Skip to main content
Pricing
Sign inRequest demo
SDR-CSX-KSIMUST20x onlyImplementation guide coming soon

Key Security Indicators

Security Decision Record (SDR) · CSX

Applies to: Providers
Who this applies to
Providers
Service class
All service classes
Force
MUST
Timeframe
No fixed timeframe

Reviewed implementation guidance for SDR-CSX-KSI is not published yet. The official source below remains complete and authoritative.

Information required

  • Explanation of measures (and their objectives) that demonstrate the Key Security Indicator, or an explanation of the reason and resulting risk to customers for not having measures available for that Key Security Indicator.
  • Explanation of the cycle for any measures that are implemented persistently (if applicable).
  • Verification that the measures demonstrate the Key Security Indicator, or that the reason for not having them is accepted.
  • Verification that the automation in place is accurate and sufficient to demonstrate appropriate measures for the Key Security Indicator, or that automation is not necessary for each measure.
  • Validation that the measures are accurately produced and are in place and working as intended, or that the reason for not having them is valid.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST also include short and simple high-level summaries of at least the following for each applicable Key Security Indicator:

Defined terms in this requirement

Operationalize this rule

Boundera turns FedRAMP 20x requirements like SDR-CSX-KSI into assigned evidence, remediation work, and validation workflows.

Request demo

Change history

  • 2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.