SCG-CSO-SDFSHOULDAll frameworksImplementation guide coming soon

Secure Defaults

Secure Configuration Guide (SCG) · General Provider Responsibilities

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: SHOULD
Timeframe: No fixed timeframe

Reviewed implementation guidance for SCG-CSO-SDF is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.

Defined terms in this requirement

Privileged Account Provider Top-Level Administrative Account

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.