Certification Package Overview
The Certification Package Overview rules outline the expectations for a simple overview of the cloud service offering that must be included within a FedRAMP Certification Package. This overview replaces the historically required base System Security Plan for FedRAMP Rev5 and is intended to provide a clear, concise, and consistent summary of the offering and the information included in the package to help customers understand the offering at a high level.
Subsets
- General Provider Responsibilities
- 20x-Specific Provider Responsibilities
- Rev5-Specific Provider Responsibilities
Effective Date(s) & Overall Applicability for 20x
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2026-07-04
- Maintain: 2027-01-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01
Effective Date(s) & Overall Applicability for Rev5
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2027-01-01
- Maintain: 2027-07-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01
General Provider Responsibilities
These rules apply to providers for FedRAMP Certifications of any type.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: Providers
Overview of the Cloud Service Offering
CPO-CSO-OVR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Related JSON Schema: FedRAMP Certification Package Overview Schema
Providers MUST supply a Certification Package Overview within their FedRAMP Certification Package, in both human-readable and JSON formats, that includes at least all of the information required by the following rules:
- Certification Package Overview: CPO-CSO-MTD (Certification Package Overview Metadata)
- Certification Data Sharing: CDS-CSO-PUB (Public Information)
- Certification Data Sharing: CDS-CSO-SVC (Public Service List)
- Certification Data Sharing: CDS-CSO-IRP (Include Relevant Policies)
- Minimum Assessment Scope: MAS-CSO-IIR (Identify Information Resources)
- Minimum Assessment Scope: MAS-CSO-FLO (Information Flows and Security Categories)
- Minimum Assessment Scope: MAS-CSO-TPR (Third-Party Information Resources)
- Using Cryptographic Modules: CMU-CSO-CMD (Cryptographic Module Documentation)
- Independent Verification and Validation: IVV-CSO-ICP (Inclusion in Certification Package)
Notes:
- For FedRAMP Rev5, the Certification Package Overview replaces the historically required System Security Plan (not including appendices).
- This list of rules may not apply to all FedRAMP Certification Classes or Types; if a rule does not apply, the information it calls for is not required.
Terms: Certification Class, Certification Data, Certification Package, Information Resource, Security Category, Third-Party Information Resource, Validation, Verification
Certification Package Overview Metadata
CPO-CSO-MTD
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST also include the following basic metadata in their Certification Package Overview:
- Name, title, and contact information of the official who is responsible and accountable for the FedRAMP Certification Package
- Version
- Date and time of last update
- Source of update
Terms: Certification Package
20x-Specific Provider Responsibilities
These rules apply to providers for FedRAMP 20x Certifications.
Path: Program
Class: Class A, Class B, Class C, Class D
Audience: Providers
Certification Package Maintenance for 20x
CPO-CSX-CPM
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers with 20x Class A Certifications SHOULD persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every 3 months.
Timeframe: 3 months
Providers with 20x Class B Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every month.
Timeframe: 1 month
Providers with 20x Class C Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every 2 weeks.
Timeframe: 2 weeks
Providers with 20x Class D Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every week.
Timeframe: 1 week
Notes:
- Providers are expected to maintain their FedRAMP Certification Package using automation as changes occur to ensure they are never out of date.
- This rule does not require or expect persistent human review of all materials in this cadence.
Terms: Certification Package, Persistently
Rev5-Specific Provider Responsibilities
These rules apply to providers for FedRAMP Rev5 Certifications.
Path: Program, Agency
Class: Class A, Class B, Class C, Class D
Audience: Providers
Certification Package Maintenance for Rev5
CPO-CSF-CPM
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers with Rev5 Class A Certifications SHOULD persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every year.
Timeframe: 1 year
Providers with Rev5 Class B Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every year.
Timeframe: 1 year
Providers with Rev5 Class C Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every year.
Timeframe: 1 year
Providers with Rev5 Class D Certifications MUST persistently maintain their FedRAMP Certification Package to ensure it is up to date and complete at least once every six months.
Timeframe: 6 months
Notes:
- This maximum timeframe for Rev5 is a worst-case ceiling that makes for a poor customer experience; it is based on legacy FedRAMP Rev5 allowing providers to leave their packages unmaintained for up to a year. Rev5 providers should maintain their packages far more frequently than this requirement to ensure potential customers have access to up-to-date information, updating the package at least after every transformative significant change.
- FedRAMP 20x Certifications expect providers to maintain their FedRAMP Certification Packages as changes occur to ensure they are never out of date.
Terms: Certification Package, Persistently, Significant Change, Transformative Change