{"id":"FRR-SCN-TR-04_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-04_smt_01","name":"item","prose":"Providers MUST notify all necessary parties within 5 business days after finishing *transformative* changes, also including the following information:"},{"id":"FRR-SCN-TR-04_smt_02","name":"item","prose":"- Updates to all previously sent information"}]}],"props":[{"name":"label","value":"FRR-SCN-TR-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-05","parts":[{"id":"FRR-SCN-TR-05_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-05_smt_01","name":"item","prose":"Providers MUST notify all necessary parties within 5 business days after completing the verification, assessment, and/or validation of *transformative* changes, also 
including the following information:"},{"id":"FRR-SCN-TR-05_smt_02","name":"item","prose":"- Updates to all previously sent information\n- Summary of any new risks identified and/or POA\\&Ms resulting from the change (if applicable)\n- Copy of the security assessment report (if applicable)"}]}],"props":[{"name":"label","value":"FRR-SCN-TR-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-06","parts":[{"id":"FRR-SCN-TR-06_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-06_smt_01","name":"item","prose":"Providers MUST publish updated service documentation and other materials to reflect *transformative* changes within 30 business days after finishing *transformative* changes."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-TR-07","parts":[{"id":"FRR-SCN-TR-07_smt","name":"statement","parts":[{"id":"FRR-SCN-TR-07_smt_01","name":"item","prose":"Providers MUST allow agency customers to OPT OUT of *transformative* changes whenever 
feasible."}]}],"props":[{"name":"label","value":"FRR-SCN-TR-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-IM","parts":[{"name":"overview","prose":"These requirements apply ONLY to *significant changes* of type *impact categorization*."}],"props":[{"name":"sort-id","value":"025"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"impact"}],"title":"Significant Change Notifications (Impact)","controls":[{"id":"FRR-SCN-IM-01","parts":[{"id":"FRR-SCN-IM-01_smt","name":"statement","parts":[{"id":"FRR-SCN-IM-01_smt_01","name":"item","prose":"Providers MUST follow the legacy Significant Change Request process or full re-authorization for *impact categorization* changes, with advance approval from an identified lead agency, until further notice."}]}],"props":[{"name":"label","value":"FRR-SCN-IM-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-SCN-EX","parts":[{"name":"overview","prose":"These exceptions MAY override some or all of the FedRAMP requirements for this process."}],"props":[{"name":"sort-id","value":"026"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"exceptions"}],"title":"Significant Change Notifications 
(Exceptions)","controls":[{"id":"FRR-SCN-EX-01","parts":[{"id":"FRR-SCN-EX-01_smt","name":"statement","parts":[{"id":"FRR-SCN-EX-01_smt_01","name":"item","prose":"Providers MAY be required to delay *significant changes* beyond the standard Significant Change Notification period and/or submit *significant changes* for approval in advance as a condition of a formal FedRAMP Corrective Action Plan or other agreement."}]}],"props":[{"name":"label","value":"FRR-SCN-EX-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"},{"id":"FRR-SCN-EX-02","parts":[{"id":"FRR-SCN-EX-02_smt","name":"statement","parts":[{"id":"FRR-SCN-EX-02_smt_01","name":"item","prose":"Providers MAY execute *significant changes* (including *transformative* changes) during an emergency or incident without meeting Significant Change Notification requirements in advance ONLY if absolutely necessary. 
In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident."}]}],"props":[{"name":"label","value":"FRR-SCN-EX-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"\\[no title\\]"}]},{"id":"FRR-CCM","parts":[{"name":"overview","prose":"These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document."}],"props":[{"name":"sort-id","value":"039"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Collaborative Continuous Monitoring","controls":[{"id":"FRR-CCM-01","parts":[{"id":"FRR-CCM-01_smt","name":"statement","parts":[{"id":"FRR-CCM-01_smt_01","name":"item","prose":"Providers MUST make an *Ongoing Authorization Report* available to *all necessary parties* every 3 months, in a consistent format that is human readable, covering the entire period since the previous summary; this report MUST include high-level summaries of at least the following information:"},{"id":"FRR-CCM-01_smt_02","name":"item","prose":"- Changes to *authorization data*\n- Planned changes to *authorization data* during at least the next 3 months\n- Accepted vulnerabilities\n- *Transformative* changes\n- Updated recommendations or best practices for security, configuration, usage, or similar aspects of the *cloud service 
offering*"}]}],"props":[{"name":"label","value":"FRR-CCM-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Ongoing Authorization Reports"},{"id":"FRR-CCM-02","parts":[{"id":"FRR-CCM-02_smt","name":"statement","parts":[{"id":"FRR-CCM-02_smt_01","name":"item","prose":"Providers SHOULD establish a regular 3 month cycle for *Ongoing Authorization Reports* that is spread out from the beginning, middle, or end of each quarter."}]},{"name":"guidance","prose":"This recommendation is intended to discourage hundreds of cloud service providers from releasing their *Ongoing Authorization Reports* during the first or last week of each quarter because that is the easiest way for a single provider to track this deliverable; the result would overwhelm agencies with many cloud services. 
Widely used cloud service providers are encouraged to work with their customers to identify ideal timeframes for this cycle."}],"props":[{"name":"label","value":"FRR-CCM-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Avoiding Simultaneous Reports"},{"id":"FRR-CCM-03","parts":[{"id":"FRR-CCM-03_smt","name":"statement","parts":[{"id":"FRR-CCM-03_smt_01","name":"item","prose":"Providers MUST publicly include the target date for their next *Ongoing Authorization Report* with the *authorization data* required by FRR-ADS-01."}]}],"props":[{"name":"label","value":"FRR-CCM-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Public Next Report Date"},{"id":"FRR-CCM-04","parts":[{"id":"FRR-CCM-04_smt","name":"statement","parts":[{"id":"FRR-CCM-04_smt_01","name":"item","prose":"Providers MUST establish and share an asynchronous mechanism for *all necessary parties* to provide feedback or ask questions about each *Ongoing Authorization 
Report*."}]}],"props":[{"name":"label","value":"FRR-CCM-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Feedback Mechanism"},{"id":"FRR-CCM-05","parts":[{"id":"FRR-CCM-05_smt","name":"statement","parts":[{"id":"FRR-CCM-05_smt_01","name":"item","prose":"Providers MUST maintain an anonymized and desensitized summary of the feedback, questions, and answers about each *Ongoing Authorization Report* as an addendum to the *Ongoing Authorization Report*."}]},{"name":"guidance","prose":"This is intended to encourage sharing of information and decrease the burden on the cloud service provider - providing this summary will reduce duplicate questions from *agencies* and ensure FedRAMP has access to this information. 
It is generally in the provider’s interest to update this addendum frequently throughout the quarter."}],"props":[{"name":"label","value":"FRR-CCM-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Anonymized Feedback Summary"},{"id":"FRR-CCM-06","parts":[{"id":"FRR-CCM-06_smt","name":"statement","parts":[{"id":"FRR-CCM-06_smt_01","name":"item","prose":"Providers MUST NOT irresponsibly disclose sensitive information in an *Ongoing Authorization Report* that would *likely* have an adverse effect on the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Protect Sensitive Information"},{"id":"FRR-CCM-07","parts":[{"id":"FRR-CCM-07_smt","name":"statement","parts":[{"id":"FRR-CCM-07_smt_01","name":"item","prose":"Providers MAY responsibly share some or all of the information an *Ongoing Authorization Report* publicly or with other parties if the provider determines doing so will NOT *likely* have an adverse effect on the *cloud service 
offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Responsible Public Sharing"}]},{"id":"FRR-CCM-QR","parts":[{"name":"overview","prose":"These requirements and recommendations apply to providers hosting synchronous *Quarterly Reviews* with all agencies."}],"props":[{"name":"sort-id","value":"040"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"quarterly_reviews"}],"title":"Collaborative Continuous Monitoring (Quarterly Reviews)","controls":[{"id":"FRR-CCM-QR-02","parts":[{"id":"FRR-CCM-QR-02_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-02_smt_01","name":"item","prose":"Providers MUST host a synchronous *Quarterly Review* every 3 months, open to *all necessary parties* , to review aspects of the most recent *Ongoing Authorization Reports* that the provider determines are of the most relevance to *agencies*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Quarterly Review"},{"id":"FRR-CCM-QR-03","parts":[{"id":"FRR-CCM-QR-03_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-03_smt_01","name":"item","prose":"Providers SHOULD regularly schedule *Quarterly Reviews* to occur at least 3 business days after releasing an *Ongoing Authorization Report* AND within 10 
business days of such release."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Review Scheduling Window"},{"id":"FRR-CCM-QR-04","parts":[{"id":"FRR-CCM-QR-04_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-04_smt_01","name":"item","prose":"Providers MUST NOT irresponsibly disclose sensitive information in a *Quarterly Review* that would *likely* have an adverse effect on the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"No Irresponsible Disclosure"},{"id":"FRR-CCM-QR-05","parts":[{"id":"FRR-CCM-QR-05_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-05_smt_01","name":"item","prose":"Providers MUST include either a registration link or a downloadable calendar file with meeting information for *Quarterly Reviews* in the *authorization data* available to all *necessary parties* required by FRR-ADS-06 and 
FRR-ADS-07."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Meeting Registration Info"},{"id":"FRR-CCM-QR-06","parts":[{"id":"FRR-CCM-QR-06_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-06_smt_01","name":"item","prose":"Providers MUST publicly include the target date for their next *Quarterly Review* with the *authorization data* required by FRR-ADS-01."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Next Review Date"},{"id":"FRR-CCM-QR-07","parts":[{"id":"FRR-CCM-QR-07_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-07_smt_01","name":"item","prose":"Providers SHOULD include additional information in *Quarterly Reviews* that the provider determines is of interest, use, or otherwise relevant to 
*agencies*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Additional Content"},{"id":"FRR-CCM-QR-08","parts":[{"id":"FRR-CCM-QR-08_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-08_smt_01","name":"item","prose":"Providers SHOULD NOT invite third parties to attend *Quarterly Reviews* intended for *agencies* unless they have specific relevance."}]},{"name":"guidance","prose":"This is because *agencies* are less likely to actively participate in meetings with third parties; the cloud service provider's independent assessor should be considered relevant by default."}],"props":[{"name":"label","value":"FRR-CCM-QR-08"},{"name":"sort-id","value":"008"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Restrict Third Parties"},{"id":"FRR-CCM-QR-09","parts":[{"id":"FRR-CCM-QR-09_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-09_smt_01","name":"item","prose":"Providers SHOULD record or transcribe *Quarterly Reviews* and make such available to *all necessary parties* with other *authorization data* required by FRR-ADS-06 and 
FRR-ADS-07."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-09"},{"name":"sort-id","value":"009"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Record/Transcribe Reviews"},{"id":"FRR-CCM-QR-10","parts":[{"id":"FRR-CCM-QR-10_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-10_smt_01","name":"item","prose":"Providers MAY responsibly share recordings or transcriptions of *Quarterly Reviews* with the public or other parties ONLY if the provider removes all *agency* information (comments, questions, names, etc.) AND determines sharing will NOT *likely* have an adverse effect on the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-10"},{"name":"sort-id","value":"010"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Share Recordings Responsibly"},{"id":"FRR-CCM-QR-11","parts":[{"id":"FRR-CCM-QR-11_smt","name":"statement","parts":[{"id":"FRR-CCM-QR-11_smt_01","name":"item","prose":"Providers MAY responsibly share content prepared for a *Quarterly Review* with the public or other parties if the provider determines doing so will NOT *likely* have an adverse effect on the *cloud service 
offering*."}]}],"props":[{"name":"label","value":"FRR-CCM-QR-11"},{"name":"sort-id","value":"011"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Share Content Responsibly"}]},{"id":"FRR-CCM-AG","parts":[{"name":"overview","prose":"This section includes requirements and recommendations for *agencies* who are using FedRAMP Authorized cloud services based on statute and policy directives from OMB that apply to *agencies*."}],"props":[{"name":"sort-id","value":"041"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"agencies"}],"title":"Collaborative Continuous Monitoring (Agencies)","controls":[{"id":"FRR-CCM-AG-01","parts":[{"id":"FRR-CCM-AG-01_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-01_smt_01","name":"item","prose":"Agencies MUST review each *Ongoing Authorization Report* to understand how changes to the *cloud service offering* may impact the previously agreed-upon risk tolerance documented in the *agency's* Authorization to Operate of a federal information system that includes the *cloud service offering* in its boundary."}]},{"name":"guidance","prose":"This is required by 44 USC § 35, OMB A-130, FIPS-200, and M-24-15."}],"props":[{"name":"label","value":"FRR-CCM-AG-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Review 
Ongoing Reports"},{"id":"FRR-CCM-AG-02","parts":[{"id":"FRR-CCM-AG-02_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-02_smt_01","name":"item","prose":"Agencies SHOULD consider the Security Category noted in their Authorization to Operate of the federal information system that includes the *cloud service offering* in its boundary and assign appropriate information security resources for reviewing *Ongoing Authorization Reports* , attending *Quarterly Reviews* , and other ongoing *authorization data*."}]}],"props":[{"name":"label","value":"FRR-CCM-AG-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Consider Security Category"},{"id":"FRR-CCM-AG-03","parts":[{"id":"FRR-CCM-AG-03_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-03_smt_01","name":"item","prose":"Agencies SHOULD designate a senior information security official to review *Ongoing Authorization Reports* and represent the agency at *Quarterly Reviews* for *cloud service offerings* included in agency information systems with a Security Category of High."}]}],"props":[{"name":"label","value":"FRR-CCM-AG-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Senior Security Reviewer"},{"id":"FRR-CCM-AG-04","parts":[{"id":"FRR-CCM-AG-04_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-04_smt_01","name":"item","prose":"Agencies SHOULD formally notify the provider if the information presented in an *Ongoing 
Authorization Report* , *Quarterly Review* , or other ongoing *authorization data* causes significant concerns that may lead the *agency* to remove the *cloud service offering* from operation."}]}],"props":[{"name":"label","value":"FRR-CCM-AG-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Notify Provider of Concerns"},{"id":"FRR-CCM-AG-05","parts":[{"id":"FRR-CCM-AG-05_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-05_smt_01","name":"item","prose":"Agencies MUST notify FedRAMP by sending a notification to info@fedramp.gov if the information presented in an *Ongoing Authorization Report* , *Quarterly Review* , or other ongoing *authorization data* causes significant concerns that may lead the *agency* to stop operation of the *cloud service offering*."}]},{"name":"guidance","prose":"Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a)."}],"props":[{"name":"label","value":"FRR-CCM-AG-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Notify FedRAMP of Concerns"},{"id":"FRR-CCM-AG-06","parts":[{"id":"FRR-CCM-AG-06_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-06_smt_01","name":"item","prose":"Agencies MUST NOT place additional security requirements on cloud service providers 
beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such; this does not apply to seeking clarification or asking general questions about *authorization data*."}]},{"name":"guidance","prose":"This is a statutory requirement in 44 USC § 3613 (e) related to the Presumption of Adequacy for a FedRAMP authorization."}],"props":[{"name":"label","value":"FRR-CCM-AG-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST NOT"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"No Additional Requirements"},{"id":"FRR-CCM-AG-07","parts":[{"id":"FRR-CCM-AG-07_smt","name":"statement","parts":[{"id":"FRR-CCM-AG-07_smt_01","name":"item","prose":"Agencies MUST inform FedRAMP after requesting any additional information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to info@fedramp.gov."}]},{"name":"guidance","prose":"Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a)."}],"props":[{"name":"label","value":"FRR-CCM-AG-07"},{"name":"sort-id","value":"007"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"}],"title":"Notify FedRAMP After Requests"}]},{"id":"FRR-MAS","parts":[{"name":"overview","prose":"These requirements apply ALWAYS to ALL FedRAMP authorizations 
based on the Effective Date(s) and Overall Applicability."}],"props":[{"name":"sort-id","value":"042"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"base"}],"title":"Minimum Assessment Scope","controls":[{"id":"FRR-MAS-01","parts":[{"id":"FRR-MAS-01_smt","name":"statement","parts":[{"id":"FRR-MAS-01_smt_01","name":"item","prose":"Providers MUST identify a set of *information resources* to assess for FedRAMP authorization that includes all *information resources* that are *likely* to *handle* *federal customer data* or *likely* to impact the confidentiality, integrity, or availability of *federal customer data* *handled* by the *cloud service offering*."}]}],"props":[{"name":"label","value":"FRR-MAS-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Cloud Service Offering Identification"},{"id":"FRR-MAS-02","parts":[{"id":"FRR-MAS-02_smt","name":"statement","parts":[{"id":"FRR-MAS-02_smt_01","name":"item","prose":"Providers MUST include the configuration and usage of *third-party information resources* , ONLY IF *FRR-MAS-01* APPLIES."}]}],"props":[{"name":"label","value":"FRR-MAS-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Third-Party Information 
Resources"},{"id":"FRR-MAS-03","parts":[{"id":"FRR-MAS-03_smt","name":"statement","parts":[{"id":"FRR-MAS-03_smt_01","name":"item","prose":"Providers MUST clearly identify and document the justification, mitigation measures, compensating controls, and potential impact to *federal customer data* from the configuration and usage of non-FedRAMP authorized *third-party information resources* , ONLY IF *FRR-MAS-01* APPLIES."}]}],"props":[{"name":"label","value":"FRR-MAS-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Non-FedRAMP Authorized Third-Party Information Resources"},{"id":"FRR-MAS-04","parts":[{"id":"FRR-MAS-04_smt","name":"statement","parts":[{"id":"FRR-MAS-04_smt_01","name":"item","prose":"Providers MUST include metadata (including metadata about *federal customer data* ), ONLY IF *FRR-MAS-01* APPLIES."}]}],"props":[{"name":"label","value":"FRR-MAS-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Metadata Inclusion"},{"id":"FRR-MAS-05","parts":[{"id":"FRR-MAS-05_smt","name":"statement","parts":[{"id":"FRR-MAS-05_smt_01","name":"item","prose":"Providers MUST clearly identify, document, and explain information flows and impact levels for ALL *information resources* , ONLY IF *FRR-MAS-01* 
APPLIES."}]}],"props":[{"name":"label","value":"FRR-MAS-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Information Flows and Impact Levels"}]},{"id":"FRR-MAS-AY","parts":[{"name":"overview","prose":"This section provides general guidance on the application of this process."}],"props":[{"name":"sort-id","value":"043"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"application"}],"title":"Minimum Assessment Scope (Application)","controls":[{"id":"FRR-MAS-AY-01","links":[{"href":"http://fedramp.gov/scope","text":"Overall Scope of FedRAMP"}],"parts":[{"id":"FRR-MAS-AY-01_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-01_smt_01","name":"item","prose":"Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the *cloud service offering* for FedRAMP. 
For more, see https://fedramp.gov/scope."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Scope of FedRAMP"},{"id":"FRR-MAS-AY-02","links":[{"href":"http://fedramp.gov/scope","text":"Overall Scope of FedRAMP"}],"parts":[{"id":"FRR-MAS-AY-02_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-02_smt_01","name":"item","prose":"Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the *cloud service offering* for FedRAMP. 
For more, see https://fedramp.gov/scope."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-02"},{"name":"sort-id","value":"002"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Non-Cloud-Based Software"},{"id":"FRR-MAS-AY-03","parts":[{"id":"FRR-MAS-AY-03_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-03_smt_01","name":"item","prose":"*Information resources* (including *third-party information resources* ) that do not meet the conditions in FRR-MAS-01 are not included in the *cloud service offering* for FedRAMP (*FRR-MAS-02*)."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-03"},{"name":"sort-id","value":"003"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Exclusion of Non-Impacting Information Resources"},{"id":"FRR-MAS-AY-04","parts":[{"id":"FRR-MAS-AY-04_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-04_smt_01","name":"item","prose":"*Information 
resources* (including *third-party information resources* ) MAY vary by impact level as appropriate to the level of information *handled* or impacted by the information resource (*FRR-MAS-05*)."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-04"},{"name":"sort-id","value":"004"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Impact Level Variations"},{"id":"FRR-MAS-AY-05","parts":[{"id":"FRR-MAS-AY-05_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-05_smt_01","name":"item","prose":"All parties SHOULD review best practices and technical assistance provided separately by FedRAMP for help with applying the Minimum Assessment Scope as needed."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-05"},{"name":"sort-id","value":"005"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"SHOULD"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Review of Best 
Practices"},{"id":"FRR-MAS-AY-06","parts":[{"id":"FRR-MAS-AY-06_smt","name":"statement","parts":[{"id":"FRR-MAS-AY-06_smt_01","name":"item","prose":"All aspects of the *cloud service offering* are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials."}]}],"props":[{"name":"label","value":"FRR-MAS-AY-06"},{"name":"sort-id","value":"006"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MUST"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"agencies"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"assessors"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"fedramp"}],"title":"Cloud Service Offering Determination"}]},{"id":"FRR-MAS-EX","parts":[{"name":"overview","prose":"These exceptions MAY override some or all of the FedRAMP requirements for this process."}],"props":[{"name":"sort-id","value":"044"},{"ns":"http://fedramp.gov/ns/oscal","name":"category","value":"exceptions"}],"title":"Minimum Assessment Scope (Exceptions)","controls":[{"id":"FRR-MAS-EX-01","parts":[{"id":"FRR-MAS-EX-01_smt","name":"statement","parts":[{"id":"FRR-MAS-EX-01_smt_01","name":"item","prose":"Providers MAY include documentation of *information resources* beyond the *cloud service offering* , or even entirely outside the scope of FedRAMP, in a FedRAMP assessment and *authorization package* supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the *cloud service 
offering*."}]}],"props":[{"name":"label","value":"FRR-MAS-EX-01"},{"name":"sort-id","value":"001"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"low"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"moderate"},{"ns":"http://fedramp.gov/ns/oscal","name":"assurance-level","value":"high"},{"ns":"http://fedramp.gov/ns/oscal","name":"primary-key-word","value":"MAY"},{"ns":"http://fedramp.gov/ns/oscal","name":"affects","value":"providers"}],"title":"Supplemental Information"}]}]}]}}