{"catalog":{"uuid":"a3f7b2c1-9d4e-4a8f-b6e3-1c5d7f2a9b04","metadata":{"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"source-version","value":"0.9.41-beta"},{"ns":"https://fedramp.gov/ns/oscal","name":"scope","value":"20x"}],"roles":[{"id":"publisher","title":"Document Publisher"},{"id":"author","title":"Document Author"}],"title":"FedRAMP 20x","parties":[{"name":"FedRAMP, General Services Administration","type":"organization","uuid":"e408be31-621c-5f06-b74f-7e348969d995","links":[{"rel":"homepage","href":"https://www.fedramp.gov"}],"short-name":"FedRAMP"}],"remarks":"This datafile contains FedRAMP documentation for cloud service providers seeking FedRAMP Authorization. This includes definitions, requirements, recommendations, and key security indicators.","version":"0.9.41-beta","published":"2026-03-12T00:00:00Z","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"eb3670fc-f5b7-4eee-8bfd-457a1bab6278"}],"last-modified":"2026-03-12T00:00:00Z","oscal-version":"1.1.2","responsible-parties":[{"role-id":"publisher","party-uuids":["e408be31-621c-5f06-b74f-7e348969d995"]},{"role-id":"author","party-uuids":["e408be31-621c-5f06-b74f-7e348969d995"]}]},"groups":[{"id":"FRR","props":[{"name":"label","value":"FRR"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"FRR"}],"title":"FedRAMP Requirements and Recommendations","groups":[{"id":"FRR-ADS","parts":[{"id":"FRR-ADS_purpose","name":"overview","prose":"Modern cloud services store and share security and compliance information in convenient repositories that allow customers to rapidly review security information and gain access to additional information as needed. 
These services often include automated integration with cloud service infrastructure to remove manual burden and ensure information is accurate and up to date.\n\nThis security and compliance information (including FedRAMP authorization data) is the intellectual property of the cloud service provider and is not federal customer data in most cases.* The federal government benefits when the same security information is shared among all customers and even the public to ensure maximum transparency and accountability of cloud service providers.\n\nFedRAMP's Authorization Data Sharing process provides a process or mechanism for cloud service providers to store and share authorization data on their preferred platform of choice if it meets certain FedRAMP requirements.\n\n_* Providers with questions about this should consult with a lawyer who specializes in procurement law. Typically a contract with the government granting ownership of information is required to transfer ownership to the government._"},{"id":"FRR-ADS_outcomes","name":"expected-outcomes","prose":"- Cloud service providers will be able to manage authorization data in the same platforms used for commercial customers, reusing data as appropriate\n\n- Federal agencies will be able to access necessary authorization data via API or other automated mechanisms integrated into agency authorization systems to simplify the burden of review and continuous monitoring\n\n- Trust center providers and GRC automation tool providers will develop innovative solutions and improvements to ensure standardized automated data sharing and validation within the FedRAMP 
ecosystem"}],"props":[{"name":"label","value":"ADS"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"ADS"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"authorization-data-sharing"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Authorization Data Sharing","controls":[{"id":"ADS-CSX-UTC","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-CSX-UTC_stmt","name":"statement","prose":"Providers MUST use a FedRAMP-compatible trust center to store and share authorization data with all necessary parties."},{"id":"ADS-CSX-UTC_guidance.1","name":"guidance","prose":"Requirements and recommendations for FedRAMP-compatible trust centers are explained in ADS-TRC."},{"id":"ADS-CSX-UTC_guidance.2","name":"guidance","prose":"This requirement only applies to FedRAMP 20x."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-07"},{"name":"label","value":"ADS-CSX-UTC"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Use Trust Centers"},{"id":"ADS-CSO-PUB","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service 
Offering"},{"rel":"defined-term","href":"#7e13e8cd-3ad6-59b3-8552-b35d63beab2b","text":"Machine-Readable"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-CSO-PUB_stmt","name":"statement","parts":[{"id":"ADS-CSO-PUB_stmt.item-01","name":"item","prose":"Direct link to the FedRAMP Marketplace for the offering"},{"id":"ADS-CSO-PUB_stmt.item-02","name":"item","prose":"Service Model"},{"id":"ADS-CSO-PUB_stmt.item-03","name":"item","prose":"Deployment Model"},{"id":"ADS-CSO-PUB_stmt.item-04","name":"item","prose":"Business Category"},{"id":"ADS-CSO-PUB_stmt.item-05","name":"item","prose":"UEI Number"},{"id":"ADS-CSO-PUB_stmt.item-06","name":"item","prose":"Contact Information"},{"id":"ADS-CSO-PUB_stmt.item-07","name":"item","prose":"Overall Service Description"},{"id":"ADS-CSO-PUB_stmt.item-08","name":"item","prose":"Detailed list of specific services and their security objectives (see ADS-CSO-SVC)"},{"id":"ADS-CSO-PUB_stmt.item-09","name":"item","prose":"Summary of customer responsibilities and secure configuration guidance (if applicable, see the FedRAMP Secure Configuration Guide process)"},{"id":"ADS-CSO-PUB_stmt.item-10","name":"item","prose":"Process for accessing information in the trust center (if applicable)"},{"id":"ADS-CSO-PUB_stmt.item-11","name":"item","prose":"Availability status and recent disruptions for the trust center (if applicable)"},{"id":"ADS-CSO-PUB_stmt.item-12","name":"item","prose":"Customer support information for the trust center (if applicable)"},{"id":"ADS-CSO-PUB_stmt.item-13","name":"item","prose":"Next Ongoing Authorization Report date (see CCM-OAR-NRD)"}],"prose":"Providers MUST publicly share up-to-date information about the cloud service offering in both human-readable and machine-readable formats, including at 
least:"},{"id":"ADS-CSO-PUB_guidance","name":"guidance","prose":"Generally, this information should be available on a public webpage."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-01"},{"name":"label","value":"ADS-CSO-PUB"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Public Information"},{"id":"ADS-CSO-SVC","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"}],"parts":[{"id":"ADS-CSO-SVC_stmt","name":"statement","prose":"Providers MUST publicly share a detailed list of specific services and their security objectives that are included in the cloud service offering using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP Minimum Assessment Scope without requesting access to underlying authorization data."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-03"},{"name":"label","value":"ADS-CSO-SVC"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Service List"},{"id":"ADS-CSO-CBF","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#7e13e8cd-3ad6-59b3-8552-b35d63beab2b","text":"Machine-Readable"}],"parts":[{"id":"ADS-CSO-CBF_stmt","name":"statement","prose":"Providers MUST use automation to ensure information remains consistent between human-readable and machine-readable formats when authorization data is provided in both 
formats."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-02"},{"name":"label","value":"ADS-CSO-CBF"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Consistency Between Formats"},{"id":"ADS-CSO-RIS","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"}],"parts":[{"id":"ADS-CSO-RIS_stmt","name":"statement","prose":"Providers MUST provide sufficient information in authorization data to support authorization decisions but SHOULD NOT include sensitive information that would likely enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the cloud service offering."},{"id":"ADS-CSO-RIS_guidance","name":"guidance","prose":"This is not a license to exclude accurate risk information, but specifics that would likely lead to compromise should be abstracted. 
A breach of confidentiality with authorization data should be anticipated by a secure cloud service provider."},{"id":"ADS-CSO-RIS_example.01","name":"example","prose":{"id":"Tips on sensitive information in authorization data","examples":["DON'T: \"In an emergency, an administrator with physical access to a system can log in using \"secretadmin\" with the password \"pleasewutno\"\"","DO: \"In an emergency, administrators with physical access can log in directly.\"","DON'T: \"All backup MFA credentials are stored in a SuperSafe Series 9000 safe in the CEOs office.\"","DO: \"All backup MFA credentials are stored in a UL Class 350 safe in a secure location with limited access.\"","DON'T: \"During an incident, the incident response team lead by Jim Smith (555-0505) will open a channel at the conference line (555-0101 #97808 passcode 99731)...\"","DO: \"During an incident, the incident response team will coordinate over secure channels.\""],"key_tests":["Passwords, API keys, access credentials, etc.","Excessive detail about methodology that exposes weaknesses","Personally identifiable information about employees"]}}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-05"},{"name":"label","value":"ADS-CSO-RIS"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Responsible Information Sharing"},{"id":"ADS-CSO-HAD","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"}],"parts":[{"id":"ADS-CSO-HAD_stmt","name":"statement","prose":"Providers MUST make historical versions of authorization data available for three years to all necessary parties UNLESS otherwise specified by applicable FedRAMP requirements; deltas between versions MAY be consolidated 
quarterly."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-09"},{"name":"label","value":"ADS-CSO-HAD"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Historical Authorization Data"},{"id":"ADS-UTC-PGD","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-UTC-PGD_stmt","name":"statement","prose":"Providers MUST publicly provide plain-language policies and guidance for all necessary parties that explains how they can obtain and manage access to authorization data stored in the trust center."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-AC-01"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"ADS-CSO-PGD"},{"name":"label","value":"ADS-UTC-PGD"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Public Guidance"},{"id":"ADS-UTC-AGA","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#b4ac8872-3bd8-5d73-a372-82b37d8b9c27","text":"Authorization Package"}],"parts":[{"id":"ADS-UTC-AGA_stmt","name":"statement","prose":"Providers SHOULD share the authorization package with agencies upon 
request."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-AC-02"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"ADS-CSO-AGA"},{"name":"label","value":"ADS-UTC-AGA"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Agency Access"},{"id":"ADS-UTC-AAD","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"}],"parts":[{"id":"ADS-UTC-AAD_stmt","name":"statement","prose":"Providers MUST notify FedRAMP by email to info@fedramp.gov within 5 business days of denying an agency access request for authorization data."},{"id":"ADS-UTC-AAD_notification","name":"notification","prose":[{"party":"FedRAMP","method":"email","target":"info@fedramp.gov"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"ADS-CSO-AAD"},{"name":"label","value":"ADS-UTC-AAD"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"5 bizdays"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Agency Access Denial"},{"id":"ADS-TRC-USH","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-TRC-USH_stmt","name":"statement","prose":"Trust centers MUST share authorization data with all necessary parties without interruption."},{"id":"ADS-TRC-USH_guidance","name":"guidance","prose":"\"Without interruption\" means that parties should not have to request manual approval each time they need to 
access authorization data or go through a complicated process. The preferred way of ensuring access without interruption is to use on-demand just-in-time access provisioning."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-04"},{"name":"label","value":"ADS-TRC-USH"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Uninterrupted Sharing"},{"id":"ADS-TRC-PAC","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-TRC-PAC_stmt","name":"statement","prose":"Trust centers MUST provide documented programmatic access to all authorization data, including programmatic access to human-readable materials."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-TC-03"},{"name":"label","value":"ADS-TRC-PAC"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Programmatic Access"},{"id":"ADS-TRC-AAI","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-TRC-AAI_stmt","name":"statement","prose":"Trust centers MUST maintain an inventory and history of federal agency users or systems with access to authorization data and MUST make this information available to FedRAMP without 
interruption."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-TC-05"},{"name":"label","value":"ADS-TRC-AAI"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Agency Access Inventory"},{"id":"ADS-TRC-ACL","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-TRC-ACL_stmt","name":"statement","prose":"Trust centers MUST log access to authorization data and store summaries of access for at least six months; such information, as it pertains to specific parties, SHOULD be made available upon request by those parties."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-TC-06"},{"name":"label","value":"ADS-TRC-ACL"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Access Logging"},{"id":"ADS-TRC-HMR","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#7e13e8cd-3ad6-59b3-8552-b35d63beab2b","text":"Machine-Readable"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-TRC-HMR_stmt","name":"statement","prose":"Trust centers SHOULD make authorization data available to view and download in both human-readable and machine-readable formats."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-TC-02"},{"name":"label","value":"ADS-TRC-HMR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Human and 
Machine-Readable"},{"id":"ADS-TRC-SSM","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-TRC-SSM_stmt","name":"statement","prose":"Trust centers SHOULD include features that encourage all necessary parties to provision and manage access to authorization data for their users and services directly."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-TC-04"},{"name":"label","value":"ADS-TRC-SSM"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Self-Service Access Management"},{"id":"ADS-TRC-RSP","links":[{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ADS-TRC-RSP_stmt","name":"statement","prose":"Trust centers SHOULD deliver responsive performance during normal operating conditions and minimize service disruptions."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ADS-TC-07"},{"name":"label","value":"ADS-TRC-RSP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Responsive Performance"}]},{"id":"FRR-CCM","parts":[{"id":"FRR-CCM_purpose","name":"overview","prose":"Agencies are required to continuously monitor all of their information systems following a documented process integrated into their Information Security Continuous Monitoring (ISCM) strategy. 
These strategies are specific to each agency and may even vary at the bureau, component, or information system levels.\n\nThe concept behind collaborative continuous monitoring is unique to government customers and creates a burden for commercial cloud service providers. This process attempts to minimize this burden by encouraging the use of automated monitoring and review of authorization data required by other FedRAMP standards and limiting the expected human interaction costs for cloud service providers and agencies. Agencies are expected to use information from the cloud service provider collaboratively in accordance with their agency ISCM strategy without blocking other agencies from making their own risk-based decisions about ongoing authorization."},{"id":"FRR-CCM_outcomes","name":"expected-outcomes","prose":"- Cloud service providers will operate their services and share additional information with agency customers to ensure they can meet their responsibilities and obligations for safely and securely operating the service\n\n- Federal agencies will have streamlined access to the information they actually need to make ongoing security and authorization decisions while having support from government-wide policies that demonstrate the different responsibilities and obligations for operating cloud services"}],"props":[{"name":"label","value":"CCM"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"CCM"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"collaborative-continuous-monitoring"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Collaborative Continuous 
Monitoring","controls":[{"id":"CCM-OAR-AVL","links":[{"rel":"defined-term","href":"#d412e612-661e-5cf6-907c-6cedae2e85a4","text":"Accepted Vulnerability"},{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"},{"rel":"defined-term","href":"#8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","text":"Transformative"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"CCM-OAR-AVL_stmt","name":"statement","parts":[{"id":"CCM-OAR-AVL_stmt.item-01","name":"item","prose":"Changes to authorization data"},{"id":"CCM-OAR-AVL_stmt.item-02","name":"item","prose":"Planned changes to authorization data during at least the next 3 months"},{"id":"CCM-OAR-AVL_stmt.item-03","name":"item","prose":"Accepted vulnerabilities"},{"id":"CCM-OAR-AVL_stmt.item-04","name":"item","prose":"Transformative changes"},{"id":"CCM-OAR-AVL_stmt.item-05","name":"item","prose":"Updated recommendations or best practices for security, configuration, usage, or similar aspects of the cloud service offering"}],"prose":"Providers MUST make an Ongoing Authorization Report available to all necessary parties every 3 months, covering the entire period since the previous summary, in a consistent format that is human readable; this report MUST include high-level summaries of at least the following information:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-01"},{"name":"label","value":"CCM-OAR-AVL"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Report 
Availability"},{"id":"CCM-OAR-NRD","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"}],"parts":[{"id":"CCM-OAR-NRD_stmt","name":"statement","prose":"Providers MUST publicly include the target date for their next Ongoing Authorization Report with other public authorization data."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-03"},{"name":"label","value":"CCM-OAR-NRD"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Next Report Date"},{"id":"CCM-OAR-FBM","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"}],"parts":[{"id":"CCM-OAR-FBM_stmt","name":"statement","prose":"Providers MUST establish and share an asynchronous mechanism for all necessary parties to provide feedback or ask questions about each Ongoing Authorization Report."},{"id":"CCM-OAR-FBM_guidance","name":"guidance","prose":"This could be email by default but providers are encouraged to consider something more interactive as appropriate."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-04"},{"name":"label","value":"CCM-OAR-FBM"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Feedback Mechanism"},{"id":"CCM-OAR-AFS","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report 
(OAR)"}],"parts":[{"id":"CCM-OAR-AFS_stmt","name":"statement","prose":"Providers MUST maintain an anonymized and desensitized summary of the feedback, questions, and answers about each Ongoing Authorization Report as an addendum to the Ongoing Authorization Report."},{"id":"CCM-OAR-AFS_guidance","name":"guidance","prose":"This is intended to encourage sharing of information and decrease the burden on the cloud service provider - providing this summary will reduce duplicate questions from agencies and ensure FedRAMP has access to this information. It is generally in the provider’s interest to update this addendum frequently throughout the quarter."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-05"},{"name":"label","value":"CCM-OAR-AFS"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Anonymized Feedback Summary"},{"id":"CCM-OAR-LSI","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"}],"parts":[{"id":"CCM-OAR-LSI_stmt","name":"statement","prose":"Providers MUST NOT irresponsibly disclose sensitive information in an Ongoing Authorization Report that would likely have an adverse effect on the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-06"},{"name":"label","value":"CCM-OAR-LSI"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Limit Sensitive 
Information"},{"id":"CCM-OAR-SOR","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#1b31d765-df3b-5c9c-bdce-1ca439819906","text":"Regularly"}],"parts":[{"id":"CCM-OAR-SOR_stmt","name":"statement","prose":"Providers SHOULD establish a regular 3 month cycle for Ongoing Authorization Reports that is spread out from the beginning, middle, or end of each quarter."},{"id":"CCM-OAR-SOR_guidance","name":"guidance","prose":"This recommendation is intended to discourage hundreds of cloud service providers from releasing their Ongoing Authorization Reports during the first or last week of each quarter because that is the easiest way for a single provider to track this deliverable; the result would overwhelm agencies with many cloud services. Widely used cloud service providers are encouraged to work with their customers to identify ideal timeframes for this cycle."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-02"},{"name":"label","value":"CCM-OAR-SOR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Spread Out Reports"},{"id":"CCM-OAR-RPS","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"}],"parts":[{"id":"CCM-OAR-RPS_stmt","name":"statement","prose":"Providers MAY responsibly share some or all of the information an Ongoing Authorization Report publicly or with other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service 
offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-07"},{"name":"label","value":"CCM-OAR-RPS"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Responsible Public Sharing"},{"id":"CCM-QTR-MTG","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-QTR-MTG_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"3 months"}],"prose":"Providers SHOULD host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Authorization Reports that the provider determines are of the most relevance to agencies."},{"id":"CCM-QTR-MTG_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"3 months"}],"prose":"Providers MUST host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Authorization Reports that the provider determines are of the most relevance to agencies."},{"id":"CCM-QTR-MTG_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"3 months"}],"prose":"Providers MUST host a synchronous Quarterly Review every 3 months, open to all necessary parties, to review aspects of the most recent Ongoing Authorization Reports that the 
provider determines are of the most relevance to agencies."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-01"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-02"},{"name":"label","value":"CCM-QTR-MTG"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Quarterly Review Meeting"},{"id":"CCM-QTR-REG","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-QTR-REG_stmt","name":"statement","prose":"Providers MUST include either a registration link or a downloadable calendar file with meeting information for Quarterly Reviews in the authorization data available to all necessary parties required by ADS-CSL-UCP and ADS-CSO-FCT."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-05"},{"name":"label","value":"CCM-QTR-REG"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Meeting Registration Info"},{"id":"CCM-QTR-NRD","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-QTR-NRD_stmt","name":"statement","prose":"Providers MUST publicly include the target date for their next Quarterly Review with other public authorization 
data."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-06"},{"name":"label","value":"CCM-QTR-NRD"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Next Review Date"},{"id":"CCM-QTR-NID","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-QTR-NID_stmt","name":"statement","prose":"Providers MUST NOT irresponsibly disclose sensitive information in a Quarterly Review that would likely have an adverse effect on the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-04"},{"name":"label","value":"CCM-QTR-NID"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"No Irresponsible Disclosure"},{"id":"CCM-QTR-SAR","links":[{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"},{"rel":"defined-term","href":"#1b31d765-df3b-5c9c-bdce-1ca439819906","text":"Regularly"}],"parts":[{"id":"CCM-QTR-SAR_stmt","name":"statement","prose":"Providers SHOULD regularly schedule Quarterly Reviews to occur at least 3 business days after releasing an Ongoing Authorization Report AND within 10 business days of such 
release."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-03"},{"name":"label","value":"CCM-QTR-SAR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Schedule Around Reports"},{"id":"CCM-QTR-ACT","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-QTR-ACT_stmt","name":"statement","prose":"Providers SHOULD include additional information in Quarterly Reviews that the provider determines is of interest, use, or otherwise relevant to agencies."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-07"},{"name":"label","value":"CCM-QTR-ACT"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Additional Content"},{"id":"CCM-QTR-RTR","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-QTR-RTR_stmt","name":"statement","prose":"Providers SHOULD record or transcribe Quarterly Reviews and make such available to all necessary parties with other authorization data."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-09"},{"name":"label","value":"CCM-QTR-RTR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Record/Transcribe 
Reviews"},{"id":"CCM-QTR-RTP","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-QTR-RTP_stmt","name":"statement","prose":"Providers SHOULD NOT invite third parties to attend Quarterly Reviews intended for agencies unless they have specific relevance."},{"id":"CCM-QTR-RTP_guidance","name":"guidance","prose":"This is because agencies are less likely to actively participate in meetings with third parties; the cloud service provider's independent assessor should be considered relevant by default."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-08"},{"name":"label","value":"CCM-QTR-RTP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Restrict Third Parties"},{"id":"CCM-QTR-SRR","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-QTR-SRR_stmt","name":"statement","prose":"Providers MAY responsibly share recordings or transcriptions of Quarterly Reviews with the public or other parties ONLY if the provider removes all agency information (comments, questions, names, etc.) 
AND determines sharing will NOT likely have an adverse effect on the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-10"},{"name":"label","value":"CCM-QTR-SRR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Share Recordings Responsibly"},{"id":"CCM-QTR-SCR","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-QTR-SCR_stmt","name":"statement","prose":"Providers MAY responsibly share content prepared for a Quarterly Review with the public or other parties if the provider determines doing so will NOT likely have an adverse effect on the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-QR-11"},{"name":"label","value":"CCM-QTR-SCR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Share Content Responsibly"},{"id":"CCM-AGM-ROR","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"}],"parts":[{"id":"CCM-AGM-ROR_stmt","name":"statement","prose":"Agencies MUST review each Ongoing Authorization Report to understand how changes to the cloud service offering may impact the previously agreed-upon risk tolerance documented in the agency's Authorization to Operate of a federal information system that includes the cloud 
service offering in its boundary."},{"id":"CCM-AGM-ROR_guidance","name":"guidance","prose":"This is required by 44 USC § 35, OMB A-130, FIPS-200, and M-24-15."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-AG-01"},{"name":"label","value":"CCM-AGM-ROR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Review Ongoing Reports"},{"id":"CCM-AGM-NFR","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-AGM-NFR_stmt","name":"statement","prose":"Agencies MUST notify FedRAMP by sending an email to info@fedramp.gov if the information presented in an Ongoing Authorization Report, Quarterly Review, or other ongoing authorization data causes significant concerns that may lead the agency to stop operation of the cloud service offering."},{"id":"CCM-AGM-NFR_guidance","name":"guidance","prose":"Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a)."},{"id":"CCM-AGM-NFR_notification","name":"notification","prose":[{"party":"FedRAMP","method":"email","target":"info@fedramp.gov"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-AG-05"},{"name":"label","value":"CCM-AGM-NFR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Notify FedRAMP of 
Concerns"},{"id":"CCM-AGM-NFA","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"}],"parts":[{"id":"CCM-AGM-NFA_stmt","name":"statement","prose":"Agencies MUST notify FedRAMP after requesting any additional information or materials from a cloud service provider beyond those FedRAMP requires by sending an email to info@fedramp.gov."},{"id":"CCM-AGM-NFA_guidance","name":"guidance","prose":"Agencies are required to notify FedRAMP by OMB Memorandum M-24-15 section IV (a)."},{"id":"CCM-AGM-NFA_notification","name":"notification","prose":[{"party":"FedRAMP","method":"email","target":"info@fedramp.gov"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-AG-07"},{"name":"label","value":"CCM-AGM-NFA"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Notify FedRAMP After Requests"},{"id":"CCM-AGM-NAR","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"}],"parts":[{"id":"CCM-AGM-NAR_stmt","name":"statement","prose":"Agencies MUST NOT place additional security requirements on cloud service providers beyond those required by FedRAMP UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such; this does not apply to seeking clarification or asking general questions about authorization data."},{"id":"CCM-AGM-NAR_guidance","name":"guidance","prose":"This is a statutory requirement in 44 USC § 3613 (e) related to the Presumption of Adequacy for a FedRAMP authorization."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-AG-06"},{"name":"label","value":"CCM-AGM-NAR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST 
NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"No Additional Requirements"},{"id":"CCM-AGM-CSC","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-AGM-CSC_stmt","name":"statement","prose":"Agencies SHOULD consider the Security Category noted in their Authorization to Operate of the federal information system that includes the cloud service offering in its boundary and assign appropriate information security resources for reviewing Ongoing Authorization Reports, attending Quarterly Reviews, and other ongoing authorization data."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-AG-02"},{"name":"label","value":"CCM-AGM-CSC"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Consider Security Category"},{"id":"CCM-AGM-SSR","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-AGM-SSR_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"}],"prose":"Agencies MAY designate a senior information security official to review Ongoing Authorization Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems with a Security Category of 
High."},{"id":"CCM-AGM-SSR_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"}],"prose":"Agencies MAY designate a senior information security official to review Ongoing Authorization Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems with a Security Category of High."},{"id":"CCM-AGM-SSR_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"}],"prose":"Agencies SHOULD designate a senior information security official to review Ongoing Authorization Reports and represent the agency at Quarterly Reviews for cloud service offerings included in agency information systems with a Security Category of High."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-AG-03"},{"name":"label","value":"CCM-AGM-SSR"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Senior Security Reviewer"},{"id":"CCM-AGM-NPC","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#5814e022-8b3a-5535-832f-c1d6c8ada953","text":"Ongoing Authorization Report (OAR)"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"}],"parts":[{"id":"CCM-AGM-NPC_stmt","name":"statement","prose":"Agencies SHOULD formally notify the provider if the information presented in an Ongoing Authorization Report, Quarterly Review, or other ongoing authorization data causes significant concerns that may lead the agency to remove the cloud service offering from 
operation."},{"id":"CCM-AGM-NPC_notification","name":"notification","prose":[{"party":"provider","method":"email","target":"security-email"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-CCM-AG-04"},{"name":"label","value":"CCM-AGM-NPC"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Notify Provider of Concerns"}]},{"id":"FRR-FSI","parts":[{"id":"FRR-FSI_purpose","name":"overview","prose":"FedRAMP must have a reliable way to directly contact security and compliance staff operating all FedRAMP Authorized cloud service offerings without tracking individual contacts or maintaining provider-specific logins to customer support portals. These requirements for a FedRAMP Security Inbox apply to all cloud service providers to ensure this direct reliable path remains open, especially in the event of critical security issues.\n\nAll Emergency and Important messages sent by FedRAMP will include specific actions, timeframes expected for action, and an explanation of the corrective actions that FedRAMP will take if the timeframes are not met. Failure to take timely action as required by Emergency communications will result in corrective action from FedRAMP.\n\nFedRAMP will conduct strictly controlled tests of reactions to emergency communications regularly and provide public notice of these tests in advance. 
The reaction times for these tests will be tracked by FedRAMP and made publicly available.\n\nThis set of requirements and recommendations includes explicit requirements that FedRAMP will follow to ensure important communications or those sent during emergencies can be routed by cloud service providers separately from general communications."},{"id":"FRR-FSI_outcomes","name":"expected-outcomes","prose":"- FedRAMP will follow a consistent and repeatable process to communicate with cloud service providers, especially when sending important or emergency messages.\n\n- Cloud service providers will always receive messages from FedRAMP and prioritize the review and reaction to important or emergency messages."}],"props":[{"name":"label","value":"FSI"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"FSI"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"fedramp-security-inbox"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"FedRAMP Security Inbox","controls":[{"id":"FSI-FRP-VRE","parts":[{"id":"FSI-FRP-VRE_stmt","name":"statement","prose":"FedRAMP MUST send messages to cloud service providers using an official @fedramp.gov or @gsa.gov email address with properly configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) email authentication."},{"id":"FSI-FRP-VRE_guidance","name":"guidance","prose":"Anyone at GSA can send email from @fedramp.gov or @gsa.gov; FedRAMP team members will typically have \"FedRAMP\" or \"Q20B\" in their name but this is not universal or enforceable. 
The nature of government enterprise IT services makes it difficult for FedRAMP to isolate FedRAMP-specific team members with enforceable identifiers."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-01"},{"name":"label","value":"FSI-FRP-VRE"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Verified Emails"},{"id":"FSI-FRP-CDS","links":[{"rel":"defined-term","href":"#07282bbb-927e-58cc-8350-0a8593d6a549","text":"FedRAMP Security Inbox"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"}],"parts":[{"id":"FSI-FRP-CDS_stmt","name":"statement","parts":[{"id":"FSI-FRP-CDS_stmt.item-01","name":"item","prose":"**Emergency:** There is a potential incident or crisis such that FedRAMP requires an extremely urgent reaction; emergency messages will contain aggressive timeframes for reaction and failure to meet these timeframes will result in corrective action."},{"id":"FSI-FRP-CDS_stmt.item-02","name":"item","prose":"**Emergency Test:** FedRAMP requires an extremely urgent reaction to confirm the functionality and effectiveness of the FedRAMP Security Inbox; emergency test messages will contain aggressive timeframes for reaction and failure to meet these timeframes will result in corrective action."},{"id":"FSI-FRP-CDS_stmt.item-03","name":"item","prose":"**Important:** There is an important issue that FedRAMP requires the cloud service provider to address; important messages will contain reasonable timeframes for reaction and failure to meet these timeframes may result in corrective action."}],"prose":"FedRAMP MUST convey the criticality of the message in the subject line, IF the message requires an elevated reaction, using one of the following designators:"},{"id":"FSI-FRP-CDS_guidance","name":"guidance","prose":"Messages sent by FedRAMP without one of these designators are considered general 
communications and do not require an elevated reaction; these may be resolved in the normal course of business by the cloud service provider."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-02"},{"name":"label","value":"FSI-FRP-CDS"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Criticality Designators"},{"id":"FSI-FRP-UFS","parts":[{"id":"FSI-FRP-UFS_stmt","name":"statement","prose":"FedRAMP MUST send Emergency and Emergency Test designated messages from fedramp_security@gsa.gov OR fedramp_security@fedramp.gov."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-03"},{"name":"label","value":"FSI-FRP-UFS"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Use FedRAMP_Security Email in Emergencies"},{"id":"FSI-FRP-PNT","links":[{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"}],"parts":[{"id":"FSI-FRP-PNT_stmt","name":"statement","prose":"FedRAMP MUST post a public notice at least 10 business days in advance of sending an Emergency Test message; such notices MUST include explanation of the likely expected actions and timeframes for the Emergency Test message."},{"id":"FSI-FRP-PNT_guidance.1","name":"guidance","prose":"Public notice may include blog posts, social media posts, announcements during Community Updates, or e-blasts."},{"id":"FSI-FRP-PNT_guidance.2","name":"guidance","prose":"As this process matures, additional confirmed options may become 
available."},{"id":"FSI-FRP-PNT_notification","name":"notification","prose":[{"party":"public","method":"web","target":"fedramp.gov"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-04"},{"name":"label","value":"FSI-FRP-PNT"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"10 bizdays"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Public Notice of Emergency Tests"},{"id":"FSI-FRP-RQA","parts":[{"id":"FSI-FRP-RQA_stmt","name":"statement","prose":"FedRAMP MUST clearly specify the required actions in the body of messages that require an elevated reaction."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-05"},{"name":"label","value":"FSI-FRP-RQA"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Required Actions"},{"id":"FSI-FRP-ERT","links":[{"rel":"defined-term","href":"#a2c30a2e-b73d-5ef8-85d2-ec8239323018","text":"Catastrophic Adverse Effect"}],"parts":[{"id":"FSI-FRP-ERT_stmt","name":"statement","parts":[{"id":"FSI-FRP-ERT_stmt.item-01","name":"item","prose":"**High Impact:** within 12 hours"},{"id":"FSI-FRP-ERT_stmt.item-02","name":"item","prose":"**Moderate Impact:** by 3:00 p.m. Eastern Time on the 2nd business day"},{"id":"FSI-FRP-ERT_stmt.item-03","name":"item","prose":"**Low Impact:** by 3:00 p.m. 
Eastern Time on the 3rd business day"}],"prose":"FedRAMP MUST clearly specify the expected timeframe for completing required actions in the body of messages that require an elevated reaction; timeframes for actions will vary depending on the situation but the default timeframes to provide an estimated resolution time for Emergency and Emergency Test designated messages will be as follows:"},{"id":"FSI-FRP-ERT_guidance","name":"guidance","prose":"High impact cloud service providers are expected to address Emergency messages (including tests) from FedRAMP with a reaction time appropriate to operating a service where failure to react rapidly might have a severe or catastrophic adverse effect on the U.S. Government; some Emergency messages may require faster reaction and all such messages should be addressed as quickly as possible."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-06"},{"name":"label","value":"FSI-FRP-ERT"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Elevated Reaction Timeframes"},{"id":"FSI-FRP-COR","parts":[{"id":"FSI-FRP-COR_stmt","name":"statement","prose":"FedRAMP MUST clearly specify the corrective actions that will result from failure to complete the required actions in the body of messages that require an elevated reaction; such actions may vary from negative ratings in the FedRAMP Marketplace to suspension of FedRAMP authorization depending on the severity of the event."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-07"},{"name":"label","value":"FSI-FRP-COR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Explain Corrective Actions"},{"id":"FSI-FRP-RPM","parts":[{"id":"FSI-FRP-RPM_stmt","name":"statement","prose":"FedRAMP MAY track and publicly 
share the time required by cloud service providers to take the actions specified in messages that require an elevated reaction."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-08"},{"name":"label","value":"FSI-FRP-RPM"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Reaction Metrics"},{"id":"FSI-CSO-INB","links":[{"rel":"defined-term","href":"#07282bbb-927e-58cc-8350-0a8593d6a549","text":"FedRAMP Security Inbox"}],"parts":[{"id":"FSI-CSO-INB_stmt","name":"statement","prose":"Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a FedRAMP Security Inbox (FSI)."},{"id":"FSI-CSO-INB_guidance.1","name":"guidance","prose":"Unless otherwise notified, FedRAMP will use the listed Security Email on the Marketplace for these notifications."},{"id":"FSI-CSO-INB_guidance.2","name":"guidance","prose":"If a provider establishes a new inbox in reaction to this guidance that is different from the Security Email listed on the Marketplace, the provider must follow the requirements in FSI-CSO-NOC to notify FedRAMP."},{"id":"FSI-CSO-INB_warning","name":"warning","prose":"Be careful about using a personal email address tied to an individual for this inbox; a change in personnel would put future communications at significant risk!"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-09"},{"name":"label","value":"FSI-CSO-INB"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Maintain a FedRAMP Security Inbox"},{"id":"FSI-CSO-NOC","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#07282bbb-927e-58cc-8350-0a8593d6a549","text":"FedRAMP Security 
Inbox"}],"parts":[{"id":"FSI-CSO-NOC_stmt","name":"statement","prose":"Providers MUST immediately notify FedRAMP of any changes in addressing for their FedRAMP Security Inbox by emailing info@fedramp.gov with the name and FedRAMP ID of the cloud service offering and the updated email address."},{"id":"FSI-CSO-NOC_notification","name":"notification","prose":[{"party":"FedRAMP","method":"email","target":"info@fedramp.gov"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-12"},{"name":"label","value":"FSI-CSO-NOC"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Notification of Changes"},{"id":"FSI-CSO-TFG","links":[{"rel":"defined-term","href":"#07282bbb-927e-58cc-8350-0a8593d6a549","text":"FedRAMP Security Inbox"}],"parts":[{"id":"FSI-CSO-TFG_stmt","name":"statement","prose":"Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then FedRAMP Security Inbox requirements no longer apply."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-10"},{"name":"label","value":"FSI-CSO-TFG"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Trust @fedramp.gov and @gsa.gov"},{"id":"FSI-CSO-RCV","parts":[{"id":"FSI-CSO-RCV_stmt","name":"statement","prose":"Providers MUST receive and react to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP."},{"id":"FSI-CSO-RCV_guidance","name":"guidance","prose":"This requirement is intended to prevent cloud service providers from requiring FedRAMP to complete a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might 
prevent the security team from receiving the message."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-11"},{"name":"label","value":"FSI-CSO-RCV"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Receive Email Without Disruption"},{"id":"FSI-CSO-CRA","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"}],"parts":[{"id":"FSI-CSO-CRA_stmt","name":"statement","prose":"Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message."},{"id":"FSI-CSO-CRA_guidance","name":"guidance","prose":"Timeframes may vary by impact level of the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-14"},{"name":"label","value":"FSI-CSO-CRA"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Complete Required Actions"},{"id":"FSI-CSO-EMR","parts":[{"id":"FSI-CSO-EMR_stmt","name":"statement","prose":"Providers MUST route Emergency designated messages sent by FedRAMP to a senior security official for their awareness."},{"id":"FSI-CSO-EMR_guidance","name":"guidance","prose":"Senior security officials are determined by the provider."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-15"},{"name":"label","value":"FSI-CSO-EMR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Emergency Message Routing"},{"id":"FSI-CSO-IMA","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service 
Offering"}],"parts":[{"id":"FSI-CSO-IMA_stmt","name":"statement","prose":"Providers SHOULD complete the required actions in Important designated messages sent by FedRAMP within the timeframe specified in the message."},{"id":"FSI-CSO-IMA_guidance","name":"guidance","prose":"Timeframes may vary by impact level of the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-16"},{"name":"label","value":"FSI-CSO-IMA"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Important Message Actions"},{"id":"FSI-CSO-ACK","links":[{"rel":"defined-term","href":"#07282bbb-927e-58cc-8350-0a8593d6a549","text":"FedRAMP Security Inbox"},{"rel":"defined-term","href":"#d3ad40f6-6ef1-5d16-a663-e28dcbf4ad0d","text":"Promptly"}],"parts":[{"id":"FSI-CSO-ACK_stmt","name":"statement","prose":"Providers SHOULD promptly and automatically acknowledge the receipt of messages received from FedRAMP in their FedRAMP Security Inbox."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-FSI-13"},{"name":"label","value":"FSI-CSO-ACK"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Acknowledge Receipt"}]},{"id":"FRR-ICP","parts":[{"id":"FRR-ICP_purpose","name":"overview","prose":"This set of requirements and recommendations converts the existing FedRAMP Incident Communications Procedures to the simpler FedRAMP 20x style and clarifies the expectations for FedRAMP 20x.\n\nThe only notable change from the default Incident Communications Procedures for 20x is the addition of a recommendation that incident information be made available in both human-readable and machine-readable 
formats."}],"props":[{"name":"label","value":"ICP"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"ICP"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"incident-communications-procedures"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Incident Communications Procedures","controls":[{"id":"ICP-CSX-IRF","links":[{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"}],"parts":[{"id":"ICP-CSX-IRF_stmt","name":"statement","prose":"Providers MUST responsibly report incidents to FedRAMP within 1 hour of identification by sending an email to fedramp_security@fedramp.gov or fedramp_security@gsa.gov."},{"id":"ICP-CSX-IRF_notification","name":"notification","prose":[{"party":"FedRAMP","method":"email","target":"info@fedramp.gov"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ICP-01"},{"name":"label","value":"ICP-CSX-IRF"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"1 hours"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Incident Reporting to FedRAMP"},{"id":"ICP-CSX-IRA","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"}],"parts":[{"id":"ICP-CSX-IRA_stmt","name":"statement","prose":"Providers MUST responsibly report incidents to all agency customers within 1 hour of identification using the incident communications points of contact provided by each 
agency customer."},{"id":"ICP-CSX-IRA_notification","name":"notification","prose":[{"party":"Agencies","method":"various","target":"various"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ICP-02"},{"name":"label","value":"ICP-CSX-IRA"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"1 hours"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Incident Reporting to Agencies"},{"id":"ICP-CSX-IRC","links":[{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"reference","href":"https://myservices.cisa.gov/irf","text":"CISA IRF Incident Reporting System"}],"parts":[{"id":"ICP-CSX-IRC_stmt","name":"statement","prose":"Providers MUST responsibly report incidents to CISA within 1 hour of identification if the incident is confirmed or suspected to be the result of an attack vector listed at https://www.cisa.gov/federal-incident-notification-guidelines#attack-vectors-taxonomy, following the CISA Federal Incident Notification Guidelines at https://www.cisa.gov/federal-incident-notification-guidelines, by using the CISA Incident Reporting System at https://myservices.cisa.gov/irf. 
"},{"id":"ICP-CSX-IRC_notification","name":"notification","prose":[{"party":"CISA","method":"web","target":"https://myservices.cisa.gov/irf"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ICP-03"},{"name":"label","value":"ICP-CSX-IRC"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"1 hours"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Incident Reporting to CISA"},{"id":"ICP-CSX-ICU","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"}],"parts":[{"id":"ICP-CSX-ICU_stmt","name":"statement","prose":"Providers MUST update all necessary parties, including at least FedRAMP, CISA (if applicable), and all agency customers, at least once per calendar day until the incident is resolved and recovery is complete."},{"id":"ICP-CSX-ICU_notification","name":"notification","prose":[{"party":"all necessary parties","method":"various","target":"various"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ICP-04"},{"name":"label","value":"ICP-CSX-ICU"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Incident Updates"},{"id":"ICP-CSX-RPT","links":[{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#8a0ae6fa-c550-5e86-9a4b-c4657c918de9","text":"Trust Center"}],"parts":[{"id":"ICP-CSX-RPT_stmt","name":"statement","prose":"Providers MUST 
make incident report information available in their secure FedRAMP repository (such as USDA Connect) or trust center."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ICP-05"},{"name":"label","value":"ICP-CSX-RPT"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Incident Report Availability"},{"id":"ICP-CSX-FIR","links":[{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"ICP-CSX-FIR_stmt","name":"statement","parts":[{"id":"ICP-CSX-FIR_stmt.item-01","name":"item","prose":"What occurred"},{"id":"ICP-CSX-FIR_stmt.item-02","name":"item","prose":"Root cause"},{"id":"ICP-CSX-FIR_stmt.item-03","name":"item","prose":"Response"},{"id":"ICP-CSX-FIR_stmt.item-04","name":"item","prose":"Lessons learned"},{"id":"ICP-CSX-FIR_stmt.item-05","name":"item","prose":"Changes needed"}],"prose":"Providers MUST provide a final report once the incident is resolved and recovery is complete that describes at least:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ICP-07"},{"name":"label","value":"ICP-CSX-FIR"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Final Incident Report"},{"id":"ICP-CSX-RSD","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary 
Parties"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"}],"parts":[{"id":"ICP-CSX-RSD_stmt","name":"statement","prose":"Providers MUST NOT irresponsibly disclose specific sensitive information about incidents that would likely increase the impact of the incident, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ICP-06"},{"name":"label","value":"ICP-CSX-RSD"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Responsible Disclosure"},{"id":"ICP-CSX-AUR","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"}],"parts":[{"id":"ICP-CSX-AUR_stmt","name":"statement","prose":"Providers SHOULD use automated mechanisms for reporting incidents and providing updates to all necessary parties (including CISA)."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ICP-08"},{"name":"label","value":"ICP-CSX-AUR"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Automated Reporting"},{"id":"ICP-CSX-HRM","links":[{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#7e13e8cd-3ad6-59b3-8552-b35d63beab2b","text":"Machine-Readable"}],"parts":[{"id":"ICP-CSX-HRM_stmt","name":"statement","prose":"Providers SHOULD make 
incident report information available in consistent human-readable and machine-readable formats."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-ICP-09"},{"name":"label","value":"ICP-CSX-HRM"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Human and Machine-Readable"}]},{"id":"FRR-MAS","parts":[{"id":"FRR-MAS_purpose","name":"overview","prose":"Application boundaries that are defined too broadly complicate the assessment process by introducing components that are unlikely to have an impact on the confidentiality, integrity or accessibility of the offering. The Minimum Assessment Scope provides guidance for cloud service providers to narrowly define information resource boundaries while still including all necessary components."},{"id":"FRR-MAS_outcomes","name":"expected-outcomes","prose":"- Boundaries will include the minimum number of components to make authorization and assessment easier\n\n- Cloud service providers will define clear boundaries for security and assessment of offerings based on the direct risk to federal customer data\n\n- Third-party independent assessors will have a simple well documented approach to assess security and implementation decisions\n\n- Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based Authorization to Operate decisions based on their planned use case"}],"props":[{"name":"label","value":"MAS"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"MAS"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"minimum-assessment-scope"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 
Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Minimum Assessment Scope","controls":[{"id":"MAS-CSO-IIR","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer Data"},{"rel":"defined-term","href":"#6ecaa831-d07b-5c3e-829e-4996034dd3be","text":"Handle"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"}],"parts":[{"id":"MAS-CSO-IIR_stmt","name":"statement","prose":"Providers MUST identify a set of information resources to assess for FedRAMP authorization that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering; this set of information resources is the cloud service offering."},{"id":"MAS-CSO-IIR_guidance.1","name":"guidance","prose":"Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope."},{"id":"MAS-CSO-IIR_guidance.2","name":"guidance","prose":"Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. 
that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Authorization Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see fedramp.gov/scope."},{"id":"MAS-CSO-IIR_guidance.3","name":"guidance","prose":"All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP authorization requirements and documented by the cloud service provider in their assessment and authorization materials."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-MAS-01"},{"name":"label","value":"MAS-CSO-IIR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Identify Information Resources"},{"id":"MAS-CSO-FLO","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#6ecaa831-d07b-5c3e-829e-4996034dd3be","text":"Handle"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#464993e6-ae33-5d05-bd2a-48cbdc150857","text":"Third-party Information Resource"}],"parts":[{"id":"MAS-CSO-FLO_stmt","name":"statement","prose":"Providers MUST clearly identify, document, and explain information flows and security objectives for ALL information resources or sets of information resources in the cloud service offering."},{"id":"MAS-CSO-FLO_guidance","name":"guidance","prose":"Information resources (including third-party information resources) MAY vary by security objectives as appropriate to the level of information handled or impacted by the information 
resource."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-MAS-05"},{"name":"label","value":"MAS-CSO-FLO"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Information Flows and Security Objectives"},{"id":"MAS-CSO-TPR","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer Data"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#464993e6-ae33-5d05-bd2a-48cbdc150857","text":"Third-party Information Resource"}],"parts":[{"id":"MAS-CSO-TPR_stmt","name":"statement","parts":[{"id":"MAS-CSO-TPR_stmt.item-01","name":"item","prose":"General usage and configuration"},{"id":"MAS-CSO-TPR_stmt.item-02","name":"item","prose":"Explanation or justification for use"},{"id":"MAS-CSO-TPR_stmt.item-03","name":"item","prose":"Mitigation measures in place to reduce the potential impact to federal customer data"},{"id":"MAS-CSO-TPR_stmt.item-04","name":"item","prose":"Compensating controls in place to reduce the potential impact to federal customer data"}],"prose":"Providers MUST address the potential impact to federal customer data from third-party information resources used by the cloud service offering, ONLY IF MAS-CSO-IIR APPLIES, by documenting the following information about each applicable third-party information resource:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-MAS-03"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-MAS-02"},{"name":"label","value":"MAS-CSO-TPR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Third-Party 
Information Resources"},{"id":"MAS-CSO-MDI","links":[{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer Data"}],"parts":[{"id":"MAS-CSO-MDI_stmt","name":"statement","prose":"Providers MUST include metadata (including metadata about federal customer data) in the Minimum Assessment Scope ONLY IF MAS-CSO-IIR APPLIES."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-MAS-04"},{"name":"label","value":"MAS-CSO-MDI"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Metadata Inclusion"},{"id":"MAS-CSO-SUP","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#b4ac8872-3bd8-5d73-a372-82b37d8b9c27","text":"Authorization Package"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"}],"parts":[{"id":"MAS-CSO-SUP_stmt","name":"statement","prose":"Providers MAY include additional materials about other information resources that are not part of the cloud service offering in a FedRAMP assessment and authorization package supplement; these resources will not be FedRAMP authorized and MUST be clearly marked and separated from the cloud service offering."},{"id":"MAS-CSO-SUP_guidance","name":"guidance","prose":"This is intended to allow inclusion of things like security materials for apps, supplemental marketing collateral, and other information that is not part of the cloud service offering but may be useful to 
agencies."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-MAS-EX-01"},{"name":"label","value":"MAS-CSO-SUP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Supplemental Information"}]},{"id":"FRR-PVA","parts":[{"id":"FRR-PVA_purpose","name":"overview","prose":"FedRAMP 20x is built around the core concept that secure cloud service providers will persistently and automatically validate that their security decisions and policies are being implemented as expected within their cloud service offering. The activities of a secure service should be intentional, documented, and in a state that is always known and understood by the provider.\n\nSecure providers will design their business processes and technical procedures to maximize the use of automation, persistent validation, and reporting across the entirety of their cloud service offering. This reduces cost by increasing efficiency, enables fast agile delivery of new capabilities and prevents unintended drift between the deployed cloud service offering and the business goals for the offering. Secure providers leverage automated and independent audits to evaluate the validity and effectiveness of their secure practices.\n\nAll FedRAMP 20x Authorized providers are expected to implement persistent validation programs as part of their core engineering workflow. 
These programs should be optimized to deliver value to the provider and their engineering teams first and foremost, though agencies and other customers will benefit from the improved security and insight resulting from high quality persistent validation programs.\n\nTo obtain and maintain a FedRAMP 20x authorization, providers will be required to have their persistent validation programs assessed regularly for effectiveness and completeness."},{"id":"FRR-PVA_outcomes","name":"expected-outcomes","prose":"- Cloud service providers will operate effective persistent validation programs to always understand the state of their services.\n\n- Assessors will prioritize technical review of validation programs to ensure the quality and effectiveness of a cloud service provider’s security programs are documented accurately.\n\n- Federal agencies will have significantly increased confidence in the quality and effectiveness of cloud service provider’s security programs."}],"props":[{"name":"label","value":"PVA"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"PVA"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"persistent-validation-and-assessment"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Persistent Validation and Assessment","controls":[{"id":"PVA-CSX-VAL","links":[{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability 
Detection"}],"parts":[{"id":"PVA-CSX-VAL_stmt","name":"statement","prose":"Providers MUST persistently perform validation of their Key Security Indicators; this process is called persistent validation and is part of vulnerability detection."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-01"},{"name":"label","value":"PVA-CSX-VAL"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Persistent Validation"},{"id":"PVA-CSX-FAV","links":[{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"PVA-CSX-FAV_stmt","name":"statement","prose":"Providers MUST treat issues detected during persistent validation and failures of the persistent validation process as vulnerabilities, then follow the requirements and recommendations in the FedRAMP Vulnerability Detection and Response process for such findings."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-02"},{"name":"label","value":"PVA-CSX-FAV"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Issues As Vulnerabilities"},{"id":"PVA-CSX-RPV","links":[{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent 
Validation"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"PVA-CSX-RPV_stmt","name":"statement","prose":"Providers MUST include persistent validation activity in the reports on vulnerability detection and response activity required by the FedRAMP Vulnerability Detection and Response process."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-03"},{"name":"label","value":"PVA-CSX-RPV"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Report Persistent Validation"},{"id":"PVA-CSX-IVV","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"PVA-CSX-IVV_stmt","name":"statement","prose":"Providers MUST have the implementation of their goals and validation processes assessed by a FedRAMP-recognized independent assessor OR by FedRAMP directly AND MUST include the results of this assessment in their authorization data without modification."},{"id":"PVA-CSX-IVV_guidance.1","name":"guidance","prose":"The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council. 
During 20x Phase Two this includes AI services that meet certain criteria as shown at https://fedramp.gov/ai."},{"id":"PVA-CSX-IVV_guidance.2","name":"guidance","prose":"FedRAMP recognized assessors are listed on the FedRAMP Marketplace."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-05"},{"name":"label","value":"PVA-CSX-IVV"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Independent Verification and Validation"},{"id":"PVA-CSX-NMV","links":[{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"PVA-CSX-NMV_stmt","name":"statement","prose":"Providers MUST complete the validation processes for Key Security Indicators of non-machine-based information resources at least once every 3 months."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-TF-LO-01"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-TF-MO-01"},{"name":"label","value":"PVA-CSX-NMV"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Non-Machine Validation"},{"id":"PVA-CSX-PMV","links":[{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information 
resources)"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"PVA-CSX-PMV_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"7 days"}],"prose":"Providers MUST complete the validation processes for Key Security Indicators of machine-based information resources at least once every 7 days."},{"id":"PVA-CSX-PMV_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"3 days"}],"prose":"Providers MUST complete the validation processes for Key Security Indicators of machine-based information resources at least once every 3 days."},{"id":"PVA-CSX-PMV_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"}],"prose":"Providers SHOULD plan for this requirement to be more frequent at 20x High but the anticipated requirements for this FRR have not yet been established for 20x High."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-TF-LO-02"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-TF-MO-02"},{"name":"label","value":"PVA-CSX-PMV"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Persistent Machine Validation"},{"id":"PVA-CSX-PTE","links":[{"rel":"defined-term","href":"#02ff215f-9a99-567c-a20e-7f20a2b94459","text":"All Necessary Assessors"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"PVA-CSX-PTE_stmt","name":"statement","prose":"Providers SHOULD provide technical explanations, demonstrations, and other 
relevant supporting information to all necessary assessors for the technical capabilities they employ to meet Key Security Indicators and to provide validation."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-07"},{"name":"label","value":"PVA-CSX-PTE"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Provide Technical Evidence"},{"id":"PVA-CSX-RAD","links":[{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"PVA-CSX-RAD_stmt","name":"statement","prose":"Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their validation and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also PVA-TPX-SHA)."},{"id":"PVA-CSX-RAD_guidance","name":"guidance","prose":"The related A2LA requirements are waived for FedRAMP 20x Phase Two assessments."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-08"},{"name":"label","value":"PVA-CSX-RAD"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Receiving Advice"},{"id":"PVA-TPX-UNP","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information 
resources)"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"PVA-TPX-UNP_stmt","name":"statement","parts":[{"id":"PVA-TPX-UNP_stmt.item-01","name":"item","prose":"The effectiveness, completeness, and integrity of the automated processes that perform validation of the cloud service offering's security posture."},{"id":"PVA-TPX-UNP_stmt.item-02","name":"item","prose":"The effectiveness, completeness, and integrity of the human processes that perform validation of the cloud service offering's security posture."},{"id":"PVA-TPX-UNP_stmt.item-03","name":"item","prose":"The coverage of these processes within the cloud service offering, including if all of the consolidated information resources listed are being validated."}],"prose":"Assessors MUST verify and validate the underlying processes (both machine-based and non-machine-based) that providers use to validate Key Security Indicators; this should include at least:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-10"},{"name":"label","value":"PVA-TPX-UNP"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"Underlying Processes"},{"id":"PVA-TPX-PDK","links":[{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"PVA-TPX-PDK_stmt","name":"statement","prose":"Assessors MUST verify and validate the implementation of processes derived from Key Security Indicators to determine whether or not the provider has accurately documented their process and 
goals."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-11"},{"name":"label","value":"PVA-TPX-PDK"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"Processes Derived from Key Security Indicators"},{"id":"PVA-TPX-OUC","links":[{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"PVA-TPX-OUC_stmt","name":"statement","prose":"Assessors MUST verify and validate whether or not the underlying processes are consistently creating the desired security outcome documented by the provider."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-12"},{"name":"label","value":"PVA-TPX-OUC"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"Outcome Consistency"},{"id":"PVA-TPX-MME","parts":[{"id":"PVA-TPX-MME_stmt","name":"statement","prose":"Assessors MUST perform evaluation using a combination of quantitative and expert qualitative assessment as appropriate AND document which is applied to which aspect of the assessment."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-13"},{"name":"label","value":"PVA-TPX-MME"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"Mixed Methods Evaluation"},{"id":"PVA-TPX-PAD","parts":[{"id":"PVA-TPX-PAD_stmt","name":"statement","prose":"Assessors MUST assess whether or not procedures are consistently followed, including the 
processes in place to ensure this occurs, without relying solely on the existence of a procedure document for assessing if appropriate processes and procedures are in place."},{"id":"PVA-TPX-PAD_guidance","name":"guidance","prose":"This includes evaluating tests or plans for activities that may occur in the future but have not yet occurred."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-16"},{"name":"label","value":"PVA-TPX-PAD"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"Procedure Adherence"},{"id":"PVA-TPX-SUM","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"}],"parts":[{"id":"PVA-TPX-SUM_stmt","name":"statement","prose":"Assessors MUST deliver a high-level summary of their assessment process and findings for each Key Security Indicator; this summary will be included in the authorization data for the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-17"},{"name":"label","value":"PVA-TPX-SUM"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"Assessment Summary"},{"id":"PVA-TPX-STE","parts":[{"id":"PVA-TPX-STE_stmt","name":"statement","prose":"Assessors MUST NOT rely on screenshots, configuration dumps, or other static output as evidence EXCEPT when evaluating the accuracy and reliability of a process that generates such 
artifacts."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-15"},{"name":"label","value":"PVA-TPX-STE"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"Static Evidence"},{"id":"PVA-TPX-NOR","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"}],"parts":[{"id":"PVA-TPX-NOR_stmt","name":"statement","prose":"Assessors MUST NOT deliver an overall recommendation on whether or not the cloud service offering meets the requirements for FedRAMP authorization."},{"id":"PVA-TPX-NOR_guidance","name":"guidance","prose":"FedRAMP will make the final authorization decision based on the assessor's findings and other relevant information."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-18"},{"name":"label","value":"PVA-TPX-NOR"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"No Overall Recommendation"},{"id":"PVA-TPX-PEX","parts":[{"id":"PVA-TPX-PEX_stmt","name":"statement","prose":"Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment 
process."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-14"},{"name":"label","value":"PVA-TPX-PEX"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"Provider Experts"},{"id":"PVA-TPX-SHA","links":[{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"PVA-TPX-SHA_stmt","name":"statement","prose":"Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their validation and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also PVA-CSX-RAD)."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-PVA-09"},{"name":"label","value":"PVA-TPX-SHA"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Assessors"}],"title":"Sharing Advice"}]},{"id":"FRR-SCG","parts":[{"id":"FRR-SCG_purpose","name":"overview","prose":"All customers benefit from simple, easy to follow, easy to understand instructions for securely configuring a cloud service offering. 
Cloud service providers often provide a wide range of configuration options to allow individual customers to pick and choose their security posture based on their individual customer needs and are best positioned to provide instructions about the overall security impacts of many of these choices.\n\nThis process outlines simple requirements for FedRAMP authorized cloud service providers to effectively communicate the security impact of common settings to new and current agency customers."}],"props":[{"name":"label","value":"SCG"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"SCG"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"secure-configuration-guide"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Secure Configuration Guide","controls":[{"id":"SCG-CSO-RSC","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#5e343a2d-d1c8-5645-a1e5-a1a89936deb9","text":"Privileged account"},{"rel":"defined-term","href":"#999c8b56-7c37-5478-a2d5-99ee37f0fb93","text":"Top-level administrative account"}],"parts":[{"id":"SCG-CSO-RSC_stmt","name":"statement","parts":[{"id":"SCG-CSO-RSC_stmt.item-01","name":"item","prose":"Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering."},{"id":"SCG-CSO-RSC_stmt.item-02","name":"item","prose":"Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security 
implications."},{"id":"SCG-CSO-RSC_stmt.item-03","name":"item","prose":"Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications."}],"prose":"Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that includes at least the following information:"},{"id":"SCG-CSO-RSC_guidance.1","name":"guidance","prose":"These requirements and recommendations refer to this guidance as a Secure Configuration Guide but cloud service providers may make this guidance available in various appropriate forms that provide the best customer experience."},{"id":"SCG-CSO-RSC_guidance.2","name":"guidance","prose":"This guidance should explain how top-level administrative accounts are named and referred to in the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-01"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-02"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-03"},{"name":"label","value":"SCG-CSO-RSC"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Recommended Secure Configuration"},{"id":"SCG-CSO-AUP","links":[{"rel":"defined-term","href":"#b4ac8872-3bd8-5d73-a372-82b37d8b9c27","text":"Authorization Package"}],"parts":[{"id":"SCG-CSO-AUP_stmt","name":"statement","prose":"Providers MUST include instructions in the FedRAMP authorization package that explain how to obtain and use the Secure Configuration Guide."},{"id":"SCG-CSO-AUP_guidance","name":"guidance","prose":"These instructions may appear in a variety of ways; it is up to the provider to do so in the most appropriate and effective ways for their specific customer 
needs."}],"props":[{"name":"label","value":"SCG-CSO-AUP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Use Instructions"},{"id":"SCG-CSO-PUB","parts":[{"id":"SCG-CSO-PUB_stmt","name":"statement","prose":"Providers SHOULD make the Secure Configuration Guide available publicly."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-09"},{"name":"label","value":"SCG-CSO-PUB"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Public Guidance"},{"id":"SCG-CSO-SDF","links":[{"rel":"defined-term","href":"#5e343a2d-d1c8-5645-a1e5-a1a89936deb9","text":"Privileged account"},{"rel":"defined-term","href":"#999c8b56-7c37-5478-a2d5-99ee37f0fb93","text":"Top-level administrative account"}],"parts":[{"id":"SCG-CSO-SDF_stmt","name":"statement","prose":"Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-04"},{"name":"label","value":"SCG-CSO-SDF"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Secure Defaults"},{"id":"SCG-ENH-CMP","links":[{"rel":"defined-term","href":"#5e343a2d-d1c8-5645-a1e5-a1a89936deb9","text":"Privileged account"},{"rel":"defined-term","href":"#999c8b56-7c37-5478-a2d5-99ee37f0fb93","text":"Top-level administrative account"}],"parts":[{"id":"SCG-ENH-CMP_stmt","name":"statement","prose":"Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure 
defaults."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-05"},{"name":"label","value":"SCG-ENH-CMP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Comparison Capability"},{"id":"SCG-ENH-EXP","links":[{"rel":"defined-term","href":"#7e13e8cd-3ad6-59b3-8552-b35d63beab2b","text":"Machine-Readable"}],"parts":[{"id":"SCG-ENH-EXP_stmt","name":"statement","prose":"Providers SHOULD offer the capability to export all security settings in a machine-readable format."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-06"},{"name":"label","value":"SCG-ENH-EXP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Export Capability"},{"id":"SCG-ENH-API","parts":[{"id":"SCG-ENH-API_stmt","name":"statement","prose":"Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-07"},{"name":"label","value":"SCG-ENH-API"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"API Capability"},{"id":"SCG-ENH-MRG","links":[{"rel":"defined-term","href":"#7e13e8cd-3ad6-59b3-8552-b35d63beab2b","text":"Machine-Readable"}],"parts":[{"id":"SCG-ENH-MRG_stmt","name":"statement","prose":"Providers SHOULD also provide the Secure Configuration Guide in a machine-readable format that can be used by customers or third-party tools to compare against current 
settings."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-08"},{"name":"label","value":"SCG-ENH-MRG"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Machine-Readable Guidance"},{"id":"SCG-ENH-VRH","links":[{"rel":"defined-term","href":"#5e343a2d-d1c8-5645-a1e5-a1a89936deb9","text":"Privileged account"},{"rel":"defined-term","href":"#999c8b56-7c37-5478-a2d5-99ee37f0fb93","text":"Top-level administrative account"}],"parts":[{"id":"SCG-ENH-VRH_stmt","name":"statement","prose":"Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-RSC-10"},{"name":"label","value":"SCG-ENH-VRH"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Versioning and Release History"}]},{"id":"FRR-SCN","parts":[{"id":"FRR-SCN_purpose","name":"overview","prose":"The Significant Change Notification (SCN) process establishes conditions for FedRAMP authorized cloud service providers to make most significant changes without requiring advance government approval. Agency authorizing officials who authorize the use of FedRAMP authorized cloud services are expected to account for the risk of cloud service providers making changes to improve the service.\n\nThis process broadly identifies four types of significant changes, from least impactful to most impactful:\n1. Routine Recurring\n2. Adaptive\n3. Transformative\n4. 
Impact Categorization\n\nThese categories, and the resulting requirements, apply only to significant changes."},{"id":"FRR-SCN_outcomes","name":"expected-outcomes","prose":"- Cloud service providers will securely deliver new features and capabilities for government customers at the same speed and pace of delivery for commercial customers, without needing advance government approval\n\n- Federal agencies will have equal access to features and capabilities as commercial customers without sacrificing the visibility and information they need to maintain ongoing confidence in the service"}],"props":[{"name":"label","value":"SCN"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"SCN"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"significant-change-notifications"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Significant Change Notifications","controls":[{"id":"SCN-FRP-CAP","links":[{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"}],"parts":[{"id":"SCN-FRP-CAP_stmt","name":"statement","prose":"FedRAMP MAY require providers to delay significant changes beyond the standard Significant Change Notification period and/or submit significant changes for approval in advance as a condition of a formal FedRAMP Corrective Action Plan or other agreement."},{"id":"SCN-FRP-CAP_guidance","name":"guidance","prose":"The circumstances and conditions of such a Corrective Action Plan will vary and be documented in the Corrective Action 
Plan."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-EX-01"},{"name":"label","value":"SCN-FRP-CAP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Corrective Action Plan Conditions"},{"id":"SCN-CSO-EVA","links":[{"rel":"defined-term","href":"#2e9c76eb-56b9-5c24-a324-99846cd2ac82","text":"Adaptive"},{"rel":"defined-term","href":"#056646f2-c06b-5416-a7de-dd417b20b360","text":"Impact Categorization"},{"rel":"defined-term","href":"#f4d6804e-4814-5872-9579-af39259dbbb8","text":"Routine Recurring"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"},{"rel":"defined-term","href":"#8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","text":"Transformative"}],"parts":[{"id":"SCN-CSO-EVA_stmt","name":"statement","parts":[{"id":"SCN-CSO-EVA_stmt.item-01","name":"item","prose":"Is it a significant change? --> Continue evaluation and follow the Significant Change Notification process."},{"id":"SCN-CSO-EVA_stmt.item-02","name":"item","prose":"If it is, is it an impact categorization change?  --> This requires a new assessment and cannot be done under the Significant Change Notification process."},{"id":"SCN-CSO-EVA_stmt.item-03","name":"item","prose":"If it is not, is it a routine recurring change? --> Follow the Routine Recurring Change process (SCN-CSO-RTR)."},{"id":"SCN-CSO-EVA_stmt.item-04","name":"item","prose":"If it is not, is it a transformative change? 
--> Follow the Transformative Change process (SCN-CSO-TRF)."},{"id":"SCN-CSO-EVA_stmt.item-05","name":"item","prose":"If it is not, then it is an adaptive change --> Follow the Adaptive Change process (SCN-CSO-ADP)."}],"prose":"Providers MUST evaluate all potential significant changes to determine the type of significant change and apply the appropriate Significant Change Notification requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-01"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-02"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-03"},{"name":"label","value":"SCN-CSO-EVA"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Evaluate Changes"},{"id":"SCN-CSO-MAR","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"}],"parts":[{"id":"SCN-CSO-MAR_stmt","name":"statement","prose":"Providers MUST maintain auditable records of the significant change evaluation activities required by SCN-CSO-EVA (Evaluate Changes) and make them available to FedRAMP."},{"id":"SCN-CSO-MAR_guidance","name":"guidance","prose":"These audit records must be available to FedRAMP on request; these records do not need to be included in the authorization package by default."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-04"},{"name":"label","value":"SCN-CSO-MAR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Maintain Audit Records"},{"id":"SCN-CSO-INF","links":[{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent 
Validation"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"}],"parts":[{"id":"SCN-CSO-INF_stmt","name":"statement","parts":[{"id":"SCN-CSO-INF_stmt.item-01","name":"item","prose":"Service Offering FedRAMP ID"},{"id":"SCN-CSO-INF_stmt.item-02","name":"item","prose":"Assessor Name (if applicable)"},{"id":"SCN-CSO-INF_stmt.item-03","name":"item","prose":"Related POA&M (if applicable)"},{"id":"SCN-CSO-INF_stmt.item-04","name":"item","prose":"Significant Change type and explanation of categorization"},{"id":"SCN-CSO-INF_stmt.item-05","name":"item","prose":"Short description of change"},{"id":"SCN-CSO-INF_stmt.item-06","name":"item","prose":"Reason for change"},{"id":"SCN-CSO-INF_stmt.item-07","name":"item","prose":"Summary of customer impact, including changes to services and customer configuration responsibilities"},{"id":"SCN-CSO-INF_stmt.item-08","name":"item","prose":"Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted Key Security Indicators or controls"},{"id":"SCN-CSO-INF_stmt.item-09","name":"item","prose":"Copy of the business or security impact analysis"},{"id":"SCN-CSO-INF_stmt.item-10","name":"item","prose":"Name and title of approver"}],"prose":"Providers MUST include at least the following information in Significant Change Notifications:"},{"id":"SCN-CSO-INF_guidance","name":"guidance","prose":"Structure of the information may vary depending on how the provider tracks this internally."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-09"},{"name":"label","value":"SCN-CSO-INF"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Required Information"},{"id":"SCN-CSO-HIS","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary 
Parties"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"}],"parts":[{"id":"SCN-CSO-HIS_stmt","name":"statement","prose":"Providers MUST keep 12 months of historical Significant Change Notifications available with their authorization data."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-05"},{"name":"label","value":"SCN-CSO-HIS"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Historical Notifications"},{"id":"SCN-CSO-HRM","links":[{"rel":"defined-term","href":"#7e13e8cd-3ad6-59b3-8552-b35d63beab2b","text":"Machine-Readable"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"}],"parts":[{"id":"SCN-CSO-HRM_stmt","name":"statement","prose":"Providers MUST make ALL Significant Change Notifications and related audit records available in human-readable and machine-readable formats."},{"id":"SCN-CSO-HRM_guidance","name":"guidance","prose":"During the SCN beta, many cloud service providers met this requirement by using carefully structured and organized csv files to meet human-readable and machine-readable requirements simultaneously."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-08"},{"name":"label","value":"SCN-CSO-HRM"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Human and Machine-Readable"},{"id":"SCN-CSO-ARI","links":[{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"}],"parts":[{"id":"SCN-CSO-ARI_stmt","name":"statement","prose":"Providers MAY include additional relevant information in Significant Change Notifications."},{"id":"SCN-CSO-ARI_guidance","name":"guidance","prose":"This allows providers to convey whatever 
additional information they think is relevant without worrying about negative consequences from not following an exact template."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-10"},{"name":"label","value":"SCN-CSO-ARI"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Additional Relevant Information"},{"id":"SCN-CSO-NOM","parts":[{"id":"SCN-CSO-NOM_stmt","name":"statement","prose":"Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented in the authorization package and easily accessible."},{"id":"SCN-CSO-NOM_guidance.1","name":"guidance","prose":"The sharing mechanism should be designed based on the needs of the provider and their customers and may vary between providers."},{"id":"SCN-CSO-NOM_guidance.2","name":"guidance","prose":"The default sharing mechanism for most providers during the SCN beta was to send an email to agency customers and upload a copy of the notification to the provider's secure sharing location."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-07"},{"name":"label","value":"SCN-CSO-NOM"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Notification Mechanisms"},{"id":"SCN-CSO-EMG","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"},{"rel":"defined-term","href":"#8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","text":"Transformative"}],"parts":[{"id":"SCN-CSO-EMG_stmt","name":"statement","prose":"Providers MAY execute significant changes (including 
transformative changes) during an emergency or incident without meeting Significant Change Notification requirements in advance. In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident."},{"id":"SCN-CSO-EMG_guidance","name":"guidance","prose":"Procedures for emergency changes should be documented in the authorization package."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-EX-02"},{"name":"label","value":"SCN-CSO-EMG"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Emergency Changes"},{"id":"SCN-RTR-NNR","links":[{"rel":"defined-term","href":"#f4d6804e-4814-5872-9579-af39259dbbb8","text":"Routine Recurring"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"}],"parts":[{"id":"SCN-RTR-NNR_stmt","name":"statement","prose":"Providers SHOULD NOT make formal Significant Change Notifications for routine recurring changes; this type of change is exempted from the notification requirements of this process."},{"id":"SCN-RTR-NNR_guidance.1","name":"guidance","prose":"Activities that match the routine recurring significant change type are performed regularly and routinely by cloud service providers to address flaws or vulnerabilities, address incidents, and generally perform the typical maintenance and service delivery changes expected during day-to-day operations."},{"id":"SCN-RTR-NNR_guidance.2","name":"guidance","prose":"These changes leverage mature processes and capabilities to identify, mitigate, and remediate risks as part of the change. 
They are often entirely automated and may occur without human intervention, even though they have an impact on security of the service."},{"id":"SCN-RTR-NNR_guidance.3","name":"guidance","prose":"If the activity does not occur regularly and routinely then it cannot be a significant change of this type (e.g., replacing all physical firewalls to remediate a vulnerability is obviously not regular or routine)."},{"id":"SCN-RTR-NNR_example.01","name":"example","prose":{"id":"Tips on ongoing operations","examples":["Provisioning or deprovisioning capacity to support service elasticity","Changing or tuning performance configurations for instances or services","Updating and maintaining operational handling of information flows and protection across physical and logical networks (e.g., updating firewall rules)","Generating or refreshing API or access tokens"],"key_tests":["Routine care and feeding by staff during normal duties","No major impact to service availability","Does not require executive approval"]}},{"id":"SCN-RTR-NNR_example.02","name":"example","prose":{"id":"Tips on vulnerability management","examples":["Updating security service or endpoint signatures","Routine patching of devices, operating systems, software or libraries","Updating and deploying code that applies normal fixes and improvements as part of a regular development cycle","Vulnerability remediation activity that simply replaces a known-bad component(s) with a better version of the exact same thing, running in the exact same way with no changes to processes"],"key_tests":["Minor, incremental patching or updates","Significant refactoring or migration process NOT required","No breaking changes"]}}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-RR-01"},{"name":"label","value":"SCN-RTR-NNR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"No 
Notification Requirements"},{"id":"SCN-ADP-NTF","links":[{"rel":"defined-term","href":"#2e9c76eb-56b9-5c24-a324-99846cd2ac82","text":"Adaptive"},{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"}],"parts":[{"id":"SCN-ADP-NTF_stmt","name":"statement","parts":[{"id":"SCN-ADP-NTF_stmt.item-01","name":"item","prose":"Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)"}],"prose":"Providers MUST notify all necessary parties within 10 business days after finishing adaptive changes, also including the following information:"},{"id":"SCN-ADP-NTF_guidance.1","name":"guidance","prose":"Activities that match the adaptive significant change type are a frequent and normal part of iteratively improving a service by deploying new functionality or modifying existing functionality in a way that is typically transparent to customers and does not introduce significant new security risks."},{"id":"SCN-ADP-NTF_guidance.2","name":"guidance","prose":"In general, most changes that do not happen regularly will be adaptive changes. 
This change type deliberately covers a wide range of activities in a way that requires assessment and consideration."},{"id":"SCN-ADP-NTF_notification","name":"notification","prose":[{"party":"all necessary parties","method":"update","target":"authorization data"}]},{"id":"SCN-ADP-NTF_example.01","name":"example","prose":{"id":"Tips on adaptive changes","examples":["Updates to operating systems, containers, virtual machines, software or libraries with known breaking changes, complex steps, or service disruption","Deploying larger than normal incremental feature improvements in code or libraries that are the work of multiple weeks of development efforts but are not considered a major new service","Changing cryptographic modules where the new module meets the same standards and characteristics of the former","Replacing a like-for-like component where some security plan or procedure adjustments are required (e.g., scanning tool or managed database swap)","Adding models to existing approved AI services without exposing federal customer data to new services"],"key_tests":["Requires minimal changes to security plans or procedures","Requires some careful planning and project management to implement, but does not rise to the level of planning required for transformative changes","Requires verification of existing functionality and secure configuration after implementation"]}}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-AD-01"},{"name":"label","value":"SCN-ADP-NTF"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"10 bizdays"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Notification Requirements"},{"id":"SCN-TRF-NIP","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary 
Parties"},{"rel":"defined-term","href":"#8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","text":"Transformative"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"}],"parts":[{"id":"SCN-TRF-NIP_stmt","name":"statement","prose":"Providers MUST notify all necessary parties of initial plans for transformative changes at least 30 business days before starting transformative changes, including a summary of any likely security impacts or changes in risk."},{"id":"SCN-TRF-NIP_notification","name":"notification","prose":[{"party":"all necessary parties","method":"update","target":"authorization data"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-TR-02"},{"name":"label","value":"SCN-TRF-NIP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"30 bizdays"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Notification of Initial Plans"},{"id":"SCN-TRF-NFP","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","text":"Transformative"}],"parts":[{"id":"SCN-TRF-NFP_stmt","name":"statement","prose":"Providers MUST notify all necessary parties of final plans for transformative changes at least 10 business days before starting transformative changes, including updates to all previously sent information."},{"id":"SCN-TRF-NFP_notification","name":"notification","prose":[{"party":"all necessary parties","method":"update","target":"authorization data"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-TR-03"},{"name":"label","value":"SCN-TRF-NFP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"10 
bizdays"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Notification of Final Plans"},{"id":"SCN-TRF-NAF","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","text":"Transformative"}],"parts":[{"id":"SCN-TRF-NAF_stmt","name":"statement","prose":"Providers MUST notify all necessary parties within 5 business days after finishing transformative changes, including updates to all previously sent information."},{"id":"SCN-TRF-NAF_notification","name":"notification","prose":[{"party":"all necessary parties","method":"update","target":"authorization data"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-TR-04"},{"name":"label","value":"SCN-TRF-NAF"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"5 bizdays"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Notification After Finishing"},{"id":"SCN-TRF-NAV","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"},{"rel":"defined-term","href":"#8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","text":"Transformative"}],"parts":[{"id":"SCN-TRF-NAV_stmt","name":"statement","parts":[{"id":"SCN-TRF-NAV_stmt.item-01","name":"item","prose":"Updates to all previously sent information"},{"id":"SCN-TRF-NAV_stmt.item-02","name":"item","prose":"Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)"},{"id":"SCN-TRF-NAV_stmt.item-03","name":"item","prose":"Copy of the security assessment report (if applicable)"}],"prose":"Providers MUST notify all necessary parties within 5 business days after completing the verification, assessment, 
and/or validation of transformative changes, also including the following information:"},{"id":"SCN-TRF-NAV_notification","name":"notification","prose":[{"party":"all necessary parties","method":"update","target":"authorization data"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-TR-05"},{"name":"label","value":"SCN-TRF-NAV"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"5 bizdays"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Notification After Verification"},{"id":"SCN-TRF-UPD","links":[{"rel":"defined-term","href":"#8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","text":"Transformative"}],"parts":[{"id":"SCN-TRF-UPD_stmt","name":"statement","prose":"Providers MUST publish updated service documentation and other materials to reflect transformative changes within 30 business days after finishing transformative changes."},{"id":"SCN-TRF-UPD_guidance","name":"guidance","prose":"This requirement is focused on service documentation like user guides, information listed in the marketplace, and other such materials; it does not require updating the system security plan or authorization package."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-TR-06"},{"name":"label","value":"SCN-TRF-UPD"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"30 bizdays"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Update Documentation"},{"id":"SCN-TRF-TPR","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant 
change"},{"rel":"defined-term","href":"#8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","text":"Transformative"}],"parts":[{"id":"SCN-TRF-TPR_stmt","name":"statement","prose":"Providers SHOULD engage a third-party assessor to review the scope and impact of the planned change before starting transformative changes if human validation is necessary; such reviews SHOULD be limited to security decisions that require human validation."},{"id":"SCN-TRF-TPR_guidance","name":"guidance","prose":"Activities that match the transformative significant change type are rare for a cloud service offering, adjusted for the size, scale, and complexity of the service. Small cloud service offerings may go years without transformative changes, while hyperscale providers may release multiple transformative changes per year."},{"id":"SCN-TRF-TPR_example.01","name":"example","prose":{"id":"Tips on transformative changes","examples":["The addition, removal, or replacement of a critical third-party service that handles a significant portion of information (e.g., IaaS change)","Increasing the security categorization of a service within the offering that actively handles federal customer data (does NOT include impact change of entire offering - see impact categorization change)","Replacement of underlying management planes or paradigm shift in workload orchestration (e.g., bare-metal servers or virtual machines to containers, migration to Kubernetes)","Datacenter migration where large amounts of federal customer data are moved across boundaries different from normal day-to-day operations","Adding a new AI-based capability that impacts federal customer data in a different way than existing services or capabilities (such as integrating a new third-party service or training on federal customer data)"],"key_tests":["Alters the service risk profile or requires new or significantly different actions to address customer responsibilities","Requires significant new design, development and testing with discrete 
associated project planning, budget, marketing, etc.","Requires extensive updates to security assessments, documentation, and how a large number of security requirements are met and validated"]}}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-SCN-TR-01"},{"name":"label","value":"SCN-TRF-TPR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Third-Party Review"}]},{"id":"FRR-UCM","parts":[{"id":"FRR-UCM_purpose","name":"overview","prose":"This set of requirements and recommendations converts the existing FedRAMP Policy for Cryptographic Module Selection and Use (https://www.fedramp.gov/resources/documents/FedRAMP_Policy_for_Cryptographic_Module_Selection_v1.1.0.pdf) to the simpler FedRAMP 20x style and clarifies the implementation expectations for FedRAMP 20x.\n\nThe notable change from the default Rev5 Policy for Cryptographic Module Selection and Use is that the use of cryptographic modules (or update streams) validated under the NIST Cryptographic Module Validation Program are not explicitly required when cryptographic modules are used to protect federal customer data in cloud service offerings seeking FedRAMP authorization at the Moderate impact level. This acknowledges that not all Moderate impact federal customer data is considered “sensitive” and allows both cloud service providers and agency customers to make risk-based decisions about their use of Moderate impact services for agency use cases that do not include sensitive data.\n\nFedRAMP recommends that cloud service providers seeking FedRAMP authorization at the Moderate impact level use such cryptographic modules whenever technically feasible and reasonable but acknowledges there may be sound reasons not to do so across the board at the Moderate impact level. 
As always, the reasoning and justification for such decisions must be documented by the cloud service provider."}],"props":[{"name":"label","value":"UCM"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"UCM"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"using-cryptographic-modules"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Using Cryptographic Modules","controls":[{"id":"UCM-CSX-CMD","links":[{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer Data"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"UCM-CSX-CMD_stmt","name":"statement","prose":"Providers MUST document the cryptographic modules used in each service (or groups of services that use the same modules) where cryptographic services are used to protect federal customer data, including whether these modules are validated under the NIST Cryptographic Module Validation Program or are update streams of such modules."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-UCM-01"},{"name":"label","value":"UCM-CSX-CMD"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Cryptographic Module Documentation"},{"id":"UCM-CSX-UVM","links":[{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer Data"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent 
Validation"}],"parts":[{"id":"UCM-CSX-UVM_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"}],"prose":"Providers MAY use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data."},{"id":"UCM-CSX-UVM_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"}],"prose":"Providers SHOULD use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data."},{"id":"UCM-CSX-UVM_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"}],"prose":"Providers MUST use cryptographic modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when using cryptographic services to protect federal customer data."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-UCM-03"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-UCM-04"},{"name":"label","value":"UCM-CSX-UVM"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Using Validated Cryptographic Modules"},{"id":"UCM-CSX-CAT","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"UCM-CSX-CAT_stmt","name":"statement","prose":"Providers SHOULD configure agency tenants by default to use cryptographic services that use cryptographic 
modules or update streams of cryptographic modules with active validations under the NIST Cryptographic Module Validation Program when such modules are available."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-UCM-02"},{"name":"label","value":"UCM-CSX-CAT"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Configuration of Agency Tenants"}]},{"id":"FRR-VDR","parts":[{"id":"FRR-VDR_purpose","name":"overview","prose":"The FedRAMP Vulnerability Detection and Response process ensures FedRAMP Authorized cloud service offerings use automated systems to effectively and continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities and related exposures to threats; and that information related to these activities is effectively and continuously reported to federal agencies for the purposes of ongoing authorization.\n\nThe Vulnerability Detection and Response process defines minimum security requirements that cloud service providers must meet to be FedRAMP Authorized while allowing them flexibility in how they implement and adopt the majority of FedRAMP's requirements and recommendations. 
This creates a marketplace where cloud service providers can compete based on their individual approach and prioritization of security and agencies can choose to adopt cloud services with less effective security programs for less sensitive use cases while prioritizing cloud services with high performing security programs when needed.\n\nOver time, FedRAMP will automatically review the machine-readable authorization data shared by participating cloud service providers to begin scoring cloud service offerings based on how effectively they meet or exceed the requirements and recommendations in this and other FedRAMP 20x processes.\n\nAll existing FedRAMP requirements, including control statements, standards, and other guidelines that reference vulnerability scanning or formal Plans of Action and Milestones (POA&Ms) are superseded by this process and MAY be ignored by providers of cloud service offerings that have met the requirements to adopt this process with approval by FedRAMP."},{"id":"FRR-VDR_outcomes","name":"expected-outcomes","prose":"- Cloud service providers following commercial security best practices will be able to meet and validate FedRAMP security requirements with simple changes and automated capabilities\n\n- Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based authorizations based on their use cases"}],"props":[{"name":"label","value":"VDR"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"VDR"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"vulnerability-detection-and-response"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 
Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Vulnerability Detection and Response","controls":[{"id":"VDR-FRP-ARP","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-FRP-ARP_stmt","name":"statement","prose":"FedRAMP MAY require providers to share additional vulnerability information, alternative reports, or to report at an alternative frequency as a condition of a FedRAMP Corrective Action Plan or other agreements with federal agencies."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-EX-01"},{"name":"label","value":"VDR-FRP-ARP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Additional Requirements"},{"id":"VDR-FRP-ADV","links":[{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-FRP-ADV_stmt","name":"statement","prose":"FedRAMP MAY require providers to share additional information or details about vulnerabilities, including sensitive information that would likely lead to exploitation, as part of review, response, or investigation by necessary parties."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-EX-02"},{"name":"label","value":"VDR-FRP-ADV"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"FedRAMP"}],"title":"Sensitive 
Details"},{"id":"VDR-CSO-DET","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#d3ad40f6-6ef1-5d16-a663-e28dcbf4ad0d","text":"Promptly"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-CSO-DET_stmt","name":"statement","prose":"Providers MUST systematically, persistently, and promptly discover and identify vulnerabilities within their cloud service offering using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other relevant capabilities; this process is called vulnerability detection."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-01"},{"name":"label","value":"VDR-CSO-DET"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Vulnerability Detection"},{"id":"VDR-CSO-RES","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#d3ad40f6-6ef1-5d16-a663-e28dcbf4ad0d","text":"Promptly"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-CSO-RES_stmt","name":"statement","prose":"Providers MUST systematically, persistently, and promptly 
track, evaluate, monitor, mitigate, remediate, assess exploitation of, report, and otherwise manage all detected vulnerabilities within their cloud service offering; this process is called vulnerability response."},{"id":"VDR-CSO-RES_guidance","name":"guidance","prose":"If it is not possible to fully mitigate or remediate detected vulnerabilities, providers SHOULD instead partially mitigate vulnerabilities promptly, progressively, and persistently."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-02"},{"name":"label","value":"VDR-CSO-RES"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Vulnerability Response"},{"id":"VDR-CSO-DOC","links":[{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"}],"parts":[{"id":"VDR-CSO-DOC_stmt","name":"statement","prose":"Providers MUST document the reason and resulting implications for their customers when choosing not to meet FedRAMP recommendations in this process; this documentation MUST be included in the authorization data for the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-11"},{"name":"label","value":"VDR-CSO-DOC"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Documentation for Recommendations"},{"id":"VDR-EVA-ELX","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#1a1db995-0854-50b0-9bcc-6bca56cd1264","text":"Likely Exploitable Vulnerability 
(LEV)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-EVA-ELX_stmt","name":"statement","prose":"Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are likely exploitable vulnerabilities."},{"id":"VDR-EVA-ELX_guidance.1","name":"guidance","prose":"The simple reality is that most traditional vulnerabilities discovered by scanners or during assessment are not likely to be exploitable; exploitation typically requires an unrealistic set of circumstances that will not occur during normal operation. The likelihood of exploitation will vary depending on so many factors that FedRAMP will not recommend a specific framework for approaching this beyond the recommendations and requirements in this document."},{"id":"VDR-EVA-ELX_guidance.2","name":"guidance","prose":"The proof, ultimately, is in the pudding - providers who regularly evaluate vulnerabilities as not likely exploitable without careful consideration are more likely to suffer from an adverse impact where the root cause was an exploited vulnerability that was improperly evaluated. 
If done recklessly or deliberately, such actions will have a potential adverse impact on a provider's FedRAMP authorization."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-07"},{"name":"label","value":"VDR-EVA-ELX"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Evaluate Exploitability"},{"id":"VDR-EVA-EIR","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#423fd9c1-f289-543a-9501-3204619b1e4d","text":"Internet-Reachable Vulnerability (IRV)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-EVA-EIR_stmt","name":"statement","prose":"Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are internet-reachable vulnerabilities."},{"id":"VDR-EVA-EIR_guidance.1","name":"guidance","prose":"FedRAMP focuses on internet-reachable (rather than internet-accessible) to ensure that any service that might receive a payload from the internet is prioritized if that service has a vulnerability that can be triggered by processing the data in the payload."},{"id":"VDR-EVA-EIR_guidance.2","name":"guidance","prose":"The simplest way to prevent exploitation of internet-reachable vulnerabilities is to intercept, inspect, filter, sanitize, reject, or otherwise deflect triggering payloads before they are processed by the vulnerable resource; once this prevention is in place the vulnerability should no longer be considered an internet-reachable vulnerability."},{"id":"VDR-EVA-EIR_guidance.3","name":"guidance","prose":"A classic example of an internet-reachable vulnerability on systems that are not typically 
internet-accessible is [SQL injection](https://en.wikipedia.org/wiki/SQL_injection), where an application stack behind a load balancer and firewall with no ability to route traffic to or from the internet can receive a payload indirectly from the internet that triggers the manipulation or compromise of data in a database that can only be accessed by an authorized connection from the application server on a private network."},{"id":"VDR-EVA-EIR_guidance.4","name":"guidance","prose":"Another simple example is the infamous Log4Shell (https://en.wikipedia.org/wiki/Log4Shell) vulnerability from 2021, where exploitation was possible via vulnerable internet-reachable resources deep in the application stack that were often not internet-accessible themselves."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-08"},{"name":"label","value":"VDR-EVA-EIR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Evaluate Internet-Reachability"},{"id":"VDR-EVA-EPA","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#a2c30a2e-b73d-5ef8-85d2-ec8239323018","text":"Catastrophic Adverse Effect"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#3a9626c9-9c57-5eaa-9f63-34a0d5d99f66","text":"Limited Adverse Effect"},{"rel":"defined-term","href":"#31504e44-2bdd-574c-b27f-5afe57d4ea30","text":"Negligible Adverse Effect"},{"rel":"defined-term","href":"#38e4c36f-7cea-59a0-8646-d148c804d97b","text":"Potential Adverse Impact (of vulnerability exploitation)"},{"rel":"defined-term","href":"#f0a95236-1686-5286-b862-ba01f74211e5","text":"Serious Adverse 
Effect"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-EVA-EPA_stmt","name":"statement","parts":[{"id":"VDR-EVA-EPA_stmt.item-01","name":"item","prose":"**N1**: Exploitation could be expected to have negligible adverse effects on one or more agencies that use the cloud service offering."},{"id":"VDR-EVA-EPA_stmt.item-02","name":"item","prose":"**N2**: Exploitation could be expected to have limited adverse effects on one or more agencies that use the cloud service offering."},{"id":"VDR-EVA-EPA_stmt.item-03","name":"item","prose":"**N3**: Exploitation could be expected to have a serious adverse effect on one agency that uses the cloud service offering."},{"id":"VDR-EVA-EPA_stmt.item-04","name":"item","prose":"**N4**: Exploitation could be expected to have a catastrophic adverse effect on one agency that uses the cloud service offering OR a serious adverse effect on more than one federal agency that uses the cloud service offering."},{"id":"VDR-EVA-EPA_stmt.item-05","name":"item","prose":"**N5**: Exploitation could be expected to have a catastrophic adverse effect on more than one agency that uses the cloud service offering."}],"prose":"Providers MUST evaluate detected vulnerabilities, considering the context of the cloud service offering, to estimate the potential adverse impact of exploitation on government customers AND assign one of the following potential adverse impact ratings:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-09"},{"name":"label","value":"VDR-EVA-EPA"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Estimate Potential Adverse 
Impact"},{"id":"VDR-EVA-GRV","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-EVA-GRV_stmt","name":"statement","prose":"Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to identify logical groupings of affected information resources that may improve the efficiency and effectiveness of vulnerability response by consolidating further activity; requirements and recommendations in this process are then applied to these consolidated groupings of vulnerabilities instead of each individual detected instance."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-05"},{"name":"label","value":"VDR-EVA-GRV"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Group Vulnerabilities"},{"id":"VDR-EVA-EFP","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#fd917f34-f410-561d-b3b8-aa69bd881969","text":"False Positive Vulnerability"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-EVA-EFP_stmt","name":"statement","prose":"Providers SHOULD evaluate detected vulnerabilities, considering the context of the cloud service offering, to determine if they are false 
positive vulnerabilities."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-06"},{"name":"label","value":"VDR-EVA-EFP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Evaluate False Positives"},{"id":"VDR-EVA-EFA","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#c1b7a146-d667-51f8-8ceb-ec2fe0d2c3e3","text":"Fully Mitigated Vulnerability"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-EVA-EFA_stmt","name":"statement","parts":[{"id":"VDR-EVA-EFA_stmt.item-01","name":"item","prose":"**Criticality**: How important are the systems or information that might be impacted by the vulnerability?"},{"id":"VDR-EVA-EFA_stmt.item-02","name":"item","prose":"**Reachability**: How might a threat actor reach the vulnerability and how likely is that?"},{"id":"VDR-EVA-EFA_stmt.item-03","name":"item","prose":"**Exploitability**: How easy is it for a threat actor to exploit the vulnerability and how likely is that?"},{"id":"VDR-EVA-EFA_stmt.item-04","name":"item","prose":"**Detectability**: How easy is it for a threat actor to become aware of the vulnerability and how likely is that?"},{"id":"VDR-EVA-EFA_stmt.item-05","name":"item","prose":"**Prevalence**: How much of the cloud service offering is affected by the vulnerability?"},{"id":"VDR-EVA-EFA_stmt.item-06","name":"item","prose":"**Privilege**: How much privileged authority or access is granted or can be gained from exploiting the vulnerability?"},{"id":"VDR-EVA-EFA_stmt.item-07","name":"item","prose":"**Proximate Vulnerabilities**: How 
does this vulnerability interact with previously detected vulnerabilities, especially partially or fully mitigated vulnerabilities?"},{"id":"VDR-EVA-EFA_stmt.item-08","name":"item","prose":"**Known Threats**: How might already known threats leverage the vulnerability and how likely is that?"}],"prose":"Providers SHOULD consider at least the following factors when considering the context of the cloud service offering to evaluate detected vulnerabilities:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-10"},{"name":"label","value":"VDR-EVA-EFA"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Evaluation Factors"},{"id":"VDR-BST-DFR","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-BST-DFR_stmt","name":"statement","prose":"Providers SHOULD make design and architecture decisions for their cloud service offering that mitigate the risk of vulnerabilities by default AND decrease the risk and complexity of vulnerability detection and response."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-AY-02"},{"name":"label","value":"VDR-BST-DFR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Design For 
Resilience"},{"id":"VDR-BST-ADT","links":[{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-BST-ADT_stmt","name":"statement","prose":"Providers SHOULD use automated services to improve and streamline vulnerability detection and response."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-AY-03"},{"name":"label","value":"VDR-BST-ADT"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Automate Detection"},{"id":"VDR-BST-DAC","links":[{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-BST-DAC_stmt","name":"statement","prose":"Providers SHOULD automatically perform vulnerability detection on representative samples of new or significantly changed information resources."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-AY-04"},{"name":"label","value":"VDR-BST-DAC"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Detect After Changes"},{"id":"VDR-BST-MSP","links":[{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability 
Detection"}],"parts":[{"id":"VDR-BST-MSP_stmt","name":"statement","prose":"Providers SHOULD NOT weaken the security of information resources to facilitate vulnerability scanning, detection, or assessment activities."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-AY-05"},{"name":"label","value":"VDR-BST-MSP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Maintain Security"},{"id":"VDR-BST-AKE","links":[{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#86d71efe-fefd-5bbb-becb-62bf52d64f21","text":"Known Exploited Vulnerability (KEV)"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-BST-AKE_stmt","name":"statement","prose":"Providers SHOULD NOT deploy or otherwise activate new machine-based information resources with Known Exploited Vulnerabilities."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-AY-06"},{"name":"label","value":"VDR-BST-AKE"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Avoid KEVs"},{"id":"VDR-BST-SIR","links":[{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability 
Detection"}],"parts":[{"id":"VDR-BST-SIR_stmt","name":"statement","prose":"Providers MAY sample effectively identical information resources, especially machine-based information resources, when performing vulnerability detection UNLESS doing so would decrease the efficiency or effectiveness of vulnerability detection."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-04"},{"name":"label","value":"VDR-BST-SIR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Sampling"},{"id":"VDR-TFR-MHR","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-TFR-MHR_stmt","name":"statement","prose":"Providers MUST report vulnerability detection and response activity to all necessary parties in a consistent format that is human readable at least monthly."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-01"},{"name":"label","value":"VDR-TFR-MHR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"1 month"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Monthly Activity Report"},{"id":"VDR-TFR-MAV","links":[{"rel":"defined-term","href":"#d412e612-661e-5cf6-907c-6cedae2e85a4","text":"Accepted Vulnerability"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-TFR-MAV_stmt","name":"statement","prose":"Providers MUST categorize any vulnerability 
that is not or will not be fully mitigated or remediated within 192 days of evaluation as an accepted vulnerability."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-03"},{"name":"label","value":"VDR-TFR-MAV"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"192 days"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Mark Accepted Vulnerabilities"},{"id":"VDR-TFR-KEV","links":[{"rel":"defined-term","href":"#86d71efe-fefd-5bbb-becb-62bf52d64f21","text":"Known Exploited Vulnerability (KEV)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"reference","href":"https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities","text":"CISA BOD 22-01"}],"parts":[{"id":"VDR-TFR-KEV_stmt","name":"statement","prose":"Providers SHOULD remediate Known Exploited Vulnerabilities according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been fully mitigated) as required by CISA Binding Operational Directive (BOD) 22-01 or any successor guidance from CISA."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-02"},{"name":"label","value":"VDR-TFR-KEV"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Remediate KEVs"},{"id":"VDR-TFR-MRH","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary 
Parties"},{"rel":"defined-term","href":"#7e13e8cd-3ad6-59b3-8552-b35d63beab2b","text":"Machine-Readable"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-TFR-MRH_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"1 month"}],"prose":"Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every month."},{"id":"VDR-TFR-MRH_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"14 days"}],"prose":"Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. using an API service or similar); this information SHOULD be updated persistently, at least once every 14 days."},{"id":"VDR-TFR-MRH_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"7 days"}],"prose":"Providers SHOULD make all recent historical vulnerability detection and response activity available in a machine-readable format for automated retrieval by all necessary parties (e.g. 
using an API service or similar); this information SHOULD be updated persistently, at least once every 7 days."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-LO-01"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-MO-01"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-HI-01"},{"name":"label","value":"VDR-TFR-MRH"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Historical Activity"},{"id":"VDR-TFR-PSD","links":[{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-TFR-PSD_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"7 days"}],"prose":"Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 7 days."},{"id":"VDR-TFR-PSD_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"3 days"}],"prose":"Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 3 
days."},{"id":"VDR-TFR-PSD_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"1 days"}],"prose":"Providers SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once per day."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-LO-02"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-MO-02"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-HI-02"},{"name":"label","value":"VDR-TFR-PSD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Persistent Sample Detection"},{"id":"VDR-TFR-PDD","links":[{"rel":"defined-term","href":"#0f3427cb-ae50-54ef-9ae3-af988882787b","text":"Drift"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-TFR-PDD_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"1 month"}],"prose":"Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 
month."},{"id":"VDR-TFR-PDD_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"14 days"}],"prose":"Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 14 days."},{"id":"VDR-TFR-PDD_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"7 days"}],"prose":"Providers SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 7 days."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-LO-03"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-MO-03"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-HI-03"},{"name":"label","value":"VDR-TFR-PDD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Persistent Drift Detection"},{"id":"VDR-TFR-PCD","links":[{"rel":"defined-term","href":"#0f3427cb-ae50-54ef-9ae3-af988882787b","text":"Drift"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability 
Detection"}],"parts":[{"id":"VDR-TFR-PCD_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"6 month"}],"prose":"Providers SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every six months."},{"id":"VDR-TFR-PCD_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"1 month"}],"prose":"Providers SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month."},{"id":"VDR-TFR-PCD_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"1 month"}],"prose":"Providers SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-LO-04"},{"name":"label","value":"VDR-TFR-PCD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Persistent Complete Detection"},{"id":"VDR-TFR-EVU","links":[{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"}],"parts":[{"id":"VDR-TFR-EVU_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"7 days"}],"prose":"Providers SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 7 days of 
detection."},{"id":"VDR-TFR-EVU_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"5 days"}],"prose":"Providers SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 5 days of detection."},{"id":"VDR-TFR-EVU_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"timeframe","value":"2 days"}],"prose":"Providers SHOULD evaluate ALL vulnerabilities as required by VDR-EVA (Evaluation) within 2 days of detection."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-LO-05"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-MO-05"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-HI-05"},{"name":"label","value":"VDR-TFR-EVU"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Evaluate Vulnerabilities Quickly"},{"id":"VDR-TFR-PVR","links":[{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#38e4c36f-7cea-59a0-8646-d148c804d97b","text":"Potential Adverse Impact (of vulnerability exploitation)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-TFR-PVR_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"}],"prose":"Providers SHOULD partially mitigate, fully mitigate, or remediate vulnerabilities to a lower potential adverse impact within the timeframes from evaluation shown below (in days), factoring for the current potential adverse impact, internet reachability, and likely 
exploitability:"},{"id":"VDR-TFR-PVR_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"}],"prose":"Providers SHOULD partially mitigate, fully mitigate, or remediate vulnerabilities to a lower potential adverse impact within the timeframes from evaluation shown below (in days), factoring for the current potential adverse impact, internet reachability, and likely exploitability:"},{"id":"VDR-TFR-PVR_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"}],"prose":"Providers SHOULD partially mitigate vulnerabilities to a lower potential adverse impact within the maximum time-frames from evaluation shown below (in days), factoring for the current potential adverse impact, internet reachability, and likely exploitability:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-LO-06"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-MO-07"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-HI-08"},{"name":"label","value":"VDR-TFR-PVR"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Mitigation and Remediation Expectations"},{"id":"VDR-TFR-RMN","links":[{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-TFR-RMN_stmt","name":"statement","prose":"Providers SHOULD mitigate or remediate remaining vulnerabilities during routine operations as determined necessary by the 
provider."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-LO-07"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-MO-09"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-HI-09"},{"name":"label","value":"VDR-TFR-RMN"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Remaining Vulnerabilities"},{"id":"VDR-TFR-IRI","links":[{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#1a1db995-0854-50b0-9bcc-6bca56cd1264","text":"Likely Exploitable Vulnerability (LEV)"},{"rel":"defined-term","href":"#38e4c36f-7cea-59a0-8646-d148c804d97b","text":"Potential Adverse Impact (of vulnerability exploitation)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-TFR-IRI_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"}],"prose":"Providers MAY treat internet-reachable likely exploitable vulnerabilities with a potential adverse impact of N4 or N5 as a security incident until they are partially mitigated to N3 or below."},{"id":"VDR-TFR-IRI_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"}],"prose":"Providers SHOULD treat internet-reachable likely exploitable vulnerabilities with a potential adverse impact of N4 or N5 as a security incident until they are partially mitigated to N3 or below."},{"id":"VDR-TFR-IRI_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"}],"prose":"Providers SHOULD treat internet-reachable likely 
exploitable vulnerabilities with a potential adverse impact of N4 or N5 as a security incident until they are partially mitigated to N3 or below."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-MO-06"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-HI-06"},{"name":"label","value":"VDR-TFR-IRI"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Internet-Reachable Incidents"},{"id":"VDR-TFR-NRI","links":[{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#1a1db995-0854-50b0-9bcc-6bca56cd1264","text":"Likely Exploitable Vulnerability (LEV)"},{"rel":"defined-term","href":"#38e4c36f-7cea-59a0-8646-d148c804d97b","text":"Potential Adverse Impact (of vulnerability exploitation)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-TFR-NRI_stmt.low","name":"statement","class":"low","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"}],"prose":"Providers MAY treat likely exploitable vulnerabilities that are NOT internet-reachable with a potential adverse impact of N5 as a security incident until they are partially mitigated to N4 or below."},{"id":"VDR-TFR-NRI_stmt.moderate","name":"statement","class":"moderate","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"}],"prose":"Providers MAY treat likely exploitable vulnerabilities that are NOT internet-reachable with a potential adverse impact of N5 as a security incident until they are partially mitigated to N4 or below."},{"id":"VDR-TFR-NRI_stmt.high","name":"statement","class":"high","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"}],"prose":"Providers SHOULD treat likely exploitable vulnerabilities that are NOT 
internet-reachable with a potential adverse impact of N5 as a security incident until they are partially mitigated to N4 or below."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-TF-HI-07"},{"name":"label","value":"VDR-TFR-NRI"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Non-Internet-Reachable Incidents"},{"id":"VDR-RPT-PER","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-RPT-PER_stmt","name":"statement","prose":"Providers MUST report vulnerability detection and response activity to all necessary parties persistently, summarizing ALL activity since the previous report; these reports are authorization data and are subject to the FedRAMP Authorization Data Sharing (ADS) process."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-RP-01"},{"name":"label","value":"VDR-RPT-PER"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Persistent Reporting"},{"id":"VDR-RPT-NID","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary 
Parties"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-RPT-NID_stmt","name":"statement","prose":"Providers MUST NOT irresponsibly disclose specific sensitive information about vulnerabilities that would likely lead to exploitation, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties."},{"id":"VDR-RPT-NID_guidance","name":"guidance","prose":"This requirement will be superseded in the event of formal action related to an investigation or corrective action plan."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-RP-03"},{"name":"label","value":"VDR-RPT-NID"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Responsible Disclosure"},{"id":"VDR-RPT-VDT","links":[{"rel":"defined-term","href":"#d412e612-661e-5cf6-907c-6cedae2e85a4","text":"Accepted Vulnerability"},{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer Data"},{"rel":"defined-term","href":"#423fd9c1-f289-543a-9501-3204619b1e4d","text":"Internet-Reachable Vulnerability (IRV)"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#1a1db995-0854-50b0-9bcc-6bca56cd1264","text":"Likely Exploitable Vulnerability (LEV)"},{"rel":"defined-term","href":"#9f50c8f3-4199-5aad-83ca-8f730f8ffb6a","text":"Overdue Vulnerability"},{"rel":"defined-term","href":"#38e4c36f-7cea-59a0-8646-d148c804d97b","text":"Potential Adverse Impact (of vulnerability 
exploitation)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-RPT-VDT_stmt","name":"statement","parts":[{"id":"VDR-RPT-VDT_stmt.item-01","name":"item","prose":"Provider's internally assigned tracking identifier"},{"id":"VDR-RPT-VDT_stmt.item-02","name":"item","prose":"Time and source of the detection"},{"id":"VDR-RPT-VDT_stmt.item-03","name":"item","prose":"Time of completed evaluation"},{"id":"VDR-RPT-VDT_stmt.item-04","name":"item","prose":"Is it an internet-reachable vulnerability or not?"},{"id":"VDR-RPT-VDT_stmt.item-05","name":"item","prose":"Is it a likely exploitable vulnerability or not?"},{"id":"VDR-RPT-VDT_stmt.item-06","name":"item","prose":"Historically and currently estimated potential adverse impact of exploitation"},{"id":"VDR-RPT-VDT_stmt.item-07","name":"item","prose":"Time and level of each completed and evaluated reduction in potential adverse impact"},{"id":"VDR-RPT-VDT_stmt.item-08","name":"item","prose":"Estimated time and target level of next reduction in potential adverse impact"},{"id":"VDR-RPT-VDT_stmt.item-09","name":"item","prose":"Is it currently or is it likely to become an overdue vulnerability or not? 
If so, explain."},{"id":"VDR-RPT-VDT_stmt.item-10","name":"item","prose":"Any supplementary information the provider responsibly determines will help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the vulnerability"},{"id":"VDR-RPT-VDT_stmt.item-11","name":"item","prose":"Final disposition of the vulnerability"}],"prose":"Providers MUST include the following information (if applicable) on detected vulnerabilities when reporting on vulnerability detection and response activity, UNLESS it is an accepted vulnerability:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-RP-05"},{"name":"label","value":"VDR-RPT-VDT"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Vulnerability Details"},{"id":"VDR-RPT-AVI","links":[{"rel":"defined-term","href":"#d412e612-661e-5cf6-907c-6cedae2e85a4","text":"Accepted Vulnerability"},{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer Data"},{"rel":"defined-term","href":"#423fd9c1-f289-543a-9501-3204619b1e4d","text":"Internet-Reachable Vulnerability (IRV)"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#1a1db995-0854-50b0-9bcc-6bca56cd1264","text":"Likely Exploitable Vulnerability (LEV)"},{"rel":"defined-term","href":"#38e4c36f-7cea-59a0-8646-d148c804d97b","text":"Potential Adverse Impact (of vulnerability exploitation)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability 
Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-RPT-AVI_stmt","name":"statement","parts":[{"id":"VDR-RPT-AVI_stmt.item-01","name":"item","prose":"Provider's internally assigned tracking identifier"},{"id":"VDR-RPT-AVI_stmt.item-02","name":"item","prose":"Time and source of the detection"},{"id":"VDR-RPT-AVI_stmt.item-03","name":"item","prose":"Time of completed evaluation"},{"id":"VDR-RPT-AVI_stmt.item-04","name":"item","prose":"Is it an internet-reachable vulnerability or not?"},{"id":"VDR-RPT-AVI_stmt.item-05","name":"item","prose":"Is it a likely exploitable vulnerability or not?"},{"id":"VDR-RPT-AVI_stmt.item-06","name":"item","prose":"Currently estimated potential adverse impact of exploitation"},{"id":"VDR-RPT-AVI_stmt.item-07","name":"item","prose":"Explanation of why this is an accepted vulnerability"},{"id":"VDR-RPT-AVI_stmt.item-08","name":"item","prose":"Any supplementary information the provider determines will responsibly help federal agencies assess or mitigate the risk to their federal customer data within the cloud service offering resulting from the accepted vulnerability"}],"prose":"Providers MUST include the following information on accepted vulnerabilities when reporting on vulnerability detection and response activity:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-RP-06"},{"name":"label","value":"VDR-RPT-AVI"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Accepted Vulnerability Info"},{"id":"VDR-RPT-HLO","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability 
Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"VDR-RPT-HLO_stmt","name":"statement","prose":"Providers SHOULD include high-level overviews of ALL vulnerability detection and response activities conducted during this period for the cloud service offering; this includes vulnerability disclosure programs, bug bounty programs, penetration testing, assessments, etc."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-RP-02"},{"name":"label","value":"VDR-RPT-HLO"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"High-Level Overviews"},{"id":"VDR-RPT-RPD","links":[{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-RPT-RPD_stmt","name":"statement","prose":"Providers MAY responsibly disclose vulnerabilities publicly or with other parties if the provider determines doing so will NOT likely lead to exploitation."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-RP-04"},{"name":"label","value":"VDR-RPT-RPD"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"}],"title":"Responsible Public Disclosure"},{"id":"VDR-AGM-RVR","links":[{"rel":"defined-term","href":"#d412e612-661e-5cf6-907c-6cedae2e85a4","text":"Accepted Vulnerability"},{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#38e4c36f-7cea-59a0-8646-d148c804d97b","text":"Potential Adverse Impact (of vulnerability 
exploitation)"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-AGM-RVR_stmt","name":"statement","prose":"Agencies SHOULD review the information provided in vulnerability reports at appropriate and reasonable intervals commensurate with the expectations and risk posture indicated by their Authorization to Operate, and SHOULD use automated processing and filtering of machine readable information from cloud service providers."},{"id":"VDR-AGM-RVR_guidance","name":"guidance","prose":"FedRAMP recommends that agencies only review overdue and accepted vulnerabilities with a potential adverse impact of N3 or higher unless the cloud service provider recommends mitigations or the service is included in a higher risk federal information system. Furthermore, accepted vulnerabilities generally only need to be reviewed when they are added or during an updated risk assessment due to changes in the agency’s use or authorization."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-AG-01"},{"name":"label","value":"VDR-AGM-RVR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Review Vulnerability Reports"},{"id":"VDR-AGM-MAP","links":[{"rel":"defined-term","href":"#d412e612-661e-5cf6-907c-6cedae2e85a4","text":"Accepted Vulnerability"},{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-AGM-MAP_stmt","name":"statement","prose":"Agencies SHOULD use vulnerability information reported by the Provider to maintain Plans of Action & Milestones for agency security programs when relevant according to agency security policies (such as if the agency takes action to mitigate the risk of exploitation or authorized the continued use of a 
cloud service with accepted vulnerabilities that put agency information systems at risk)."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-AG-02"},{"name":"label","value":"VDR-AGM-MAP"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Maintain Agency POA&M"},{"id":"VDR-AGM-DRE","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"}],"parts":[{"id":"VDR-AGM-DRE_stmt","name":"statement","prose":"Agencies SHOULD NOT request additional information from cloud service providers that is not required by this FedRAMP process UNLESS the head of the agency or an authorized delegate makes a determination that there is a demonstrable need for such."},{"id":"VDR-AGM-DRE_guidance","name":"guidance","prose":"This is related to the Presumption of Adequacy directed by 44 USC § 3613 (e)."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-AG-03"},{"name":"label","value":"VDR-AGM-DRE"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD NOT"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Do Not Request Extra Info"},{"id":"VDR-AGM-NFR","links":[{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"VDR-AGM-NFR_stmt","name":"statement","prose":"Agencies MUST notify FedRAMP after requesting any additional vulnerability information or materials from a cloud service provider beyond those FedRAMP requires by sending a notification to [info@fedramp.gov](mailto:info@fedramp.gov)."},{"id":"VDR-AGM-NFR_guidance","name":"guidance","prose":"This is an OMB policy; agencies are required to notify FedRAMP in OMB Memorandum M-24-15 section IV 
(a)."},{"id":"VDR-AGM-NFR_notification","name":"notification","prose":[{"party":"FedRAMP","method":"email","target":"info@fedramp.gov"}]}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-VDR-AG-04"},{"name":"label","value":"VDR-AGM-NFR"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Agencies"}],"title":"Notify FedRAMP"}]},{"id":"FRR-KSI","parts":[{"id":"FRR-KSI_purpose","name":"overview","prose":"Modern cloud services use automated or code-driven configuration management and control planes to ensure predictable, repeatable, reliable, and secure outcomes during deployment and operation. The majority of a service security assessment can take place continuously via automated validation for simple cloud-native services if the need for a traditional control-by-control narrative approach is removed."},{"id":"FRR-KSI_outcomes","name":"expected-outcomes","prose":"- Cloud service providers following commercial security best practices will be able to meet and validate FedRAMP security requirements with the application of simple changes and automated capabilities\n\n- Third-party independent assessors will have a simpler framework to assess security and implementation decisions based on engineering decisions in context\n\n- Federal agencies will be able to easily, quickly, and effectively review and consume security information about the service to make informed risk-based authorization to operate decisions based on their planned use case"}],"props":[{"name":"label","value":"KSI"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"KSI"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"key-security-indicators"},{"ns":"https://fedramp.gov/ns/oscal","name":"effective-status","value":"required"},{"ns":"https://fedramp.gov/ns/oscal","name":"current-status","value":"Phase 2 
Pilot"},{"ns":"https://fedramp.gov/ns/oscal","name":"start-date","value":"2025-11-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"end-date","value":"2026-03-31"}],"title":"Key Security Indicators","controls":[{"id":"KSI-CSX-SUM","links":[{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"KSI-CSX-SUM_stmt","name":"statement","parts":[{"id":"KSI-CSX-SUM_stmt.item-01","name":"item","prose":"Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability"},{"id":"KSI-CSX-SUM_stmt.item-02","name":"item","prose":"The consolidated _information resources_ that will be validated (this should include consolidated summaries such as \"all employees with privileged access that are members of the Admin group\")"},{"id":"KSI-CSX-SUM_stmt.item-03","name":"item","prose":"The machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)"},{"id":"KSI-CSX-SUM_stmt.item-04","name":"item","prose":"The non-machine-based processes for _validation_ and the _persistent_ cycle on which they will be performed (or an explanation of why this doesn't apply)"},{"id":"KSI-CSX-SUM_stmt.item-05","name":"item","prose":"Current implementation status"},{"id":"KSI-CSX-SUM_stmt.item-06","name":"item","prose":"Any clarifications or responses to the assessment summary"}],"prose":"Providers MUST maintain simple high-level summaries of at least the following for each Key Security 
Indicator:"}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-KSI-02"},{"name":"label","value":"KSI-CSX-SUM"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MUST"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"},{"ns":"https://fedramp.gov/ns/oscal","name":"impact","value":{"low":true,"moderate":true}}],"title":"Implementation Summaries"},{"id":"KSI-CSX-MAS","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"}],"parts":[{"id":"KSI-CSX-MAS_stmt","name":"statement","prose":"Providers SHOULD apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRR-KSI-01"},{"name":"label","value":"KSI-CSX-MAS"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"SHOULD"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"},{"ns":"https://fedramp.gov/ns/oscal","name":"impact","value":{"low":true,"moderate":true}}],"title":"Application within MAS"},{"id":"KSI-CSX-ORD","links":[{"rel":"defined-term","href":"#b4ac8872-3bd8-5d73-a372-82b37d8b9c27","text":"Authorization Package"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#07282bbb-927e-58cc-8350-0a8593d6a549","text":"FedRAMP Security Inbox"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent 
Validation"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"KSI-CSX-ORD_stmt","name":"statement","parts":[{"id":"KSI-CSX-ORD_stmt.item-01","name":"item","prose":"Minimum Assessment Scope (MAS)"},{"id":"KSI-CSX-ORD_stmt.item-02","name":"item","prose":"Authorization Data Sharing (ADS)"},{"id":"KSI-CSX-ORD_stmt.item-03","name":"item","prose":"Using Cryptographic Modules (UCM)"},{"id":"KSI-CSX-ORD_stmt.item-04","name":"item","prose":"Vulnerability Detection and Response (VDR)"},{"id":"KSI-CSX-ORD_stmt.item-05","name":"item","prose":"Significant Change Notifications (SCN)"},{"id":"KSI-CSX-ORD_stmt.item-06","name":"item","prose":"Persistent Validation and Assessment (PVA)"},{"id":"KSI-CSX-ORD_stmt.item-07","name":"item","prose":"Secure Configuration Guide (SCG)"},{"id":"KSI-CSX-ORD_stmt.item-08","name":"item","prose":"Collaborative Continuous Monitoring (CCM)"},{"id":"KSI-CSX-ORD_stmt.item-09","name":"item","prose":"FedRAMP Security Inbox (FSI)"},{"id":"KSI-CSX-ORD_stmt.item-10","name":"item","prose":"Incident Communications Procedures (ICP)"}],"prose":"Providers MAY use the following order of criticality for approaching Authorization by FedRAMP Key Security Indicators for an initial authorization 
package:"}],"props":[{"name":"label","value":"KSI-CSX-ORD"},{"ns":"https://fedramp.gov/ns/oscal","name":"applicability","value":"20x"},{"ns":"https://fedramp.gov/ns/oscal","name":"keyword","value":"MAY"},{"ns":"https://fedramp.gov/ns/oscal","name":"affects","value":"Providers"},{"ns":"https://fedramp.gov/ns/oscal","name":"impact","value":{"low":true,"moderate":true}}],"title":"AFR Order of Criticality"}]}]},{"id":"KSI","props":[{"name":"label","value":"KSI"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"KSI"}],"title":"Key Security Indicators","groups":[{"id":"KSI-AFR","parts":[{"id":"KSI-AFR_theme","name":"overview","prose":"A secure cloud service provider seeking FedRAMP authorization will address all FedRAMP 20x requirements and recommendations, including government-specific requirements for maintaining a secure system and reporting on activities to government customers."}],"props":[{"name":"label","value":"AFR"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"AFR"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"authorization-by-fedramp"}],"title":"Authorization by 
FedRAMP","controls":[{"id":"KSI-AFR-ADS","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-3","resource-fragment":"ac-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-4","resource-fragment":"ac-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-2","resource-fragment":"au-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-3","resource-fragment":"au-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-6","resource-fragment":"au-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-2","resource-fragment":"ca-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4","resource-fragment":"ir-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5","resource-fragment":"ra-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-8","resource-fragment":"sc-8"},{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#db58b45b-718f-5880-a149-1c037958ee90","text":"Authorization data"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"related","href":"#FRR-ADS","text":"FRR-ADS Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/authorization-data-sharing","text":"Authorization Data Sharing"}],"parts":[{"id":"KSI-AFR-ADS_stmt","name":"statement","prose":"Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-03"},{"name":"label","value":"KSI-AFR-ADS"}],"title":"Authorization Data 
Sharing"},{"id":"KSI-AFR-CCM","links":[{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#ed097ed9-3dc1-521d-80f8-743f513826e3","text":"Quarterly Review"},{"rel":"related","href":"#FRR-CCM","text":"FRR-CCM Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/collaborative-continuous-monitoring","text":"Collaborative Continuous Monitoring"}],"parts":[{"id":"KSI-AFR-CCM_stmt","name":"statement","prose":"Maintain a plan and process for providing Ongoing Authorization Reports and Quarterly Reviews for all necessary parties in alignment with the FedRAMP Collaborative Continuous Monitoring (CCM) process and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-06"},{"name":"label","value":"KSI-AFR-CCM"}],"title":"Collaborative Continuous Monitoring"},{"id":"KSI-AFR-FSI","links":[{"rel":"defined-term","href":"#07282bbb-927e-58cc-8350-0a8593d6a549","text":"FedRAMP Security Inbox"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"related","href":"#FRR-FSI","text":"FRR-FSI Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/fedramp-security-inbox","text":"FedRAMP Security Inbox"}],"parts":[{"id":"KSI-AFR-FSI_stmt","name":"statement","prose":"Operate a secure inbox to receive critical communication from FedRAMP and other government entities in alignment with FedRAMP Security Inbox (FSI) requirements and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-08"},{"name":"label","value":"KSI-AFR-FSI"}],"title":"FedRAMP Security 
Inbox"},{"id":"KSI-AFR-ICP","links":[{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"},{"rel":"related","href":"#FRR-ICP","text":"FRR-ICP Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/incident-communications-procedures","text":"Incident Communications Procedures"}],"parts":[{"id":"KSI-AFR-ICP_stmt","name":"statement","prose":"Integrate FedRAMP's Incident Communications Procedures (ICP) into incident response procedures and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-10"},{"name":"label","value":"KSI-AFR-ICP"}],"title":"Incident Communications Procedures"},{"id":"KSI-AFR-MAS","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-1","resource-fragment":"ac-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-21","resource-fragment":"ac-21"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AT-1","resource-fragment":"at-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-1","resource-fragment":"au-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-1","resource-fragment":"ca-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-1","resource-fragment":"cm-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-1","resource-fragment":"cp-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2.1","resource-fragment":"cp-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2.8","resource-fragment":"cp-2.8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b
","text":"CP-4.1","resource-fragment":"cp-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-1","resource-fragment":"ia-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-1","resource-fragment":"ir-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"MA-1","resource-fragment":"ma-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"MP-1","resource-fragment":"mp-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PE-1","resource-fragment":"pe-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PL-1","resource-fragment":"pl-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PL-2","resource-fragment":"pl-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PL-4","resource-fragment":"pl-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PL-4.1","resource-fragment":"pl-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-1","resource-fragment":"ps-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-1","resource-fragment":"ra-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-9","resource-fragment":"ra-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-1","resource-fragment":"sa-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-1","resource-fragment":"sc-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-1","resource-fragment":"si-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-1","resource-fragment":"sr-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-2","resource-fragment":"sr-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-3","resource-fragment":"sr-3"},{"rel":"required","hre
f":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-11","resource-fragment":"sr-11"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"related","href":"#FRR-MAS","text":"FRR-MAS Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/minimum-assessment-scope","text":"Minimum Assessment Scope"}],"parts":[{"id":"KSI-AFR-MAS_stmt","name":"statement","prose":"Apply the FedRAMP Minimum Assessment Scope (MAS) to identify and document the scope of the cloud service offering to be assessed for FedRAMP authorization and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-01"},{"name":"label","value":"KSI-AFR-MAS"}],"title":"Minimum Assessment Scope"},{"id":"KSI-AFR-PVA","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"related","href":"#FRR-PVA","text":"FRR-PVA Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/persistent-validation-and-assessment","text":"Persistent Validation and Assessment"}],"parts":[{"id":"KSI-AFR-PVA_stmt","name":"statement","prose":"Persistently validate, assess, and report on the effectiveness and status of security decisions and policies that are implemented within the cloud service offering in alignment with the FedRAMP 20x Persistent Validation and Assessment (PVA) process, and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-09"},{"name":"label","value":"KSI-AFR-PVA"}],"title":"Persistent 
Validation and Assessment"},{"id":"KSI-AFR-SCG","links":[{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"related","href":"#FRR-SCG","text":"FRR-SCG Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/secure-configuration-guide","text":"Secure Configuration Guide"}],"parts":[{"id":"KSI-AFR-SCG_stmt","name":"statement","prose":"Develop secure by default configurations and provide guidance for secure configuration of the cloud service offering to customers in alignment with the FedRAMP Secure Configuration Guide (SCG) process and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-07"},{"name":"label","value":"KSI-AFR-SCG"}],"title":"Secure Configuration Guide"},{"id":"KSI-AFR-SCN","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-7.4","resource-fragment":"ca-7.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3.4","resource-fragment":"cm-3.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-4","resource-fragment":"cm-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7.1","resource-fragment":"cm-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-5","resource-fragment":"au-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-5","resource-fragment":"ca-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-7","resource-fragment":"ca-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5","resource-fragment":"ra-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.2","resource-fragment":"ra-5.2"},{"rel":"required","href":"#3576fc5e-9ce3-56
cd-9069-0249bd215a0b","text":"SA-22","resource-fragment":"sa-22"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-2","resource-fragment":"si-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-2.2","resource-fragment":"si-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-3","resource-fragment":"si-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-5","resource-fragment":"si-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-7.7","resource-fragment":"si-7.7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-10","resource-fragment":"si-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-11","resource-fragment":"si-11"},{"rel":"defined-term","href":"#b1060108-b417-5545-9937-6ddfbda32670","text":"All Necessary Parties"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","text":"Significant change"},{"rel":"related","href":"#FRR-SCN","text":"FRR-SCN Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/significant-change-notifications","text":"Significant Change Notifications"}],"parts":[{"id":"KSI-AFR-SCN_stmt","name":"statement","prose":"Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-05"},{"name":"label","value":"KSI-AFR-SCN"}],"title":"Significant Change Notifications"},{"id":"KSI-AFR-UCM","links":[{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer 
Data"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"related","href":"#FRR-UCM","text":"FRR-UCM Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/using-cryptographic-modules","text":"Using Cryptographic Modules"}],"parts":[{"id":"KSI-AFR-UCM_stmt","name":"statement","prose":"Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) guidance and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-11"},{"name":"label","value":"KSI-AFR-UCM"}],"title":"Using Cryptographic Modules"},{"id":"KSI-AFR-VDR","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-2","resource-fragment":"ca-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-7","resource-fragment":"ca-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-7.6","resource-fragment":"ca-7.6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-1","resource-fragment":"ir-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4","resource-fragment":"ir-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4.1","resource-fragment":"ir-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-5","resource-fragment":"ir-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-5.1","resource-fragment":"ir-5.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-6","resource-fragment":"ir-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-6.1","resource-fragment":"ir-6.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-6.2","resource-fr
agment":"ir-6.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PM-3","resource-fragment":"pm-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PM-5","resource-fragment":"pm-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PM-31","resource-fragment":"pm-31"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-2","resource-fragment":"ra-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-2.1","resource-fragment":"ra-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-3","resource-fragment":"ra-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-3.3","resource-fragment":"ra-3.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5","resource-fragment":"ra-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.2","resource-fragment":"ra-5.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.3","resource-fragment":"ra-5.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.4","resource-fragment":"ra-5.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.5","resource-fragment":"ra-5.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.6","resource-fragment":"ra-5.6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.7","resource-fragment":"ra-5.7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.11","resource-fragment":"ra-5.11"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-9","resource-fragment":"ra-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-10","resource-fragment":"ra-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-2","resource-fragment":"si-2"},{"rel":"requir
ed","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-2.1","resource-fragment":"si-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-2.2","resource-fragment":"si-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-2.4","resource-fragment":"si-2.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-2.5","resource-fragment":"si-2.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-3","resource-fragment":"si-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-3.1","resource-fragment":"si-3.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-3.2","resource-fragment":"si-3.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4","resource-fragment":"si-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4.2","resource-fragment":"si-4.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4.3","resource-fragment":"si-4.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4.7","resource-fragment":"si-4.7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-7.4","resource-fragment":"ca-7.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-7","resource-fragment":"ra-7"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud Service Offering"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"},{"rel":"defined-term","href":"#c43220f3-fafe-59f6-aadb-e2c84764bbb9","text":"Vulnerability Detection"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"},{"rel":"related","href":"#FRR-VDR","text":"FRR-VDR 
Requirements"},{"rel":"reference","href":"https://fedramp.gov/docs/20x/vulnerability-detection-and-response","text":"Vulnerability Detection and Response"}],"parts":[{"id":"KSI-AFR-VDR_stmt","name":"statement","prose":"Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-AFR-04"},{"name":"label","value":"KSI-AFR-VDR"}],"title":"Vulnerability Detection and Response"}]},{"id":"KSI-CMT","parts":[{"id":"KSI-CMT_theme","name":"overview","prose":"A secure cloud service provider will ensure that all changes are properly documented and configuration baselines are updated accordingly."}],"props":[{"name":"label","value":"CMT"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"CMT"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"change-management"}],"title":"Change Management","controls":[{"id":"KSI-CMT-LMC","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-2","resource-fragment":"au-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3","resource-fragment":"cm-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3.2","resource-fragment":"cm-3.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-4.2","resource-fragment":"cm-4.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-6","resource-fragment":"cm-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-8.3","resource-fragment":"cm-8.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"MA-2","resource-fragment":"ma-2"},{"rel":"defined-term","href":"#2f617999-bc56-546e-bcc2-0dcaef8478e0","text":"Cloud 
Service Offering"}],"parts":[{"id":"KSI-CMT-LMC_stmt","name":"statement","prose":"Log and monitor modifications to the cloud service offering."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CMT-01"},{"name":"label","value":"KSI-CMT-LMC"}],"title":"Logging Changes"},{"id":"KSI-CMT-RMV","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2","resource-fragment":"cm-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3","resource-fragment":"cm-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-5","resource-fragment":"cm-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-6","resource-fragment":"cm-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7","resource-fragment":"cm-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-8.1","resource-fragment":"cm-8.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-3","resource-fragment":"si-3"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"}],"parts":[{"id":"KSI-CMT-RMV_stmt","name":"statement","prose":"Execute changes to machine-based information resources through redeployment of version controlled immutable resources rather than direct modification wherever reasonable."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CMT-02"},{"name":"label","value":"KSI-CMT-RMV"}],"title":"Redeploying vs 
Modifying"},{"id":"KSI-CMT-RVP","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3","resource-fragment":"cm-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3.2","resource-fragment":"cm-3.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3.4","resource-fragment":"cm-3.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-5","resource-fragment":"cm-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7.1","resource-fragment":"cm-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-9","resource-fragment":"cm-9"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CMT-RVP_stmt","name":"statement","prose":"Persistently review the effectiveness of documented change management procedures."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CMT-04"},{"name":"label","value":"KSI-CMT-RVP"}],"title":"Reviewing Change Procedures"},{"id":"KSI-CMT-VTD","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3","resource-fragment":"cm-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3.2","resource-fragment":"cm-3.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-4.2","resource-fragment":"cm-4.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-2","resource-fragment":"si-2"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CMT-VTD_stmt","name":"statement","prose":"Automate persistent testing and validation of changes throughout 
deployment."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CMT-03"},{"name":"label","value":"KSI-CMT-VTD"}],"title":"Validating Throughout Deployment"}]},{"id":"KSI-CNA","parts":[{"id":"KSI-CNA_theme","name":"overview","prose":"A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the confidentiality, integrity and availability of the system."}],"props":[{"name":"label","value":"CNA"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"CNA"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"cloud-native-architecture"}],"title":"Cloud Native Architecture","controls":[{"id":"KSI-CNA-DFP","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2","resource-fragment":"cm-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-3","resource-fragment":"si-3"}],"parts":[{"id":"KSI-CNA-DFP_stmt","name":"statement","prose":"Strictly define the functionality and privileges for infrastructure and services."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CNA-04"},{"name":"label","value":"KSI-CNA-DFP"}],"title":"Defining Functionality and Privileges"},{"id":"KSI-CNA-EIS","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-2.1","resource-fragment":"ca-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-7.1","resource-fragment":"ca-7.1"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CNA-EIS_stmt.low","name":"statement","class":"low","prose":"**Optional:** Use automated services to persistently assess the security posture 
of all machine-based information resources and automatically enforce their intended operational state."},{"id":"KSI-CNA-EIS_stmt.moderate","name":"statement","class":"moderate","prose":"Use automated services to persistently assess the security posture of all machine-based information resources and automatically enforce their intended operational state."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CNA-08"},{"name":"label","value":"KSI-CNA-EIS"}],"title":"Enforcing Intended State"},{"id":"KSI-CNA-IBP","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.3","resource-fragment":"ac-17.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2","resource-fragment":"cm-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PL-10","resource-fragment":"pl-10"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CNA-IBP_stmt","name":"statement","prose":"Persistently ensure cloud-native machine-based information resources are implemented based on the host provider's best practices and documented guidance."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CNA-07"},{"name":"label","value":"KSI-CNA-IBP"}],"title":"Implementing Best 
Practices"},{"id":"KSI-CNA-MAT","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.3","resource-fragment":"ac-17.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-18.1","resource-fragment":"ac-18.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-18.3","resource-fragment":"ac-18.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-20.1","resource-fragment":"ac-20.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-9","resource-fragment":"ca-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-7.3","resource-fragment":"sc-7.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-7.4","resource-fragment":"sc-7.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-7.5","resource-fragment":"sc-7.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-7.8","resource-fragment":"sc-7.8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-8","resource-fragment":"sc-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-10","resource-fragment":"sc-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-10","resource-fragment":"si-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-11","resource-fragment":"si-11"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-16","resource-fragment":"si-16"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CNA-MAT_stmt","name":"statement","prose":"Persistently ensure machine-based 
information resources have a minimal attack surface and that lateral movement is minimized if compromised."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CNA-02"},{"name":"label","value":"KSI-CNA-MAT"}],"title":"Minimizing Attack Surface"},{"id":"KSI-CNA-OFA","links":[{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"}],"parts":[{"id":"KSI-CNA-OFA_stmt","name":"statement","prose":"Appropriately optimize machine-based information resources for high availability and rapid recovery."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CNA-06"},{"name":"label","value":"KSI-CNA-OFA"}],"title":"Optimizing for Availability"},{"id":"KSI-CNA-RNT","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.3","resource-fragment":"ac-17.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-9","resource-fragment":"ca-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7.1","resource-fragment":"cm-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-7.5","resource-fragment":"sc-7.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-8","resource-fragment":"si-8"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CNA-RNT_stmt","name":"statement","prose":"Persistently ensure all machine-based information resources are configured to limit inbound and outbound network 
traffic."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CNA-01"},{"name":"label","value":"KSI-CNA-RNT"}],"title":"Restricting Network Traffic"},{"id":"KSI-CNA-RVP","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-5","resource-fragment":"sc-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-8","resource-fragment":"si-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-8.2","resource-fragment":"si-8.2"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CNA-RVP_stmt","name":"statement","prose":"Persistently review the effectiveness of protection against denial of service attacks and other unwanted activity."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CNA-05"},{"name":"label","value":"KSI-CNA-RVP"}],"title":"Reviewing Protections"},{"id":"KSI-CNA-ULN","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-12","resource-fragment":"ac-12"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.3","resource-fragment":"ac-17.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-9","resource-fragment":"ca-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-4","resource-fragment":"sc-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-7","resource-fragment":"sc-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-7.7","resource-fragment":"sc-7.7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-8","resource-fragment":"sc-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-10","resource-fragment":"sc-10"}],"parts":[{"id":"KSI-CNA-ULN_stmt","name":"statement","prose":"Use logical networking and related capabilities to 
enforce traffic flow controls."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CNA-03"},{"name":"label","value":"KSI-CNA-ULN"}],"title":"Using Logical Networking"}]},{"id":"KSI-CED","parts":[{"id":"KSI-CED_theme","name":"overview","prose":"A secure cloud service provider will educate their employees on cybersecurity measures, testing them persistently to ensure their knowledge is satisfactory."}],"props":[{"name":"label","value":"CED"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"CED"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"cybersecurity-education"}],"title":"Cybersecurity Education","controls":[{"id":"KSI-CED-DET","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-3","resource-fragment":"cp-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-2","resource-fragment":"ir-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-6","resource-fragment":"ps-6"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CED-DET_stmt","name":"statement","prose":"Persistently review the effectiveness of role-specific training given to development and engineering staff that covers best practices for delivering secure software."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CED-03"},{"name":"label","value":"KSI-CED-DET"}],"title":"Reviewing Development and Engineering 
Training"},{"id":"KSI-CED-RGT","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AT-2","resource-fragment":"at-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AT-2.2","resource-fragment":"at-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AT-2.3","resource-fragment":"at-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AT-3.5","resource-fragment":"at-3.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AT-4","resource-fragment":"at-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-2.3","resource-fragment":"ir-2.3"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CED-RGT_stmt","name":"statement","prose":"Persistently review the effectiveness of training given to all employees on policies, procedures, and security-related topics."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CED-01"},{"name":"label","value":"KSI-CED-RGT"}],"title":"Reviewing General Training"},{"id":"KSI-CED-RRT","links":[{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"KSI-CED-RRT_stmt","name":"statement","prose":"Persistently review the effectiveness of role-specific training given to staff involved with incident response or disaster recovery."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CED-04"},{"name":"label","value":"KSI-CED-RRT"}],"title":"Reviewing Response and Recovery 
Training"},{"id":"KSI-CED-RST","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AT-2","resource-fragment":"at-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AT-2.3","resource-fragment":"at-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AT-3","resource-fragment":"at-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-11.1","resource-fragment":"sr-11.1"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-CED-RST_stmt","name":"statement","prose":"Persistently review the effectiveness of role-specific training given to employees in high risk roles, including at least roles with privileged access."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-CED-02"},{"name":"label","value":"KSI-CED-RST"}],"title":"Reviewing Role-Specific Training"}]},{"id":"KSI-IAM","parts":[{"id":"KSI-IAM_theme","name":"overview","prose":"A secure cloud service offering will protect user data, control access, and apply zero trust principles."}],"props":[{"name":"label","value":"IAM"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"IAM"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"identity-and-access-management"}],"title":"Identity and Access 
Management","controls":[{"id":"KSI-IAM-AAM","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.2","resource-fragment":"ac-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.3","resource-fragment":"ac-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.13","resource-fragment":"ac-2.13"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.7","resource-fragment":"ac-6.7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-4.4","resource-fragment":"ia-4.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-12","resource-fragment":"ia-12"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-12.2","resource-fragment":"ia-12.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-12.3","resource-fragment":"ia-12.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-12.5","resource-fragment":"ia-12.5"}],"parts":[{"id":"KSI-IAM-AAM_stmt","name":"statement","prose":"Securely manage the lifecycle and privileges of all accounts, roles, and groups, using automation."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-IAM-07"},{"name":"label","value":"KSI-IAM-AAM"}],"title":"Automating Account 
Management"},{"id":"KSI-IAM-APM","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2","resource-fragment":"ac-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-3","resource-fragment":"ac-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-2.1","resource-fragment":"ia-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-2.2","resource-fragment":"ia-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-2.8","resource-fragment":"ia-2.8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-5.1","resource-fragment":"ia-5.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-5.2","resource-fragment":"ia-5.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-5.6","resource-fragment":"ia-5.6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-6","resource-fragment":"ia-6"}],"parts":[{"id":"KSI-IAM-APM_stmt","name":"statement","prose":"Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA for authentication."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-IAM-02"},{"name":"label","value":"KSI-IAM-APM"}],"title":"Adopting Passwordless 
Methods"},{"id":"KSI-IAM-ELP","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.5","resource-fragment":"ac-2.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.6","resource-fragment":"ac-2.6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-3","resource-fragment":"ac-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-4","resource-fragment":"ac-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6","resource-fragment":"ac-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-12","resource-fragment":"ac-12"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-14","resource-fragment":"ac-14"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17","resource-fragment":"ac-17"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.1","resource-fragment":"ac-17.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.2","resource-fragment":"ac-17.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.3","resource-fragment":"ac-17.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-20","resource-fragment":"ac-20"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-20.1","resource-fragment":"ac-20.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2.7","resource-fragment":"cm-2.7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-9","resource-fragment":"cm-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-2","resource-fragment":"ia-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-3","resource-fragment":"ia-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-4","resource-fragment"
:"ia-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-4.4","resource-fragment":"ia-4.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-5.2","resource-fragment":"ia-5.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-5.6","resource-fragment":"ia-5.6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-11","resource-fragment":"ia-11"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-2","resource-fragment":"ps-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-3","resource-fragment":"ps-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-4","resource-fragment":"ps-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-5","resource-fragment":"ps-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-6","resource-fragment":"ps-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-4","resource-fragment":"sc-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-20","resource-fragment":"sc-20"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-21","resource-fragment":"sc-21"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-22","resource-fragment":"sc-22"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-23","resource-fragment":"sc-23"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-39","resource-fragment":"sc-39"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-3","resource-fragment":"si-3"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-IAM-ELP_stmt","name":"statement","prose":"Persistently ensure that identity and access management employs measures to ensure each user or 
device can only access the resources they need."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-IAM-05"},{"name":"label","value":"KSI-IAM-ELP"}],"title":"Ensuring Least Privilege"},{"id":"KSI-IAM-JIT","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2","resource-fragment":"ac-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.1","resource-fragment":"ac-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.2","resource-fragment":"ac-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.3","resource-fragment":"ac-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.4","resource-fragment":"ac-2.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.6","resource-fragment":"ac-2.6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-3","resource-fragment":"ac-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-4","resource-fragment":"ac-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-5","resource-fragment":"ac-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6","resource-fragment":"ac-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.1","resource-fragment":"ac-6.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.2","resource-fragment":"ac-6.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.5","resource-fragment":"ac-6.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.7","resource-fragment":"ac-6.7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.9","resource-fragment":"ac-6.9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.10","resource-fragment":"a
c-6.10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-7","resource-fragment":"ac-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-20.1","resource-fragment":"ac-20.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17","resource-fragment":"ac-17"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-9.4","resource-fragment":"au-9.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-5","resource-fragment":"cm-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7","resource-fragment":"cm-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7.2","resource-fragment":"cm-7.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7.5","resource-fragment":"cm-7.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-9","resource-fragment":"cm-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-4","resource-fragment":"ia-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-4.4","resource-fragment":"ia-4.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-7","resource-fragment":"ia-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-2","resource-fragment":"ps-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-3","resource-fragment":"ps-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-4","resource-fragment":"ps-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-5","resource-fragment":"ps-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-6","resource-fragment":"ps-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-9","resource-fragment":"ps-9"},{"rel":"required","href":"#3576fc5e-9ce3-
56cd-9069-0249bd215a0b","text":"RA-5.5","resource-fragment":"ra-5.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-2","resource-fragment":"sc-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-23","resource-fragment":"sc-23"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-39","resource-fragment":"sc-39"}],"parts":[{"id":"KSI-IAM-JIT_stmt","name":"statement","prose":"Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-IAM-04"},{"name":"label","value":"KSI-IAM-JIT"}],"title":"Authorizing Just-in-Time"},{"id":"KSI-IAM-MFA","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2","resource-fragment":"ac-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-2","resource-fragment":"ia-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-2.1","resource-fragment":"ia-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-2.2","resource-fragment":"ia-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-2.8","resource-fragment":"ia-2.8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-5","resource-fragment":"ia-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-8","resource-fragment":"ia-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-23","resource-fragment":"sc-23"}],"parts":[{"id":"KSI-IAM-MFA_stmt","name":"statement","prose":"Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user 
authentication."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-IAM-01"},{"name":"label","value":"KSI-IAM-MFA"}],"title":"Enforcing Phishing-Resistant MFA"},{"id":"KSI-IAM-SNU","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2","resource-fragment":"ac-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.2","resource-fragment":"ac-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-4","resource-fragment":"ac-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.5","resource-fragment":"ac-6.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-3","resource-fragment":"ia-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-5.2","resource-fragment":"ia-5.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.5","resource-fragment":"ra-5.5"}],"parts":[{"id":"KSI-IAM-SNU_stmt","name":"statement","prose":"Enforce appropriately secure authentication methods for non-user accounts and services."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-IAM-03"},{"name":"label","value":"KSI-IAM-SNU"}],"title":"Securing Non-User 
Authentication"},{"id":"KSI-IAM-SUS","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2","resource-fragment":"ac-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.1","resource-fragment":"ac-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.3","resource-fragment":"ac-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.13","resource-fragment":"ac-2.13"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-7","resource-fragment":"ac-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-4","resource-fragment":"ps-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-8","resource-fragment":"ps-8"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"KSI-IAM-SUS_stmt","name":"statement","prose":"Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-IAM-06"},{"name":"label","value":"KSI-IAM-SUS"}],"title":"Responding to Suspicious Activity"}]},{"id":"KSI-INR","parts":[{"id":"KSI-INR_theme","name":"overview","prose":"A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement."}],"props":[{"name":"label","value":"INR"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"INR"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"incident-response"}],"title":"Incident 
Response","controls":[{"id":"KSI-INR-AAR","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-3","resource-fragment":"ir-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4","resource-fragment":"ir-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4.1","resource-fragment":"ir-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-8","resource-fragment":"ir-8"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-INR-AAR_stmt","name":"statement","prose":"Generate incident after action reports and persistently incorporate lessons learned."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-INR-03"},{"name":"label","value":"KSI-INR-AAR"}],"title":"Generating After Action Reports"},{"id":"KSI-INR-RIR","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4","resource-fragment":"ir-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4.1","resource-fragment":"ir-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-6","resource-fragment":"ir-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-6.1","resource-fragment":"ir-6.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-6.3","resource-fragment":"ir-6.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-7","resource-fragment":"ir-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-7.1","resource-fragment":"ir-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-8","resource-fragment":"ir-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-8.1","resource-fragment":"ir-8.
1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4.5","resource-fragment":"si-4.5"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#0b3a3fc3-80a2-5f58-a91a-9b21de483000","text":"Vulnerability Response"}],"parts":[{"id":"KSI-INR-RIR_stmt","name":"statement","prose":"Persistently review the effectiveness of documented incident response procedures."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-INR-01"},{"name":"label","value":"KSI-INR-RIR"}],"title":"Reviewing Incident Response Procedures"},{"id":"KSI-INR-RPI","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-3","resource-fragment":"ir-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4","resource-fragment":"ir-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4.1","resource-fragment":"ir-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-5","resource-fragment":"ir-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-8","resource-fragment":"ir-8"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"KSI-INR-RPI_stmt","name":"statement","prose":"Persistently review past incidents for patterns or vulnerabilities."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-INR-02"},{"name":"label","value":"KSI-INR-RPI"}],"title":"Reviewing Past Incidents"}]},{"id":"KSI-MLA","parts":[{"id":"KSI-MLA_theme","name":"overview","prose":"A secure cloud service offering will monitor, 
log, and audit all important events, activity, and changes."}],"props":[{"name":"label","value":"MLA"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"MLA"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"monitoring-logging-and-auditing"}],"title":"Monitoring, Logging, and Auditing","controls":[{"id":"KSI-MLA-ALA","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-11","resource-fragment":"si-11"}],"parts":[{"id":"KSI-MLA-ALA_stmt.low","name":"statement","class":"low","prose":"**Optional:** Use a least-privileged, role and attribute-based, and just-in-time access authorization model for access to log data based on organizationally defined data sensitivity."},{"id":"KSI-MLA-ALA_stmt.moderate","name":"statement","class":"moderate","prose":"Use a least-privileged, role and attribute-based, and just-in-time access authorization model for access to log data based on organizationally defined data sensitivity."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-MLA-08"},{"name":"label","value":"KSI-MLA-ALA"}],"title":"Authorizing Log Access"},{"id":"KSI-MLA-EVC","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-7","resource-fragment":"ca-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2","resource-fragment":"cm-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-6","resource-fragment":"cm-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-7.7","resource-fragment":"si-7.7"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information 
resources)"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-MLA-EVC_stmt","name":"statement","prose":"Persistently evaluate and test the configuration of machine-based information resources, especially infrastructure as code."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-MLA-05"},{"name":"label","value":"KSI-MLA-EVC"}],"title":"Evaluating Configurations"},{"id":"KSI-MLA-LET","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.4","resource-fragment":"ac-2.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.9","resource-fragment":"ac-6.9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.1","resource-fragment":"ac-17.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-20.1","resource-fragment":"ac-20.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-2","resource-fragment":"au-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-7.1","resource-fragment":"au-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-12","resource-fragment":"au-12"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4.4","resource-fragment":"si-4.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4.5","resource-fragment":"si-4.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-7.7","resource-fragment":"si-7.7"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"}],"parts":[{"id":"KSI-MLA-LET_stmt","name":"statement","prose":"Maintain a list of information resources and event types that will be logged, monitored, and audited, then do 
so."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-MLA-07"},{"name":"label","value":"KSI-MLA-LET"}],"title":"Logging Event Types"},{"id":"KSI-MLA-OSM","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.1","resource-fragment":"ac-17.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-20.1","resource-fragment":"ac-20.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-2","resource-fragment":"au-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-3","resource-fragment":"au-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-3.1","resource-fragment":"au-3.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-4","resource-fragment":"au-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-5","resource-fragment":"au-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-6.1","resource-fragment":"au-6.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-6.3","resource-fragment":"au-6.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-7","resource-fragment":"au-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-7.1","resource-fragment":"au-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-8","resource-fragment":"au-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-9","resource-fragment":"au-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-11","resource-fragment":"au-11"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-4.1","resource-fragment":"ir-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4.2","resource-fragment":"si-4.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-90
69-0249bd215a0b","text":"SI-4.4","resource-fragment":"si-4.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-7.7","resource-fragment":"si-7.7"}],"parts":[{"id":"KSI-MLA-OSM_stmt","name":"statement","prose":"Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and changes."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-MLA-01"},{"name":"label","value":"KSI-MLA-OSM"}],"title":"Operating SIEM Capability"},{"id":"KSI-MLA-RVL","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.4","resource-fragment":"ac-2.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-6.9","resource-fragment":"ac-6.9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-2","resource-fragment":"au-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-6","resource-fragment":"au-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-6.1","resource-fragment":"au-6.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4","resource-fragment":"si-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4.4","resource-fragment":"si-4.4"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-MLA-RVL_stmt","name":"statement","prose":"Persistently review and audit logs."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-MLA-02"},{"name":"label","value":"KSI-MLA-RVL"}],"title":"Reviewing Logs"}]},{"id":"KSI-PIY","parts":[{"id":"KSI-PIY_theme","name":"overview","prose":"A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is 
secured."}],"props":[{"name":"label","value":"PIY"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"PIY"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"policy-and-inventory"}],"title":"Policy and Inventory","controls":[{"id":"KSI-PIY-GIV","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2.2","resource-fragment":"cm-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7.5","resource-fragment":"cm-7.5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-8","resource-fragment":"cm-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-8.1","resource-fragment":"cm-8.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-12","resource-fragment":"cm-12"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-12.1","resource-fragment":"cm-12.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2.8","resource-fragment":"cp-2.8"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"}],"parts":[{"id":"KSI-PIY-GIV_stmt","name":"statement","prose":"Use authoritative sources to automatically generate real-time inventories of all information resources when needed."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-PIY-01"},{"name":"label","value":"KSI-PIY-GIV"}],"title":"Generating Inventories"},{"id":"KSI-PIY-RES","links":[{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-PIY-RES_stmt","name":"statement","prose":"Persistently review executive support for achieving the organization's security objectives."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-PIY-08"},{"name":"label","value":"KSI-PIY-RES"}],"title":"Reviewing Executive 
Support"},{"id":"KSI-PIY-RIS","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-5","resource-fragment":"ac-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-2","resource-fragment":"ca-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2.1","resource-fragment":"cp-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-4.1","resource-fragment":"cp-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-3.2","resource-fragment":"ir-3.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PM-3","resource-fragment":"pm-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-2","resource-fragment":"sa-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-3","resource-fragment":"sa-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-2.1","resource-fragment":"sr-2.1"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-PIY-RIS_stmt","name":"statement","prose":"Persistently review the effectiveness of the organization's investments in achieving security objectives."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-PIY-06"},{"name":"label","value":"KSI-PIY-RIS"}],"title":"Reviewing Investments in 
Security"},{"id":"KSI-PIY-RSD","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-5","resource-fragment":"ac-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AU-3.3","resource-fragment":"au-3.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-3.4","resource-fragment":"cm-3.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PL-8","resource-fragment":"pl-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PM-7","resource-fragment":"pm-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-3","resource-fragment":"sa-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-8","resource-fragment":"sa-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-4","resource-fragment":"sc-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-18","resource-fragment":"sc-18"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-10","resource-fragment":"si-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-11","resource-fragment":"si-11"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-16","resource-fragment":"si-16"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-PIY-RSD_stmt","name":"statement","prose":"Persistently review the effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-PIY-04"},{"name":"label","value":"KSI-PIY-RSD"}],"title":"Reviewing Security in the 
SDLC"},{"id":"KSI-PIY-RVD","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5.11","resource-fragment":"ra-5.11"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"KSI-PIY-RVD_stmt","name":"statement","prose":"Persistently review the effectiveness of the provider's vulnerability disclosure program."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-PIY-03"},{"name":"label","value":"KSI-PIY-RVD"}],"title":"Reviewing Vulnerability Disclosures"}]},{"id":"KSI-RPL","parts":[{"id":"KSI-RPL_theme","name":"overview","prose":"A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss during incidents and contingencies."}],"props":[{"name":"label","value":"RPL"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"RPL"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"recovery-planning"}],"title":"Recovery Planning","controls":[{"id":"KSI-RPL-ABO","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2.3","resource-fragment":"cm-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-6","resource-fragment":"cp-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-9","resource-fragment":"cp-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-10","resource-fragment":"cp-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-10.2","resource-fragment":"cp-10.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-12","resource-fragment":"si-12"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information 
Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-RPL-ABO_stmt","name":"statement","prose":"Persistently review the alignment of machine-based information resource backups with defined recovery objectives."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-RPL-03"},{"name":"label","value":"KSI-RPL-ABO"}],"title":"Aligning Backups with Objectives"},{"id":"KSI-RPL-ARP","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2","resource-fragment":"cp-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2.1","resource-fragment":"cp-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2.3","resource-fragment":"cp-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-4.1","resource-fragment":"cp-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-6","resource-fragment":"cp-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-6.1","resource-fragment":"cp-6.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-6.3","resource-fragment":"cp-6.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-7","resource-fragment":"cp-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-7.1","resource-fragment":"cp-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-7.2","resource-fragment":"cp-7.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-7.3","resource-fragment":"cp-7.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-8","resource-fragment":"cp-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-
8.1","resource-fragment":"cp-8.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-8.2","resource-fragment":"cp-8.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-10","resource-fragment":"cp-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-10.2","resource-fragment":"cp-10.2"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-RPL-ARP_stmt","name":"statement","prose":"Persistently review the alignment of recovery plans with defined recovery objectives."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-RPL-02"},{"name":"label","value":"KSI-RPL-ARP"}],"title":"Aligning Recovery Plan"},{"id":"KSI-RPL-RRO","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2.3","resource-fragment":"cp-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-10","resource-fragment":"cp-10"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-RPL-RRO_stmt","name":"statement","prose":"Persistently review desired Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-RPL-01"},{"name":"label","value":"KSI-RPL-RRO"}],"title":"Reviewing Recovery 
Objectives"},{"id":"KSI-RPL-TRC","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2.1","resource-fragment":"cp-2.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-2.3","resource-fragment":"cp-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-4","resource-fragment":"cp-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-4.1","resource-fragment":"cp-4.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-6","resource-fragment":"cp-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-6.1","resource-fragment":"cp-6.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-9.1","resource-fragment":"cp-9.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-10","resource-fragment":"cp-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-3","resource-fragment":"ir-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-3.2","resource-fragment":"ir-3.2"},{"rel":"defined-term","href":"#31851285-83a2-5fde-ab3c-a2b3eb256939","text":"Incident"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-RPL-TRC_stmt","name":"statement","prose":"Persistently test the capability to recover from incidents and contingencies, including alignment with defined recovery objectives."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-RPL-04"},{"name":"label","value":"KSI-RPL-TRC"}],"title":"Testing Recovery Capabilities"}]},{"id":"KSI-SVC","parts":[{"id":"KSI-SVC_theme","name":"overview","prose":"A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information 
resources."}],"props":[{"name":"label","value":"SVC"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"SVC"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"service-configuration"}],"title":"Service Configuration","controls":[{"id":"KSI-SVC-ACM","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-2.4","resource-fragment":"ac-2.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2","resource-fragment":"cm-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2.2","resource-fragment":"cm-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2.3","resource-fragment":"cm-2.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-6","resource-fragment":"cm-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7.1","resource-fragment":"cm-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PL-9","resource-fragment":"pl-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PL-10","resource-fragment":"pl-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-5","resource-fragment":"sa-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-5","resource-fragment":"si-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-10","resource-fragment":"sr-10"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"}],"parts":[{"id":"KSI-SVC-ACM_stmt","name":"statement","prose":"Manage configuration of machine-based information resources using 
automation."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-SVC-04"},{"name":"label","value":"KSI-SVC-ACM"}],"title":"Automating Configuration Management"},{"id":"KSI-SVC-ASM","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.2","resource-fragment":"ac-17.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-5.2","resource-fragment":"ia-5.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IA-5.6","resource-fragment":"ia-5.6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-12","resource-fragment":"sc-12"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-17","resource-fragment":"sc-17"},{"rel":"defined-term","href":"#1b31d765-df3b-5c9c-bdce-1ca439819906","text":"Regularly"}],"parts":[{"id":"KSI-SVC-ASM_stmt","name":"statement","prose":"Automate management, protection, and regular rotation of digital keys, certificates, and other secrets."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-SVC-06"},{"name":"label","value":"KSI-SVC-ASM"}],"title":"Automating Secret 
Management"},{"id":"KSI-SVC-EIS","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-7.1","resource-fragment":"cm-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-12.1","resource-fragment":"cm-12.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"MA-2","resource-fragment":"ma-2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PL-8","resource-fragment":"pl-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-7","resource-fragment":"sc-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-39","resource-fragment":"sc-39"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-2.2","resource-fragment":"si-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-4","resource-fragment":"si-4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-10","resource-fragment":"sr-10"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-SVC-EIS_stmt","name":"statement","prose":"Implement improvements based on persistent evaluation of information resources for opportunities to improve security."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-SVC-01"},{"name":"label","value":"KSI-SVC-EIS"}],"title":"Evaluating and Improving Security"},{"id":"KSI-SVC-PRR","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-4","resource-fragment":"sc-4"},{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer Data"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information 
Resource"},{"rel":"defined-term","href":"#65aaf313-9003-5ba2-80d3-7081c3704564","text":"Likely"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-SVC-PRR_stmt.low","name":"statement","class":"low","prose":"**Optional:** Persistently review plans, procedures, and the state of information resources after making changes to limit and remove unwanted residual elements that would likely negatively affect the confidentiality, integrity, or availability of federal customer data."},{"id":"KSI-SVC-PRR_stmt.moderate","name":"statement","class":"moderate","prose":"Persistently review plans, procedures, and the state of information resources after making changes to limit and remove unwanted residual elements that would likely negatively affect the confidentiality, integrity, or availability of federal customer data."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-SVC-08"},{"name":"label","value":"KSI-SVC-PRR"}],"title":"Preventing Residual Risk"},{"id":"KSI-SVC-RUD","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-12.3","resource-fragment":"si-12.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-18.4","resource-fragment":"si-18.4"},{"rel":"defined-term","href":"#0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","text":"Agency"},{"rel":"defined-term","href":"#1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","text":"Federal Customer Data"},{"rel":"defined-term","href":"#d3ad40f6-6ef1-5d16-a663-e28dcbf4ad0d","text":"Promptly"}],"parts":[{"id":"KSI-SVC-RUD_stmt.low","name":"statement","class":"low","prose":"**Optional:** Remove unwanted federal customer data promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate; this typically applies when a customer spills information or when a customer seeks to remove information from a service due to a change in 
usage."},{"id":"KSI-SVC-RUD_stmt.moderate","name":"statement","class":"moderate","prose":"Remove unwanted federal customer data promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate; this typically applies when a customer spills information or when a customer seeks to remove information from a service due to a change in usage."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-SVC-10"},{"name":"label","value":"KSI-SVC-RUD"}],"title":"Removing Unwanted Data"},{"id":"KSI-SVC-SNT","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-1","resource-fragment":"ac-1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-17.2","resource-fragment":"ac-17.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CP-9.8","resource-fragment":"cp-9.8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-8","resource-fragment":"sc-8"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-8.1","resource-fragment":"sc-8.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-13","resource-fragment":"sc-13"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-20","resource-fragment":"sc-20"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-21","resource-fragment":"sc-21"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-22","resource-fragment":"sc-22"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-23","resource-fragment":"sc-23"}],"parts":[{"id":"KSI-SVC-SNT_stmt","name":"statement","prose":"Encrypt or otherwise secure network traffic."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-SVC-02"},{"name":"label","value":"KSI-SVC-SNT"}],"title":"Securing Network 
Traffic"},{"id":"KSI-SVC-VCM","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-23","resource-fragment":"sc-23"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-7.1","resource-fragment":"si-7.1"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-SVC-VCM_stmt.low","name":"statement","class":"low","prose":"**Optional:** Persistently validate the authenticity and integrity of communications between machine-based information resources using automation."},{"id":"KSI-SVC-VCM_stmt.moderate","name":"statement","class":"moderate","prose":"Persistently validate the authenticity and integrity of communications between machine-based information resources using automation."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-SVC-09"},{"name":"label","value":"KSI-SVC-VCM"}],"title":"Validating 
Communications"},{"id":"KSI-SVC-VRI","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-2.2","resource-fragment":"cm-2.2"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CM-8.3","resource-fragment":"cm-8.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-13","resource-fragment":"sc-13"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-23","resource-fragment":"sc-23"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-7","resource-fragment":"si-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-7.1","resource-fragment":"si-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-10","resource-fragment":"sr-10"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","text":"Machine-Based (information resources)"},{"rel":"defined-term","href":"#2306e337-62f1-5d1c-984c-b948008bb17d","text":"Persistent Validation"}],"parts":[{"id":"KSI-SVC-VRI_stmt","name":"statement","prose":"Use cryptographic methods to validate the integrity of machine-based information resources."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-SVC-05"},{"name":"label","value":"KSI-SVC-VRI"}],"title":"Validating Resource Integrity"}]},{"id":"KSI-SCR","parts":[{"id":"KSI-SCR_theme","name":"overview","prose":"A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources."}],"props":[{"name":"label","value":"SCR"},{"ns":"https://fedramp.gov/ns/oscal","name":"short-name","value":"SCR"},{"ns":"https://fedramp.gov/ns/oscal","name":"web-name","value":"supply-chain-risk"}],"title":"Supply Chain 
Risk","controls":[{"id":"KSI-SCR-MIT","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-20","resource-fragment":"ac-20"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-3.1","resource-fragment":"ra-3.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-9","resource-fragment":"sa-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-10","resource-fragment":"sa-10"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-11","resource-fragment":"sa-11"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-15.3","resource-fragment":"sa-15.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-22","resource-fragment":"sa-22"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-7.1","resource-fragment":"si-7.1"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-5","resource-fragment":"sr-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-6","resource-fragment":"sr-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-7.4","resource-fragment":"ca-7.4"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SC-18","resource-fragment":"sc-18"},{"rel":"defined-term","href":"#74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","text":"Persistently"}],"parts":[{"id":"KSI-SCR-MIT_stmt","name":"statement","prose":"Persistently identify, review, and mitigate potential supply chain risks."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-TPR-03"},{"name":"label","value":"KSI-SCR-MIT"}],"title":"Mitigating Supply Chain 
Risk"},{"id":"KSI-SCR-MON","links":[{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"AC-20","resource-fragment":"ac-20"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"CA-3","resource-fragment":"ca-3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"IR-6.3","resource-fragment":"ir-6.3"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"PS-7","resource-fragment":"ps-7"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"RA-5","resource-fragment":"ra-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SA-9","resource-fragment":"sa-9"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SI-5","resource-fragment":"si-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-5","resource-fragment":"sr-5"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-6","resource-fragment":"sr-6"},{"rel":"required","href":"#3576fc5e-9ce3-56cd-9069-0249bd215a0b","text":"SR-8","resource-fragment":"sr-8"},{"rel":"defined-term","href":"#c68fdd10-43a0-5d68-82cd-796b48cc4984","text":"Information Resource"},{"rel":"defined-term","href":"#4576fa67-e6a5-512a-b76c-e5fd874df27b","text":"Vulnerability"}],"parts":[{"id":"KSI-SCR-MON_stmt","name":"statement","prose":"Automatically monitor third party software information resources for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services."}],"props":[{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"KSI-TPR-04"},{"name":"label","value":"KSI-SCR-MON"}],"title":"Monitoring Supply Chain Risk"}]}]}],"back-matter":{"resources":[{"uuid":"3576fc5e-9ce3-56cd-9069-0249bd215a0b","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"catalog-reference"}],"title":"NIST SP 800-53 Rev 5 Control 
Catalog","rlinks":[{"href":"https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json","media-type":"application/json"},{"href":"https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final"}],"remarks":"NIST Special Publication 800-53 Revision 5 control catalog. KSI indicators reference specific controls within this catalog using resource-fragment identifiers."},{"uuid":"d412e612-661e-5cf6-907c-6cedae2e85a4","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-ACV"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-31"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"accepted vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"accepted vulnerabilities"}],"title":"Accepted Vulnerability","description":"A vulnerability that the provider does not intend to fully mitigate or remediate, OR that has not or will not be fully mitigated or remediated within the maximum overdue period recommended or required by FedRAMP."},{"uuid":"2e9c76eb-56b9-5c24-a324-99846cd2ac82","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-ADP"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-10"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"adaptive"}],"title":"Adaptive","remarks":"Adaptive changes typically require careful planning that focuses on engineering execution instead of customer adoption, can be verified with minor changes to existing automated validation procedures, and do not require large changes to operational procedures, deployment plans, or documentation.","description":"The type of significant change that does not routinely recur but does not introduce substantive potential security 
risks that need to be assessed in depth."},{"uuid":"0e6c9fb3-2ae3-5e1f-9977-2ce28f301492","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-AGY"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-19"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"agency"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"agencies"}],"title":"Agency","rlinks":[{"href":"https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502"}],"description":"Has the meaning given in 44 U.S. Code § 3502 (1), which is \"any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include—(A) the Government Accountability Office; (B) Federal Election Commission; (C) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (D) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.\""},{"uuid":"02ff215f-9a99-567c-a20e-7f20a2b94459","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-ANA"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-46"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"all necessary assessors"}],"title":"All Necessary Assessors","remarks":"This process identifies the requirements for an assessment and authorization performed by FedRAMP prior to any agency use of the cloud service offering, therefore agency assessment teams are not included in the 
FedRAMP assessment and authorization. The resulting FedRAMP authorization package will include all the materials agency authorization teams need to assess the cloud service offering for agency use, including evidence. Program authorization is an authorization path defined in Section IV (c) of OMB Memorandum M-24-15.","description":"All entities who participate in the FedRAMP assessment of a cloud service offering in the context of a FedRAMP program authorization. This always includes FedRAMP and any FedRAMP recognized independent assessor contracted by the provider to perform a FedRAMP assessment."},{"uuid":"b1060108-b417-5545-9937-6ddfbda32670","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-ANP"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-18"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"all necessary parties"}],"title":"All Necessary Parties","description":"All entities whose interests are affected directly by activity related to a specific cloud service offering in the context of a FedRAMP authorization. This always includes FedRAMP and any agency customer who is operating the cloud service offering, but may include additional parties depending on agreements made by the cloud service provider (such as consultants or third-party assessors). 
Potential agency customers or third-party cloud service providers should also be included in most cases but this is not a mandatory requirement under FedRAMP as ultimately the cloud service provider may choose who they wish to do business with."},{"uuid":"db58b45b-718f-5880-a149-1c037958ee90","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-AUD"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-15"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"authorization data"}],"title":"Authorization data","remarks":"In FedRAMP documentation, authorization data always refers to FedRAMP authorization data unless otherwise specified.","description":"The collective information required by FedRAMP for initial and ongoing assessment and authorization of a cloud service offering, including the authorization package. "},{"uuid":"b4ac8872-3bd8-5d73-a372-82b37d8b9c27","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-AUP"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-14"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"authorization package"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"authorization packages"}],"title":"Authorization Package","rlinks":[{"href":"https://fedramp.gov/docs/authority/law/#b-additional-definitions"}],"remarks":"In FedRAMP documentation, authorization package always refers to a FedRAMP authorization package unless otherwise specified.","description":"Has meaning from 44 USC § 3607 (b)(8) which is \"the essential information that can be used by an agency to determine whether to authorize the operation of an information system or the use of a designated set of common controls for all cloud computing products and services 
authorized by FedRAMP.\""},{"uuid":"a2c30a2e-b73d-5ef8-85d2-ec8239323018","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-CAE"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-32"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"catastrophic adverse effect"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"catastrophic adverse effects"}],"title":"Catastrophic Adverse Effect","description":"A severe negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in a severe degradation in the availability or performance of services within the cloud service offering for 24+ hours; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a majority of the federal customer data stored within the cloud service offering."},{"uuid":"2f617999-bc56-546e-bcc2-0dcaef8478e0","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-CSO"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-06"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"cloud service offering"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"cloud service offerings"}],"title":"Cloud Service Offering","description":"A specific, packaged cloud computing product or service provided by a cloud service provider that can be used by a customer. 
FedRAMP assessment and authorization of the cloud computing product or service is based on the Minimum Assessment Scope."},{"uuid":"0f3427cb-ae50-54ef-9ae3-af988882787b","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-DFT"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-39"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"drift"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"drifts"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"drifting"}],"title":"Drift","description":"Changes to information resources that cause deviations from the intended and assessed state; common forms of drift include changes to configurations, deployed software, privileges, running processes, and availability."},{"uuid":"1c60b8eb-43b3-5ebe-a68b-8315d7ceaad5","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-FCD"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-01"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"federal customer data"}],"title":"Federal Customer Data","remarks":"In the context of FedRAMP authorization, \"federal customer data\" ONLY ever refers to data owned by federal agency customers. Agreements and contracts with specific agencies may require providers to protect additional data or even transfer ownership of telemetry or usage data to the agency; always consult a lawyer who is familiar with company agreements and contracts when determining the scope of federal customer data.","description":"All electronic information, content, and materials that an agency or its authorized users upload, store, or otherwise provide to a cloud service for processing or storage. 
This does NOT include account information, service metadata, analytics, telemetry, or other similar metadata generated by the cloud service provider."},{"uuid":"c1b7a146-d667-51f8-8ceb-ec2fe0d2c3e3","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-FMV"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-28"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"fully mitigated vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"fully mitigated vulnerabilities"}],"title":"Fully Mitigated Vulnerability","description":"A vulnerability where the likelihood of exploitation or potential adverse impact of exploitation has been reduced from the original evaluation until either is negligible, but the vulnerability is still detected."},{"uuid":"fd917f34-f410-561d-b3b8-aa69bd881969","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-FPV"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-29"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"false positive vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"false positive vulnerabilities"}],"title":"False Positive Vulnerability","remarks":"This only applies if the vulnerability is not and was not present; a remediated vulnerability or a fully mitigated vulnerability cannot also be a false positive vulnerability.","description":"A detected vulnerability that is not actually present in an exploitable state in the information resource; this includes situations where vulnerable software or code exists on a machine-based information resource but is not loaded, running, or otherwise in an operating state required for 
exploitation."},{"uuid":"07282bbb-927e-58cc-8350-0a8593d6a549","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-FSI"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-45"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"security inbox"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"security inboxes"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"FSI"}],"title":"FedRAMP Security Inbox","description":"An email address that meets the requirements outlined in the FedRAMP Security Inbox requirements."},{"uuid":"6ecaa831-d07b-5c3e-829e-4996034dd3be","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-HAN"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-03"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"handle"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"handles"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"handled"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"handling"}],"title":"Handle","description":"Has the plain language meaning inclusive of any possible action taken with information, such as access, collect, control, create, display, disclose, disseminate, dispose, maintain, manipulate, process, receive, review, store, transmit, use... 
etc."},{"uuid":"0f355a9d-11c5-5aeb-bc53-477b7b5de256","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-IFA"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-48"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"initial FedRAMP assessment"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"IFRA"}],"title":"Initial FedRAMP Assessment","description":"The first full assessment of a cloud service offering seeking FedRAMP authorization, coordinated by the provider with all necessary assessors, that results in a FedRAMP authorization."},{"uuid":"31851285-83a2-5fde-ab3c-a2b3eb256939","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-INT"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-40"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"incident"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"incidents"}],"title":"Incident","rlinks":[{"href":"https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapII-sec3552"}],"description":"Has the meaning given in 44 USC § 3552 (b)(2) applied to federal customer data, which is \"an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of [federal customer data]; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies [related to federal customer 
data].\""},{"uuid":"056646f2-c06b-5416-a7de-dd417b20b360","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-IPC"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-12"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"impact categorization"}],"title":"Impact Categorization","description":"The type of significant change that is likely to increase or decrease the impact level categorization for the entire cloud service offering (e.g. from low to moderate or from high to moderate)."},{"uuid":"c68fdd10-43a0-5d68-82cd-796b48cc4984","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-IRS"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-02"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"information resource"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"information resources"}],"title":"Information Resource","rlinks":[{"href":"https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502"}],"remarks":"Information resources are either machine-based or non-machine-based; any requirement or recommendation that references information resources without specifying a type is inclusive of all information resources.","description":"Has the meaning from 44 USC § 3502 (6): \"information and related resources, such as personnel, equipment, funds, and information technology.\" This includes any aspect of the cloud service offering, both technical and managerial, including everything that makes up the business of the offering from non-machine-based information resources like organizational policies, procedures, employees, etc. 
to machine-based information resources like hardware, software, cloud services, code, etc."},{"uuid":"423fd9c1-f289-543a-9501-3204619b1e4d","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-IRV"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-24"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"internet-reachable vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"internet-reachable vulnerabilities"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"IRV"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"IRVs"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"NIRV"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"NIRVs"}],"title":"Internet-Reachable Vulnerability (IRV)","remarks":"The opposite of this is a \"Not Internet-reachable Vulnerability\" (NIRV).\n\nInternet-reachability applies only to the specific vulnerable machine-based information resources processing the payload; please review the relevant FedRAMP technical assistance on internet-reachable vulnerabilities for examples.","description":"A vulnerability in a machine-based information resource that might be exploited or otherwise triggered by a payload originating from a source on the public internet; this includes machine-based information resources that have no direct route to/from the internet but receive payloads or otherwise take action triggered by internet activity."},{"uuid":"86d71efe-fefd-5bbb-becb-62bf52d64f21","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-KEV"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-25"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"known 
exploited vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"known exploited vulnerabilities"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"KEV"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"KEVs"}],"title":"Known Exploited Vulnerability (KEV)","description":"Has the meaning given in CISA Binding Operational Directive 22-01, which is any vulnerability identified in CISA's Known Exploited Vulnerabilities catalog."},{"uuid":"3a9626c9-9c57-5eaa-9f63-34a0d5d99f66","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-LAE"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-34"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"limited adverse effect"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"limited adverse effects"}],"title":"Limited Adverse Effect","description":"A minor negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. 
At a minimum, this includes effects that would likely: (i) result in degradation of the availability or performance of services within the cloud service offering for a minority of relevant users; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a small amount of the federal customer data stored within the cloud service offering by only a few relevant users."},{"uuid":"1a1db995-0854-50b0-9bcc-6bca56cd1264","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-LEV"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-23"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"likely exploitable vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"likely exploitable vulnerabilities"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"LEV"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"LEVs"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"NLEV"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"NLEVs"}],"title":"Likely Exploitable Vulnerability (LEV)","remarks":"The opposite of this is a \"Not Likely Exploitable Vulnerability\" (NLEV).\n\nAt the absolute minimum, any vulnerability that an automated unauthenticated system can exploit over the internet is a likely exploitable vulnerability.","description":"A vulnerability that is not fully mitigated, AND is reachable by a likely threat actor, AND a likely threat actor with knowledge of the vulnerability would likely be able to gain unauthorized access, cause harm, disrupt operations, or otherwise have an undesired adverse impact within the cloud service offering by exploiting the 
vulnerability."},{"uuid":"65aaf313-9003-5ba2-80d3-7081c3704564","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-LKY"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-04"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"likely"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"likelihood"}],"title":"Likely","description":"A reasonable degree of probability based on context."},{"uuid":"b69be3bc-1854-5ca9-b1c1-66b9c02f98f3","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-MBI"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-50"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"machine-based"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"machine based"}],"title":"Machine-Based (information resources)","remarks":"All other information resources that do not rely on computers are non-machine-based information resources.","description":"Any information technology information resource—including systems, processes, software, hardware, services, cloud-native capabilities, and any other such capability, component, or resource—that relies primarily on mechanical or electronic devices (i.e. 
computers) for operation."},{"uuid":"7e13e8cd-3ad6-59b3-8552-b35d63beab2b","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-MRD"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-17"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"machine-readable"}],"title":"Machine-Readable","rlinks":[{"href":"https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502"}],"description":"Has the meaning from 44 U.S. Code § 3502 (18) which is \"the term \"machine-readable\", when used with respect to data, means data in a format that can be easily processed by a computer without human intervention while ensuring no semantic meaning is lost\""},{"uuid":"31504e44-2bdd-574c-b27f-5afe57d4ea30","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-NAE"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-35"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"negligible adverse effect"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"negligible adverse effects"}],"title":"Negligible Adverse Effect","description":"A small negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. 
At a minimum, this includes effects that would likely: (i) result in minor inconvenience when accessing or using services within the cloud service offering; OR (ii) result in degradation of the availability or performance of services within the cloud service offering for only a few relevant users."},{"uuid":"5814e022-8b3a-5535-832f-c1d6c8ada953","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-OAR"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-43"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"ongoing authorization report"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"OAR"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"OARs"}],"title":"Ongoing Authorization Report (OAR)","description":"A regular report that is supplied by FedRAMP Authorized cloud service providers to agency customers, aligned to the requirements and recommendations in the FedRAMP Collaborative Continuous Monitoring process."},{"uuid":"9f50c8f3-4199-5aad-83ca-8f730f8ffb6a","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-ODV"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-30"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"overdue vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"overdue vulnerabilities"}],"title":"Overdue Vulnerability","description":"A vulnerability that the provider intends to fully mitigate or remediate but has not or will not do so within the time frames recommended or required by 
FedRAMP."},{"uuid":"5e343a2d-d1c8-5645-a1e5-a1a89936deb9","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-PAC"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-42"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"privileged account"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"privileged accounts"}],"title":"Privileged account","remarks":"Any references to privileged accounts in FedRAMP materials should be presumed to apply to privileged roles or other similar capabilities that are used to assign privileges to privileged accounts.","description":"An account with elevated privileges that enables administrative functions over some aspect of the cloud service offering that may affect the confidentiality, integrity, or availability of information beyond those given to normal users; levels of privilege may vary wildly."},{"uuid":"38e4c36f-7cea-59a0-8646-d148c804d97b","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-PAI"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-36"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"potential adverse impact"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"potential adverse impacts"}],"title":"Potential Adverse Impact (of vulnerability exploitation)","description":"The estimated cumulative effect of unauthorized access, disruption, harm, or other adverse impact to agencies that _likely_ could result if a threat actor exploits a _vulnerability_ in the _cloud service offering_; as estimated following FedRAMP recommendations and 
requirements."},{"uuid":"74b6caa2-3cb9-5e9c-ba24-ec002ad292ca","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-PER"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-38"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"persistently"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"persistent"}],"title":"Persistently","remarks":"The use of persistently indicates a process that may not always occur continuously (without interruption or gaps) or regularly (on a consistent, predictable basis) but will repeat frequently in cycles. It aligns generally with historical misuse of \"continuous\" in federal information security policies.","description":"Occurring in a firm, steady way that is repeated over a long period of time in spite of obstacles or difficulties. Persistent activities may vary between actors, may occur irregularly, and may include interruptions or waiting periods between cycles. These attributes of persistent activities should be intentional, understood, and documented; the status of persistent activities will always be known. 
"},{"uuid":"9edd3e95-76f1-5ed8-925e-d63d78d861ab","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-PFA"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-49"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"persistent FedRAMP assessment"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"PFRA"}],"title":"Persistent FedRAMP Assessment","description":"Follow-on assessments of a cloud service offering focused on Key Security Indicators, coordinated by the provider with all necessary assessors, to maintain a FedRAMP authorization or change its impact categorization."},{"uuid":"22f1d559-a4ce-569f-bd6f-8317a1b8a1b4","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-PMV"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-27"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"partially mitigated vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"partially mitigated vulnerabilities"}],"title":"Partially Mitigated Vulnerability","description":"A vulnerability where the likelihood or potential adverse impact of exploitation has been reduced from the original evaluation but the risk of exploitation still exists and the vulnerability is still 
detected."},{"uuid":"d3ad40f6-6ef1-5d16-a663-e28dcbf4ad0d","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-PRO"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-37"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"promptly"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"prompt"}],"title":"Promptly","remarks":"The use of promptly in FedRAMP materials conveys a need for urgent action where the expected time frame will vary by circumstance but earlier action is more likely to improve security outcomes and increase the security posture of a cloud service offering.","description":"Without unnecessary delay."},{"uuid":"2306e337-62f1-5d1c-984c-b948008bb17d","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-PVL"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-47"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"persistent validation"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"persistently validate"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"persistently validated"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"validate"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"validated"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"validation"}],"title":"Persistent Validation","description":"The systematic and persistent process of validating that information resources within a cloud service offering are operating in a secure manner as expected by the goals and objectives outlined by the provider against FedRAMP Key Security 
Indicators."},{"uuid":"ed097ed9-3dc1-521d-80f8-743f513826e3","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-QTR"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-44"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"quarterly review"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"quarterly reviews"}],"title":"Quarterly Review","description":"A regular synchronous meeting hosted by a FedRAMP Authorized cloud service provider for agency customers, aligned to the requirements and recommendations in the FedRAMP Collaborative Continuous Monitoring process."},{"uuid":"1b31d765-df3b-5c9c-bdce-1ca439819906","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-RGL"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-07"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"regularly"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"regular"}],"title":"Regularly","description":"Performing the activity on a consistent, predictable, and repeated basis, at set intervals, automatically if possible, following a documented plan. 
These intervals may vary as appropriate between different requirements."},{"uuid":"e0d626a1-d0a1-5ee1-9a7e-5e20a8bf9ec9","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-RMV"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-26"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"remediated vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"remediated vulnerabilities"}],"title":"Remediated Vulnerability","description":"A vulnerability that has been neutralized or eliminated and is no longer detected."},{"uuid":"f4d6804e-4814-5872-9579-af39259dbbb8","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-RTR"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-09"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"routine recurring"}],"title":"Routine Recurring","description":"The type of significant change that regularly and routinely recurs as part of ongoing operations, vulnerability mitigation, or vulnerability remediation."},{"uuid":"f0a95236-1686-5286-b862-ba01f74211e5","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-SAE"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-33"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"serious adverse effect"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"serious adverse effects"}],"title":"Serious Adverse Effect","description":"A significant negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. 
At a minimum, this includes effects that would likely: (i) result in intermittent or ongoing degradation in the availability or performance of services within the cloud service offering, causing unpredictable interruptions to operations for 12+ hours; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a minority of the federal customer data stored within the cloud service offering."},{"uuid":"ff54178c-85d6-5b09-9c96-b5ac74b9ba7f","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-SGC"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-08"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"significant change"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"significant changes"}],"title":"Significant change","rlinks":[{"href":"https://csrc.nist.gov/pubs/sp/800/37/r2/final"}],"description":"Has the meaning given in NIST SP 800-37 Rev. 
2 which is \"a change that is likely to substantively affect the security or privacy posture of a system.\""},{"uuid":"999c8b56-7c37-5478-a2d5-99ee37f0fb93","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-TLA"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-41"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"top-level administrative account"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"top-level administrative accounts"}],"title":"Top-level administrative account","remarks":"Any references to top-level administrative accounts in FedRAMP materials should be presumed to apply to top-level administrative roles or other similar capabilities that are used to assign top-level administrative account privileges.","description":"The most privileged account with the highest level of access within a cloud service offering for a customer organization, typically with complete control over all aspects of the cloud service offering, including managing resources, users, access, privileges, and the account itself."},{"uuid":"464993e6-ae33-5d05-bd2a-48cbdc150857","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-TPR"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-05"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"third-party information resource"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"third-party information resources"}],"title":"Third-party Information Resource","description":"Any information resource that is not entirely included in the assessment for the cloud service offering seeking 
authorization."},{"uuid":"8a0ae6fa-c550-5e86-9a4b-c4657c918de9","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-TRC"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-16"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"trust center"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"trust centers"}],"title":"Trust Center","remarks":"In FedRAMP documentation, all references to trust centers indicate FedRAMP-compatible trust centers unless otherwise specified.","description":"A secure repository or service used by cloud service providers to store and share authorization data. Trust centers are the complete and definitive source for authorization data and must meet the requirements outlined in the FedRAMP Authorization Data Sharing process to be FedRAMP-compatible."},{"uuid":"8b3a6dfc-92f4-5f9d-a158-50811f8f7e4a","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-TRF"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-11"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"transformative"}],"title":"Transformative","remarks":"Transformative changes typically introduce major features or capabilities that may change how a customer uses the service (in whole or in part) and require extensive updates to security assessments, operational procedures, deployment plans, and documentation.","description":"The type of significant change that introduces substantive potential security risks that are likely to affect existing risk determinations and must be assessed in 
depth."},{"uuid":"c43220f3-fafe-59f6-aadb-e2c84764bbb9","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-VLD"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-21"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"vulnerability detection"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"detect vulnerabilities"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"detect"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"detection"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"detected"}],"title":"Vulnerability Detection","remarks":"This definition applies to other forms such as \"detect vulnerabilities\" or simply \"detection\" / \"detected\" used in FedRAMP materials.","description":"The systematic process of discovering and identifying security vulnerabilities in information resources through assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other capabilities. 
This process includes the initial discovery of a vulnerability's existence and the determination of affected information resources within a cloud service offering."},{"uuid":"0b3a3fc3-80a2-5f58-a91a-9b21de483000","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-VLR"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-22"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"vulnerability response"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"respond to vulnerabilities"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"respond"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"response"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"responded"}],"title":"Vulnerability Response","remarks":"This definition applies to other forms such as \"respond to vulnerabilities\" or simply \"response\" / \"responded\" used in FedRAMP materials.","description":"The systematic process of tracking, evaluating, mitigating, monitoring, remediating, assessing exploitation, reporting, and otherwise managing detected vulnerabilities."},{"uuid":"4576fa67-e6a5-512a-b76c-e5fd874df27b","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"type","value":"definition"},{"ns":"https://fedramp.gov/ns/oscal","name":"identifier","value":"FRD-VUL"},{"ns":"https://fedramp.gov/ns/oscal","name":"formerly-known-as","value":"FRD-ALL-20"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"vulnerability"},{"ns":"https://fedramp.gov/ns/oscal","name":"alt-identifier","value":"vulnerabilities"}],"title":"Vulnerability","rlinks":[{"href":"https://www.govinfo.gov/app/details/USCODE-2024-title6/USCODE-2024-title6-chap1-subchapXVIII-sec650"}],"description":"Has the meaning given to \"security vulnerability\" in 6 USC § 650 (25), which is \"any attribute of 
hardware, software, process, or procedure that could enable or facilitate the defeat of [...] management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.\" This includes gaps in Rev5 controls and 20x Key Security Indicators, software vulnerabilities, misconfigurations, exposures, weak credentials, insecure services, and all other such potential weaknesses in protection (intentional or unintentional)."},{"uuid":"c010497d-4adf-513b-a047-f0159f1a63a1","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"delegation","value":"These responsibilities are delegated to the FedRAMP Director"}],"title":"FedRAMP Authorization Act (44 USC § 3608)","rlinks":[{"href":"http://fedramp.gov/docs/authority/law/#sec-3608-federal-risk-and-authorization-management-program"},{"href":"https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"}],"description":"requires that the Administrator of the General Services Administration shall \"establish a Government-wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies\""},{"uuid":"8c138591-f69b-58d8-aab3-7a0725f7556b","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"delegation","value":"This responsibility is delegated to the FedRAMP Director"}],"title":"44 USC § 3609 (a)(8)","rlinks":[{"href":"https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities"},{"href":"https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"}],"description":"The FedRAMP Authorization Act directs the Administrator of the General Services Administration to \"provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, 
including making available any information and data necessary for agencies...\""},{"uuid":"c3e84b51-88c4-5f2c-ac3c-82e3c730dfb1","title":"OMB Memorandum M-24-15 on Modernizing FedRAMP","rlinks":[{"href":"https://www.fedramp.gov/docs/authority/m-24-15"}],"description":"Section 6 states that \"In general, to encourage both security and agility, Federal agencies should use the same infrastructure relied on by the rest of CSPs' commercial customer base.\""},{"uuid":"ba3f3d98-d329-5a41-987d-8978a62c6ba0","title":"OMB Circular A-130: Managing Information as a Strategic Resource","rlinks":[{"href":"https://whitehouse.gov/wp-content/uploads/legacydrupalfiles/omb/circulars/A130/a130revised.pdf"}],"description":"section 4 (c) states that agencies SHALL \"conduct and document security and privacy control assessments prior to the operation of an information system, and periodically thereafter, consistent with the frequency defined in the agency information security continuous monitoring (ISCM) and privacy continuous monitoring (PCM) strategies and the agency risk tolerance\""},{"uuid":"5cdc8b75-617d-50e2-a144-7f14387eb552","title":"The FedRAMP Authorization Act (44 USC § 3609 (a)(1))","rlinks":[{"href":"https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities"}],"description":"directs the Administrator of the General Services Administration to \"develop, coordinate, and implement a process … including, as appropriate, oversight of continuous monitoring of cloud computing products and services\""},{"uuid":"8a22b717-3059-5765-abcd-47b5a554f19f","title":"FedRAMP Incident Communications Procedures","rlinks":[{"href":"https://www.fedramp.gov/docs/rev5/playbook/csp/continuous-monitoring/incident-communication/"}],"description":""},{"uuid":"90581c37-46aa-582d-8ecf-3d688a91e730","title":"NIST SP 800-37 Rev. 
2","rlinks":[{"href":"https://csrc.nist.gov/pubs/sp/800/37/r2/final"}],"description":"Chapter 2.4 footnote 36 similarly states that \"the term authorization boundary is now used exclusively to refer to the set of system elements comprising the system to be authorized for operation or authorized for use by an authorizing official (i.e., the scope of the authorization).\""},{"uuid":"cace79aa-aff8-5845-8f7e-ede808dfa90e","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"delegation","value":"This responsibility is delegated to the FedRAMP Director"}],"title":"FedRAMP Authorization Act (44 USC § 3609 (a) (4))","rlinks":[{"href":"https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities"},{"href":"https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"}],"description":"Requires the General Services Administration to \"establish and update guidance on the boundaries of FedRAMP authorization packages to enhance the security and protection of Federal information and promote transparency for agencies and users as to which services are included in the scope of a FedRAMP authorization.\""},{"uuid":"b141b71f-452c-5f2d-97ac-bda0ab54eaaa","title":"The FedRAMP Authorization Act (44 USC § 3609 (a) (7))","rlinks":[{"href":"https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities"}],"description":"directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring...\""},{"uuid":"a5ed9649-2379-5c81-938d-0b2b519df505","title":"Executive Order 14144 Strengthening and Promoting Innovation in the Nation’s Cybersecurity Section 3 (d), as amended by Executive Order 14306 Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive 
Order 13694 and Executive Order 14144","rlinks":[{"href":"https://www.federalregister.gov/documents/2025/06/11/2025-10804/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694"}],"description":" to Section 3 (b), states \"the Administrator of General Services, acting through the Director of the Federal Risk and Authorization Management Program (FedRAMP), in coordination with the Secretary of Commerce, acting through the Director of NIST, and the Secretary of Homeland Security, acting through the Director of CISA, shall develop FedRAMP policies and practices to incentivize or require cloud service providers in the FedRAMP Marketplace to produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems in order to secure Federal data based on agency requirements.\""},{"uuid":"6ceb40a1-5cf2-5b83-8b2b-1ba7d9cb024f","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"delegation","value":"This responsibility is delegated to the FedRAMP Director"}],"title":"FedRAMP Authorization Act (44 USC § 3609 (a) (7))","rlinks":[{"href":"https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities"},{"href":"https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"}],"description":"directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the [OMB] Director and the [DHS] Secretary, to establish and regularly update a framework for continuous monitoring...\""},{"uuid":"a5ed9ad0-d90d-52c3-8412-ecc96711ffaf","title":"OMB Circular A-130, Managing Information as a Strategic Resource","rlinks":[{"href":"https://whitehouse.gov/wp-content/uploads/legacydrupalfiles/omb/circulars/A130/a130revised.pdf"}],"description":"OMB Circular A-130 defines continuous monitoring as \"maintaining 
ongoing awareness of information security, vulnerabilities, threats, and incidents to support agency risk management decisions.\""},{"uuid":"cf0f7d2e-878b-5043-addc-36782214183a","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"delegation","value":"This responsibility is delegated to the FedRAMP Director"}],"title":"44 USC § 3609 (a)(7)","rlinks":[{"href":"https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities"},{"href":"https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"}],"description":"The FedRAMP Authorization Act (44 USC § 3609 (a)(7)) directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring...\""},{"uuid":"adaefe2b-0b81-5b80-b40d-3c59b60727ea","title":"OMB Circular A-130","rlinks":[{"href":"https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf"}],"description":"Appendix I states \"Agencies may also develop overlays for specific types of information or communities of interest (e.g., all web-based applications, all health care-related systems) as part of the security control selection process. Overlays provide a specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information as part of the tailoring process, that is intended to complement (and further refine) security control baselines. 
The overlay may be more stringent or less stringent than the original security control baseline and can be applied to multiple information systems.\""},{"uuid":"67051418-0501-5eae-88f8-305b842461d0","title":"NIST SP 800-53B","rlinks":[{"href":"https://csrc.nist.gov/pubs/sp/800/53/b/upd1/final"}],"description":"Section 2.5 states \"As the number of controls in [SP 800-53] grows in response to an increasingly sophisticated threat space, it is important for organizations to have the ability to describe key capabilities needed to protect organizational missions and business functions, and to subsequently select controls that—if properly designed, developed, and implemented—produce such capabilities. The use of capabilities simplifies how the protection problem is viewed conceptually. Using the construct of a capability provides a method of grouping controls that are employed for a common purpose or to achieve a common objective.\" This section later states \"Ultimately, authorization decisions (i.e., risk acceptance decisions) are made based on the degree to which the desired capabilities have been effectively achieved.\""},{"uuid":"60591750-9106-5176-b368-5933437253ef","title":"NIST SP 800-53A","rlinks":[{"href":"https://csrc.nist.gov/pubs/sp/800/53/a/r5/final"}],"description":"Section 3.5 states \"When organizations employ the concept of capabilities, automated and manual assessments account for all security and privacy controls that comprise the security and privacy capabilities. 
Assessors are aware of how the controls work together to provide such capabilities.\""},{"uuid":"4bf35191-cd94-5172-8a05-450449828139","props":[{"ns":"https://fedramp.gov/ns/oscal","name":"delegation","value":"These responsibilities are delegated to the FedRAMP Director"}],"title":"FedRAMP Authorization Act (44 USC § 3609 (a) (1))","rlinks":[{"href":"https://fedramp.gov/docs/authority/law/#a-roles-and-responsibilities"},{"href":"https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"}],"description":"requires that the Administrator of the General Services Administration shall \"in consultation with the [DHS] Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services...\" 44 USC § 3609 (c) (2) further states that \"the [GSA] Administrator shall establish a means for the automation of security assessments and reviews.\""}]}}}