IFR-CLA-AFRMUSTAll frameworksImplementation guide coming soonAddress FedRAMP Rules
Initial FedRAMP Certification (IFR) · FedRAMP Class A Certification Rules
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for IFR-CLA-AFR is not published yet. The official source below remains complete and authoritative.
Information required
- FedRAMP Certification: IFR-CSO-POP (Pick One Program Certification Type)
- Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
- Certification Data Sharing: CDS-CSO-PUB (Public Information)
- Certification Data Sharing: CDS-CSO-UTC (Use Trust Centers)
- Certification Data Sharing: CDS-UTC-AAD (Agency Access Denial)
- FedRAMP Security Inbox: FSI-CSO-INB (Maintain a FedRAMP Security Inbox)
- FedRAMP Security Inbox: FSI-CSO-RCV (Receive Email Without Disruption)
- FedRAMP Security Inbox: FSI-CSO-CRA (Complete Required Actions)
- Incident Communications Procedures: ICP-CSO-EFR (Evaluate FedRAMP Reportability)
- Vulnerability Detection and Response: VDR-CSO-DET (Vulnerability Detection)
- Continuous Collaborative Monitoring: CCM-OCR-AVL (Report Availability)
- Continuous Collaborative Monitoring: CCM-OCR-NRD (Next Report Date)
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers seeking a Class A FedRAMP Certification MUST address the following FedRAMP rules and supply the appropriate artifacts or information mapping in the FedRAMP Certification Package:
Defined terms in this requirement
Notes
- If the alternative security framework has existing rules that align with these FedRAMP rules then a mapping to the alternative security framework content may be supplied instead of generating new artifacts.
Change history
2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.