FRR-IFR

Initial FedRAMP Certification

This ruleset explains how cloud service offerings obtain initial FedRAMP Certification across certification classes and paths.

14 provider requirements across 4 subsets.

CSO

General Provider Responsibilities

These rules apply to cloud service providers obtaining and maintaining any FedRAMP Certification.

IFR-CSO-PKG
FedRAMP Certification Package
IFR-CSO-POP
Pick One Program Certification Type
MUST NOT

CLA

FedRAMP Class A Certification Rules

These rules apply to providers seeking FedRAMP Class A Certifications.

IFR-CLA-ASF
Approved Alternative Security Frameworks
MUST
IFR-CLA-EAM
External Assessment Materials
MUST
IFR-CLA-AFR
Address FedRAMP Rules
MUST
IFR-CLA-IVV
Optional Independent Verification and Validation
MAY
IFR-CLA-KSM
Key Security Indicator Mapping
MUST

APP

Applying for FedRAMP Certification

These rules apply to cloud service providers who have met all other relevant rules and are ready to apply for any FedRAMP Certification.

IFR-APP-MLF
Marketplace Listing First
MUST
IFR-APP-AFC
Applying for FedRAMP Certification
MUST
IFR-APP-FCP
Fresh FedRAMP Certification Package
MUST
IFR-APP-FIA
Fresh Independent Assessment
MUST

APS

Applying for FedRAMP Certification with an Agency Sponsor

These rules apply to cloud service providers with an Agency Sponsor who have met all other relevant rules and are ready to apply for any FedRAMP Certification.

IFR-APS-ATO
Agency Authorization to Operate
MUST