SCN-CSO-INFMUSTAll frameworksImplementation guide coming soonRequired Information
Significant Change Notifications (SCN) · General Provider Responsibilities
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for SCN-CSO-INF is not published yet. The official source below remains complete and authoritative.
Information required
- Service Offering FedRAMP ID
- Assessor Name (if applicable)
- Related Vulnerability (if applicable)
- Significant Change type and explanation of categorization
- Short description of change
- Reason for change
- Summary of customer impact, including changes to services and customer configuration responsibilities
- Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted Key Security Indicators or controls
- Copy of the business or security impact analysis
- Name and title of approver
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST include at least the following information in Significant Change Notifications:
Defined terms in this requirement
Notes
- Structure of the information may vary depending on how the provider tracks this internally.
Change history
2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.