SDR-CSO-FRRMUSTAll frameworksImplementation guide coming soonFedRAMP Rules
Security Decision Record (SDR) · General Provider Responsibilities
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for SDR-CSO-FRR is not published yet. The official source below remains complete and authoritative.
Information required
- Explanation of how the rule is followed, or an explanation of the reason and resulting risk to customers for not following the rule.
- Verification that the implementation is appropriate for the rule, or that the reason for not implementing is accepted by a senior official.
- Validation that the implementation is in place and working as intended, or that the reason for not implementing is accepted by a senior official.
- Independent verification.
- Independent validation.
- Any responses or clarifications to the comments in the independent verification or validation.
- Rule-specific artifacts (if applicable).
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST supply a Security Decision Record, in both human-readable and JSON formats, that includes at least all of the following information for each applicable FedRAMP rule:
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.