Security Decision Record¶
The Security Decision Record replaces the traditional System Security Plan with a persistently maintained, verified, and validated record of the security decisions a cloud service provider makes over the lifecycle of its cloud service offering.
Subsets
- General Provider Responsibilities
- 20x-Specific Provider Responsibilities
- Rev5-Specific Provider Responsibilities
Effective Date(s) & Overall Applicability for 20x
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2026-07-04
- Maintain: 2027-01-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01
Effective Date(s) & Overall Applicability for Rev5
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2027-01-01
- Maintain: 2027-08-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-08-01
General Provider Responsibilities¶
These rules apply to providers for FedRAMP Certifications of any type.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: Providers
FedRAMP Rules¶
SDR-CSO-FRR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Related JSON Schema: FedRAMP Security Decision Record Schema
Providers MUST supply a Security Decision Record, in both human-readable and JSON formats, that includes at least all of the following information for each applicable FedRAMP rule:
- Explanation of how the rule is followed, or an explanation of the reason and resulting risk to customers for not following the rule.
- Verification that the implementation is appropriate for the rule, or that the reason for not implementing is accepted by a senior official.
- Validation that the implementation is in place and working as intended, or that the reason for not implementing is accepted by a senior official.
- Independent verification.
- Independent validation.
- Any responses or clarifications to the comments in the independent verification or validation.
- Rule-specific artifacts (if applicable).
Terms: Artifacts, Security Decision Record (SDR), Validation, Verification
Security Decision Record Metadata¶
SDR-CSO-MTD
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST also include the following basic metadata in their Security Decision Record:
- Version
- Date and time of last update
- Source of update
20x-Specific Provider Responsibilities¶
These rules apply to providers for FedRAMP 20x Certifications.
Path: Program
Class: Class B, Class C, Class D
Audience: Providers
Key Security Indicators¶
SDR-CSX-KSI
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Related JSON Schema: FedRAMP Security Decision Record Schema
Providers MUST also include short and simple high-level summaries of at least the following for each applicable Key Security Indicator:
- Explanation of measures (and their objectives) that demonstrate the Key Security Indicator, or an explanation of the reason and resulting risk to customers for not having measures available for that Key Security Indicator.
- Explanation of the cycle for any measures that are implemented persistently (if applicable).
- Verification that the measures demonstrate the Key Security Indicator, or that the reason for not having them is accepted.
- Verification that the automation in place is accurate and sufficient to demonstrate appropriate measures for the Key Security Indicator, or that automation is not necessary for each measure.
- Validation that the measures are accurately produced and are in place and working as intended, or that the reason for not having them is valid.
Terms: Persistently, Validation, Verification
Key Security Indicator Metrics¶
SDR-CSX-KMT
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Related JSON Schema: FedRAMP Security Decision Record Schema
Providers with 20x Class A Certifications MAY also include historical metrics in their Security Decision Record.
Providers with 20x Class B Certifications MUST also include historical metrics in their Security Decision Record, supplying at least the following information for each applicable Key Security Indicator:
- Summary of each metric over the past 30 days
- Summary of each metric up to the past year (where available)
Providers with 20x Class C Certifications MUST also include historical metrics in their Security Decision Record, supplying at least the following information for each applicable Key Security Indicator:
- Summary of each metric over the past 30 days
- Summary of each metric up to the past year (where available)
- All daily metric data up to the past year (where available)
Providers with 20x Class D Certifications MUST significantly exceed the minimum requirements for lower Classes; the specifics will be set during the 20x Phase 4 Pilot.
Rev5-Specific Provider Responsibilities¶
These rules apply to providers for FedRAMP Rev5 Certifications.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: Providers
Rev5 Controls¶
SDR-CSF-CTF
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST also include short and simple high-level summaries of at least the following for each applicable Rev5 Control:
- Any organization-defined parameter values.
- Implementation status, one of Implemented, Partially Implemented, Planned, Alternative Implementation, or Not Applicable.
- The mechanisms or activities that address the control, including inheritance from another cloud service offering if applicable.
- The verification that is in place to ensure the implementation is appropriate for the control.
- The validation that is in place to ensure the implementation is working as intended.
- Independent verification.
- Independent validation.
- Any responses or clarifications to the comments in the independent verification or validation.
- Control-specific artifacts (if applicable).
Terms: Artifacts, Cloud Service Offering, Validation, Verification
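The rules above list the minimum contents of a Security Decision Record but not how to check a generated JSON file carries them before it goes to an assessor. As an added example, not part of this page and not the FedRAMP Security Decision Record JSON Schema (which the page references but does not reproduce), the following Python linter checks a constructed SDR document for the per-rule fields (SDR-CSO-FRR), the metadata (SDR-CSO-MTD), the Key Security Indicator summaries (SDR-CSX-KSI), the class-dependent historical metrics (SDR-CSX-KMT) and the Rev5 control entries with their permitted implementation statuses (SDR-CSF-CTF). Every key name, the KSI identifier `KSI-EXAMPLE`, the sample values, and the reading of "all daily metric data" as a gap-free daily series that reaches the current day are this example's own assumptions.

```python
"""Lint a Security Decision Record (SDR) JSON document against the minimum
contents listed on this page. Assumption: all key names are this example's
own, not the official FedRAMP SDR JSON Schema (referenced, not reproduced)."""
from datetime import date, datetime, timedelta

METADATA_FIELDS = ("version", "last_updated", "source")                 # SDR-CSO-MTD
RULE_FIELDS = ("explanation", "verification", "validation",             # SDR-CSO-FRR,
               "independent_verification", "independent_validation",   # artifacts optional
               "responses")
KSI_FIELDS = ("measures", "verification", "automation_verification",    # SDR-CSX-KSI,
              "validation")                                             # cycle optional
REV5_FIELDS = ("status", "mechanisms", "verification", "validation",    # SDR-CSF-CTF
               "independent_verification", "independent_validation", "responses")
REV5_STATUSES = {"Implemented", "Partially Implemented", "Planned",
                 "Alternative Implementation", "Not Applicable"}
SAMPLE_TODAY = date(2026, 7, 4)  # fixed clock so the constructed sample is reproducible

def _require(obj, fields, where, findings):
    """Record a finding for each listed field that is absent or empty."""
    for f in fields:
        if obj.get(f) in (None, "", [], {}):
            findings.append("%s: missing %s" % (where, f))

def _check_daily(daily, ksi_id, today, findings):
    """Class C/D metrics (SDR-CSX-KMT). Assumed reading: 'all daily metric data'
    is a gap-free series reaching today, at least 30 days to back the 30-day summary."""
    days = sorted(date.fromisoformat(d) for d in daily)   # ValueError on a malformed date
    if not days:
        findings.append("%s: no daily metric data" % ksi_id)
        return
    for prev, nxt in zip(days, days[1:]):
        if (nxt - prev).days != 1:
            findings.append("%s: gap in daily data between %s and %s" % (ksi_id, prev, nxt))
    if (today - days[-1]).days > 1:
        findings.append("%s: daily data stale, last day %s" % (ksi_id, days[-1]))
    if len(days) < 30:
        findings.append("%s: only %d days of daily data" % (ksi_id, len(days)))

def lint_sdr(doc, today=None):
    """Return findings; an empty list means the record meets the page's minimum for its class."""
    today = today or date.today()
    findings, cls = [], doc.get("class")
    meta = doc.get("metadata", {})
    _require(meta, METADATA_FIELDS, "metadata", findings)
    try:
        datetime.fromisoformat(meta.get("last_updated", ""))
    except ValueError:
        findings.append("metadata: last_updated is not an ISO 8601 timestamp")
    for rule_id, rule in doc.get("rules", {}).items():
        _require(rule, RULE_FIELDS, rule_id, findings)
    for ksi_id, ksi in doc.get("ksis", {}).items():
        _require(ksi, KSI_FIELDS, ksi_id, findings)
        metrics = ksi.get("metrics") or {}
        if cls in ("B", "C", "D"):     # Class A MAY carry metrics; B, C and D MUST
            _require(metrics, ("summary_30d", "summary_1y"), ksi_id + ".metrics", findings)
        if cls in ("C", "D"):          # Class C adds the full daily series
            _check_daily(metrics.get("daily") or {}, ksi_id, today, findings)
    for ctl_id, ctl in doc.get("rev5_controls", {}).items():
        _require(ctl, REV5_FIELDS, ctl_id, findings)
        if "parameters" not in ctl:    # may be empty for a control without ODPs, but must be stated
            findings.append("%s: missing parameters" % ctl_id)
        if ctl.get("status") not in REV5_STATUSES:
            findings.append("%s: status %r is not a permitted value" % (ctl_id, ctl.get("status")))
    return findings

def sample_sdr(today=SAMPLE_TODAY):
    """Constructed sample, not any provider's record: a 20x Class C SDR with one complete
    and one incomplete rule, a hypothetical KSI whose daily series skips a day, and one
    Rev5 control (AC-2, illustrative) with a status the page does not permit."""
    daily = {(today - timedelta(days=n)).isoformat(): 99.5
             for n in range(45, -1, -1) if n != 10}       # day -10 deliberately absent
    full = {"explanation": "Generated by the release pipeline.",
            "verification": "Reviewed by the security office.",
            "validation": "Checked on every publish.",
            "independent_verification": "Assessor comment, June 2026.",
            "independent_validation": "Assessor comment, June 2026.",
            "responses": "None required.", "mechanisms": "Joiner/leaver workflow."}
    return {"class": "C",
            "metadata": {"version": "2026.07.1", "source": "ci-pipeline",
                         "last_updated": "2026-07-04T12:00:00+00:00"},
            "rules": {"SDR-CSO-MTD": dict(full),
                      "SDR-CSX-KSI": {"explanation": "Summaries produced nightly."}},
            "ksis": {"KSI-EXAMPLE": {
                "measures": "Share of hosts reporting inventory within 24 hours.",
                "verification": "Measure matches the objective.", "validation": "Spot-checked.",
                "automation_verification": "Collector output reconciled weekly.",
                "metrics": {"summary_30d": {"mean": 99.5}, "summary_1y": {"mean": 99.1},
                            "daily": daily}}},
            "rev5_controls": {"AC-2": dict(full, parameters={}, status="Done")}}

def demo():
    """Lint the sample, repair the three kinds of finding, lint again."""
    doc = sample_sdr()
    before = lint_sdr(doc, SAMPLE_TODAY)
    doc["rules"]["SDR-CSX-KSI"].update(doc["rules"]["SDR-CSO-MTD"])
    doc["rev5_controls"]["AC-2"]["status"] = "Implemented"
    doc["ksis"]["KSI-EXAMPLE"]["metrics"]["daily"][
        (SAMPLE_TODAY - timedelta(days=10)).isoformat()] = 99.5
    return before, lint_sdr(doc, SAMPLE_TODAY)
```

Running `demo()` returns seven findings for the constructed sample (five missing fields on the incomplete rule, one gap in the daily series, one rejected Rev5 status) and an empty list once they are repaired. In practice the linter would run in the same pipeline that writes the record, so that the `last_updated` and `source` metadata it checks come from the generating job rather than from a hand edit.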