RFC-0007 Significant Change Notification Standard
- Status: Open
- Created By: FedRAMP PMO
- Start Date: 2025-04-24
- Closing Date: 2025-05-24
- Short Name: rfc-0007-significant-change-notification
Where to Comment
- Discussion Thread: https://github.com/FedRAMP/rfcs/discussions/19
- Public Comment Form: https://forms.gle/K4oqVGyyP3w2eiKx6
- Email: pete@fedramp.gov with the subject “RFC-0007 Feedback”
Summary
The Significant Change Notification Standard asserts that authorizations granted to cloud service providers include the authority to make changes that are in the best interest of agency customers without asking permission from an authorizing official in advance, in most cases.
This draft standard establishes a tiered notification framework that differentiates between adaptive changes (significant but routine) and transformative changes (major functionality changes). Adaptive changes may be made as appropriate without consulting with agency customers, while transformative changes require consultation with agency customers in advance. Cloud service providers are still expected to follow procedures in their security plans and collaborate with third-party assessment organizations to verify outcomes.
Changes that increase or decrease the impact level rating for the cloud service (e.g. from low to moderate or from high to moderate) are not covered under the Significant Change Notification Standard as these changes require reauthorization.
Motivation and Rationale
The existing FedRAMP standard for Significant Change Requests creates a devastating bottleneck that slows government adoption of new cloud technology and features, raises costs for government customers by increasing the burden of operating a cloud service for government customers, encourages the operation of separate service instances for government customers, hinders agency sponsorship of FedRAMP authorizations, and decreases the effective security of cloud services by obstructing proactive innovation.
FedRAMP asserts that cloud service providers, supported by trusted third-party assessment organizations, must be trusted to continuously improve their systems responsibly. This draft standard acknowledges that cloud service offerings can and should make significant changes without requesting federal agency review of engineering decisions or third-party assessment. This change aligns with guidance in OMB Circular A-130 and NIST SP 800-37 Rev 2 to substantially reduce the burden of lead agency authorizing officials and reusing agency authorizing officials by encouraging them to focus on their overall risk posture instead of redundant reviews of complex engineering decisions.
Due to executive branch restrictions on the production of significant guidance and policy materials, this draft proposes a basic standard that replaces the previous Significant Change Process with a simple and reasonable approach that can be applied by cloud service providers, third-party assessment organizations, and agency officials. The Significant Change Notification Standard avoids excessive detail identifying types of potential significant changes to support FedRAMP’s ongoing shift from compliance-based decision making and assessment to security-based decision making and assessment.
Explanation
The full draft standard is approximately 5 pages and is available for review in the following formats:
- Basic web formatting on fedramp.gov (below)
- Basic text markdown on GitHub
- PDF file: rfc-0007-significant-change-notification.pdf
- DOCX file: rfc-0007-significant-change-notification.docx
Discussion Requested
This draft standard is open for any public comment. FedRAMP encourages fast, informal comments from any member of the public. The public may submit multiple comments and may respond to other public comments. All comments from the public sent via email will be made public.
The FedRAMP Rev 5 Continuous Monitoring Working Group will simultaneously host discussions on potential best practices and implementation of machine readable Significant Change Notifications based on this draft standard.
RFC-0006 Significant Change Notification Standard
Thursday, April 24, 2025
Background
OMB Circular A-130: Managing Information as a Strategic Resource Appendix I states “under ongoing authorization, reauthorization is typically an event-driven action initiated by the authorizing official or directed by the Risk Executive (function) in response to an event or significant change that increases information security or privacy risk above the previously agreed-upon agency risk tolerance.”
NIST SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy Appendix F similarly states that “under ongoing authorization, reauthorization is in most instances, an event-driven action initiated by the authorizing official or directed by the senior accountable official for risk management or risk executive (function) in response to an event that results in security and privacy risk above the level of risk previously accepted by the authorizing official.” This section also states that “Organizations establish criteria for what constitutes significant change based on a variety of factors.”
The FedRAMP Authorization Act (44 USC § 3609 (a) (7)) directs the Administrator of the General Services Administration to “coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the [OMB] Director and the [DHS] Secretary, to establish and regularly update a framework for continuous monitoring…” This responsibility is delegated to the FedRAMP Director.
Introduction
This FedRAMP standard moves away from the historical presumption that all significant changes to FedRAMP authorized cloud service offerings require prior federal approval and reauthorization by a “lead agency.” Agencies must follow OMB policy and NIST standards when adopting FedRAMP authorized cloud services, including performing a full review and risk assessment based on the materials within a FedRAMP authorization package.
FedRAMP asserts that authorization to operate a cloud service establishes an agreed-upon agency risk tolerance that expects the provider to continuously improve the service without triggering reauthorization for most significant changes, and that third-party assessment organizations provide the necessary rigor to identify the risks of such changes on behalf of the authorizing officials. FedRAMP further asserts, as a program responsible for a government-wide approach to the use of cloud services, that no single agency should block improvements to shared services when those improvements may be used by other agencies.
This updated standard creates a new Significant Change Notification standard that replaces all previous FedRAMP guidance related to Significant Change Requests for all FedRAMP authorizations and certifications, including the current Rev 5 Agency Authorization process and FedRAMP 20x. Best practices and technical assistance to help stakeholders follow this standard will be provided separately.
This standard does not supersede any agreement signed between a federal agency and a cloud service provider that sets additional requirements beyond those required by FedRAMP.
Definitions
The following definitions apply to all FedRAMP materials:
a. “Significant change” has the meaning given in NIST SP 800-37 Rev. 2 or any successor document. As of April 2025 that means “a change that is likely to substantively affect the security or privacy posture of a system.”
- FedRAMP excludes routine recurring activities that are part of ongoing operations or vulnerability mitigation and remediation from the criteria for determining significant changes. Such changes are NOT considered significant changes for the purposes of this standard.
b. “Adaptive change” means any significant change that adjusts existing components or functionality of the cloud service offering. This is the least impactful type of significant change.
c. “Transformative change” means any significant change that adds, replaces, or removes major components and functionality of the cloud service offering.
d. “Impact categorization change” means any significant change that is likely to increase or decrease the impact level rating for the cloud service (e.g. from low to moderate or from high to moderate). This is the most impactful type of significant change.
Significant Change Notification Standard
The FedRAMP Significant Change Notification (SCN) Standard establishes standard requirements that cloud service providers MUST follow to maintain FedRAMP authorization when making significant changes to FedRAMP authorized cloud services.
(1) Providers MUST NOT make impact categorization changes via the FedRAMP significant change process; security objective changes require re-authorization.
(2) Providers MUST follow the procedures documented in their security plan to plan, test, perform, assess, and document changes.
(3) Providers MUST assess all planned changes to determine if they may be a significant change.
(4) Providers MUST determine if the significant change is an adaptive change, a transformative change, or an impact categorization change, and follow appropriate procedures; providers MUST use the most impactful significant change type that likely applies.
(5) Providers MUST keep historical significant change notifications available to agency customers until the service completes its next annual assessment.
(6) Providers MUST maintain auditable records of these activities and make them available to FedRAMP, agencies, and contracted 3PAOs.
(7) Providers MUST make ALL significant change notifications and related audit records available in similar human-readable and compatible machine-readable formats.
(8) All parties SHOULD follow FedRAMP’s best practices and technical assistance on significant change assessment and notification where applicable.
If the significant change is an adaptive change, also:
(9) Providers MUST notify FedRAMP and agency customers within 14 calendar days AFTER making adaptive changes.
(10) Providers MUST notify agency customers at the next monthly monitoring meeting AFTER making adaptive changes.
If the significant change is a transformative change, also:
(9) Providers MUST have a 3PAO review the scope and impact of the planned change BEFORE making significant changes; providers MUST NOT proceed with significant changes without 3PAO concurrence.
(10) Providers MUST work with a 3PAO to develop a security assessment plan BEFORE making transformative changes.
(11) Providers MUST discuss the planned change during two sequential monthly monitoring meetings BEFORE making transformative changes.
(12) Providers MUST notify FedRAMP and agency customers at least 14 calendar days in advance of the first monthly monitoring meeting BEFORE discussing planned transformative changes.
(13) Providers MUST notify FedRAMP and agency customers within 1 calendar day AND at the next monthly monitoring meeting AFTER making transformative changes.
(14) Providers MUST have a 3PAO begin assessment of the results no later than 1 calendar day AFTER making transformative changes; this assessment SHOULD be completed within 7 calendar days AFTER making transformative changes.
(15) Providers MUST publish updated service documentation and other materials to reflect transformative changes within 3 calendar days AFTER making transformative changes.
(16) Providers SHOULD automatically OPT OUT agency customers of transformative changes where possible and appropriate.
(17) Providers SHOULD delay or roll back change implementation based on significant increases in unmitigated risk that exceed their documented thresholds.
Application of the Significant Change Notification Standard
Cloud service providers may notify FedRAMP and agencies in a variety of ways as long as the mechanism for notification is clearly documented and easily accessible.
A. Providers MUST follow additional requirements related to significant changes that are part of a contractual or other agreement with specific agency customers.
B. Providers SHOULD be responsive to agency customer requests for additional information, standardized formatting, delivery mechanisms, and other requests that improve the agency’s experience and ability to assess the security of a system.
C. Providers and 3PAOs SHOULD follow the guidelines and best practices in any technical assistance provided separately by FedRAMP regarding the application of the Significant Change Notification Standard.
D. 3PAOs MUST independently notify FedRAMP when Providers do not follow this standard appropriately.
E. Agencies SHOULD use the assessment and information provided in the significant change notification to make continuing authorization decisions regarding the cloud service offering.
F. Agencies SHOULD provide concerns directly to the provider during continuous monitoring meetings in advance of transformational changes or in writing after an adaptive change.
Exceptions to the Significant Change Notification Standard
Cloud service providers MAY be required to delay significant changes beyond the standard notification period and/or be required to submit significant changes for review by FedRAMP or an Authorizing Official as a condition of a formal FedRAMP Corrective Action Plan or other agreement with a federal agency.
Significant Change Notification Requirements
All Significant Change Notifications MUST include at least:
- Service Offering FedRAMP ID
- 3PAO Name (if applicable)
- Type of change (CSP definable)
- Related POA&M (if applicable)
- Short description of change
- Reason for change
- Summary of service components and controls affected
- Copy of the business or security impact analysis (including 3PAO concurrence, if applicable)
- Name and title of approver
Cloud service providers MAY include additional relevant information in Significant Change Notifications.
Adaptive Changes
Significant Change Notifications for adaptive changes MUST ALSO include at least:
- Date of Change
- Summary of steps that were taken to verify and assess controls after implementation
- Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)
Transformative Changes
Significant Change Notifications sent BEFORE transformative changes MUST ALSO include at least:
- Planned change date
- Rollback plan (high level)
- If the change is opt in, include the risk associated with the change even if the agency does not opt in
- How to opt in (if applicable)
- Steps that will be taken to verify and assess controls after implementation
- Detail on service components and controls affected
- Copy of the security assessment plan
Significant Change Notifications sent AFTER transformative changes MUST ALSO include at least:
- Date of Change
- Steps that were taken to verify and assess controls after implementation
- Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)
- Copy of the security assessment report
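Rule (7) requires a compatible machine-readable form of every notification. As an added illustration, not part of the RFC or any FedRAMP tooling, the validator below checks a notification record against the required content lists above and the 14-day, 1-day and 14-days-before windows in the standard; the field names, the record shape, and the placeholder FedRAMP ID are assumptions, since the standard lists required content but does not fix a schema.

```python
from datetime import date

# Added example, not FedRAMP code: checks a machine-readable SCN record against
# the required content and timing rules of the draft standard. Field names and
# the record shape are assumptions; the standard does not fix a schema.
COMMON = {"fedramp_id", "type_of_change", "short_description", "reason",
          "components_and_controls_summary", "impact_analysis", "approver"}
BY_PHASE = {  # extra fields required per change category and notification phase
    ("adaptive", "after"): {"change_date", "verification_summary"},
    ("transformative", "before"): {"planned_change_date", "rollback_plan",
        "verification_steps", "components_and_controls_detail",
        "security_assessment_plan"},
    ("transformative", "after"): {"change_date", "verification_steps",
        "security_assessment_report"},
}
AFTER_LIMIT_DAYS = {"adaptive": 14, "transformative": 1}  # adaptive (9), transformative (13)
BEFORE_LEAD_DAYS = 14                                      # transformative rule (12)

def validate_scn(scn: dict) -> list[str]:
    """Return the problems found; an empty list means the SCN passes."""
    category, phase = scn.get("category"), scn.get("phase")
    if category == "impact_categorization":   # rule (1): requires re-authorization
        return ["impact categorization changes require reauthorization, not an SCN"]
    required = BY_PHASE.get((category, phase))
    if required is None:
        return [f"unsupported category/phase: {category}/{phase}"]
    problems = [f"missing required field: {f}"
                for f in sorted(COMMON | required) if f not in scn]
    if category == "transformative" and not scn.get("threepao_concurrence"):
        problems.append("transformative change lacks 3PAO concurrence")  # transformative (9)
    sent = scn.get("sent_date")
    if sent and phase == "after" and isinstance(scn.get("change_date"), date):
        lag = (sent - scn["change_date"]).days
        if lag > AFTER_LIMIT_DAYS[category]:
            problems.append(f"sent {lag} days after change; limit is {AFTER_LIMIT_DAYS[category]}")
    if sent and phase == "before" and isinstance(scn.get("first_meeting_date"), date):
        lead = (scn["first_meeting_date"] - sent).days
        if lead < BEFORE_LEAD_DAYS:
            problems.append(f"sent only {lead} days before first meeting; need {BEFORE_LEAD_DAYS}")
    return problems

# Constructed sample record with placeholder identifiers.
SAMPLE_ADAPTIVE = {
    "fedramp_id": "FR-PLACEHOLDER", "category": "adaptive", "phase": "after",
    "type_of_change": "configuration", "short_description": "tighten TLS settings",
    "reason": "retire legacy cipher suites", "components_and_controls_summary": "SC-8",
    "impact_analysis": "attached", "approver": "CISO", "change_date": date(2025, 5, 1),
    "verification_summary": "post-change scan reviewed", "sent_date": date(2025, 5, 10),
}
```

Records for "before" notifications carry a `first_meeting_date` so the 14-day lead before the first monitoring meeting can be checked the same way.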