FedRAMP 20x for cloud service providers
Know what is required. Build it. Prove it.
Search every KSI and the 148 rules addressed to providers. See the requirement, implementation guidance, and evidence context without sorting through obligations owned by agencies, assessors, or FedRAMP.
Based on FedRAMP/rules 2026.06.04.01-preview, updated 2026-06-04
CSP implementation explorer
Showing 148 of 254 CSP resources
CCM-OCR-AFS: Anonymized Feedback Summary (Provider rule; CCM; MUST; All service classes; Official source)
CCM-OCR-AVL: Report Availability (Provider rule; CCM; MUST; All service classes; Official source)
CCM-OCR-FBM: Feedback Mechanism (Provider rule; CCM; MUST; All service classes; Official source)
CCM-OCR-LSI: Limit Sensitive Information (Provider rule; CCM; MUST NOT; All service classes; Official source)
CCM-OCR-NRD: Next Report Date (Provider rule; CCM; MUST; All service classes; Official source)
CCM-OCR-RPS: Responsible Public Certification Report Sharing (Provider rule; CCM; MAY; All service classes; Official source)
CCM-OCR-SOR: Spread Out Reports (Provider rule; CCM; SHOULD; All service classes; Official source)
CCM-QTR-ACT: Additional Content (Provider rule; CCM; SHOULD; All service classes; Official source)
CCM-QTR-MTG: Quarterly Review Meeting (Provider rule; CCM; Classes A, B, C, D; Official source)
CCM-QTR-NID: No Irresponsible Disclosure (Provider rule; CCM; MUST NOT; All service classes; Official source)
CCM-QTR-NRD: Next Review Date (Provider rule; CCM; MUST; All service classes; Official source)
CCM-QTR-REG: Meeting Registration Info (Provider rule; CCM; MUST; All service classes; Official source)
CCM-QTR-RTP: Restrict Third Parties (Provider rule; CCM; SHOULD NOT; All service classes; Official source)
CCM-QTR-RTR: Record/Transcribe Reviews (Provider rule; CCM; SHOULD; All service classes; Official source)
CCM-QTR-SAR: Schedule Around Reports (Provider rule; CCM; SHOULD; All service classes; Official source)
CCM-QTR-SCR: Share Content Responsibly (Provider rule; CCM; MAY; All service classes; Official source)
CCM-QTR-SRR: Share Recordings Responsibly (Provider rule; CCM; MAY; All service classes; Official source)
CDS-CSO-AVR: Availability Reporting (Provider rule; CDS; Classes A, B, C, D; Official source)
CDS-CSO-CBF: Consistency Between Formats (Provider rule; CDS; MUST; All service classes; Official source)
CDS-CSO-HAD: Historical FedRAMP Certification Data (Provider rule; CDS; MUST; All service classes; Official source)
CDS-CSO-PSM: Per-Service Certification Materials (Provider rule; CDS; Classes A, B, C, D; Official source)
CDS-CSO-PUB: Public Information (Provider rule; CDS; MUST; All service classes; Official source)
CDS-CSO-RIS: Responsible Information Sharing (Provider rule; CDS; MUST; All service classes; Official source)
CDS-CSO-RPS: Responsible Public Package Sharing (Provider rule; CDS; MAY; All service classes; Official source)
CDS-CSO-SVC: Service List (Provider rule; CDS; MUST; All service classes; Official source)
CDS-CSO-UTC: Use Trust Centers (Provider rule; CDS; MUST; All service classes; Official source)
CDS-TRC-AAI: Agency Access Inventory (Provider rule; CDS; MUST; All service classes; Official source)
CDS-TRC-ACL: Access Logging (Provider rule; CDS; MUST; All service classes; Official source)
CDS-TRC-HMR: Human and Machine-Readable Certification Data (Provider rule; CDS; SHOULD; All service classes; Official source)
CDS-TRC-PAC: Programmatic Access (Provider rule; CDS; MUST; All service classes; Official source)
CDS-TRC-SSM: Self-Service Access Management (Provider rule; CDS; SHOULD; All service classes; Official source)
CDS-TRC-USH: Uninterrupted Sharing (Provider rule; CDS; MUST; All service classes; Official source)
CDS-UTC-AAD: Agency Access Denial (Provider rule; CDS; MUST; All service classes; Official source)
CDS-UTC-AGA: Agency Access (Provider rule; CDS; SHOULD; All service classes; Official source)
FRA-CSO-RAA: Receiving Assessor Advice (Provider rule; FRA; MAY; All service classes; Official source)
FRA-CSO-STE: Supply Technical Evidence (Provider rule; FRA; SHOULD; All service classes; Official source)
FSI-CSO-ACK: Acknowledge Receipt (Provider rule; FSI; SHOULD; All service classes; Official source)
FSI-CSO-CRA: Complete Required Actions (Provider rule; FSI; MUST; All service classes; Official source)
FSI-CSO-EMR: Emergency Message Routing (Provider rule; FSI; MUST; All service classes; Official source)
FSI-CSO-IMA: Important Message Actions (Provider rule; FSI; SHOULD; All service classes; Official source)
FSI-CSO-INB: Maintain a FedRAMP Security Inbox (Provider rule; FSI; MUST; All service classes; Official source)
FSI-CSO-NOC: Notification of Changes (Provider rule; FSI; MUST; All service classes; Official source)
FSI-CSO-RCV: Receive Email Without Disruption (Provider rule; FSI; MUST; All service classes; Official source)
FSI-CSO-TFG: Trust @fedramp.gov and @gsa.gov (Provider rule; FSI; MUST; All service classes; Official source)
ICP-CSO-AIR: Automated Incident Reporting (Provider rule; ICP; SHOULD; All service classes; Official source)
ICP-CSO-DPR: Default PAIN Rating (Provider rule; ICP; MUST; All service classes; Official source)
ICP-CSO-EFI: Estimate Federal Impact (Provider rule; ICP; SHOULD; All service classes; Official source)
ICP-CSO-EFR: Evaluate FedRAMP Reportability (Provider rule; ICP; MUST; All service classes; Official source)
ICP-CSO-FIR: Final Incident Report (Provider rule; ICP; Classes A, B, C, D; Official source)
ICP-CSO-IIR: Initial Incident Report (Provider rule; ICP; Classes A, B, C, D; Official source)
ICP-CSO-OIR: Ongoing Incident Reports (Provider rule; ICP; Classes A, B, C, D; Official source)
IFR-APP-AFC: Applying for FedRAMP Certification (Provider rule; IFR; MUST; All service classes; Official source)
IFR-APP-FCP: Fresh FedRAMP Certification Package (Provider rule; IFR; MUST; All service classes; Official source)
IFR-APP-FIA: Fresh Independent Assessment (Provider rule; IFR; MUST; All service classes; Official source)
IFR-APP-MLF: Marketplace Listing First (Provider rule; IFR; MUST; All service classes; Official source)
IFR-APS-ATO: Agency Authorization to Operate (Provider rule; IFR; MUST; All service classes; Official source)
IFR-CLA-AFR: Address FedRAMP Rules (Provider rule; IFR; MUST; All service classes; Official source)
IFR-CLA-ASF: Approved Alternative Security Frameworks (Provider rule; IFR; MUST; All service classes; Official source)
IFR-CLA-EAM: External Assessment Materials (Provider rule; IFR; MUST; All service classes; Official source)
IFR-CLA-IVV: Optional Independent Verification and Validation (Provider rule; IFR; MAY; All service classes; Official source)
IFR-CLA-KSM: Key Security Indicator Mapping (Provider rule; IFR; MUST; All service classes; Official source)
IFR-CSO-PKG: FedRAMP Certification Package (Provider rule; IFR; Classes A, B, C, D; Official source)
IFR-CSO-POP: Pick One Program Certification Type (Provider rule; IFR; MUST NOT; All service classes; Official source)
IFR-CSX-MAS: Application within MAS (Provider rule; IFR; SHOULD; All service classes; Official source)
IFR-CSX-SUM: Initial Implementation Summaries (Provider rule; IFR; MUST; All service classes; Official source)
MAS-CSO-FLO: Information Flows and Security Categories (Provider rule; MAS; MUST; All service classes; Official source)
MAS-CSO-IIR: Identify Information Resources (Provider rule; MAS; MUST; All service classes; Official source)
MAS-CSO-MDI: Metadata Inclusion (Provider rule; MAS; MUST; All service classes; Official source)
MAS-CSO-SUP: Supplemental Information (Provider rule; MAS; MAY; All service classes; Official source)
MAS-CSO-TPR: Third-Party Information Resources (Provider rule; MAS; MUST; All service classes; Official source)
MKT-CSO-AGU: Agency Use Cases (Provider rule; MKT; MUST; All service classes; Official source)
MKT-CSO-LRQ: Listing Requests for Providers (Provider rule; MKT; MUST; All service classes; Official source)
MKT-PRE-DCP: Demonstrating Continuous Progress (Provider rule; MKT; MUST; All service classes; Official source)
MKT-PRE-DLA: Deadline for Assessment (Provider rule; MKT; MUST; All service classes; Official source)
MKT-PRE-REQ: Preparation Phase Requirements (Provider rule; MKT; MUST; All service classes; Official source)
OFR-AFR-CCM: Collaborative Continuous Monitoring (Provider rule; OFR; MUST; All service classes; Official source)
OFR-AFR-CDS: FedRAMP Certification Data Sharing (Provider rule; OFR; MUST; All service classes; Official source)
OFR-AFR-FSI: FedRAMP Security Inbox (Provider rule; OFR; MUST; All service classes; Official source)
OFR-AFR-ICP: Incident Communications Procedures (Provider rule; OFR; MUST; All service classes; Official source)
OFR-AFR-MAS: Minimum Assessment Scope (Provider rule; OFR; MUST; All service classes; Official source)
OFR-AFR-SCG: Secure Configuration Guide (Provider rule; OFR; MUST; All service classes; Official source)
OFR-AFR-SCN: Significant Change Notifications (Provider rule; OFR; MUST; All service classes; Official source)
OFR-AFR-UCM: Using Cryptographic Modules (Provider rule; OFR; MUST; All service classes; Official source)
OFR-AFR-VDR: Vulnerability Detection and Response (Provider rule; OFR; MUST; All service classes; Implementation guidance)
OFR-CSO-IVV: Independent Verification and Validation (Provider rule; OFR; Classes A, B, C, D; Official source)
SCG-CSO-AUP: Use Instructions (Provider rule; SCG; MUST; All service classes; Official source)
SCG-CSO-PUB: Public Secure Configuration Guidance (Provider rule; SCG; SHOULD; All service classes; Official source)
SCG-CSO-RSC: Recommended Secure Configuration (Provider rule; SCG; MUST; All service classes; Official source)
SCG-CSO-SDF: Secure Defaults (Provider rule; SCG; SHOULD; All service classes; Official source)
SCG-ENH-API: API Capability (Provider rule; SCG; SHOULD; All service classes; Official source)
SCG-ENH-CMP: Comparison Capability (Provider rule; SCG; SHOULD; All service classes; Official source)
SCG-ENH-EXP: Export Capability (Provider rule; SCG; SHOULD; All service classes; Official source)
SCG-ENH-MRG: Machine-Readable Guidance (Provider rule; SCG; SHOULD; All service classes; Official source)
SCG-ENH-VRH: Versioning and Release History (Provider rule; SCG; SHOULD; All service classes; Official source)
SCN-ADP-NTF: Notification Requirements (Provider rule; SCN; MUST; All service classes; Official source)
SCN-CSO-ARI: Additional Relevant Information (Provider rule; SCN; MAY; All service classes; Official source)
SCN-CSO-EMG: Emergency Changes (Provider rule; SCN; MAY; All service classes; Official source)
SCN-CSO-EVA: Evaluate Changes (Provider rule; SCN; MUST; All service classes; Official source)
SCN-CSO-HIS: Historical Notifications (Provider rule; SCN; MUST; All service classes; Official source)
SCN-CSO-HRM: Human and Machine-Readable Notifications (Provider rule; SCN; MUST; All service classes; Official source)
SCN-CSO-INF: Required Information (Provider rule; SCN; MUST; All service classes; Official source)
SCN-CSO-MAR: Maintain Audit Records (Provider rule; SCN; MUST; All service classes; Official source)
SCN-CSO-NOM: Notification Mechanisms (Provider rule; SCN; MAY; All service classes; Official source)
SCN-RTR-NNR: No Notification Requirements (Provider rule; SCN; SHOULD NOT; All service classes; Official source)
SCN-TRF-NAF: Notification After Finishing (Provider rule; SCN; MUST; All service classes; Official source)
SCN-TRF-NAV: Notification After Verification (Provider rule; SCN; MUST; All service classes; Official source)
SCN-TRF-NFP: Notification of Final Plans (Provider rule; SCN; MUST; All service classes; Official source)
SCN-TRF-NIP: Notification of Initial Plans (Provider rule; SCN; MUST; All service classes; Official source)
SCN-TRF-TPR: Third-Party Review (Provider rule; SCN; SHOULD; All service classes; Official source)
SCN-TRF-UPD: Update Documentation (Provider rule; SCN; MUST; All service classes; Official source)
UCM-CSO-CAT: Configuration of Agency Tenants (Provider rule; UCM; SHOULD; All service classes; Official source)
UCM-CSO-CMD: Cryptographic Module Documentation (Provider rule; UCM; MUST; All service classes; Official source)
UCM-CSO-UVM: Using Validated Cryptographic Modules (Provider rule; UCM; Classes A, B, C, D; Official source)
VDR-BST-ADT: Automate Detection (Provider rule; VDR; SHOULD; All service classes; Official source)
VDR-BST-AKE: Avoid KEVs (Provider rule; VDR; SHOULD NOT; All service classes; Official source)
VDR-BST-DAC: Detect After Changes (Provider rule; VDR; SHOULD; All service classes; Official source)
VDR-BST-DFR: Design For Resilience (Provider rule; VDR; SHOULD; All service classes; Official source)
VDR-BST-MSP: Maintain Security (Provider rule; VDR; SHOULD NOT; All service classes; Official source)
VDR-BST-SIR: Sampling (Provider rule; VDR; MAY; All service classes; Official source)
VDR-CSO-DET: Vulnerability Detection (Provider rule; VDR; MUST; All service classes; Official source)
VDR-CSO-FAV: Failures Are Vulnerabilities (Provider rule; VDR; MUST; All service classes; Official source)
VDR-CSO-RES: Vulnerability Response (Provider rule; VDR; MUST; All service classes; Official source)
VDR-EVA-EFA: Evaluation Factors (Provider rule; VDR; SHOULD; All service classes; Official source)
VDR-EVA-EFP: Evaluate False Positives (Provider rule; VDR; SHOULD; All service classes; Official source)
VDR-EVA-EIR: Evaluate Internet-Reachability (Provider rule; VDR; MUST; All service classes; Official source)
VDR-EVA-ELX: Evaluate Exploitability (Provider rule; VDR; MUST; All service classes; Official source)
VDR-EVA-EPA: Estimate Potential Adverse Impact (Provider rule; VDR; MUST; All service classes; Official source)
VDR-EVA-GRV: Group Vulnerabilities (Provider rule; VDR; SHOULD; All service classes; Official source)
VDR-RPT-AVI: Accepted Vulnerability Info (Provider rule; VDR; MUST; All service classes; Official source)
VDR-RPT-HLO: High-Level Overviews (Provider rule; VDR; SHOULD; All service classes; Official source)
VDR-RPT-NID: Responsible Disclosure (Provider rule; VDR; MUST NOT; All service classes; Official source)
VDR-RPT-PER: Persistent Reporting (Provider rule; VDR; MUST; All service classes; Official source)
VDR-RPT-RPD: Responsible Public Disclosure (Provider rule; VDR; MAY; All service classes; Official source)
VDR-RPT-VDT: Vulnerability Details (Provider rule; VDR; MUST; All service classes; Official source)
VDR-TFR-EVU: Evaluate Vulnerabilities Quickly (Provider rule; VDR; Classes A, B, C, D; Official source)
VDR-TFR-IRI: Internet-Reachable Incidents (Provider rule; VDR; Classes A, B, C, D; Official source)
VDR-TFR-KEV: Remediate KEVs (Provider rule; VDR; SHOULD; All service classes; Official source)
VDR-TFR-MAV: Mark Accepted Vulnerabilities (Provider rule; VDR; MUST; All service classes; Official source)
VDR-TFR-MHR: Monthly Activity Report (Provider rule; VDR; MUST; All service classes; Official source)
VDR-TFR-MRH: Historical Activity (Provider rule; VDR; Classes A, B, C, D; Official source)
VDR-TFR-MVX: Persistent Machine Verification and Validation for 20x (Provider rule; VDR; Classes A, B, C; Official source)
VDR-TFR-NMV: Non-Machine Verification and Validation (Provider rule; VDR; MUST; All service classes; Official source)
VDR-TFR-NRI: Non-Internet-Reachable Incidents (Provider rule; VDR; Classes A, B, C, D; Official source)
VDR-TFR-PCD: Persistently Complete Detection (Provider rule; VDR; Classes A, B, C, D; Official source)
VDR-TFR-PDD: Persistent Drift Detection (Provider rule; VDR; Classes A, B, C, D; Official source)
VDR-TFR-PSD: Persistent Sample Detection (Provider rule; VDR; Classes A, B, C, D; Official source)
VDR-TFR-PVR: Mitigation and Remediation Expectations (Provider rule; VDR; Classes A, B, C, D; Official source)
VDR-TFR-RMN: Remaining Vulnerabilities (Provider rule; VDR; SHOULD; All service classes; Official source)