
Certification Data Sharing

The Certification Data Sharing rules allow providers to store and share FedRAMP certification information through the platform they choose as long as it follows FedRAMP rules for access, accuracy, and transparency. This helps customers and the public review consistent, current security and compliance information while recognizing that the information usually remains the provider's intellectual property and is not federal information.

Rule Sections


General Provider Responsibilities

These rules apply to providers for FedRAMP Certifications of any type.

Public Information

CDS-CSO-PUB

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST publicly share up-to-date information about the cloud service offering in both human-readable and machine-readable formats, including at least:

  1. Direct link to the FedRAMP Marketplace for the offering
  2. Service Model
  3. Deployment Model
  4. Business Category
  5. UEI Number
  6. Contact Information
  7. Overall Service Description
  8. Detailed list of specific services and their security categories (see CDS-CSO-SVC)
  9. Summary of customer responsibilities and secure configuration guidance (if applicable, see the FedRAMP Secure Configuration Guide process)
  10. Process for accessing information in the trust center (if applicable)
  11. Availability status and recent disruptions for the trust center (if applicable)
  12. Customer support information for the trust center (if applicable)
  13. Next Ongoing Certification Report date (see CCM-OCR-NRD)

Note: Generally, this information should be available on a public webpage.


Terms: Cloud Service Offering, Machine-Readable, Ongoing Certification, Ongoing Certification Report (OCR), Security Category, Trust Center

Service List

CDS-CSO-SVC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST publicly share a detailed list of specific services and their security categories that are included in the cloud service offering using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP Minimum Assessment Scope without requesting access to underlying FedRAMP Certification Data.


Terms: Certification Data, Cloud Service Offering, Security Category

Use Trust Centers

CDS-CSO-UTC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST use a FedRAMP-compatible trust center to store and share FedRAMP Certification Data with all necessary parties.


Note: Rules for FedRAMP-Compatible Trust Centers are explained in the Certification Data Sharing Rules under the FedRAMP-Compatible Trust Centers section (id: CDS-TRC).


Terms: All Necessary Parties, Certification Data, Trust Center

Consistency Between Formats

CDS-CSO-CBF

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST use automation to ensure information remains consistent between human-readable and machine-readable formats when FedRAMP Certification Data is provided in both formats.


Terms: Certification Data, Machine-Readable

Responsible Information Sharing

CDS-CSO-RIS

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST provide sufficient information in FedRAMP Certification Data to support agency authorization decisions but SHOULD NOT include sensitive information that would likely enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the cloud service offering.


Note: This is not a license to exclude accurate risk information, but specifics that would likely lead to compromise should be abstracted. A breach of confidentiality with FedRAMP Certification Data should be anticipated by a secure cloud service provider.

Tips on sensitive information in FedRAMP Certification Data

Key Tests:

  • Passwords, API keys, access credentials, etc.

  • Excessive detail about methodology that exposes weaknesses

  • Personally identifiable information about employees

Examples:

  • DON'T: "In an emergency, an administrator with physical access to a system can log in using 'secretadmin' with the password 'pleasewutno'."

  • DO: "In an emergency, administrators with physical access can log in directly."

  • DON'T: "All backup MFA credentials are stored in a SuperSafe Series 9000 safe in the CEO's office."

  • DO: "All backup MFA credentials are stored in a UL Class 350 safe in a secure location with limited access."

  • DON'T: "During an incident, the incident response team led by Jim Smith (555-0505) will open a channel at the conference line (555-0101 #97808 passcode 99731)..."

  • DO: "During an incident, the incident response team will coordinate over secure channels."


Terms: Certification Data, Cloud Service Offering, Likely

Historical FedRAMP Certification Data

CDS-CSO-HAD

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST make historical versions of FedRAMP Certification Data available for three years to all necessary parties UNLESS otherwise specified by applicable FedRAMP rules; deltas between versions MAY be consolidated quarterly.

Effective Date(s):

  • Obtain: 2027-05-04
  • Maintain: 2027-05-04
  • Grace By Assessment Months: 2


Note: Consolidating changes quarterly means that the historical status at the end of each quarter or at the time of the Ongoing Authorization Report or Quarterly Review is sufficient, instead of maintaining separate versions with every single change that took place throughout the quarter.


Terms: All Necessary Parties, Certification Data, Quarterly Review

Per-Service Certification Materials

CDS-CSO-PSM

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers of Class A offerings MAY supply per-service FedRAMP Certification materials.

Providers of Class B offerings MAY supply per-service FedRAMP Certification materials.

Providers of Class C offerings MAY supply per-service FedRAMP Certification materials.

Providers of Class D offerings MUST supply per-service FedRAMP Certification materials.

Effective Date(s):

  • Obtain: 2027-05-04
  • Maintain: 2027-05-04
  • Grace By Assessment Months: 2


Notes:

  • Providers determine what they consider to be separate services, based on maximizing the customer experience for agencies who may only adopt some services and not others.
  • Providers are encouraged to provide a single comprehensive set of materials for all shared aspects of the service offering and only provide separate materials for unique aspects of each service to minimize the burden on providers and agencies.

FedRAMP-Compatible Trust Centers

These rules apply to trust centers that are FedRAMP-compatible.

Uninterrupted Sharing

CDS-TRC-USH

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Trust centers MUST share FedRAMP Certification Data with all necessary parties without interruption.


Note: "Without interruption" means that parties should not have to request manual approval each time they need to access FedRAMP Certification Data or go through a complicated process. The preferred way of ensuring access without interruption is to use on-demand just-in-time access provisioning.


Terms: All Necessary Parties, Certification Data, Trust Center

Programmatic Access

CDS-TRC-PAC

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Trust centers MUST provide documented programmatic access to all FedRAMP Certification Data, including programmatic access to human-readable materials.


Terms: Certification Data, Trust Center

Agency Access Inventory

CDS-TRC-AAI

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Trust centers MUST maintain an inventory and history of federal agency users or systems with access to FedRAMP Certification Data and MUST make this information available to FedRAMP upon request.


Terms: Certification Data, Trust Center

Access Logging

CDS-TRC-ACL

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Trust centers MUST log access to FedRAMP Certification Data and store summaries of access for at least six months; such information, as it pertains to specific parties, SHOULD be made available upon request by those parties.


Terms: Certification Data, Trust Center

Human and Machine-Readable

CDS-TRC-HMR

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Trust centers SHOULD make FedRAMP Certification Data available to view and download in both human-readable and machine-readable formats.


Terms: Certification Data, Machine-Readable, Trust Center

Self-Service Access Management

CDS-TRC-SSM

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Trust centers SHOULD include features that encourage all necessary parties to provision and manage access to FedRAMP Certification Data for their users and services directly.


Terms: All Necessary Parties, Certification Data, Trust Center

Using a Trust Center

These rules apply to providers that are using a FedRAMP-compatible trust center instead of USDA Connect; they DO NOT apply to providers using USDA Connect.

Public Guidance

CDS-UTC-PGD

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST publicly provide plain-language policies and guidance for all necessary parties that explain how they can obtain and manage access to FedRAMP Certification Data stored in the trust center.


Terms: All Necessary Parties, Certification Data, Trust Center

Agency Access

CDS-UTC-AGA

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers SHOULD share the FedRAMP Certification package with agencies upon request.


Terms: Certification Package

Agency Access Denial

CDS-UTC-AAD

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using info@fedramp.gov.

Providers MUST notify FedRAMP by email to info@fedramp.gov within 5 business days of denying an agency access request for FedRAMP Certification Data.

Timeframe: 5 business days


Terms: Certification Data

Rev5-Specific Provider Responsibilities

These rules apply to providers for FedRAMP Rev5 Certifications.

Trust Center Migration

CDS-CSL-TCM

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify all necessary parties by update using FedRAMP Certification Data.

Providers MUST notify all necessary parties when migrating to a trust center and MUST provide information in their existing USDA Connect Community Portal secure folders explaining how to use the trust center to obtain FedRAMP Certification Data.


Terms: All Necessary Parties, Certification Data, Trust Center

Structured Certification Data

CDS-CSL-SCD

Changelog:

  • 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers of Class A offerings MUST supply semi-structured text-based FedRAMP Certification Data.

Effective Date(s):

  • Obtain: 2027-01-01
  • Maintain: 2027-05-04
  • Grace By Assessment Months: 2

Providers of Class B offerings MUST supply semi-structured text-based FedRAMP Certification Data.

Effective Date(s):

  • Obtain: 2027-01-01
  • Maintain: 2027-05-04
  • Grace By Assessment Months: 2

Providers of Class C offerings MUST supply semi-structured text-based FedRAMP Certification Data.

Effective Date(s):

  • Obtain: 2027-01-01
  • Maintain: 2027-05-04
  • Grace By Assessment Months: 2

Providers of Class D offerings MUST supply comprehensive machine-readable FedRAMP Certification Data.

Effective Date(s):

  • Obtain: 2027-05-04
  • Maintain: 2027-05-04
  • Grace By Assessment Months: 2


Terms: Certification Data, Machine-Readable
