Skip to main content
Pricing
Sign inRequest demo
FRC-CLA-MFRMUSTAll frameworksImplementation guide coming soon

Mandatory FedRAMP Rules for Class A

FedRAMP Certification (FRC) · FedRAMP Class A Certification Rules

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
MUST
Timeframe
No fixed timeframe

Reviewed implementation guidance for FRC-CLA-MFR is not published yet. The official source below remains complete and authoritative.

Information required

  • FedRAMP Certification: FRC-CSO-PKG (FedRAMP Certification Package)
  • FedRAMP Certification: FRC-CSO-JSN (FedRAMP JSON Schemas)
  • FedRAMP Certification: FRC-CSO-POP (Pick One Program Certification Type)
  • Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
  • Certification Data Sharing: CDS-CSO-PUB (Public Information)
  • Certification Data Sharing: CDS-CSO-UTC (Use Trust Centers)
  • Certification Data Sharing: CDS-UTC-AAD (Agency Access Denial)
  • Addressing FedRAMP Communication: AFC-CSO-INB (Maintain a FedRAMP Security Inbox)
  • Addressing FedRAMP Communication: AFC-CSO-RCV (Receive Email Without Disruption)
  • Addressing FedRAMP Communication: AFC-CSO-CRA (Complete Required Actions)
  • Incident Evaluation and Communication: IEC-CSO-EFR (Evaluate FedRAMP Reportability)
  • Incident Evaluation and Communication: IEC-CSO-FIR (Final Incident Report)
  • Vulnerability Detection and Response: VDR-CSO-DET (Vulnerability Detection)
  • Collaborative Continuous Monitoring: CCM-OCR-AVL (Report Availability)
  • Collaborative Continuous Monitoring: CCM-OCR-NRD (Next Report Date)
  • Independent Verification and Validation: IVV-CSX-AIA (Annual Independent Assessments for 20x)
  • Key Security Indicators: KSI-CMT-LMC (Logging Changes)
  • Key Security Indicators: KSI-CNA-RNT (Restricting Network Traffic)
  • Key Security Indicators: KSI-CED-RAT (Reviewing All Training)
  • Key Security Indicators: KSI-IAM-AAM (Automating Account Management)
  • Key Security Indicators: KSI-IAM-APM (Adopting Passwordless Methods)
  • Key Security Indicators: KSI-INR-RIR (Reviewing Incident Response Procedures)
  • Key Security Indicators: KSI-SVC-SIN (Securing Information)

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers seeking a Class A FedRAMP Certification MUST address all rules in this FedRAMP Class A Certification subset (FRC-CLA) AND the following additional FedRAMP Class A rules; the appropriate artifacts or information mapping for all rules MUST be supplied in the FedRAMP Certification Package.

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like FRC-CLA-MFR into assigned evidence, remediation work, and validation workflows.

Request demo

Notes

  • Some of these specific FedRAMP rules may not have similar counterparts in external frameworks and providers will need to implement new processes to follow these rules.
  • In general, for each of these FedRAMP requirements, providers should include a sufficiently detailed summary that reviewers will not need to dig into the related security framework materials to understand the related decisions - just saying "see SOC 2 report" is not particularly helpful.
  • Information about how the provider addresses the included Key Security Indicators are required for both Rev5 and 20x Class A Certifications.

Change history

  • 2026-07-01Removed reference to Independent Verification and Validation: IVV-CSF-AIA (Annual Independent Assessments for Rev5); Removed CDS-CSO-AVR (Availability Reporting) since this rule is defined as SHOULD and included in FRC-CLA-RFR (Recommended FedRAMP Rules for Class A)
  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.