SCG-CSO-RSC · MUST

Recommended Secure Configuration

Secure Configuration Guide (SCG) · General Provider Responsibilities

Applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: No fixed timeframe

Reviewed implementation guidance for SCG-CSO-RSC is not published yet. The official source below remains complete and authoritative.

Information required

  • Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
  • Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications.
  • Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that includes at least the following information:

Notes

  • These rules refer to this guidance as a Secure Configuration Guide but cloud service providers may make this guidance available in various appropriate forms that provide the best customer experience.
  • This guidance should explain how top-level administrative accounts are named and referred to in the cloud service offering.

Change history

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules. Boundera implementation guidance has not been fully reviewed for this item.