Secure Configuration Guide
The Secure Configuration Guide rules help agencies and other customers understand how to configure a cloud service offering securely. These rules require providers to clearly explain the security impact of common settings so customers can make informed configuration choices.
Subsets
Effective Date(s) & Overall Applicability for 20x and Rev5
- Required (Consolidated Rules for 2026)
- Obtain: 2026-03-01
- Maintain: 2026-03-01
- Grace Ends: 2026-07-01
General Provider Responsibilities
These rules apply to providers with FedRAMP Certifications of any type.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: Providers
Recommended Secure Configuration
SCG-CSO-RSC
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Related JSON Schema: FedRAMP Certification Overview Package (FRC-CSO-PKG)
Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that include at least the following information:
- Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
- Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications.
- Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications.
Notes:
- These rules refer to this guidance as a Secure Configuration Guide, but cloud service providers may make this guidance available in whatever appropriate forms provide the best customer experience.
- This guidance should explain how top-level administrative accounts and privileged accounts are named and referred to in the cloud service offering.
Terms: Cloud Service Offering, Privileged Account, Top-Level Administrative Account
Use Instructions
SCG-CSO-AUP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST include instructions in the FedRAMP Certification Package that explain how to obtain and use the Secure Configuration Guide.
Note: These instructions may appear in a variety of ways; it is up to the provider to present them in the way most appropriate and effective for its customers' specific needs.
Terms: Certification Package
Public Secure Configuration Guidance
SCG-CSO-PUB
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD make the Secure Configuration Guide available publicly.
Secure Defaults
SCG-CSO-SDF
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.
Enhanced Capabilities
These recommendations apply to providers with FedRAMP Certifications of any type.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: Providers
Comparison Capability
SCG-ENH-CMP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.
Export Capability
SCG-ENH-EXP
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD offer the capability to export all security settings in a machine-readable format.
Terms: Machine-Readable
API Capability
SCG-ENH-API
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability.
Machine-Readable Guidance
SCG-ENH-MRG
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD also provide the Secure Configuration Guide in a machine-readable format that can be used by customers or third-party tools to compare against current settings.
Terms: Machine-Readable
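As an added illustration (not code from FedRAMP or from any provider) of how a customer or third-party tool could use a machine-readable guide (SCG-ENH-MRG) together with an exported settings snapshot (SCG-ENH-EXP) to perform the comparison described in SCG-ENH-CMP, the Python below checks current values against recommended secure defaults and treats a setting absent from the export as a finding rather than a pass. The guide and export formats, setting names, values and version strings are all constructed for this example and are not any real schema.

```python
"""Customer-side drift check of an exported settings snapshot against a
machine-readable Secure Configuration Guide (constructed formats, not FedRAMP's)."""
import operator
# Constructed guide: setting id, account scope, recommended secure value,
# comparison rule, and the security impact of deviating from it.
GUIDE = {
    "guide_version": "2026.1",
    "settings": [
        {"id": "admin.mfa_required", "scope": "top-level-admin",
         "recommended": True, "rule": "equals", "impact": "high"},
        {"id": "admin.session_timeout_minutes", "scope": "top-level-admin",
         "recommended": 15, "rule": "at_most", "impact": "medium"},
        {"id": "priv.audit_log_retention_days", "scope": "privileged",
         "recommended": 365, "rule": "at_least", "impact": "high"},
    ],
}

# Constructed export of current settings; the retention setting is absent.
EXPORT = {
    "guide_version": "2025.4",
    "settings": {
        "admin.mfa_required": True,
        "admin.session_timeout_minutes": 60,
    },
}

RULES = {"equals": operator.eq, "at_most": operator.le, "at_least": operator.ge}

def compare(guide, export):
    """Return one finding per guide setting that deviates from, or cannot be
    checked against, its recommended default. Missing settings are findings."""
    findings = []
    current_settings = export["settings"]
    for entry in guide["settings"]:
        current = current_settings.get(entry["id"])
        if current is None:
            reason = "missing from export"
        elif not RULES[entry["rule"]](current, entry["recommended"]):
            reason = f"fails '{entry['rule']}' check"
        else:
            continue
        findings.append({"setting": entry["id"], "scope": entry["scope"],
                         "impact": entry["impact"], "current": current,
                         "recommended": entry["recommended"], "reason": reason})
    return findings

def guide_is_current(guide, export):
    """Versioning check: results against an older guide version are stale."""
    return guide["guide_version"] == export["guide_version"]
```

Run against the constructed export, `compare` reports the session timeout (60 exceeds the recommended 15) and the missing retention setting, and `guide_is_current` is false because the export was taken against an older guide version.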
Versioning and Release History
SCG-ENH-VRH
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time.