Skip to main content
Pricing
Sign inRequest demo
IVV-CSX-AIA20x onlyImplementation guide coming soon

Annual Independent Assessments for 20x

Independent Verification and Validation (IVV) · CSX

Applies to: Providers
Who this applies to
Providers
Service class
Varies: A, B, C, D
Force
Varies by class
Timeframe
No fixed timeframe

Reviewed implementation guidance for IVV-CSX-AIA is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

MUST
Providers with 20x Class A Certifications MUST meet the expectations of their underlying alternative security framework as part of their persistent independent verification and validation assessment.

Class B

MUST 1 years
Providers with 20x Class B Certifications MUST include all Key Security Indicators in a FedRAMP independent assessment at least once per year.

Class C

MUST 1 years
Providers with 20x Class C Certifications MUST include all Key Security Indicators in a FedRAMP independent assessment at least once per year.

Class D

MUST 1 years
Providers with 20x Class D Certifications MUST include all Key Security Indicators in a FedRAMP independent assessment at least once per year.

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like IVV-CSX-AIA into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.