
Persistent Validation and Assessment

FedRAMP 20x is built around the core concept that secure cloud service providers will persistently and automatically validate that their security decisions and policies are being implemented as expected within their cloud service offering. The activities of a secure service should be intentional, documented, and in a state that is always known and understood by the provider.

Secure providers will design their business processes and technical procedures to maximize the use of automation, persistent validation, and reporting across the entirety of their cloud service offering. This reduces cost by increasing efficiency, enables fast, agile delivery of new capabilities, and prevents unintended drift between the deployed cloud service offering and the business goals for the offering. Secure providers leverage automated and independent audits to evaluate the validity and effectiveness of their secure practices.

All FedRAMP 20x Authorized providers are expected to implement persistent validation programs as part of their core engineering workflow. These programs should be optimized to deliver value to the provider and their engineering teams first and foremost, though agencies and other customers will benefit from the improved security and insight resulting from high quality persistent validation programs.

To obtain and maintain a FedRAMP 20x authorization, providers will be required to have their persistent validation programs assessed regularly for effectiveness and completeness.

Effective Date(s) & Overall Applicability
  • Release: 25.11A
  • Published: 2025-11-18
  • Designator: PVA
  • Description: Initial release of the Persistent Validation and Assessment standard for the FedRAMP 20x Phase Two pilot.

  • FedRAMP 20x:
    • This release is effective 2025-11-17 for 20x.
    • This policy applies to all FedRAMP 20x authorizations.
    • Phase One Pilot participants have one year from authorization to fully implement this standard but must demonstrate continuous quarterly progress.
    • Phase Two Pilot participants must demonstrate significant progress towards implementing this standard prior to submission for authorization review.
  • FedRAMP Rev5:
    • This standard DOES NOT apply to FedRAMP Rev5 authorizations.

Background & Authority
  • OMB Circular A-130: Managing Information as a Strategic Resource defines continuous monitoring as "maintaining ongoing awareness of information security, vulnerabilities, threats, and incidents to support agency risk management decisions."
  • The FedRAMP Authorization Act (44 USC § 3609(a)(7)) directs the Administrator of the General Services Administration to "coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the Director and the Secretary, to establish and regularly update a framework for continuous monitoring..."

Requirements & Recommendations

These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services and those seeking authorization based on the current Effective Date(s) and Overall Applicability of this standard.

FRR-PVA-01 Persistent Validation

Providers MUST persistently perform validation of their Key Security Indicators following the processes and cycles documented for their cloud service offering per FRR-KSI-02; this process is called persistent validation and is part of vulnerability detection.

Applies to: Low, Moderate, High

FRR-PVA-02 Failures As Vulnerabilities

Providers MUST treat failures detected during persistent validation and failures of the persistent validation process as vulnerabilities, then follow the requirements and recommendations in the FedRAMP Vulnerability Detection and Response Standard for such findings.

Applies to: Low, Moderate, High

FRR-PVA-03 Report Persistent Validation

Providers MUST include persistent validation activity in the reports on vulnerability detection and response activity required by the FedRAMP Vulnerability Detection and Response Standard.

Applies to: Low, Moderate, High

FRR-PVA-04 Track Significant Changes

Providers MUST track significant changes that impact their Key Security Indicator goals and validation processes while following the requirements and recommendations in the FedRAMP Significant Change Notification Standard; if such significant changes are not properly tracked and supplied to all necessary assessors then a full Initial FedRAMP Assessment may be required in place of the expected Persistent FedRAMP Assessment.

Applies to: Low, Moderate, High

FRR-PVA-05 Independent Assessment

Providers MUST have the implementation of their goals and validation processes assessed by a FedRAMP-recognized independent assessor OR by FedRAMP directly AND MUST include the results of this assessment in their authorization data without modification.

Notes:

  • The option for assessment by FedRAMP directly is limited to cloud services that are explicitly prioritized by FedRAMP, in consultation with the FedRAMP Board and the federal Chief Information Officers Council. During 20x Phase Two this includes AI services that meet certain criteria as shown at https://fedramp.gov/ai.

  • FedRAMP recognized assessors are listed on the FedRAMP Marketplace.

Applies to: Low, Moderate, High

FRR-PVA-06 Complete Validation Assessment

Providers MUST ensure a complete assessment of validation procedures (including underlying code, pipelines, configurations, automation tools, etc.) for the cloud service offering by all necessary assessors.

Applies to: Low, Moderate, High

FRR-PVA-07 Provide Technical Evidence

Providers SHOULD provide technical explanations, demonstrations, and other relevant supporting information to all necessary assessors for the technical capabilities they employ to meet Key Security Indicators and to provide validation.

Applies to: Low, Moderate, High

FRR-PVA-08 Receiving Assessor Advice

Providers MAY ask for and accept advice from their assessor during assessment regarding techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their validation and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also FRR-PVA-09).

Note: The related A2LA requirements are waived for FedRAMP 20x Phase Two assessments.

Applies to: Low, Moderate, High

FRR-PVA-09 Assessors May Advise

Assessors MAY share advice with providers they are assessing about techniques and procedures that will improve their security posture or the effectiveness, clarity, and accuracy of their validation and reporting procedures for Key Security Indicators, UNLESS doing so might compromise the objectivity and integrity of the assessment (see also FRR-PVA-08).

Applies to: Low, Moderate, High

FRR-PVA-10 Evaluate Validation Processes

Assessors MUST evaluate the underlying processes (both machine-based and non-machine-based) that providers use to validate Key Security Indicators; this evaluation should include at least:

  1. The effectiveness, completeness, and integrity of the automated processes that perform validation of the cloud service offering's security posture.

  2. The effectiveness, completeness, and integrity of the human processes that perform validation of the cloud service offering's security posture.

  3. The coverage of these processes within the cloud service offering, including whether all of the listed consolidated information resources are being validated.

Applies to: Low, Moderate, High

FRR-PVA-11 Assess Process Implementation

Assessors MUST evaluate the implementation of processes derived from Key Security Indicators to determine whether or not the provider has accurately documented their process and goals.

Applies to: Low, Moderate, High

FRR-PVA-12 Assess Outcome Consistency

Assessors MUST evaluate whether or not the underlying processes are consistently creating the desired security outcome documented by the provider.

Applies to: Low, Moderate, High

FRR-PVA-13 Mixed Methods Evaluation

Assessors MUST perform evaluation using a combination of quantitative and expert qualitative assessment as appropriate AND document which is applied to which aspect of the assessment.

Applies to: Low, Moderate, High

FRR-PVA-14 Engage Provider Experts

Assessors SHOULD engage provider experts in discussion to understand the decisions made by the provider and inform expert qualitative assessment, and SHOULD perform independent research to test such information as part of the expert qualitative assessment process.

Applies to: Low, Moderate, High

FRR-PVA-15 Avoid Static Evidence

Assessors MUST NOT rely on screenshots, configuration dumps, or other static output as evidence EXCEPT when evaluating the accuracy and reliability of a process that generates such artifacts.

Applies to: Low, Moderate, High

FRR-PVA-16 Verify Procedure Adherence

Assessors MUST assess whether or not procedures are consistently followed, including the processes in place to ensure this occurs, without relying solely on the existence of a procedure document for assessing if appropriate processes and procedures are in place.

Note: This includes evaluating tests or plans for activities that may occur in the future but have not yet occurred.

Applies to: Low, Moderate, High

FRR-PVA-17 Deliver Assessment Summary

Assessors MUST deliver a high-level summary of their assessment process and findings for each Key Security Indicator; this summary will be included in the authorization data for the cloud service offering.

Applies to: Low, Moderate, High

FRR-PVA-18 No Overall Recommendation

Assessors MUST NOT deliver an overall recommendation on whether or not the cloud service offering meets the requirements for FedRAMP authorization.

Note: FedRAMP will make the final authorization decision based on the assessor's findings and other relevant information.

Applies to: Low, Moderate, High


Timeframes - Low

This section provides guidance on timeframes that apply specifically to FedRAMP Low authorizations for activities required or recommended in this standard; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.

FRR-PVA-TF-LO-01 Quarterly Non-Machine Validation

Providers MUST complete the validation processes for Key Security Indicators of non-machine-based information resources at least once every 3 months.

Applies to: Low

FRR-PVA-TF-LO-02 Weekly Machine Validation

Providers MUST complete the validation processes for Key Security Indicators of machine-based information resources at least once every 7 days.

Applies to: Low


Timeframes - Moderate

This section provides guidance on timeframes that apply specifically to FedRAMP Moderate authorizations for activities required or recommended in this standard; these timeframes are thresholds that secure providers should consistently strive to exceed by significant margins.

FRR-PVA-TF-MO-01 Quarterly Non-Machine Validation

Providers MUST complete the validation processes for Key Security Indicators of non-machine-based information resources at least once every 3 months.

Applies to: Moderate

FRR-PVA-TF-MO-02 3-Day Machine Validation

Providers MUST complete the validation processes for Key Security Indicators of machine-based information resources at least once every 3 days.

Applies to: Moderate
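The following is an added example, not FedRAMP's own tooling or any code from the standard. It shows what FRR-PVA-02 and the Timeframes sections look like as a running check over a provider's validation log: each failed validation run becomes a vulnerability finding, and so does a failure of the process itself (a Key Security Indicator with no run, or whose last run is older than the cadence for its impact level and resource kind), with a summary suitable for the FRR-PVA-03 report. The KSI names, the log record shape, and the approximation of "3 months" as 90 days are assumptions; High cadences are not on this page and are not encoded.

```python
"""Persistent validation cadence and failure checker (added example, not FedRAMP code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds from FRR-PVA-TF-LO-01/02 and FRR-PVA-TF-MO-01/02.
# Assumption: "3 months" is approximated as 90 days. High is not on this page.
CADENCE = {
    "Low": {"machine": timedelta(days=7), "non-machine": timedelta(days=90)},
    "Moderate": {"machine": timedelta(days=3), "non-machine": timedelta(days=90)},
}


@dataclass(frozen=True)
class ValidationRun:
    ksi: str            # KSI identifier this run validates (constructed names below)
    kind: str           # "machine" or "non-machine" information resource
    ran_at: datetime    # when the validation completed (UTC)
    passed: bool        # validation outcome


@dataclass(frozen=True)
class Finding:
    ksi: str
    category: str       # "validation-failure" or "process-failure"
    detail: str


def evaluate(runs, expected, impact, now):
    """Return vulnerability findings for one persistent validation cycle.

    `expected` maps every KSI that must be validated to its resource kind, so a
    KSI with no run at all is caught, not only one whose last run is stale.
    """
    if impact not in CADENCE:
        raise ValueError(f"no cadence on this page for impact level {impact!r}")
    cadence = CADENCE[impact]
    by_ksi = defaultdict(list)
    for r in runs:
        by_ksi[r.ksi].append(r)

    findings = []
    for ksi, kind in expected.items():
        history = sorted(by_ksi.get(ksi, []), key=lambda r: r.ran_at)
        # FRR-PVA-02: every failure detected during validation is a vulnerability.
        for r in history:
            if not r.passed:
                findings.append(Finding(ksi, "validation-failure",
                                        f"validation failed at {r.ran_at.isoformat()}"))
        # FRR-PVA-02 also covers failures of the process itself: a missing or
        # overdue run means the KSI's state is no longer known to the provider.
        limit = cadence[kind]
        if not history:
            findings.append(Finding(ksi, "process-failure", "no validation run recorded"))
        elif now - history[-1].ran_at > limit:
            age = now - history[-1].ran_at
            findings.append(Finding(ksi, "process-failure",
                                    f"last run {age.days}d ago exceeds {limit.days}d cadence"))
    return findings


def summarize(runs, findings):
    """Activity counts for the FRR-PVA-03 vulnerability detection and response report."""
    return {
        "runs": len(runs),
        "failed_runs": sum(1 for r in runs if not r.passed),
        "validation_failures": sum(1 for f in findings if f.category == "validation-failure"),
        "process_failures": sum(1 for f in findings if f.category == "process-failure"),
    }


# Constructed sample log: three KSIs for a Moderate offering, evaluated at NOW.
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)
EXPECTED = {"KSI-A": "machine", "KSI-B": "machine", "KSI-C": "non-machine"}
SAMPLE_RUNS = [
    ValidationRun("KSI-A", "machine", NOW - timedelta(days=1), True),
    ValidationRun("KSI-A", "machine", NOW - timedelta(days=4), False),   # a detected failure
    ValidationRun("KSI-B", "machine", NOW - timedelta(days=5), True),    # stale at Moderate, fine at Low
    ValidationRun("KSI-C", "non-machine", NOW - timedelta(days=40), True),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_RUNS, EXPECTED, "Moderate", NOW)
    for f in found:
        print(f"{f.ksi}: {f.category}: {f.detail}")
    print(summarize(SAMPLE_RUNS, found))
```

Run against the sample log at Moderate, the same five-day-old run for KSI-B is a process failure; at Low it is within the 7-day threshold and produces no finding, which is the point of encoding the cadence per impact level rather than as one number. The check intentionally has no "unknown KSI" path: if a KSI is in `expected` and absent from the log, that absence is itself reported, matching the standard's treatment of a failure of the validation process as a vulnerability.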