Secure Configuration Guide
The Secure Configuration Guide rules help agencies and other customers understand how to configure a cloud service offering securely. These rules require providers to clearly explain the security impact of common settings so customers can make informed configuration choices.
Rule Sections
General Provider Responsibilities
These rules apply to providers with FedRAMP Certifications of any type.
Recommended Secure Configuration
SCG-CSO-RSC
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that include at least the following information:
- Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
- Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications.
- Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications.
Notes:
- These rules refer to this guidance as a Secure Configuration Guide, but cloud service providers may make this guidance available in whatever appropriate forms provide the best customer experience.
- This guidance should explain how top-level administrative accounts are named and referred to in the cloud service offering.
Terms: Cloud Service Offering, Privileged Account, Top-Level Administrative Account
Use Instructions
SCG-CSO-AUP
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST include instructions in the FedRAMP Certification package that explain how to obtain and use the Secure Configuration Guide.
Note: These instructions may appear in a variety of ways; it is up to the provider to present them in the most appropriate and effective way for their specific customer needs.
Terms: Certification Package
Public Guidance
SCG-CSO-PUB
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD make the Secure Configuration Guide available publicly.
Secure Defaults
SCG-CSO-SDF
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.
Enhanced Capabilities
These recommendations apply to providers with FedRAMP Certifications of any type.
Comparison Capability
SCG-ENH-CMP
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.
Export Capability
SCG-ENH-EXP
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD offer the capability to export all security settings in a machine-readable format.
Terms: Machine-Readable
API Capability
SCG-ENH-API
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability.
Machine-Readable Guidance
SCG-ENH-MRG
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD also provide the Secure Configuration Guide in a machine-readable format that can be used by customers or third-party tools to compare against current settings.
Terms: Machine-Readable
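As an added illustration (not FedRAMP's own tooling or schema) of how the comparison capability (SCG-ENH-CMP) and machine-readable guidance (SCG-ENH-MRG) fit together: a versioned machine-readable guide carries the recommended secure defaults for top-level administrative and privileged accounts, an exported snapshot of current settings is checked against it, and every deviation, unreported setting, or stale guide version becomes a finding. The JSON layout, setting identifiers, and values are constructed assumptions for this example.

```python
import json

# Constructed machine-readable Secure Configuration Guide. The schema and the
# setting identifiers are assumptions for this example, not a FedRAMP format.
SCG_JSON = """{
  "version": "2026.1",
  "settings": [
    {"id": "tla.mfa_required", "scope": "top-level-administrative", "recommended": true},
    {"id": "tla.session_timeout_minutes", "scope": "top-level-administrative", "recommended": 15},
    {"id": "priv.mfa_required", "scope": "privileged", "recommended": true},
    {"id": "priv.api_key_max_age_days", "scope": "privileged", "recommended": 90}
  ]
}"""

# Constructed export of a customer's current settings (what an export
# capability might produce), generated against an older guide version.
CURRENT_JSON = """{
  "scg_version": "2025.4",
  "settings": {"tla.mfa_required": true, "tla.session_timeout_minutes": 60,
               "priv.mfa_required": false}
}"""


def compare_settings(scg_text, current_text):
    """Return one finding per problem: a stale guide version, a setting that
    deviates from its recommended default, or a setting absent from the export
    (absence is a finding because an unreported setting cannot be verified)."""
    scg, current = json.loads(scg_text), json.loads(current_text)
    current_settings = current.get("settings", {})
    findings = []
    if current.get("scg_version") != scg["version"]:
        findings.append({"id": "scg_version", "scope": "guide", "status": "stale",
                         "expected": scg["version"], "actual": current.get("scg_version")})
    for setting in scg["settings"]:
        if setting["id"] not in current_settings:
            status, actual = "missing", None
        elif current_settings[setting["id"]] != setting["recommended"]:
            status, actual = "deviates", current_settings[setting["id"]]
        else:
            continue  # matches the recommended secure default
        findings.append({"id": setting["id"], "scope": setting["scope"], "status": status,
                         "expected": setting["recommended"], "actual": actual})
    return findings


def compliant_snapshot(scg_text):
    """Build an export at the guide's recommended defaults; it yields no findings."""
    scg = json.loads(scg_text)
    return json.dumps({"scg_version": scg["version"],
                       "settings": {s["id"]: s["recommended"] for s in scg["settings"]}})
```

A provider-side comparison feature or a customer's third-party tool would apply the same logic, with the guide version check giving customers a signal that their baseline predates the current release history.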
Versioning and Release History
SCG-ENH-VRH
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time.