OFR-CSO-IVV

Independent Verification and Validation

Ongoing FedRAMP Certification (OFR) · General Provider Responsibilities

Applies to: Providers
Service class: Varies (A, B, C, D)
Force: Varies by class
Timeframe: No fixed timeframe

Reviewed implementation guidance for OFR-CSO-IVV is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

This requirement varies by FedRAMP Certification class. Each class has its own statement:

Class A

MAY 1 years
Providers with Class A Certifications MAY persistently complete an independent verification and validation assessment at least once per year; these assessments MAY be performed by a FedRAMP Recognized independent assessor OR by FedRAMP directly; the results of these assessments MAY be included in their FedRAMP Certification Data without inappropriate modification.

Class B

MUST 1 years
Providers with Class B Certifications MUST persistently complete an independent verification and validation assessment at least once per year; these assessments MUST be performed by a FedRAMP Recognized independent assessor OR by FedRAMP directly; the results of these assessments MUST be included in their FedRAMP Certification Data without inappropriate modification.

Class C

MUST 1 years
Providers with Class C Certifications MUST persistently complete an independent verification and validation assessment at least once per year; these assessments MUST be performed by a FedRAMP Recognized independent assessor OR by FedRAMP directly; the results of these assessments MUST be included in their FedRAMP Certification Data without inappropriate modification.

Class D

MUST 1 years
Providers with Class D Certifications MUST persistently complete an independent verification and validation assessment at least once per year; these assessments MUST be performed by a FedRAMP Recognized independent assessor OR by FedRAMP directly; the results of these assessments MUST be included in their FedRAMP Certification Data without inappropriate modification.

Notes

  • The first such completed assessment is typically called an "initial assessment" while following assessments are called "annual assessments."
  • The specific requirements for independent verification and validation assessments are documented by the FedRAMP Certification Class and Type.
  • The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council.
  • FedRAMP Recognized independent assessors are listed on the FedRAMP Marketplace.

Change history

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.