Authorization by FedRAMP
A secure cloud service provider seeking FedRAMP authorization will address all FedRAMP 20x requirements and recommendations, including government-specific requirements for maintaining a secure system and reporting on activities to government customers.
Authorization Data Sharing
KSI-AFR-ADS
Former ID: KSI-AFR-03
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations.
Related SP 800-53 Controls: AC-3, AC-4, AU-2, AU-3, AU-6, CA-2, IR-4, RA-5, SC-8
Reference: Authorization Data Sharing
Terms: All Necessary Parties, Authorization data, Persistently
Collaborative Continuous Monitoring
KSI-AFR-CCM
Former ID: KSI-AFR-06
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Maintain a plan and process for providing Ongoing Authorization Reports and Quarterly Reviews for all necessary parties in alignment with the FedRAMP Collaborative Continuous Monitoring (CCM) process and persistently address all related requirements and recommendations.
Reference: Collaborative Continuous Monitoring
Terms: All Necessary Parties, Persistently, Quarterly Review
FedRAMP Security Inbox
KSI-AFR-FSI
Former ID: KSI-AFR-08
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Operate a secure inbox to receive critical communication from FedRAMP and other government entities in alignment with FedRAMP Security Inbox (FSI) requirements and persistently address all related requirements and recommendations.
Reference: FedRAMP Security Inbox
Terms: FedRAMP Security Inbox, Persistently
Incident Communications Procedures
KSI-AFR-ICP
Former ID: KSI-AFR-10
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Integrate FedRAMP's Incident Communications Procedures (ICP) into incident response procedures and persistently address all related requirements and recommendations.
Reference: Incident Communications Procedures
Terms: Incident, Persistently, Vulnerability Response
Minimum Assessment Scope
KSI-AFR-MAS
Former ID: KSI-AFR-01
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Apply the FedRAMP Minimum Assessment Scope (MAS) to identify and document the scope of the cloud service offering to be assessed for FedRAMP authorization and persistently address all related requirements and recommendations.
Related SP 800-53 Controls: AC-1, AC-21, AT-1, AU-1, CA-1, CM-1, CP-1, CP-2.1, CP-2.8, CP-4.1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PL-2, PL-4, PL-4.1, PS-1, RA-1, RA-9, SA-1, SC-1, SI-1, SR-1, SR-2, SR-3, SR-11
Reference: Minimum Assessment Scope
Terms: Cloud Service Offering, Persistently
Persistent Validation and Assessment
KSI-AFR-PVA
Former ID: KSI-AFR-09
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Persistently validate, assess, and report on the effectiveness and status of security decisions and policies that are implemented within the cloud service offering in alignment with the FedRAMP 20x Persistent Validation and Assessment (PVA) process, and persistently address all related requirements and recommendations.
Reference: Persistent Validation and Assessment
Terms: Cloud Service Offering, Persistent Validation, Persistently
Secure Configuration Guide
KSI-AFR-SCG
Former ID: KSI-AFR-07
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Develop secure by default configurations and provide guidance for secure configuration of the cloud service offering to customers in alignment with the FedRAMP Secure Configuration Guide (SCG) process and persistently address all related requirements and recommendations.
Reference: Secure Configuration Guide
Terms: Cloud Service Offering, Persistently
Significant Change Notifications
KSI-AFR-SCN
Former ID: KSI-AFR-05
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations.
Related SP 800-53 Controls: CA-7.4, CM-3.4, CM-4, CM-7.1, AU-5, CA-5, CA-7, RA-5, RA-5.2, SA-22, SI-2, SI-2.2, SI-3, SI-5, SI-7.7, SI-10, SI-11
Reference: Significant Change Notifications
Terms: All Necessary Parties, Persistently, Significant change
Using Cryptographic Modules
KSI-AFR-UCM
Former ID: KSI-AFR-11
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) guidance and persistently address all related requirements and recommendations.
Reference: Using Cryptographic Modules
Terms: Federal Customer Data, Persistently
Vulnerability Detection and Response
KSI-AFR-VDR
Former ID: KSI-AFR-04
Changelog:
- 2026-02-04: Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations.
Related SP 800-53 Controls: CA-2, CA-7, CA-7.6, IR-1, IR-4, IR-4.1, IR-5, IR-5.1, IR-6, IR-6.1, IR-6.2, PM-3, PM-5, PM-31, RA-2, RA-2.1, RA-3, RA-3.3, RA-5, RA-5.2, RA-5.3, RA-5.4, RA-5.5, RA-5.6, RA-5.7, RA-5.11, RA-9, RA-10, SI-2, SI-2.1, SI-2.2, SI-2.4, SI-2.5, SI-3, SI-3.1, SI-3.2, SI-4, SI-4.2, SI-4.3, SI-4.7, CA-7.4, RA-5, RA-7
Reference: Vulnerability Detection and Response
Terms: Cloud Service Offering, Persistently, Vulnerability, Vulnerability Detection, Vulnerability Response