
Authorization by FedRAMP — FedRAMP KSI Domain

Generated from the official FedRAMP/docs GitHub repo. Source path: FRMR.documentation.json on main at blob 5c6bfee74029. FRMR version: 0.9.43-beta · upstream last_updated: 2026-04-08. The official FedRAMP/rules repo exists, but grclanker still treats FedRAMP/docs as the active source until structured rules land there.

Authorization by FedRAMP

Domain code: AFR · Domain ID: KSI-AFR · Web slug: authorization-by-fedramp

Theme

A secure cloud service provider seeking FedRAMP authorization will address all FedRAMP 20x requirements and recommendations, including government-specific requirements for maintaining a secure system and reporting on activities to government customers.

Indicators

KSI-AFR-ADS (formerly KSI-AFR-03) — Authorization Data Sharing

Determine how authorization data will be shared with all necessary parties in alignment with the FedRAMP Authorization Data Sharing (ADS) process and persistently address all related requirements and recommendations.

Reference: Authorization Data Sharing

Mapped Rev5 controls: ac-3, ac-4, au-2, au-3, au-6, ca-2, ir-4, ra-5, sc-8

Terms: All Necessary Parties, Authorization data, Persistently

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-AFR-CCM (formerly KSI-AFR-06) — Collaborative Continuous Monitoring

Maintain a plan and process for providing Ongoing Authorization Reports and Quarterly Reviews for all necessary parties in alignment with the FedRAMP Collaborative Continuous Monitoring (CCM) process and persistently address all related requirements and recommendations.

Reference: Collaborative Continuous Monitoring

Terms: All Necessary Parties, Persistently, Quarterly Review

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-AFR-FSI (formerly KSI-AFR-08) — FedRAMP Security Inbox

Operate a secure inbox to receive critical communication from FedRAMP and other government entities in alignment with FedRAMP Security Inbox (FSI) requirements and persistently address all related requirements and recommendations.

Reference: FedRAMP Security Inbox

Terms: FedRAMP Security Inbox, Persistently

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-AFR-ICP (formerly KSI-AFR-10) — Incident Communications Procedures

Integrate FedRAMP’s Incident Communications Procedures (ICP) into incident response procedures and persistently address all related requirements and recommendations.

Reference: Incident Communications Procedures

Terms: Incident, Persistently, Vulnerability Response

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-AFR-MAS (formerly KSI-AFR-01) — Minimum Assessment Scope

Apply the FedRAMP Minimum Assessment Scope (MAS) to identify and document the scope of the cloud service offering to be assessed for FedRAMP authorization and persistently address all related requirements and recommendations.

Reference: Minimum Assessment Scope

Mapped Rev5 controls: ac-1, ac-21, at-1, au-1, ca-1, cm-1, cp-1, cp-2.1, cp-2.8, cp-4.1, ia-1, ir-1, ma-1, mp-1, pe-1, pl-1, pl-2, pl-4, pl-4.1, ps-1, ra-1, ra-9, sa-1, sc-1, si-1, sr-1, sr-2, sr-3, sr-11

Terms: Cloud Service Offering, Persistently

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-AFR-PVA (formerly KSI-AFR-09) — Persistent Validation and Assessment

Persistently validate, assess, and report on the effectiveness and status of security decisions and policies that are implemented within the cloud service offering in alignment with the FedRAMP 20x Persistent Validation and Assessment (PVA) process, and persistently address all related requirements and recommendations.

Reference: Persistent Validation and Assessment

Terms: Cloud Service Offering, Persistent Validation, Persistently

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-AFR-SCG (formerly KSI-AFR-07) — Secure Configuration Guide

Develop secure by default configurations and provide guidance for secure configuration of the cloud service offering to customers in alignment with the FedRAMP Secure Configuration Guide (SCG) process and persistently address all related requirements and recommendations.

Reference: Secure Configuration Guide

Terms: Cloud Service Offering, Persistently

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-AFR-SCN (formerly KSI-AFR-05) — Significant Change Notifications

Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations.

Reference: Significant Change Notifications

Mapped Rev5 controls: ca-7.4, cm-3.4, cm-4, cm-7.1, au-5, ca-5, ca-7, ra-5, ra-5.2, sa-22, si-2, si-2.2, si-3, si-5, si-7.7, si-10, si-11

Terms: All Necessary Parties, Persistently, Significant change

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-AFR-UCM (formerly KSI-AFR-11) — Using Cryptographic Modules

Ensure that cryptographic modules used to protect potentially sensitive federal customer data are selected and used in alignment with the FedRAMP 20x Using Cryptographic Modules (UCM) guidance and persistently address all related requirements and recommendations.

Reference: Using Cryptographic Modules

Terms: Federal Customer Data, Persistently

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.

KSI-AFR-VDR (formerly KSI-AFR-04) — Vulnerability Detection and Response

Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations.

Reference: Vulnerability Detection and Response

Mapped Rev5 controls: ca-2, ca-7, ca-7.6, ir-1, ir-4, ir-4.1, ir-5, ir-5.1, ir-6, ir-6.1, ir-6.2, pm-3, pm-5, pm-31, ra-2, ra-2.1, ra-3, ra-3.3, ra-5, ra-5.2, ra-5.3, ra-5.4, ra-5.5, ra-5.6, ra-5.7, ra-5.11, ra-9, ra-10, si-2, si-2.1, si-2.2, si-2.4, si-2.5, si-3, si-3.1, si-3.2, si-4, si-4.2, si-4.3, si-4.7, ca-7.4, ra-7

Terms: Cloud Service Offering, Persistently, Vulnerability, Vulnerability Detection, Vulnerability Response

Recent update: 2026-02-04 — Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes.
