CCM-OCR-AVLMUSTAll frameworksImplementation guide coming soon

Report Availability

Collaborative Continuous Monitoring (CCM) · Ongoing Certification Reports

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: No fixed timeframe

Reviewed implementation guidance for CCM-OCR-AVL is not published yet. The official source below remains complete and authoritative.

Information required

Changes to FedRAMP Certification Data
Planned changes to FedRAMP Certification Data during at least the next 3 months
Accepted vulnerabilities
Transformative changes
Updated recommendations or best practices for security, configuration, usage, or similar aspects of the cloud service offering
A list of all agencies that are directly using the product
FedRAMP Reportable Incidents or an attestation that no such incidents occurred
Lessons learned and changes planned or made as a result of FedRAMP Reportable Incidents (if such occurred)

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST supply an Ongoing Certification Report to all necessary parties every 3 months, covering the entire period since the previous summary, in a consistent format that is human readable; this report MUST include high-level summaries of at least the following information:

Defined terms in this requirement

Accepted Vulnerability Agency All Necessary Parties Certification Data Cloud Service Offering FedRAMP Reportable Incident Incident Ongoing Certification Ongoing Certification Report (OCR)Provider Transformative Change Vulnerability

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.