Using FedRAMP 20x Certification Packages
FedRAMP 20x Certification packages are different from traditional FedRAMP packages. They are not meant to be a single folder of static documents that an agency downloads once, reviews once, and files away forever.
A 20x package is a set of FedRAMP Certification Data that a cloud service provider maintains over time and shares with FedRAMP, agencies, and other necessary parties. The package may be presented through a provider trust center, a documentation portal, downloadable files, APIs, or a combination of these. The important thing is not that every package looks identical; the important thing is that the required information is accurate, current, understandable, and available in both human-readable and machine-readable forms when required.
What to Expect in a 20x Package
A 20x package should give agencies a clear picture of the cloud service offering and the evidence behind its FedRAMP Certification. Depending on the Certification Class, the package may include different levels of detail, but agencies should generally expect these kinds of materials:
- Certification Package Overview: A concise overview of the cloud service offering, including basic metadata, public service information, relevant policies, assessment scope, information resources, information flows, third-party information resources, and other information needed to understand what is included in the Certification.
- Security Decision Record: A maintained record of how the cloud service provider follows applicable FedRAMP rules, including verification, validation, independent assessment information when required, clarifications, and related artifacts.
- Key Security Indicators: Summaries and measures showing how the cloud service provider demonstrates important security outcomes across the FedRAMP 20x Key Security Indicators.
- Secure Configuration Guide: Instructions that help agency customers configure and operate the cloud service securely, especially for top-level administrative accounts, privileged accounts, and security-related settings.
- Ongoing Certification Data: Current information that supports ongoing agency authorization decisions, such as Ongoing Certification Reports, vulnerability information, availability information, change information, incident-related information, and other required updates.
Do not expect the provider to supply Rev5 artifacts to the agency just because the agency authorization uses a Rev5-style process.
Agencies should reference the 20x Certification package as reusable evidence and document the agency-specific authorization decision in the agency's own materials.
When Agencies Need More Information
Agencies may ask clarifying questions about FedRAMP Certification Data and may require additional information when there is a demonstrable agency need. Agencies should be careful not to turn every agency authorization into a new provider assessment.
If the 20x package appears incomplete, conflicts with the agency's security determination, or creates serious concerns for the authorizing official, the agency should work with the provider and coordinate with FedRAMP. The Agency Use rules explain when agencies must notify FedRAMP about additional information requests, package conflicts, monitoring concerns, and other issues.
The goal is reuse with judgment: rely on the FedRAMP 20x package for the common provider assessment work, then focus agency effort on the agency's actual decision about using the service.