FedRAMP Certification¶
The FedRAMP Certification rules define how cloud service offerings obtain and maintain FedRAMP Certification across certification classes and paths. They give providers, assessors, agencies, and FedRAMP a common set of expectations for required rule sets, current evidence, independent verification and validation, and ongoing certification decisions.
General Independent Assessor Responsibilities¶
These rules apply to independent assessment services supporting all FedRAMP Certification types.
Verify and Validate Processes¶
FRC-IAS-VVP
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST verify and validate the implementation of processes derived from FedRAMP requirements, including rules, controls and Key Security Indicators, to determine whether or not the provider has accurately documented their process and security goals for the cloud service offering.
Terms: Cloud Service Offering, Validation, Verification
Outcome Consistency¶
FRC-IAS-OUC
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST verify and validate whether or not the underlying processes are consistently creating the desired security outcome documented by the provider.
Terms: Validation, Verification
Procedure Adherence¶
FRC-IAS-PAD
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST assess whether or not procedures are consistently followed, including evaluating the processes in place to ensure this occurs, without relying solely on the existence of procedure documents.
Note: This includes evaluating tests or plans for activities that may occur in the future but have not yet occurred.
Mixed Methods Evaluation¶
FRC-IAS-MME
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST perform verification and validation using a combination of quantitative and expert qualitative assessment as appropriate AND document which is applied to which aspect of the assessment.
Terms: Validation, Verification
Assessment Summary¶
FRC-IAS-SUM
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST deliver a high-level summary of their assessment process and findings for each FedRAMP requirement, including rules, controls, and Key Security Indicators; this summary will be included in the FedRAMP Certification Data for the cloud service offering.
Overall Summary of Assessment¶
FRC-IAS-OSA
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MUST supply an overall summary of the verification and validation assessment results, including any resulting failures or areas of dispute, to the provider and all necessary assessors.
Note: FedRAMP will make the final FedRAMP Certification decision based on the assessor's findings and other relevant information.
Engage Provider Experts¶
FRC-IAS-EPX
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process.
Sharing Advice¶
FRC-IAS-SHA
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve the provider's security posture or the effectiveness, clarity, and accuracy of their verification, validation and reporting procedures, UNLESS doing so is likely to compromise the objectivity and integrity of the assessment.
Terms: Likely, Validation, Verification