CPO-CSO-OSAAll frameworksImplementation guide coming soonOverall Summary of Assessment in Certification Package
Certification Package Overview (CPO) · General Provider Responsibilities
Applies to: Providers
- Who this applies to
- Providers
- Service class
- Varies: A, B, C, D
- Force
- Varies by class
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for CPO-CSO-OSA is not published yet. The official source below remains complete and authoritative.
Official FedRAMP source
Verbatim from FedRAMP/rules
This requirement varies by FedRAMP Certification class. Each class has its own statement:
Class A
MAYProviders seeking Class A Certification MAY also include an overall summary of their FedRAMP independent assessment in their Certification Package Overview.
Class B
MUSTProviders seeking Class B Certification MUST also include the overall summary of their FedRAMP independent assessment, supplied by the assessor per IVV-IAS-OSA (Overall Summary of Assessment), in their Certification Package Overview.
Class C
MUSTProviders seeking Class C Certification MUST also include the overall summary of their FedRAMP independent assessment, supplied by the assessor per IVV-IAS-OSA (Overall Summary of Assessment), in their Certification Package Overview.
Class D
MUSTProviders seeking Class D Certification MUST also include the overall summary of their FedRAMP independent assessment, supplied by the assessor per IVV-IAS-OSA (Overall Summary of Assessment), in their Certification Package Overview.
Defined terms in this requirement
Change history
2026-06-25Added after official launch to clarify that the provider is required to supply this artifact.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.