Independent Verification and Validation¶

Notes:

• The first such completed assessment is typically called an "initial assessment" while following assessments are called "annual assessments."
• The specific requirements for independent verification and validation assessments are documented by the FedRAMP Certification Class and Type.
• The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council; this is _extremely rare._
• FedRAMP Recognized independent assessment services are listed on the FedRAMP Marketplace.

Terms: Certification Class, FedRAMP Independent Assessment, FedRAMP Recognized, Persistently, Validation, Verification

Providers MUST supply evidence to all necessary assessors of the implementation of the measures that have been documented to meet FedRAMP Practices; this evidence is the result of verification.

Note: For example, if the documentation says that firewall rules are used to block traffic then the cloud service provider would verify that firewall rules are in place to block traffic and supply that evidence to assessors (preferably by allowing them to see how firewall configurations are deployed from a source of truth).

Terms: All Necessary Assessors, FedRAMP Practices, Verification

Providers MUST supply evidence to all necessary assessors of the effectiveness of the measures that have been implemented to meet FedRAMP Practices; this evidence is the result of validation.

Note: For example, after verifying that firewalls are configured to block traffic following IVV-CSO-SEI (Supply Evidence of Implementation), the provider would validate that traffic is actually being blocked and supply evidence of that validation to assessors (such as by allowing them to see metrics on the traffic that is blocked vs not).

Terms: All Necessary Assessors, FedRAMP Practices, Validation

Providers MUST supply the results of FedRAMP independent assessments in their FedRAMP Certification Package without inappropriate modification.

Notes:

• Inappropriate modification in this context means changing the underlying intent/etc. of the content provided by the independent assessment service - the content itself may be modified for presentation, formatting, etc. as needed.
• This rule is related to IVV-IAS-VIP (Verify Inclusion in Certification Package).

Terms: Certification Package, FedRAMP Independent Assessment, Verification

Providers MUST document and explain the use of representative samples during verification and validation when using representative samples as allowed by IVV-CSO-USR (Use Representative Samples).

Terms: Validation, Verification

Providers SHOULD supply all necessary assessors with technical explanations, demonstrations, and other relevant supporting information about the technical capabilities they employ to address FedRAMP rules; this SHOULD be supplied as necessary to ensure the assessor can effectively complete verification and validation.

Terms: All Necessary Assessors, Validation, Verification

Providers MAY use representative samples as appropriate during verification and validation.

Note: Many modern cloud services using effective automation do not need to use representative sampling and are capable of persistently verifying and validating the majority of their security measures automatically.

Terms: Persistently, Validation, Verification

Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their verification, validation and reporting procedures, UNLESS doing so is likely to compromise the objectivity and integrity of the assessment.

Terms: Likely, Validation, Verification

Assessors MUST verify that the measures implemented by the cloud service offering matches the measures they documented to meet FedRAMP Practices.

Note: This requires reviewing the actual measures themselves at a technical level, such as reviewing underlying code as appropriate; don't simply review documentation or screenshots.

Terms: Cloud Service Offering, FedRAMP Practices, Verification

Assessors MUST validate the effectiveness of the implemented measures to ensure they have the intended outcome for meeting FedRAMP Practices.

Note: This requires reviewing the actual measures themselves at a technical level, such as reviewing underlying code as appropriate; don't simply review documentation or screenshots.

Terms: FedRAMP Practices, Validation

Assessors MUST supply the provider with a high-level summary of their assessment process and findings for each FedRAMP Practice; this summary will be included by the provider in the FedRAMP Security Decision Record for the cloud service offering.

Note: FedRAMP does not require a separate Security Assessment Plan or Security Assessment Report for FedRAMP 20x or FedRAMP Rev5 Certifications; this information is expected to be included in the Security Decision Record by the cloud service provider.

Terms: Cloud Service Offering, FedRAMP Practices, Security Decision Record (SDR)

Assessors MUST supply the provider with an overall summary of the verification and validation assessment results, including any resulting failures or areas of dispute; this summary will be included by the provider in the FedRAMP Certification Package Overview for the cloud service offering.

Note: FedRAMP does not supply a template for this summary and encourages independent assessment services to optimize for the best customer experience in the creation of these materials.

Terms: Certification Package, Cloud Service Offering, Validation, Verification

Assessors MUST verify that information supplied during a FedRAMP independent assessment is included in the FedRAMP Certification Package by the provider without inappropriate modification.

Note: This rule is related to IVV-CSO-ICP (Inclusion in Certification Package).

Terms: Certification Package, FedRAMP Independent Assessment, Verification

Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process.

Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve the provider's security posture or the effectiveness, clarity, and accuracy of their verification, validation and reporting procedures, UNLESS doing so is likely to compromise the objectivity and integrity of the assessment.

Terms: Likely, Validation, Verification

Terms: FedRAMP Independent Assessment

Providers MUST have all applicable Rev5 Controls included in FedRAMP independent assessments every 3 years but are not required to have all Rev5 Controls included in the same FedRAMP independent assessment.

Note: Traditionally this has been done by reviewing a rotating selection of Rev5 Controls at each annual assessment, however this requirement is a ceiling and not a floor. See IVV-CSF-PCA (Preferred Control Assessment) for FedRAMP's recommended approach to Rev5 control assessments.

Terms: FedRAMP Independent Assessment

Providers MUST have Rev5 Controls with negative findings from the previous FedRAMP independent assessment included in the next FedRAMP independent assessment.

Terms: FedRAMP Independent Assessment

Providers SHOULD include all applicable Rev5 Controls in each FedRAMP independent assessment.

Terms: FedRAMP Independent Assessment