CPO-CSO-OVRMUSTAll frameworksImplementation guide coming soonOverview of the Cloud Service Offering
Certification Package Overview (CPO) · General Provider Responsibilities
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for CPO-CSO-OVR is not published yet. The official source below remains complete and authoritative.
Information required
- Certification Package Overview: CPO-CSO-MTD (Certification Package Overview Metadata)
- Certification Data Sharing: CDS-CSO-PUB (Public Information)
- Certification Data Sharing: CDS-CSO-SVC (Public Service List)
- Certification Data Sharing: CDS-CSO-IRP (Include Relevant Policies)
- Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
- Minimum Assessment Scope: MAS-CSO-FLO (Information Flows and Security Categories)
- Minimum Assessment Scope: MAS-CSO-TPR (Third-Party Information Resources)
- Using Cryptographic Modules: CMU-CSO-CMD (Cryptographic Module Documentation)
- Independent Verification and Validation: IVV-CSO-ICP (Inclusion in Certification Package)
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST supply a Certification Package Overview within their FedRAMP Certification Package, in both human-readable and JSON formats, that includes at least all of the information required by the following rules:
Defined terms in this requirement
Notes
- For FedRAMP Rev5, the Certification Package Overview replaces the historically required System Security Plan (not including appendices).
- This list of rules may not apply to all FedRAMP Certification Classes or Types - if a rule does not apply then the information is not required.
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.