FedRAMP 20x Certification Rules
FedRAMP 20x Certification Rules replace long traditional narrative descriptions and web pages with simple declarative statements that are intended to be easy to follow and address one by one. All applicable rules must be followed to obtain and maintain a FedRAMP Certification.
In general, most cloud service providers will approach the FedRAMP 20x Certification Rules as follows:
- Marketplace Listing helps you get listed on the FedRAMP Marketplace.
- FedRAMP Certification explains the high-level requirements for FedRAMP Certification.
- Boundary Rulesets tell you how to establish, maintain, and protect the information resources that will be within the scope of your FedRAMP Certification.
- Assurance Rulesets list all of the special expectations that are necessary for assuring government customers that you are protecting their information.

  Assurance Rulesets will require new engineering and product work!

  Government customers expect significantly more ongoing assurance about the confidentiality, integrity, and availability of federal information than private sector companies do. You will almost certainly need to design and build new capabilities to provide this assurance.

  FedRAMP has established a minimum set of assurances that should be adequate for federal agencies, but specific customers may require additional assurance due to the risk and complexity of their use case.
- Package Rulesets outline how all of this information should be supplied for FedRAMP.
- Key Security Indicators summarize the security capabilities that a high-quality cloud service offering will prove and measure to maintain its own security and assure its government customers that it is doing so.