Skip to main content
Pricing
Sign inRequest demo
SDR-CSO-FRRMUSTAll frameworksImplementation guide coming soon

FedRAMP Rules

Security Decision Record (SDR) · General Provider Responsibilities

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
MUST
Timeframe
No fixed timeframe

Reviewed implementation guidance for SDR-CSO-FRR is not published yet. The official source below remains complete and authoritative.

Information required

  • Explanation of how the rule is followed, or an explanation of the reason and resulting risk to customers for not following the rule.
  • Verification that the implementation is appropriate for the rule, or that the reason for not implementing is accepted by a senior official.
  • Validation that the implementation is in place and working as intended, or that the reason for not implementing is accepted by a senior official.
  • Independent verification.
  • Independent validation.
  • Any responses or clarifications to the comments in the independent verification or validation.
  • Rule-specific artifacts (if applicable).

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST supply a Security Decision Record, in both human-readable and JSON formats, that includes at least all of the following information for each applicable FedRAMP rule:

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like SDR-CSO-FRR into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.