IVV-CSX-AIA20x onlyImplementation guide coming soonAnnual Independent Assessments for 20x
Independent Verification and Validation (IVV) · CSX
Applies to: Providers
- Who this applies to
- Providers
- Service class
- Varies: A, B, C, D
- Force
- Varies by class
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for IVV-CSX-AIA is not published yet. The official source below remains complete and authoritative.
Official FedRAMP source
Verbatim from FedRAMP/rules
This requirement varies by FedRAMP Certification class. Each class has its own statement:
Class A
MUSTProviders with 20x Class A Certifications MUST meet the expectations of their underlying alternative security framework as part of their persistent independent verification and validation assessment.
Class B
MUST 1 yearsProviders with 20x Class B Certifications MUST include all Key Security Indicators in a FedRAMP independent assessment at least once per year.
Class C
MUST 1 yearsProviders with 20x Class C Certifications MUST include all Key Security Indicators in a FedRAMP independent assessment at least once per year.
Class D
MUST 1 yearsProviders with 20x Class D Certifications MUST include all Key Security Indicators in a FedRAMP independent assessment at least once per year.
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.