Why How It Works Features Pricing Blog

Sign in Request demo

FedRAMP 20x for cloud service providers

Know what is required. Build it. Prove it.

Search every KSI and the 148 rules addressed to providers. See the requirement, implementation guidance, and evidence context without sorting through obligations owned by agencies, assessors, or FedRAMP.

Understand the 46 KSIs Browse CSP rules Find implementation guidance Find automated checks

Based on FedRAMP/rules 2026.06.04.01-preview, updated 2026-06-04

CSP implementation explorer

Showing 254 of 254 CSP resources

Provider ruleCCMMUST

Anonymized Feedback Summary

All service classesOfficial source

Provider ruleCCMMUST

Report Availability

All service classesOfficial source

Provider ruleCCMMUST

Feedback Mechanism

All service classesOfficial source

Provider ruleCCMMUST NOT

Limit Sensitive Information

All service classesOfficial source

Provider ruleCCMMUST

Next Report Date

All service classesOfficial source

Provider ruleCCMMAY

Responsible Public Certification Report Sharing

All service classesOfficial source

Provider ruleCCMSHOULD

Spread Out Reports

All service classesOfficial source

Provider ruleCCMSHOULD

Additional Content

All service classesOfficial source

Provider ruleCCM

Quarterly Review Meeting

Classes A, B, C, DOfficial source

Provider ruleCCMMUST NOT

No Irresponsible Disclosure

All service classesOfficial source

Provider ruleCCMMUST

Next Review Date

All service classesOfficial source

Provider ruleCCMMUST

Meeting Registration Info

All service classesOfficial source

Provider ruleCCMSHOULD NOT

Restrict Third Parties

All service classesOfficial source

Provider ruleCCMSHOULD

Record/Transcribe Reviews

All service classesOfficial source

Provider ruleCCMSHOULD

Schedule Around Reports

All service classesOfficial source

Provider ruleCCMMAY

Share Content Responsibly

All service classesOfficial source

Provider ruleCCMMAY

Share Recordings Responsibly

All service classesOfficial source

Provider ruleCDS

Availability Reporting

Classes A, B, C, DOfficial source

Provider ruleCDSMUST

Consistency Between Formats

All service classesOfficial source

Provider ruleCDSMUST

Historical FedRAMP Certification Data

All service classesOfficial source

Provider ruleCDS

Per-Service Certification Materials

Classes A, B, C, DOfficial source

Provider ruleCDSMUST

Public Information

All service classesOfficial source

Provider ruleCDSMUST

Responsible Information Sharing

All service classesOfficial source

Provider ruleCDSMAY

Responsible Public Package Sharing

All service classesOfficial source

Provider ruleCDSMUST

Service List

All service classesOfficial source

Provider ruleCDSMUST

Use Trust Centers

All service classesOfficial source

Provider ruleCDSMUST

Agency Access Inventory

All service classesOfficial source

Provider ruleCDSMUST

Access Logging

All service classesOfficial source

Provider ruleCDSSHOULD

Human and Machine-Readable Certification Data

All service classesOfficial source

Provider ruleCDSMUST

Programmatic Access

All service classesOfficial source

Provider ruleCDSSHOULD

Self-Service Access Management

All service classesOfficial source

Provider ruleCDSMUST

Uninterrupted Sharing

All service classesOfficial source

Provider ruleCDSMUST

Agency Access Denial

All service classesOfficial source

Provider ruleCDSSHOULD

Agency Access

All service classesOfficial source

Provider ruleFRAMAY

Receiving Assessor Advice

All service classesOfficial source

Provider ruleFRASHOULD

Supply Technical Evidence

All service classesOfficial source

All Affected Parties

All service classesOfficial source

Accepted Vulnerability

All service classesOfficial source

Adaptive Change

All service classesOfficial source

Agency

All service classesOfficial source

All Necessary Parties

All service classesOfficial source

Artifacts

All service classesOfficial source

Assessor

All service classesOfficial source

Certification Class Change

All service classesOfficial source

Certification Data

All service classesOfficial source

Certification Package

All service classesOfficial source

Cloud Service Offering

All service classesOfficial source

Debilitating Customer Effect

All service classesOfficial source

Disruptive Customer Effect

All service classesOfficial source

Drift

All service classesOfficial source

Federal Customer Data

All service classesOfficial source

FedRAMP Certified

All service classesOfficial source

Final Incident Report (FIR)

All service classesOfficial source

Fully Mitigated Vulnerability

All service classesOfficial source

False Positive Vulnerability

All service classesOfficial source

FedRAMP Recognized

All service classesOfficial source

FedRAMP Reportable Incident

All service classesOfficial source

FedRAMP Security Inbox

All service classesOfficial source

Handle

All service classesOfficial source

Initial Incident Report (IIR)

All service classesOfficial source

Initial Certification

All service classesOfficial source

Incident

All service classesOfficial source

Information Resource

All service classesOfficial source

Internet-Reachable Vulnerability (IRV)

All service classesOfficial source

Known Exploited Vulnerability (KEV)

All service classesOfficial source

Likely Exploitable Vulnerability (LEV)

All service classesOfficial source

Likely

All service classesOfficial source

Machine-Based (Information Resources)

All service classesOfficial source

Minimal Customer Effect

All service classesOfficial source

Machine-Readable

All service classesOfficial source

Narrow Customer Effect

All service classesOfficial source

Ongoing Certification Report (OCR)

All service classesOfficial source

Overdue Vulnerability

All service classesOfficial source

Ongoing Certification

All service classesOfficial source

Privileged Account

All service classesOfficial source

Potential Agency Impact

All service classesOfficial source

Persistently

All service classesOfficial source

Partially Mitigated Vulnerability

All service classesOfficial source

Promptly

All service classesOfficial source

Provider

All service classesOfficial source

Quarterly Review

All service classesOfficial source

Regularly

All service classesOfficial source

Remediated Vulnerability

All service classesOfficial source

Responsibly

All service classesOfficial source

Routine Recurring Change

All service classesOfficial source

Security Category

All service classesOfficial source

Significant Change

All service classesOfficial source

Top-Level Administrative Account

All service classesOfficial source

Third-Party Information Resource

All service classesOfficial source

Trust Center

All service classesOfficial source

Transformative Change

All service classesOfficial source

Vulnerability Detection

All service classesOfficial source

Validation

All service classesOfficial source

Vulnerability Response

All service classesOfficial source

Verification

All service classesOfficial source

Vulnerability

All service classesOfficial source

Provider ruleFSISHOULD

Acknowledge Receipt

All service classesOfficial source

Provider ruleFSIMUST

Complete Required Actions

All service classesOfficial source

Provider ruleFSIMUST

Emergency Message Routing

All service classesOfficial source

Provider ruleFSISHOULD

Important Message Actions

All service classesOfficial source

Provider ruleFSIMUST

Maintain a FedRAMP Security Inbox

All service classesOfficial source

Provider ruleFSIMUST

Notification of Changes

All service classesOfficial source

Provider ruleFSIMUST

Receive Email Without Disruption

All service classesOfficial source

Provider ruleFSIMUST

Trust @fedramp.gov and @gsa.gov

All service classesOfficial source

Provider ruleICPSHOULD

Automated Incident Reporting

All service classesOfficial source

Provider ruleICPMUST

Default PAIN Rating

All service classesOfficial source

Provider ruleICPSHOULD

Estimate Federal Impact

All service classesOfficial source

Provider ruleICPMUST

Evaluate FedRAMP Reportability

All service classesOfficial source

Provider ruleICP

Final Incident Report

Classes A, B, C, DOfficial source

Provider ruleICP

Initial Incident Report

Classes A, B, C, DOfficial source

Provider ruleICP

Ongoing Incident Reports

Classes A, B, C, DOfficial source

Provider ruleIFRMUST

Applying for FedRAMP Certification

All service classesOfficial source

Provider ruleIFRMUST

Fresh FedRAMP Certification Package

All service classesOfficial source

Provider ruleIFRMUST

Fresh Independent Assessment

All service classesOfficial source

Provider ruleIFRMUST

Marketplace Listing First

All service classesOfficial source

Provider ruleIFRMUST

Agency Authorization to Operate

All service classesOfficial source

Provider ruleIFRMUST

Address FedRAMP Rules

All service classesOfficial source

Provider ruleIFRMUST

Approved Alternative Security Frameworks

All service classesOfficial source

Provider ruleIFRMUST

External Assessment Materials

All service classesOfficial source

Provider ruleIFRMAY

Optional Independent Verification and Validation

All service classesOfficial source

Provider ruleIFRMUST

Key Security Indicator Mapping

All service classesOfficial source

Provider ruleIFR

FedRAMP Certification Package

Classes A, B, C, DOfficial source

Provider ruleIFRMUST NOT

Pick One Program Certification Type

All service classesOfficial source

Provider ruleIFRSHOULD

Application within MAS

All service classesOfficial source

Provider ruleIFRMUST

Initial Implementation Summaries

All service classesOfficial source

Reviewing All Training

All service classesOfficial source

Logging Changes

All service classesOfficial source

Redeploying vs Modifying

All service classesOfficial source

Reviewing Change Procedures

All service classesOfficial source

Validating Throughout Deployment

All service classesOfficial source

Defining Functionality and Privileges

All service classesOfficial source

Enforcing Intended State

Classes B, COfficial source

Implementing Best Practices

All service classesOfficial source

Minimizing Attack Surface

All service classesOfficial source

Optimizing for Availability

All service classesOfficial source

Restricting Network Traffic

All service classesOfficial source

Reviewing Protections

All service classesOfficial source

Using Logical Networking

All service classesOfficial source

Automating Account Management

All service classesOfficial source

Adopting Passwordless Methods

All service classesOfficial source

Ensuring Least Privilege

All service classesOfficial source

Authorizing Just-in-Time

All service classesOfficial source

Securing Non-User Authentication

All service classesOfficial source

Responding to Suspicious Activity

All service classesOfficial source

Generating After Action Reports

All service classesOfficial source

Reviewing Incident Response Procedures

All service classesOfficial source

Reviewing Past Incidents

All service classesOfficial source

Authorizing Log Access

Classes B, COfficial source

Evaluating Configurations

All service classesImplementation guidance Automated check

Logging Event Types

All service classesOfficial source

Operating SIEM Capability

All service classesOfficial source

Reviewing Logs

All service classesOfficial source

Generating Inventories

All service classesOfficial source

Reviewing Executive Support

All service classesOfficial source

Reviewing Investments in Security

All service classesOfficial source

Reviewing Security in the SDLC

All service classesOfficial source

Reviewing Vulnerability Disclosures

All service classesOfficial source

Aligning Backups with Objectives

All service classesOfficial source

Aligning Recovery Plan

All service classesOfficial source

Reviewing Recovery Objectives

All service classesOfficial source

Testing Recovery Capabilities

All service classesOfficial source

Mitigating Supply Chain Risk

All service classesOfficial source

Monitoring Supply Chain Risk

All service classesOfficial source

Automating Configuration Management

All service classesOfficial source

Automating Secret Management

All service classesOfficial source

Evaluating and Improving Security

All service classesOfficial source

Preventing Residual Risk

Classes B, COfficial source

Removing Unwanted Data

Classes B, COfficial source

Securing Network Traffic

All service classesOfficial source

Validating Communications

Classes B, COfficial source

Validating Resource Integrity

All service classesOfficial source

Provider ruleMASMUST

Information Flows and Security Categories

All service classesOfficial source

Provider ruleMASMUST

Identify Information Resources

All service classesOfficial source

Provider ruleMASMUST

Metadata Inclusion

All service classesOfficial source

Provider ruleMASMAY

Supplemental Information

All service classesOfficial source

Provider ruleMASMUST

Third-Party Information Resources

All service classesOfficial source

Provider ruleMKTMUST

Agency Use Cases

All service classesOfficial source

Provider ruleMKTMUST

Listing Requests for Providers

All service classesOfficial source

Provider ruleMKTMUST

Demonstrating Continuous Progress

All service classesOfficial source

Provider ruleMKTMUST

Deadline for Assessment

All service classesOfficial source

Provider ruleMKTMUST

Preparation Phase Requirements

All service classesOfficial source

Provider ruleOFRMUST

Collaborative Continuous Monitoring

All service classesOfficial source

Provider ruleOFRMUST

FedRAMP Certification Data Sharing

All service classesOfficial source

Provider ruleOFRMUST

FedRAMP Security Inbox

All service classesOfficial source

Provider ruleOFRMUST

Incident Communications Procedures

All service classesOfficial source

Provider ruleOFRMUST

Minimum Assessment Scope

All service classesOfficial source

Provider ruleOFRMUST

Secure Configuration Guide

All service classesOfficial source

Provider ruleOFRMUST

Significant Change Notifications

All service classesOfficial source

Provider ruleOFRMUST

Using Cryptographic Modules

All service classesOfficial source

Provider ruleOFRMUST

Vulnerability Detection and Response

All service classesImplementation guidance

Provider ruleOFR

Independent Verification and Validation

Classes A, B, C, DOfficial source

Provider ruleSCGMUST

Use Instructions

All service classesOfficial source

Provider ruleSCGSHOULD

Public Secure Configuration Guidance

All service classesOfficial source

Provider ruleSCGMUST

Recommended Secure Configuration

All service classesOfficial source

Provider ruleSCGSHOULD

Secure Defaults

All service classesOfficial source

Provider ruleSCGSHOULD

API Capability

All service classesOfficial source

Provider ruleSCGSHOULD

Comparison Capability

All service classesOfficial source

Provider ruleSCGSHOULD

Export Capability

All service classesOfficial source

Provider ruleSCGSHOULD

Machine-Readable Guidance

All service classesOfficial source

Provider ruleSCGSHOULD

Versioning and Release History

All service classesOfficial source

Provider ruleSCNMUST

Notification Requirements

All service classesOfficial source

Provider ruleSCNMAY

Additional Relevant Information

All service classesOfficial source

Provider ruleSCNMAY

Emergency Changes

All service classesOfficial source

Provider ruleSCNMUST

Evaluate Changes

All service classesOfficial source

Provider ruleSCNMUST

Historical Notifications

All service classesOfficial source

Provider ruleSCNMUST

Human and Machine-Readable Notifications

All service classesOfficial source

Provider ruleSCNMUST

Required Information

All service classesOfficial source

Provider ruleSCNMUST

Maintain Audit Records

All service classesOfficial source

Provider ruleSCNMAY

Notification Mechanisms

All service classesOfficial source

Provider ruleSCNSHOULD NOT

No Notification Requirements

All service classesOfficial source

Provider ruleSCNMUST

Notification After Finishing

All service classesOfficial source

Provider ruleSCNMUST

Notification After Verification

All service classesOfficial source

Provider ruleSCNMUST

Notification of Final Plans

All service classesOfficial source

Provider ruleSCNMUST

Notification of Initial Plans

All service classesOfficial source

Provider ruleSCNSHOULD

Third-Party Review

All service classesOfficial source

Provider ruleSCNMUST

Update Documentation

All service classesOfficial source

Provider ruleUCMSHOULD

Configuration of Agency Tenants

All service classesOfficial source

Provider ruleUCMMUST

Cryptographic Module Documentation

All service classesOfficial source

Provider ruleUCM

Using Validated Cryptographic Modules

Classes A, B, C, DOfficial source

Provider ruleVDRSHOULD

Automate Detection

All service classesOfficial source

Provider ruleVDRSHOULD NOT

Avoid KEVs

All service classesOfficial source

Provider ruleVDRSHOULD

Detect After Changes

All service classesOfficial source

Provider ruleVDRSHOULD

Design For Resilience

All service classesOfficial source

Provider ruleVDRSHOULD NOT

Maintain Security

All service classesOfficial source

Provider ruleVDRMAY

Sampling

All service classesOfficial source

Provider ruleVDRMUST

Vulnerability Detection

All service classesOfficial source

Provider ruleVDRMUST

Failures Are Vulnerabilities

All service classesOfficial source

Provider ruleVDRMUST

Vulnerability Response

All service classesOfficial source

Provider ruleVDRSHOULD

Evaluation Factors

All service classesOfficial source

Provider ruleVDRSHOULD

Evaluate False Positives

All service classesOfficial source

Provider ruleVDRMUST

Evaluate Internet-Reachability

All service classesOfficial source

Provider ruleVDRMUST

Evaluate Exploitability

All service classesOfficial source

Provider ruleVDRMUST

Estimate Potential Adverse Impact

All service classesOfficial source

Provider ruleVDRSHOULD

Group Vulnerabilities

All service classesOfficial source

Provider ruleVDRMUST

Accepted Vulnerability Info

All service classesOfficial source

Provider ruleVDRSHOULD

High-Level Overviews

All service classesOfficial source

Provider ruleVDRMUST NOT

Responsible Disclosure

All service classesOfficial source

Provider ruleVDRMUST

Persistent Reporting

All service classesOfficial source

Provider ruleVDRMAY

Responsible Public Disclosure

All service classesOfficial source

Provider ruleVDRMUST

Vulnerability Details

All service classesOfficial source

Provider ruleVDR

Evaluate Vulnerabilities Quickly

Classes A, B, C, DOfficial source

Provider ruleVDR

Internet-Reachable Incidents

Classes A, B, C, DOfficial source

Provider ruleVDRSHOULD

Remediate KEVs

All service classesOfficial source

Provider ruleVDRMUST

Mark Accepted Vulnerabilities

All service classesOfficial source

Provider ruleVDRMUST

Monthly Activity Report

All service classesOfficial source

Provider ruleVDR

Historical Activity

Classes A, B, C, DOfficial source

Provider ruleVDR

Persistent Machine Verification and Validation for 20x

Classes A, B, COfficial source

Provider ruleVDRMUST

Non-Machine Verification and Validation

All service classesOfficial source

Provider ruleVDR

Non-Internet-Reachable Incidents

Classes A, B, C, DOfficial source

Provider ruleVDR

Persistently Complete Detection

Classes A, B, C, DOfficial source

Provider ruleVDR

Persistent Drift Detection

Classes A, B, C, DOfficial source

Provider ruleVDR

Persistent Sample Detection

Classes A, B, C, DOfficial source

Provider ruleVDR

Mitigation and Remediation Expectations

Classes A, B, C, DOfficial source

Provider ruleVDRSHOULD

Remaining Vulnerabilities

All service classesOfficial source