FRC-CLA-MFRMUSTAll frameworksImplementation guide coming soonMandatory FedRAMP Rules for Class A
FedRAMP Certification (FRC) · FedRAMP Class A Certification Rules
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for FRC-CLA-MFR is not published yet. The official source below remains complete and authoritative.
Information required
- FedRAMP Certification: FRC-CSO-PKG (FedRAMP Certification Package)
- FedRAMP Certification: FRC-CSO-JSN (FedRAMP JSON Schemas)
- FedRAMP Certification: FRC-CSO-POP (Pick One Program Certification Type)
- Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
- Certification Data Sharing: CDS-CSO-PUB (Public Information)
- Certification Data Sharing: CDS-CSO-UTC (Use Trust Centers)
- Certification Data Sharing: CDS-UTC-AAD (Agency Access Denial)
- Addressing FedRAMP Communication: AFC-CSO-INB (Maintain a FedRAMP Security Inbox)
- Addressing FedRAMP Communication: AFC-CSO-RCV (Receive Email Without Disruption)
- Addressing FedRAMP Communication: AFC-CSO-CRA (Complete Required Actions)
- Incident Evaluation and Communication: IEC-CSO-EFR (Evaluate FedRAMP Reportability)
- Incident Evaluation and Communication: IEC-CSO-FIR (Final Incident Report)
- Vulnerability Detection and Response: VDR-CSO-DET (Vulnerability Detection)
- Collaborative Continuous Monitoring: CCM-OCR-AVL (Report Availability)
- Collaborative Continuous Monitoring: CCM-OCR-NRD (Next Report Date)
- Independent Verification and Validation: IVV-CSX-AIA (Annual Independent Assessments for 20x)
- Key Security Indicators: KSI-CMT-LMC (Logging Changes)
- Key Security Indicators: KSI-CNA-RNT (Restricting Network Traffic)
- Key Security Indicators: KSI-CED-RAT (Reviewing All Training)
- Key Security Indicators: KSI-IAM-AAM (Automating Account Management)
- Key Security Indicators: KSI-IAM-APM (Adopting Passwordless Methods)
- Key Security Indicators: KSI-INR-RIR (Reviewing Incident Response Procedures)
- Key Security Indicators: KSI-SVC-SIN (Securing Information)
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers seeking a Class A FedRAMP Certification MUST address all rules in this FedRAMP Class A Certification subset (FRC-CLA) AND the following additional FedRAMP Class A rules; the appropriate artifacts or information mapping for all rules MUST be supplied in the FedRAMP Certification Package.
Defined terms in this requirement
AgencyArtifactsCertification DataCertification PackageCertification TypeFedRAMP Security InboxFinal Incident Report (FIR)IncidentInformation ResourceInitial Incident Report (IIR)Ongoing Certification Report (OCR)ProviderTrust CenterValidationVerificationVulnerabilityVulnerability DetectionVulnerability Response
Notes
- Some of these specific FedRAMP rules may not have similar counterparts in external frameworks and providers will need to implement new processes to follow these rules.
- In general, for each of these FedRAMP requirements, providers should include a sufficiently detailed summary that reviewers will not need to dig into the related security framework materials to understand the related decisions - just saying "see SOC 2 report" is not particularly helpful.
- Information about how the provider addresses the included Key Security Indicators are required for both Rev5 and 20x Class A Certifications.
Change history
2026-07-01Removed reference to Independent Verification and Validation: IVV-CSF-AIA (Annual Independent Assessments for Rev5); Removed CDS-CSO-AVR (Availability Reporting) since this rule is defined as SHOULD and included in FRC-CLA-RFR (Recommended FedRAMP Rules for Class A)2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.