Skip to main content
Pricing
Sign inRequest demo
FRC-CSX-MOT20x onlyImplementation guide coming soon

Metrics Over Time for Key Security Indicators

FedRAMP Certification (FRC) · CSX

Applies to: Providers
Who this applies to
Providers
Service class
Varies: A, B, C, D
Force
Varies by class
Timeframe
No fixed timeframe

Reviewed implementation guidance for FRC-CSX-MOT is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

MAY
Providers seeking 20x Class A Certification MAY supply historical metrics for Key Security Indicators.

Class B

SHOULD
Providers seeking 20x Class B Certification SHOULD supply historical metrics for Key Security Indicators.

Class C

MUST
Providers seeking 20x Class C Certification MUST supply historical metrics including status from persistent validation over at least the past 6 months for all Key Security Indicators.

Class D

MUST
Providers seeking 20x Class D Certification MUST provide historical metrics including status from persistent validation over at least the past 18 months for all Key Security Indicators.

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like FRC-CSX-MOT into assigned evidence, remediation work, and validation workflows.

Request demo

Notes

  • For initial FedRAMP Certification, providers will need to have mechanisms in place and agree to meet this requirement in the event the cloud service has not been operating with related metrics available for the required period prior to applying for initial certification.

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.