SDR-CSX-KSIMUST20x onlyImplementation guide coming soonKey Security Indicators
Security Decision Record (SDR) · CSX
Applies to: Providers
- Who this applies to
- Providers
- Service class
- All service classes
- Force
- MUST
- Timeframe
- No fixed timeframe
Reviewed implementation guidance for SDR-CSX-KSI is not published yet. The official source below remains complete and authoritative.
Information required
- Explanation of measures (and their objectives) that demonstrate the Key Security Indicator, or an explanation of the reason and resulting risk to customers for not having measures available for that Key Security Indicator.
- Explanation of the cycle for any measures that are implemented persistently (if applicable).
- Verification that the measures demonstrate the Key Security Indicator, or that the reason for not having them is accepted.
- Verification that the automation in place is accurate and sufficient to demonstrate appropriate measures for the Key Security Indicator, or that automation is not necessary for each measure.
- Validation that the measures are accurately produced and are in place and working as intended, or that the reason for not having them is valid.
Official FedRAMP source
Verbatim from FedRAMP/rules
Providers MUST also include short and simple high-level summaries of at least the following for each applicable Key Security Indicator:
Defined terms in this requirement
Change history
2026-06-24Official launch of the FedRAMP Consolidated Rules for 2026.
Content provenance
Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.