{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://fedramp.gov/schemas/fedramp-ongoing-certification-report-schema-2026-06-24.json","$schemaVersion":"0.0.1","type":"object","title":"FedRAMP Ongoing Certification Report (CCM-OCR-AVL)","description":"Quarterly Ongoing Certification Report (OCR) per CCM-OCR-AVL, covering the entire period since the previous report.","required":["certificationPackageOverviewUri","reportPeriod","certificationDataChanges","plannedCertificationDataChanges","acceptedVulnerabilities","transformativeChanges","updatedRecommendations","activeAgencies","reportableIncidents"],"properties":{"certificationPackageOverviewUri":{"$ref":"https://fedramp.gov/schemas/fedramp-common-definitions-schema-2026-06-24.json/$defs/certificationPackageOverviewUri"},"reportPeriod":{"$ref":"https://fedramp.gov/schemas/fedramp-common-definitions-schema-2026-06-24.json/$defs/reportPeriodDate","title":"Report Period","description":"The 3-month period covered by this report."},"certificationDataChanges":{"type":"array","title":"Changes to FedRAMP Certification Data","description":"High-level summaries of changes to FedRAMP Certification Data since the previous report.","items":{"type":"string"}},"plannedCertificationDataChanges":{"type":"object","title":"Planned Changes to FedRAMP Certification Data","description":"High-level summaries of planned changes to FedRAMP Certification Data for at least the next 3 months.","required":["planningHorizonThrough","changes"],"properties":{"planningHorizonThrough":{"type":"string","format":"date","title":"Planning Horizon Through","description":"Date through which planned changes are covered (at least 3 months from report end)."},"changes":{"type":"array","title":"Changes","items":{"type":"string"}}}},"acceptedVulnerabilities":{"type":"string","title":"Accepted Vulnerabilities","description":"Summary of accepted vulnerabilities. Full records are reported per VER-RPT-AVI."},"transformativeChanges":{"type":"array","title":"Transformative Changes","description":"High-level summaries of transformative changes during this period.","items":{"type":"string"}},"updatedRecommendations":{"type":"array","title":"Updated Recommendations","description":"Updated recommendations or best practices for security, configuration, usage, or similar aspects of the cloud service offering.","items":{"type":"string"}},"activeAgencies":{"type":"array","title":"Active Agencies","description":"List of all agencies directly using the product.","items":{"type":"string","title":"Agency"}},"reportableIncidents":{"type":"object","title":"FedRAMP Reportable Incidents","description":"FedRAMP Reportable Incidents during this period, or an attestation that none occurred.","properties":{"incidents":{"type":"array","title":"Incidents","description":"Summary of each incident.","items":{"$ref":"#/$defs/incidentSummary"}}}}},"$defs":{"incidentSummary":{"type":"object","title":"Incident Summary","properties":{"summary":{"type":"string","title":"Summary"},"occurredAt":{"type":"string","format":"date-time","title":"Occurred At"},"resolvedAt":{"type":"string","format":"date-time","title":"Resolved At"},"incidentLessonsLearned":{"type":"array","title":"Incident Lessons Learned","description":"Lessons learned and changes planned or made as a result of FedRAMP Reportable Incidents.","items":{"type":"string"}}}}}}