Significant Change Notifications¶

Providers MUST maintain auditable records of the significant change evaluation activities required by SCN-CSO-EVA (Evaluate Changes) and make them available to FedRAMP.

Note: These audit records must be available to FedRAMP on request; these records do not need to be included in the FedRAMP Certification package by default.

Terms: Certification Package, Significant Change

Providers MUST include at least the following information in Significant Change Notifications:

1. Service Offering FedRAMP ID
2. Assessor Name (if applicable)
3. Related Vulnerability (if applicable)
4. Significant Change type and explanation of categorization
5. Short description of change
6. Reason for change
7. Summary of customer impact, including changes to services and customer configuration responsibilities
8. Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted Key Security Indicators or controls
9. Copy of the business or security impact analysis
10. Name and title of approver

Note: Structure of the information may vary depending on how the provider tracks this internally.

Terms: Significant Change, Validation, Verification, Vulnerability

Providers MUST keep 12 months of historical Significant Change Notifications available with their FedRAMP Certification Data.

Terms: Certification Data, Significant Change

Providers MUST make ALL Significant Change Notifications and related audit records available in human-readable and machine-readable formats.

Note: During the SCN beta, many cloud service providers met this requirement by using carefully structured and organized csv files to meet human-readable and machine-readable requirements simultaneously.

Terms: Machine-Readable, Significant Change

Providers MAY include additional relevant information in Significant Change Notifications.

Note: This allows providers to convey whatever additional information they think is relevant without worrying about negative consequences from not following an exact template.

Terms: Significant Change

Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented in the FedRAMP Certification package and easily accessible.

Notes:

• The sharing mechanism should be designed based on the needs of the provider and their customers and may vary between providers.
• The default sharing mechanism for most providers during the SCN beta was to send an email to agency customers and upload a copy of the notification to the provider's secure sharing location.

Terms: Certification Package

Providers MAY execute significant changes (including transformative changes) during an emergency or incident without following the Significant Change Notification rules in advance. In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident.

Note: Procedures for emergency changes should be documented in the FedRAMP Certification package.

Terms: All Necessary Parties, Certification Package, Incident, Significant Change, Transformative Change

Providers MUST evaluate all potential significant changes to determine the type of significant change and follow the appropriate Significant Change Notification rules.

1. Is it a significant change? --> Continue evaluation and follow the Significant Change Notification rules.
2. If it is, is it an FedRAMP Certification class change? --> This requires a new assessment and cannot be done under the Significant Change Notification rules.
3. If it is not, is it a routine recurring change? --> Follow the Routine Recurring Change rules (SCN-RTR Routine Recurring Changes).
4. If it is not, is it a transformative change? --> Follow the Transformative Change rules (SCN-TRF Transformative Changes).
5. If it is not, then it is an adaptive change --> Follow the Adaptive Change rules (SCN-ADP Adaptive Changes).

Terms: Adaptive Change, Certification Class Change, Routine Recurring Change, Significant Change, Transformative Change

Providers MUST notify all necessary parties within 10 business days after finishing adaptive changes, also including the following information:

Timeframe: 10 business days

1. Summary of any new risks identified and/or vulnerabilities resulting from the change (if applicable)

Notes:

• Activities that match the adaptive significant change type are a frequent and normal part of iteratively improving a service by deploying new functionality or modifying existing functionality in a way that is typically transparent to customers and does not introduce significant new security risks.
• In general, most changes that do not happen regularly will be adaptive changes. This change type deliberately covers a wide range of activities in a way that requires assessment and consideration.

Terms: Adaptive Change, All Necessary Parties, Regularly, Significant Change, Vulnerability

Providers SHOULD NOT make formal Significant Change Notifications for routine recurring changes; this type of change is exempted from notification requirements.

Notes:

• Activities that match the routine recurring significant change type are performed regularly and routinely by cloud service providers to address flaws or vulnerabilities, address incidents, and generally perform the typical maintenance and service delivery changes expected during day-to-day operations.
• These changes leverage mature processes and capabilities to identify, mitigate, and remediate risks as part of the change. They are often entirely automated and may occur without human intervention, even though they have an impact on security of the service.
• If the activity does not occur regularly and routinely then it cannot be a significant change of this type (e.g., replacing all physical firewalls to remediate a vulnerability is obviously not regular or routine).

Terms: Incident, Regularly, Routine Recurring Change, Significant Change, Vulnerability

Providers MUST notify all necessary parties of initial plans for transformative changes at least 30 business days before starting transformative changes, including a summary of any likely security impacts or changes in risk.

Timeframe: 30 business days

Terms: All Necessary Parties, Likely, Transformative Change

Providers MUST notify all necessary parties of final plans for transformative changes at least 10 business days before starting transformative changes, including updates to all previously sent information.

Timeframe: 10 business days

Terms: All Necessary Parties, Transformative Change

Providers MUST notify all necessary parties within 5 business days after finishing transformative changes, including updates to all previously sent information.

Timeframe: 5 business days

Terms: All Necessary Parties, Transformative Change

Providers MUST notify all necessary parties within 5 business days after completing the verification, assessment, and/or validation of transformative changes, also including the following information:

Timeframe: 5 business days

1. Updates to all previously sent information
2. Summary of any new risks identified and/or vulnerabilities resulting from the change (if applicable)
3. Copy of the security assessment report (if applicable)

Terms: All Necessary Parties, Transformative Change, Validation, Verification, Vulnerability

Providers MUST publish updated service documentation and other materials to reflect transformative changes within 30 business days after finishing transformative changes.

Timeframe: 30 business days

Note: This requirement is focused on service documentation like user guides, information listed in the marketplace, and other such materials; it does not require updating the system security plan or FedRAMP Certification package.

Terms: Certification Package, Transformative Change

Providers SHOULD engage a third-party assessor to review the scope and impact of the planned change before starting transformative changes if human validation is necessary; such reviews SHOULD be limited to security decisions that require human validation.

Note: Activities that match the transformative significant change type are rare for a cloud service offering, adjusted for the size, scale, and complexity of the service. Small cloud service offerings may go years without transformative changes, while hyperscale providers may release multiple transformative changes per year.

Terms: Cloud Service Offering, Significant Change, Transformative Change, Validation