Skip to main content
Pricing
Sign inRequest demo
CPO-CSO-OVRMUSTAll frameworksImplementation guide coming soon

Overview of the Cloud Service Offering

Certification Package Overview (CPO) · General Provider Responsibilities

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
MUST
Timeframe
No fixed timeframe

Reviewed implementation guidance for CPO-CSO-OVR is not published yet. The official source below remains complete and authoritative.

Information required

  • Certification Package Overview: CPO-CSO-MTD (Certification Package Overview Metadata)
  • Certification Data Sharing: CDS-CSO-PUB (Public Information)
  • Certification Data Sharing: CDS-CSO-SVC (Public Service List)
  • Certification Data Sharing: CDS-CSO-IRP (Include Relevant Policies)
  • Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
  • Minimum Assessment Scope: MAS-CSO-FLO (Information Flows and Security Categories)
  • Minimum Assessment Scope: MAS-CSO-TPR (Third-Party Information Resources)
  • Using Cryptographic Modules: CMU-CSO-CMD (Cryptographic Module Documentation)
  • Independent Verification and Validation: IVV-CSO-ICP (Inclusion in Certification Package)

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST supply a Certification Package Overview within their FedRAMP Certification Package, in both human-readable and JSON formats, that includes at least all of the information required by the following rules:

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like CPO-CSO-OVR into assigned evidence, remediation work, and validation workflows.

Request demo

Notes

  • For FedRAMP Rev5, the Certification Package Overview replaces the historically required System Security Plan (not including appendices).
  • This list of rules may not apply to all FedRAMP Certification Classes or Types - if a rule does not apply then the information is not required.

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.