FedRAMP Certification¶
The FedRAMP Certification rules define how cloud service offerings obtain and maintain FedRAMP Certification across certification classes and paths. They give providers, assessors, agencies, and FedRAMP a common set of expectations for required rule sets, current evidence, independent verification and validation, and ongoing certification decisions.
FedRAMP Responsibilities¶
These rules apply to FedRAMP.
Minimum Continuous Monitoring¶
FRC-FRP-MCM
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
FedRAMP MUST perform a minimum level of continuous monitoring for cloud service offerings with FedRAMP Program Certification, including at least reviewing Ongoing Certification Reports.
Exemptions from Certification Rules¶
FRC-FRP-ECR
Changelog:
- 2026-05-04: Initial reset for the Consolidated Rules for 2026 Public Preview.
FedRAMP MAY approve exemptions from some FedRAMP Certification rules in rare circumstances by supplying an explicit waiver, based on a prioritization and risk assessment completed by FedRAMP.
Notes:
- FedRAMP will determine when such exemptions are appropriate.
- Exemptions will typically be part of a public prioritization process and criteria will be published publicly.
- Do not ask FedRAMP for an exemption unless the publicly published criteria is met.