20x Class A Related Rules¶

Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message.

Note: Timeframes may vary by FedRAMP Certification class.

Terms: Certification Class

Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a FedRAMP Security Inbox (FSI).

Notes:

• Unless otherwise notified, FedRAMP will use the listed Security Email on the Marketplace for these notifications.
• If a provider establishes a new inbox in reaction to this guidance that is different from the Security Email then they must follow the AFC-CSO-NOC (Notification of Changes) rules to notify FedRAMP.

Terms: FedRAMP Security Inbox

Providers MUST receive and react to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP.

Note: This requirement is intended to prevent cloud service providers from requiring FedRAMP to complete a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the message.

Terms: All Necessary Parties, Cloud Service Offering, Incident, Machine-Readable

Providers MUST publicly share up-to-date information about the cloud service offering in both human-readable and JSON formats, including at least the following information that is available and applicable:

1. FedRAMP ID
2. Service Model
3. Deployment Model
4. Business Category
5. UEI Number
6. Sales Contact Information
7. Security Contact Information
8. Product Website Link
9. Link to Product Logo
10. Overall Service Description
11. Detailed list of specific services and their security categories (see CDS-CSO-SVC (Public Service List) (Service List))
12. Link to Secure Configuration Guidance
13. Overview of documentation supplied by the provider for the cloud service offering
14. Link to Trust Center landing page that includes instructions on accessing information in the trust center
15. Next Ongoing Certification Report date (see CCM-OCR-NRD (Next Report Date))
16. Current FedRAMP Recognized independent assessment service

Note: Generally, this information should be available on a public webpage or publicly shared in a FedRAMP-compatible trust center.

Terms: Cloud Service Offering, FedRAMP Certification Report, FedRAMP Recognized, Ongoing Certification, Ongoing Certification Report (OCR), Security Category, Trust Center

Providers MUST use a FedRAMP-compatible trust center to store and share FedRAMP Certification Data with all necessary parties.

Note: Rules for FedRAMP-Compatible Trust Centers are explained in the Certification Data Sharing Rules under the FedRAMP-Compatible Trust Centers section (id: CDS-TRC).

Terms: All Necessary Parties, Certification Data, Trust Center

Providers MUST notify FedRAMP within 5 business days of denying an agency access request for FedRAMP Certification Data.

Timeframe: 5 business days

Terms: Certification Data

Providers MUST supply an Ongoing Certification Report to all necessary parties every 3 months, covering the entire period since the previous summary, in a consistent format that is human readable; this report MUST include high-level summaries of at least the following information:

1. Changes to FedRAMP Certification Data
2. Planned changes to FedRAMP Certification Data during at least the next 3 months
3. Accepted vulnerabilities
4. Transformative changes
5. Updated recommendations or best practices for security, configuration, usage, or similar aspects of the cloud service offering
6. A list of all agencies that are directly using the product
7. FedRAMP Reportable Incidents or an attestation that no such incidents occurred
8. Lessons learned and changes planned or made as a result of FedRAMP Reportable Incidents (if such occurred)

Terms: Accepted Vulnerability, All Necessary Parties, Certification Data, Cloud Service Offering, FedRAMP Certification Report, FedRAMP Reportable Incident, Incident, Ongoing Certification, Ongoing Certification Report (OCR), Transformative Change, Vulnerability

Providers MUST supply the target date for their next Ongoing Certification Report with other public FedRAMP Certification Data.

Terms: Certification Data, FedRAMP Certification Report, Ongoing Certification, Ongoing Certification Report (OCR)

Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Evaluation and Response rules.

Terms: FedRAMP Reportable Incident, Federal Customer Data, Incident, Likely, Promptly, Vulnerability Response

Terms: All Affected Parties, Final Incident Report (FIR), Incident, Responsibly

Terms: FedRAMP Independent Assessment

Terms: FedRAMP Independent Assessment, Persistently, Validation, Verification

Providers MUST identify a set of information resources to assess for FedRAMP Certification that includes all information resources that are likely to handle federal customer data or likely to impact the confidentiality, integrity, or availability of federal customer data handled by the cloud service offering; this set of information resources is the cloud service offering.

Notes:

• Certain categories of cloud computing products and services are specified as entirely outside the scope of FedRAMP by the Director of the Office of Management and Budget. All such products and services are therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope.
• Software produced by cloud service providers that is delivered separately for installation on agency systems and not operated in a shared responsibility model (typically including agents, application clients, mobile applications, etc. that are not fully managed by the cloud service provider) is not a cloud computing product or service and is entirely outside the scope of FedRAMP under the FedRAMP Certification Act. All such software is therefore not included in the cloud service offering for FedRAMP. For more, see https://fedramp.gov/scope.
• All aspects of the cloud service offering are determined and maintained by the cloud service provider in accordance with related FedRAMP Certification rules and documented by the cloud service provider in their FedRAMP Certification Package.

Terms: Certification Package, Cloud Service Offering, Federal Customer Data, Handle, Information Resource, Likely

Providers MUST systematically, persistently, and promptly discover and identify vulnerabilities within their cloud service offering using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, penetration testing, incident response, automated control testing, supply chain monitoring, and other relevant capabilities; this process is called vulnerability detection. Vulnerability detection includes persistently verifying and validating that information resources and processes are operating as intended and documented for FedRAMP Practices.

Notes:

• FedRAMP's vulnerability detection (and response) rules are intended to set modern expectations for maintaining the security of a cloud service. Historical FedRAMP guidance on vulnerability scanning or continuous monitoring generally focused only on CVE-type vulnerabilities while leaving other types of vulnerabilities and exposures unaddressed.
• Providers are encouraged to leverage their existing holistic security review, architecture review, and similar processes to meet these requirements. FedRAMP strongly discourages providers from implementing separate vulnerability detection and response processes for FedRAMP reporting that are operated by independent compliance branches unless these processes are consuming data directly from the areas of the cloud service that actively maintain it.

Terms: Cloud Service Offering, FedRAMP Practices, Incident, Information Resource, Persistently, Promptly, Vulnerability, Vulnerability Detection, Vulnerability Response

Notes:

• This maximum timeframe for Rev5 is the absolutely poorest worst case for horrible customer experience and is based on legacy FedRAMP Rev5 allowing providers to leave their packages unmaintained for up to a year. Rev5 providers should maintain their packages far more frequently than this requirement to ensure potential customers have access to up-to-date information, updating it at least after every transformative significant change.
• FedRAMP 20x Certifications expect providers to maintain their FedRAMP Certification Packages as changes occur to ensure they are never out of date.

Terms: Certification Package, Persistently, Significant Change, Transformative Change

Terms: All Affected Parties, FedRAMP Reportable Incident, Incident, Initial Incident Report (IIR), Responsibly

Terms: All Affected Parties, FedRAMP Reportable Incident, Incident, Responsibly, Vulnerability Response

Terms: Information Resource, Machine-Based (Information Resources), Validation, Verification

Terms: Drift, Information Resource, Likely, Persistently, Vulnerability, Vulnerability Detection

Terms: Drift, Information Resource, Likely, Persistently, Vulnerability, Vulnerability Detection

Terms: Information Resource, Machine-Based (Information Resources), Persistently, Vulnerability, Vulnerability Detection

Terms: Fully Mitigated Vulnerability, Likely, Partially Mitigated Vulnerability, Potential Agency Impact, Remediated Vulnerability, Vulnerability

Terms: Vulnerability, Vulnerability Detection

Notes:

• Providers determine what they consider to be separate services, based on maximizing the customer experience for agencies who may only adopt some services and not others.
• Providers are encouraged to provide a single comprehensive set of materials for all shared aspects of the service offering and only provide separate materials for unique aspects of each service to minimize the burden on providers and agencies.

Terms: All Necessary Parties, Ongoing Certification, Quarterly Review

Terms: Federal Customer Data, Validation

Notes:

• The first such completed assessment is typically called an "initial assessment" while following assessments are called "annual assessments."
• The specific requirements for independent verification and validation assessments are documented by the FedRAMP Certification Class and Type.
• The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council; this is _extremely rare._
• FedRAMP Recognized independent assessment services are listed on the FedRAMP Marketplace.

Terms: Certification Class, FedRAMP Independent Assessment, FedRAMP Recognized, Persistently, Validation, Verification

Terms: Security Decision Record (SDR)

Terms: FedRAMP Reportable Incident, Incident, Likely, Likely Exploitable Vulnerability (LEV), Partially Mitigated Vulnerability, Potential Agency Impact, Vulnerability

Terms: All Necessary Parties, Persistently, Vulnerability, Vulnerability Detection, Vulnerability Response

Terms: FedRAMP Reportable Incident, Incident, Likely, Likely Exploitable Vulnerability (LEV), Partially Mitigated Vulnerability, Potential Agency Impact, Vulnerability