FRC-CLA-OFRMAYAll frameworksImplementation guide coming soonAddress Optional FedRAMP Rules for Class A
FedRAMP Certification (FRC) · FedRAMP Class A Certification Rules
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MAY
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for FRC-CLA-OFR is not published yet. The official source below remains complete and authoritative.
Information required
- Collaborative Continuous Monitoring: CCM-QTR-MTG (Quarterly Review Meeting)
- Certification Data Sharing: CDS-CSO-PSM (Per-Service Certification Materials)
- Cryptographic Module Use: CMU-CSO-UVM (Using Validated Cryptographic Modules)
- FedRAMP Certification: FRC-APP-FIA (Fresh Independent Assessment)
- Independent Verification and Validation: IVV-CSO-FIA (FedRAMP Independent Assessments)
- Security Decision Record: SDR-CSX-KMT (Key Security Indicator Metrics)
- Vulnerability Evaluation and Reporting: VER-TFR-IRI (Internet-Reachable Incidents)
- Vulnerability Evaluation and Reporting: VER-TFR-MRH (Historical Activity)
- Vulnerability Evaluation and Reporting: VER-TFR-NRI (Non-Internet-Reachable Incidents)
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers seeking a Class A FedRAMP Certification MAY address the following additional optional FedRAMP Class A rules (if applicable):
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.