Independent Verification and Validation
This ruleset explains the expectations for independent verification and validation assessments.
Subsets
Effective Date(s) & Overall Applicability for Rev5
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2027-01-01
- Maintain: 2027-01-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01
General Provider Responsibilities
These rules apply to cloud service providers obtaining and maintaining any FedRAMP Certification.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: Providers
FedRAMP Independent Assessments
IVV-CSO-FIA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers with Class A Certifications MAY persistently complete an independent verification and validation assessment of all applicable FedRAMP rules with a FedRAMP Recognized independent assessment service OR FedRAMP at least once per year; this is a FedRAMP independent assessment.
Timeframe: 1 year
Providers with Class B Certifications MUST persistently complete an independent verification and validation assessment of all applicable FedRAMP rules with a FedRAMP Recognized independent assessment service OR FedRAMP at least once per year; this is a FedRAMP independent assessment.
Timeframe: 1 year
Providers with Class C Certifications MUST persistently complete an independent verification and validation assessment of all applicable FedRAMP rules with a FedRAMP Recognized independent assessment service OR FedRAMP at least once per year; this is a FedRAMP independent assessment.
Timeframe: 1 year
Providers with Class D Certifications MUST persistently complete an independent verification and validation assessment of all applicable FedRAMP rules with a FedRAMP Recognized independent assessment service OR FedRAMP at least once per year; this is a FedRAMP independent assessment.
Timeframe: 1 year
Notes:
- The first such completed assessment is typically called an "initial assessment," while subsequent assessments are called "annual assessments."
- The specific requirements for independent verification and validation assessments are documented by the FedRAMP Certification Class and Type.
- The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council; this is _extremely rare._
- FedRAMP Recognized independent assessment services are listed on the FedRAMP Marketplace.
Terms: Certification Class, FedRAMP Independent Assessment, FedRAMP Recognized, Persistently, Validation, Verification
Supply Evidence of Implementation
IVV-CSO-SEI
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST supply evidence to all necessary assessors of the implementation of the measures that have been documented to meet FedRAMP Practices; this evidence is the result of verification.
Note: For example, if the documentation says that firewall rules are used to block traffic then the cloud service provider would verify that firewall rules are in place to block traffic and supply that evidence to assessors (preferably by allowing them to see how firewall configurations are deployed from a source of truth).
Terms: All Necessary Assessors, FedRAMP Practices, Verification
Supply Evidence of Effectiveness
IVV-CSO-SEE
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST supply evidence to all necessary assessors of the effectiveness of the measures that have been implemented to meet FedRAMP Practices; this evidence is the result of validation.
Note: For example, after verifying that firewalls are configured to block traffic following IVV-CSO-SEI (Supply Evidence of Implementation), the provider would validate that traffic is actually being blocked and supply evidence of that validation to assessors (such as by allowing them to see metrics on the traffic that is blocked vs not).
Terms: All Necessary Assessors, FedRAMP Practices, Validation
Inclusion in Certification Package
IVV-CSO-ICP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST supply the results of FedRAMP independent assessments in their FedRAMP Certification Package without inappropriate modification.
Notes:
- Inappropriate modification in this context means changing the underlying intent or meaning of the content provided by the independent assessment service; the content itself may still be modified for presentation, formatting, etc. as needed.
- This rule is related to IVV-IAS-VIP (Verify Inclusion in Certification Package).
Terms: Certification Package, FedRAMP Independent Assessment, Verification
Document Use of Representative Samples
IVV-CSO-DUS
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST document and explain the use of representative samples during verification and validation when using representative samples as allowed by IVV-CSO-USR (Use Representative Samples).
Terms: Validation, Verification
Supply Technical Explanations
IVV-CSO-STE
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD supply all necessary assessors with technical explanations, demonstrations, and other relevant supporting information about the technical capabilities they employ to address FedRAMP rules; this SHOULD be supplied as necessary to ensure the assessor can effectively complete verification and validation.
Use Representative Samples
IVV-CSO-USR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MAY use representative samples as appropriate during verification and validation.
Note: Many modern cloud services using effective automation do not need to use representative sampling and are capable of persistently verifying and validating the majority of their security measures automatically.
Terms: Persistently, Validation, Verification
Receiving Assessor Advice
IVV-CSO-RAA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their verification, validation, and reporting procedures, UNLESS doing so is likely to compromise the objectivity and integrity of the assessment.
Terms: Likely, Validation, Verification
Rev5-Specific Provider Responsibilities
These rules apply to providers for FedRAMP Rev5 Certifications.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: Providers
Annual Independent Assessments for Rev5
IVV-CSF-AIA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers with Rev5 Class B Certifications MUST include the following Rev5 Controls in a FedRAMP independent assessment at least once per year:
Timeframe: 1 year
Rev5 Control List
- Access Control (AC)
  - AC-02 (Account Management)
  - AC-03 (Access Enforcement)
- Audit and Accountability (AU)
  - AU-02 (Event Logging)
  - AU-03 (Content of Audit Records)
  - AU-04 (Audit Log Storage Capacity)
  - AU-05 (Response to Audit Logging Process Failures)
  - AU-06 (Audit Record Review, Analysis, and Reporting)
  - AU-08 (Time Stamps)
  - AU-11 (Audit Record Retention)
  - AU-12 (Audit Record Generation)
- Assessment, Authorization, and Monitoring (CA)
  - CA-08 (Penetration Testing)
- Configuration Management (CM)
  - CM-05 (Access Restrictions for Change)
  - CM-06 (Configuration Settings)
  - CM-07 (Least Functionality)
  - CM-08 (System Component Inventory)
- Contingency Planning (CP)
  - CP-04 (Contingency Plan Testing)
- Identification and Authentication (IA)
  - IA-02 (Identification and Authentication (Organizational Users))
  - IA-02 (01) (Multi-factor Authentication to Privileged Accounts)
  - IA-02 (02) (Multi-factor Authentication to Non-privileged Accounts)
  - IA-02 (08) (Access to Accounts — Replay Resistant)
  - IA-02 (12) (Acceptance of PIV Credentials)
  - IA-04 (Identifier Management)
  - IA-05 (Authenticator Management)
- Incident Response (IR)
  - IR-04 (Incident Handling)
- Physical and Environmental Protection (PE)
  - PE-03 (Physical Access Control)
- Risk Assessment (RA)
  - RA-05 (Vulnerability Monitoring and Scanning)
  - RA-05 (02) (Update Vulnerabilities to Be Scanned)
- System and Services Acquisition (SA)
  - SA-09 (External System Services)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
  - SI-03 (Malicious Code Protection)
Providers with Rev5 Class C Certifications MUST include the following Rev5 Controls in a FedRAMP independent assessment at least once per year:
Timeframe: 1 year
Rev5 Control List
- Access Control (AC)
  - AC-02 (Account Management)
  - AC-02 (01) (Automated System Account Management)
  - AC-02 (02) (Automated Temporary and Emergency Account Management)
  - AC-02 (03) (Disable Accounts)
  - AC-02 (04) (Automated Audit Actions)
  - AC-02 (05) (Inactivity Logout)
  - AC-02 (07) (Privileged User Accounts)
  - AC-02 (09) (Restrictions on Use of Shared and Group Accounts)
  - AC-02 (12) (Account Monitoring for Atypical Usage)
  - AC-02 (13) (Disable Accounts for High-risk Individuals)
  - AC-03 (Access Enforcement)
  - AC-06 (Least Privilege)
  - AC-06 (02) (Non-privileged Access for Nonsecurity Functions)
  - AC-06 (05) (Privileged Accounts)
  - AC-06 (10) (Prohibit Non-privileged Users from Executing Privileged Functions)
  - AC-17 (02) (Protection of Confidentiality and Integrity Using Encryption)
- Audit and Accountability (AU)
  - AU-02 (Event Logging)
  - AU-03 (Content of Audit Records)
  - AU-03 (01) (Additional Audit Information)
  - AU-04 (Audit Log Storage Capacity)
  - AU-05 (Response to Audit Logging Process Failures)
  - AU-06 (Audit Record Review, Analysis, and Reporting)
  - AU-06 (01) (Automated Process Integration)
  - AU-06 (03) (Correlate Audit Record Repositories)
  - AU-08 (Time Stamps)
  - AU-11 (Audit Record Retention)
  - AU-12 (Audit Record Generation)
- Assessment, Authorization, and Monitoring (CA)
  - CA-08 (01) (Independent Penetration Testing Agent or Team)
  - CA-08 (02) (Red Team Exercises)
- Configuration Management (CM)
  - CM-05 (Access Restrictions for Change)
  - CM-06 (Configuration Settings)
  - CM-06 (01) (Automated Management, Application, and Verification)
  - CM-07 (Least Functionality)
  - CM-07 (01) (Periodic Review)
  - CM-07 (02) (Prevent Program Execution)
  - CM-07 (05) (Authorized Software — Allow-by-exception)
  - CM-08 (System Component Inventory)
- Contingency Planning (CP)
  - CP-04 (Contingency Plan Testing)
- Identification and Authentication (IA)
  - IA-02 (Identification and Authentication (Organizational Users))
  - IA-02 (01) (Multi-factor Authentication to Privileged Accounts)
  - IA-02 (02) (Multi-factor Authentication to Non-privileged Accounts)
  - IA-02 (05) (Individual Authentication with Group Authentication)
  - IA-02 (06) (Access to Accounts — Separate Device)
  - IA-02 (08) (Access to Accounts — Replay Resistant)
  - IA-02 (12) (Acceptance of PIV Credentials)
  - IA-04 (Identifier Management)
  - IA-05 (Authenticator Management)
- Incident Response (IR)
  - IR-03 (Incident Response Testing)
  - IR-04 (Incident Handling)
  - IR-04 (01) (Automated Incident Handling Processes)
- Maintenance (MA)
  - MA-03 (02) (Inspect Media)
- Physical and Environmental Protection (PE)
  - PE-03 (Physical Access Control)
- Risk Assessment (RA)
  - RA-05 (Vulnerability Monitoring and Scanning)
  - RA-05 (02) (Update Vulnerabilities to Be Scanned)
  - RA-05 (03) (Breadth and Depth of Coverage)
- System and Services Acquisition (SA)
  - SA-09 (External System Services)
  - SA-11 (01) (Static Code Analysis)
- System and Communications Protection (SC)
  - SC-07 (Boundary Protection)
  - SC-07 (03) (Access Points)
  - SC-07 (04) (External Telecommunications Services)
  - SC-07 (05) (Deny by Default — Allow by Exception)
  - SC-07 (07) (Split Tunneling for Remote Devices)
  - SC-07 (08) (Route Traffic to Authenticated Proxy Servers)
  - SC-07 (12) (Host-based Protection)
  - SC-07 (18) (Fail Secure)
  - SC-08 (Transmission Confidentiality and Integrity)
  - SC-12 (Cryptographic Key Establishment and Management)
  - SC-13 (Cryptographic Protection)
  - SC-21 (Secure Name/Address Resolution Service (Recursive or Caching Resolver))
  - SC-28 (Protection of Information at Rest)
  - SC-45 (01) (Synchronization with Authoritative Time Source)
- System and Information Integrity (SI)
  - SI-03 (Malicious Code Protection)
  - SI-04 (01) (System-wide Intrusion Detection System)
  - SI-04 (02) (Automated Tools and Mechanisms for Real-time Analysis)
  - SI-04 (16) (Correlate Monitoring Information)
  - SI-04 (23) (Host-based Devices)
  - SI-06 (Security and Privacy Function Verification)
  - SI-07 (Software, Firmware, and Information Integrity)
  - SI-07 (01) (Integrity Checks)
  - SI-10 (Information Input Validation)
Providers with Rev5 Class D Certifications MUST include the following Rev5 Controls in a FedRAMP independent assessment at least once per year:
Timeframe: 1 year
Rev5 Control List
- Access Control (AC)
  - AC-02 (Account Management)
  - AC-02 (01) (Automated System Account Management)
  - AC-02 (02) (Automated Temporary and Emergency Account Management)
  - AC-02 (03) (Disable Accounts)
  - AC-02 (04) (Automated Audit Actions)
  - AC-02 (05) (Inactivity Logout)
  - AC-02 (07) (Privileged User Accounts)
  - AC-02 (09) (Restrictions on Use of Shared and Group Accounts)
  - AC-02 (11) (Usage Conditions)
  - AC-02 (12) (Account Monitoring for Atypical Usage)
  - AC-02 (13) (Disable Accounts for High-risk Individuals)
  - AC-03 (Access Enforcement)
  - AC-06 (Least Privilege)
  - AC-06 (02) (Non-privileged Access for Nonsecurity Functions)
  - AC-06 (03) (Network Access to Privileged Commands)
  - AC-06 (05) (Privileged Accounts)
  - AC-06 (08) (Privilege Levels for Code Execution)
  - AC-06 (10) (Prohibit Non-privileged Users from Executing Privileged Functions)
  - AC-17 (02) (Protection of Confidentiality and Integrity Using Encryption)
- Audit and Accountability (AU)
  - AU-02 (Event Logging)
  - AU-03 (Content of Audit Records)
  - AU-03 (01) (Additional Audit Information)
  - AU-04 (Audit Log Storage Capacity)
  - AU-05 (Response to Audit Logging Process Failures)
  - AU-05 (01) (Storage Capacity Warning)
  - AU-05 (02) (Real-time Alerts)
  - AU-06 (Audit Record Review, Analysis, and Reporting)
  - AU-06 (01) (Automated Process Integration)
  - AU-06 (03) (Correlate Audit Record Repositories)
  - AU-06 (04) (Central Review and Analysis)
  - AU-06 (05) (Integrated Analysis of Audit Records)
  - AU-06 (06) (Correlation with Physical Monitoring)
  - AU-06 (07) (Permitted Actions)
  - AU-08 (Time Stamps)
  - AU-10 (Non-repudiation)
  - AU-11 (Audit Record Retention)
  - AU-12 (Audit Record Generation)
  - AU-12 (01) (System-wide and Time-correlated Audit Trail)
  - AU-12 (03) (Changes by Authorized Individuals)
- Assessment, Authorization, and Monitoring (CA)
  - CA-08 (01) (Independent Penetration Testing Agent or Team)
  - CA-08 (02) (Red Team Exercises)
- Configuration Management (CM)
  - CM-05 (Access Restrictions for Change)
  - CM-06 (Configuration Settings)
  - CM-06 (01) (Automated Management, Application, and Verification)
  - CM-06 (02) (Respond to Unauthorized Changes)
  - CM-07 (Least Functionality)
  - CM-07 (01) (Periodic Review)
  - CM-07 (02) (Prevent Program Execution)
  - CM-07 (05) (Authorized Software — Allow-by-exception)
  - CM-08 (System Component Inventory)
- Contingency Planning (CP)
  - CP-04 (Contingency Plan Testing)
- Identification and Authentication (IA)
  - IA-02 (Identification and Authentication (Organizational Users))
  - IA-02 (01) (Multi-factor Authentication to Privileged Accounts)
  - IA-02 (02) (Multi-factor Authentication to Non-privileged Accounts)
  - IA-02 (05) (Individual Authentication with Group Authentication)
  - IA-02 (06) (Access to Accounts — Separate Device)
  - IA-02 (08) (Access to Accounts — Replay Resistant)
  - IA-02 (12) (Acceptance of PIV Credentials)
  - IA-04 (Identifier Management)
  - IA-05 (Authenticator Management)
- Incident Response (IR)
  - IR-03 (Incident Response Testing)
  - IR-04 (Incident Handling)
  - IR-04 (01) (Automated Incident Handling Processes)
  - IR-04 (02) (Dynamic Reconfiguration)
  - IR-04 (04) (Information Correlation)
  - IR-04 (06) (Insider Threats)
- Maintenance (MA)
  - MA-03 (02) (Inspect Media)
- Physical and Environmental Protection (PE)
  - PE-03 (Physical Access Control)
- Risk Assessment (RA)
  - RA-05 (Vulnerability Monitoring and Scanning)
  - RA-05 (02) (Update Vulnerabilities to Be Scanned)
  - RA-05 (03) (Breadth and Depth of Coverage)
- System and Services Acquisition (SA)
  - SA-09 (External System Services)
  - SA-11 (01) (Static Code Analysis)
- System and Communications Protection (SC)
  - SC-07 (Boundary Protection)
  - SC-07 (03) (Access Points)
  - SC-07 (04) (External Telecommunications Services)
  - SC-07 (05) (Deny by Default — Allow by Exception)
  - SC-07 (07) (Split Tunneling for Remote Devices)
  - SC-07 (08) (Route Traffic to Authenticated Proxy Servers)
  - SC-07 (12) (Host-based Protection)
  - SC-07 (18) (Fail Secure)
  - SC-07 (20) (Dynamic Isolation and Segregation)
  - SC-07 (21) (Isolation of System Components)
  - SC-08 (Transmission Confidentiality and Integrity)
  - SC-12 (Cryptographic Key Establishment and Management)
  - SC-13 (Cryptographic Protection)
  - SC-21 (Secure Name/Address Resolution Service (Recursive or Caching Resolver))
  - SC-28 (Protection of Information at Rest)
  - SC-45 (01) (Synchronization with Authoritative Time Source)
- System and Information Integrity (SI)
  - SI-03 (Malicious Code Protection)
  - SI-04 (01) (System-wide Intrusion Detection System)
  - SI-04 (02) (Automated Tools and Mechanisms for Real-time Analysis)
  - SI-04 (10) (Visibility of Encrypted Communications)
  - SI-04 (16) (Correlate Monitoring Information)
  - SI-04 (19) (Risk for Individuals)
  - SI-04 (20) (Privileged Users)
  - SI-04 (23) (Host-based Devices)
  - SI-06 (Security and Privacy Function Verification)
  - SI-07 (Software, Firmware, and Information Integrity)
  - SI-07 (01) (Integrity Checks)
  - SI-10 (Information Input Validation)
Mandatory Control Assessment
IVV-CSF-MCA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST have all applicable Rev5 Controls included in FedRAMP independent assessments every 3 years but are not required to have all Rev5 Controls included in the same FedRAMP independent assessment.
Note: Traditionally this has been done by reviewing a rotating selection of Rev5 Controls at each annual assessment; however, this requirement is a ceiling, not a floor. See IVV-CSF-PCA (Preferred Control Assessment) for FedRAMP's recommended approach to Rev5 control assessments.
Assessment of Rev5 Controls with Findings
IVV-CSF-ACF
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST have Rev5 Controls with negative findings from the previous FedRAMP independent assessment included in the next FedRAMP independent assessment.
Preferred Control Assessment
IVV-CSF-PCA
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD include all applicable Rev5 Controls in each FedRAMP independent assessment.