{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://fedramp.gov/schemas/fedramp-security-decision-record-schema-2026-06-24.json","$schemaVersion":"0.0.1","type":"object","title":"FedRAMP Security Decision Record (SDR-CSO-FRR)","description":"JSON Schema for Cloud Service Provider (CSP) system submission for FedRAMP certification per SDR-CSO-FRR.","required":["certificationPackageOverviewUri","fedRampRequirements"],"properties":{"certificationPackageOverviewUri":{"$ref":"https://fedramp.gov/schemas/fedramp-common-definitions-schema-2026-06-24.json/$defs/certificationPackageOverviewUri"},"portsAndProtocols":{"type":"array","title":"Ports and Protocols","description":"Ports and protocols used by the Cloud Service Offering","items":{"type":"object","title":"Port and Protocol","description":"Port and protocol exposed by the Cloud Service Offering"},"properties":{"serviceName":{"type":"string","title":"Service Name","description":"Name of the service exposed on this port."},"portNumber":{"type":"string","title":"Port Number","description":"Port number used by the service. 
For services that operate on a range of ports, provide the range in the format 'start-end'."},"transportProtocol":{"type":"string","title":"Transport Protocol","description":"Transport protocol used by the service"},"encryption":{"type":"string","title":"Encryption","description":"Encryption method used by the service (e.g., TLS, SSL, None)."},"purpose":{"type":"string","title":"Purpose","description":"Provide a general description of how it is used in the Cloud Service Offering (e.g., Web access, database connection)."}}},"securityControls":{"type":"array","title":"NIST 800-53 Security Controls","description":"Describe the security controls for the system.","items":{"nistSecurityControl":{"type":"object","description":"NIST 800-53 Security Control","properties":{"controlId":{"type":"string","description":"NIST 800-53 Control ID","examples":["AC-1","AC-2","AC-3"],"title":"NIST 800-53 Control ID"},"parameterValues":{"type":"array","title":"Parameter Values","description":"Parameter values for the control","items":{"type":"object","required":["parameterId","parameterValue"],"title":"Parameter Value","description":"Parameter value for the control","properties":{"parameterId":{"type":"string","title":"Parameter ID","description":"The parameter ID as defined in the NIST 800-53 Control Implementation Guide."},"parameterValue":{"type":"string","title":"Parameter Value","description":"The parameter value selected by the Cloud Service Provider. If the parameter is a boolean, provide 'true' or 'false'. If the parameter is a list, provide a comma-separated list of values."}}}},"controlImplementationStatus":{"type":"string","title":"Control Implementation Status","description":"Status of the control implementation","enum":["Implemented","Not Implemented","Partially Implemented"]},"controlImplementationDescription":{"type":"string","title":"Control Implementation Description","description":"Description of the control implementation. 
May use Markdown for formatting."}}}}},"fedRampRequirements":{"type":"array","title":"FedRAMP Requirements","description":"Describe how any applicable FedRAMP required processes are met.","items":{"fedRAMPRequirement":{"type":"object","title":"FedRAMP Requirement","description":"FedRAMP requirement","required":["frrID","frrImplementation"],"properties":{"frrID":{"type":"string","title":"FedRAMP Requirement ID","description":"FedRAMP requirement ID"},"frrImplementation":{"type":"array","title":"Requirement Implementation Statements","description":"Description of the requirement implementation. May use Markdown for formatting.","items":{"$ref":"#/$defs/implementationStatement"}},"frrValidation":{"type":"array","title":"Requirement Validation Statements","description":"Description of the requirement validation. May use Markdown for formatting.","items":{"$ref":"#/$defs/validationStatement"}},"frrAssesment":{"type":"array","title":"Requirement Assessment Statements","description":"Description of the requirement assessment. May use Markdown for formatting.","items":{"$ref":"#/$defs/assessmentStatement"}}}}}},"keySecurityIndicators":{"title":"FedRAMP Key Security Indicators","type":"array","items":{"keySecurityIndicator":{"type":"object","title":"FedRAMP Key Security Indicator","description":"How the Key Security Indicator objective is achieved and monitored","required":["ksiId","ksiImplementation","ksiValidation","ksiAssesment","ksiTests","ksiEvidence"],"properties":{"ksiId":{"type":"string","title":"FedRAMP KSI ID","description":"FedRAMP KSI ID"},"ksiImplementation":{"type":"array","title":"KSI Implementation Statements","description":"Description of the requirement implementation. May use Markdown for formatting.","items":{"$ref":"#/$defs/implementationStatement"}},"ksiValidation":{"type":"array","title":"KSI Validation Statements","description":"Description of the requirement validation. 
May use Markdown for formatting.","items":{"$ref":"#/$defs/validationStatement"}},"ksiAssesment":{"type":"array","title":"KSI Assessment Statements","description":"Description of the requirement assessment. May use Markdown for formatting.","items":{"$ref":"#/$defs/assessmentStatement"}},"ksiTests":{"type":"array","items":{"type":"string"}},"ksiEvidence":{"type":"array","items":{"$ref":"#/$defs/evidence"}}}}}}},"$defs":{"evidence":{"type":"object","description":"Results of the security test","title":"Evidence","properties":{"evidenceType":{"type":"string","enum":["Log","Report","Screenshot","Configuration","Policy","Procedure","Audit Record"],"title":"Evidence Type","description":"Type of evidence provided"},"evidenceDescription":{"type":"string","title":"Evidence Description","description":"Detailed description of the evidence."},"evidenceLocation":{"type":"string","format":"uri","title":"Evidence Location","description":"URI or file path to the evidence document"},"evidenceText":{"type":"string","title":"Evidence Content (Text)","description":"Evidence included as plain text, such as the output of a command or log."},"lastUpdated":{"type":"string","format":"date","title":"Last Updated","description":"Date when the evidence was last updated"}}},"implementationStatement":{"type":"string","title":"Implementation","description":"Description of how the control/requirement/KSI is implemented. May use Markdown for formatting."},"validationStatement":{"type":"string","title":"Validation","description":"Description of how the control/requirement/KSI is validated by the CSP internally. May use Markdown for formatting."},"assessmentStatement":{"type":"string","title":"Assessment","description":"Description of how the control/requirement/KSI is assessed by an independent validator. May use Markdown for formatting."}}}