
Key Security Indicators

Effective Date(s) & Overall Applicability for 20x

  • Required (Phase 2 Pilot)
  • Phase 1 pilot authorizations have one year from authorization to fully address this process but must demonstrate continuous quarterly progress.
  • Phase 2 Pilot participants must demonstrate significant progress towards addressing this process prior to submission for authorization review.
Background & Authority
  • OMB Circular A-130 Appendix I states "Agencies may also develop overlays for specific types of information or communities of interest (e.g., all web-based applications, all health care-related systems) as part of the security control selection process. Overlays provide a specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information as part of the tailoring process, that is intended to complement (and further refine) security control baselines. The overlay may be more stringent or less stringent than the original security control baseline and can be applied to multiple information systems."
  • NIST SP 800-53B Section 2.5 states "As the number of controls in [SP 800-53] grows in response to an increasingly sophisticated threat space, it is important for organizations to have the ability to describe key capabilities needed to protect organizational missions and business functions, and to subsequently select controls that—if properly designed, developed, and implemented—produce such capabilities. The use of capabilities simplifies how the protection problem is viewed conceptually. Using the construct of a capability provides a method of grouping controls that are employed for a common purpose or to achieve a common objective." This section later states "Ultimately, authorization decisions (i.e., risk acceptance decisions) are made based on the degree to which the desired capabilities have been effectively achieved."
  • NIST SP 800-53A Section 3.5 states "When organizations employ the concept of capabilities, automated and manual assessments account for all security and privacy controls that comprise the security and privacy capabilities. Assessors are aware of how the controls work together to provide such capabilities."
  • FedRAMP Authorization Act (44 USC § 3609 (a) (1)) requires that the Administrator of the General Services Administration shall "in consultation with the [DHS] Secretary, develop, coordinate, and implement a process to support agency review, reuse, and standardization, where appropriate, of security assessments of cloud computing products and services..." 44 USC § 3609 (c) (2) further states that "the [GSA] Administrator shall establish a means for the automation of security assessments and reviews."

Modern cloud services use automated or code-driven configuration management and control planes to ensure predictable, repeatable, reliable, and secure outcomes during deployment and operation. For simple cloud-native services, most of the security assessment can therefore take place continuously through automated validation, provided the traditional control-by-control narrative approach is no longer required.


20x-Specific Provider Responsibilities

These requirements and recommendations apply to all cloud service offerings following the 20x path.

Implementation Summaries

KSI-CSX-SUM

Former ID: FRR-KSI-02

Changelog:

  • 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

Providers MUST maintain simple high-level summaries of at least the following for each Key Security Indicator:

  1. Goals for how it will be implemented and validated, including clear pass/fail criteria and traceability

  2. The consolidated information resources that will be validated (this should include consolidated summaries such as "all employees with privileged access that are members of the Admin group")

  3. The machine-based processes for validation and the persistent cycle on which they will be performed (or an explanation of why this doesn't apply)

  4. The non-machine-based processes for validation and the persistent cycle on which they will be performed (or an explanation of why this doesn't apply)

  5. Current implementation status

  6. Any clarifications or responses to the assessment summary


Terms: Machine-Based (information resources), Persistent Validation
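As an added illustration of items 1 through 5 above (this is example code, not FedRAMP tooling or a required format), the following Python sketch pairs a summary record with one machine-based validation that emits a pass/fail result and the list of resources it examined, so the result is traceable to specific accounts. The KSI ID "KSI-EXAMPLE", the MFA criterion, the hourly and quarterly cycles, and the identity-provider export are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ImplementationSummary:
    """The items KSI-CSX-SUM asks for, one record per Key Security Indicator."""
    ksi_id: str
    goals: str            # 1. implementation/validation goals, pass/fail criteria
    resources: str        # 2. consolidated information resources validated
    machine_process: str  # 3. machine-based validation and its persistent cycle
    manual_process: str   # 4. non-machine validation and its cycle (or why N/A)
    status: str           # 5. current implementation status
    clarifications: str = ""  # 6. responses to the assessment summary


# Constructed sample: a hypothetical identity-provider export, not real data.
ACCOUNTS = [
    {"user": "alice", "groups": ["Admin"], "mfa": "hardware-key"},
    {"user": "bob", "groups": ["Admin", "Dev"], "mfa": "totp"},
    {"user": "carol", "groups": ["Dev"], "mfa": "none"},
    {"user": "dave", "groups": ["Admin"], "mfa": "none"},
]


def validate_privileged_mfa(accounts, privileged_group="Admin"):
    """Machine-based validation with explicit pass/fail criteria and traceability.

    Criterion (hypothetical, for illustration only): every member of the
    privileged group has some MFA method enrolled. The returned record lists
    every resource that was checked and every one that failed, so an assessor
    can trace the pass/fail outcome back to the specific accounts involved.
    """
    checked, failing = [], []
    for acct in accounts:
        if privileged_group not in acct["groups"]:
            continue  # not in scope for this check
        checked.append(acct["user"])
        if acct["mfa"] == "none":
            failing.append(acct["user"])
    return {
        "criterion": f"all members of '{privileged_group}' have MFA enrolled",
        "checked": checked,
        "failing": failing,
        # An empty scope is treated as a failure: nothing was actually validated.
        "passed": not failing and bool(checked),
        "validated_at": datetime.now(timezone.utc).isoformat(),
    }


def build_summary(accounts):
    """Assemble the summary record, deriving item 5 from the live check."""
    result = validate_privileged_mfa(accounts)
    if result["passed"]:
        status = "implemented"
    else:
        status = (f"not met: {len(result['failing'])} of {len(result['checked'])} "
                  f"privileged accounts lack MFA ({', '.join(result['failing'])})")
    return ImplementationSummary(
        ksi_id="KSI-EXAMPLE",  # hypothetical ID, not a real FedRAMP KSI
        goals="Privileged accounts always have MFA enrolled; PASS only with zero exceptions",
        resources="all employees with privileged access that are members of the Admin group",
        machine_process="validate_privileged_mfa() over the IdP export, hourly (hypothetical cycle)",
        manual_process="quarterly review of Admin group membership (hypothetical cycle)",
        status=status,
    )


if __name__ == "__main__":
    print(build_summary(ACCOUNTS))
```

The point of returning `checked` alongside `failing` is traceability: a bare "PASS" tells an assessor nothing about which resources were in scope, whereas the list of examined accounts lets the consolidated resource description in item 2 be compared against what the check actually covered.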

Application within MAS

KSI-CSX-MAS

Former ID: FRR-KSI-01

Changelog:

  • 2026-02-04: Removed unnecessary cloud service at the beginning; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

Providers SHOULD apply ALL Key Security Indicators to ALL aspects of their cloud service offering that are within the FedRAMP Minimum Assessment Scope.


Terms: Cloud Service Offering

AFR Order of Criticality

KSI-CSX-ORD

Changelog:

  • 2026-02-04: This recommendation is new in v0.9.0 to clarify expectations.

Providers MAY use the following order of criticality for approaching Authorization by FedRAMP Key Security Indicators for an initial authorization package:

  1. Minimum Assessment Scope (MAS)

  2. Authorization Data Sharing (ADS)

  3. Using Cryptographic Modules (UCM)

  4. Vulnerability Detection and Response (VDR)

  5. Significant Change Notifications (SCN)

  6. Persistent Validation and Assessment (PVA)

  7. Secure Configuration Guide (RSC)

  8. Collaborative Continuous Monitoring (CCM)

  9. FedRAMP Security Inbox (FSI)

  10. Incident Communications Procedures (ICP)


Terms: Authorization Package, Authorization data, FedRAMP Security Inbox, Incident, Persistent Validation, Persistently, Significant change, Vulnerability, Vulnerability Detection, Vulnerability Response


Key Security Indicator Themes

Key Security Indicators (KSIs) apply to all cloud service offerings following the 20x path; each KSI must be addressed as specified in the KSI requirements and recommendations above.

Key Security Indicators are grouped into themes for ease of review. Each theme is displayed on a separate page to make it easier to move between themes and to find specific KSIs.

Authorization by FedRAMP

A secure cloud service provider seeking FedRAMP authorization will address all FedRAMP 20x requirements and recommendations, including government-specific requirements for maintaining a secure system and reporting on activities to government customers.

Change Management

A secure cloud service provider will ensure that all changes are properly documented and configuration baselines are updated accordingly.

Cloud Native Architecture

A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the confidentiality, integrity and availability of the system.

Cybersecurity Education

A secure cloud service provider will educate their employees on cybersecurity measures, testing them persistently to ensure their knowledge is satisfactory.

Identity and Access Management

A secure cloud service offering will protect user data, control access, and apply zero trust principles.

Incident Response

A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement.

Monitoring, Logging, and Auditing

A secure cloud service offering will monitor, log, and audit all important events, activity, and changes.

Policy and Inventory

A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured.

Recovery Planning

A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss during incidents and contingencies.

Service Configuration

A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources.

Supply Chain Risk

A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources.