CDS-CSO-RIS · MUST

Responsible Information Sharing

Certification Data Sharing (CDS) · General Provider Responsibilities

Applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: No fixed timeframe

Reviewed implementation guidance for CDS-CSO-RIS is not published yet. The official source below remains complete and authoritative.

Examples

Tips on sensitive information in FedRAMP Certification Data

  • Passwords, API keys, access credentials, etc.
  • Excessive detail about methodology that exposes weaknesses
  • Personally identifiable information about employees

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST provide sufficient information in FedRAMP Certification Data to support agency authorization decisions but SHOULD NOT include sensitive information that would likely enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the cloud service offering.

Notes

  • This is not a license to exclude accurate risk information, but specifics that would likely lead to compromise should be abstracted. A breach of confidentiality with FedRAMP Certification Data should be anticipated by a secure cloud service provider.

Change history

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.