SCN-ADP-NTFMUSTAll frameworksImplementation guide coming soonNotification Requirements
Significant Change Notifications (SCN) · Adaptive Changes
Applies to: ProvidersTimeframe: 10 business days
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- 10 business days
Reviewed implementation guidance for SCN-ADP-NTF is not published yet. The official source below remains complete and authoritative.
Information required
- Summary of any new risks identified and/or vulnerabilities resulting from the change (if applicable)
Examples
Tips on adaptive changes
- Requires minimal changes to security plans or procedures
- Requires some careful planning and project management to implement, but does not rise to the level of planning required for transformative changes
- Requires verification of existing functionality and secure configuration after implementation
Notification
- Notify All Necessary Parties via update:
FedRAMP Certification Data
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST notify all necessary parties within 10 business days after finishing adaptive changes, also including the following information:
Defined terms in this requirement
Notes
- Activities that match the adaptive significant change type are a frequent and normal part of iteratively improving a service by deploying new functionality or modifying existing functionality in a way that is typically transparent to customers and does not introduce significant new security risks.
- In general, most changes that do not happen regularly will be adaptive changes. This change type deliberately covers a wide range of activities in a way that requires assessment and consideration.
Change history
2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.