FRC-CSX-MOT20x onlyImplementation guide coming soonMetrics Over Time for Key Security Indicators
FedRAMP Certification (FRC) · CSX
Applies to: Providers
- Who this applies to
- Providers
- Service class
- Varies: A, B, C, D
- Force
- Varies by class
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for FRC-CSX-MOT is not published yet. The official source below remains complete and authoritative.
Official FedRAMP source
Verbatim from FedRAMP/rules
This requirement varies by FedRAMP Certification class. Each class has its own statement:
Class A
MAYProviders seeking 20x Class A Certification MAY supply historical metrics for Key Security Indicators.
Class B
SHOULDProviders seeking 20x Class B Certification SHOULD supply historical metrics for Key Security Indicators.
Class C
MUSTProviders seeking 20x Class C Certification MUST supply historical metrics including status from persistent validation over at least the past 6 months for all Key Security Indicators.
Class D
MUSTProviders seeking 20x Class D Certification MUST provide historical metrics including status from persistent validation over at least the past 18 months for all Key Security Indicators.
Defined terms in this requirement
Notes
- For initial FedRAMP Certification, providers will need to have mechanisms in place and agree to meet this requirement in the event the cloud service has not been operating with related metrics available for the required period prior to applying for initial certification.
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.