{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "FedRAMP.schema.json", "info": { "name": "FedRAMP Definitions", "short_name": "FRD", "effective": { "rev5": { "is": "optional", "signup_url": "", "current_status": "Wide Release", "start_date": "2025-09-01", "end_date": "2027-12-22", "comments": [ "Rev5 Authorized providers MUST apply these definitions for Rev5 Balance Improvement Release materials; these definitions do not always apply in legacy Rev5 materials." ] }, "20x": { "is": "required", "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", "current_status": "Phase 2 Pilot", "start_date": "2025-11-18", "end_date": "2026-03-31", "comments": [ "Phase 1 pilot authorizations have one year from authorization to fully address this policy but must demonstrate continuous quarterly progress.", "Phase 2 Pilot participants must demonstrate significant progress towards addressing this policy prior to submission for authorization review." ] } }, "releases": [ { "id": "25.11B", "published_date": "2025-11-24", "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.", "public_comment": false }, { "id": "25.11A", "published_date": "2025-11-18", "description": "Updates and new definitions added for the FedRAMP 20x Phase Two pilot.", "public_comment": false }, { "id": "25.10A", "published_date": "2025-10-17", "description": "Minor updates to improve clarity; switch from federal information to federal customer data; no substantive changes.", "public_comment": false }, { "id": "25.09A", "published_date": "2025-09-10", "description": "Added FRD-ALL-18 through FRD-ALL-39 aligned with the Vulnerability Detection and Response standard.", "public_comment": true } ], "front_matter": { "authority": [ { "reference": "FedRAMP Authorization Act (44 USC § 3608)", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap36-sec3609", "description": 
"requires that the Administrator of the General Services Administration shall \"establish a Government- wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies\"", "delegation": "These responsibilities are delegated to the FedRAMP Director", "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" } ], "purpose": "This document consolidates formal FedRAMP definitions for terms used in FedRAMP standards.", "expected_outcomes": [ "All stakeholders will have a common understanding of key terms used in FedRAMP standards." ] } }, "FRD": { "ALL": [ { "id": "FRD-ALL-01", "term": "Federal Customer Data", "alts": [ "federal customer data" ], "definition": "All electronic information, content, and materials that an _agency_ or its authorized users upload, store, or otherwise provide to a cloud service for processing or storage. This does NOT include account information, service metadata, analytics, telemetry, or other similar metadata generated by the cloud service provider.", "note": "In the context of FedRAMP authorization, \"federal customer data\" ONLY ever refers to data owned by federal agency customers. Agreements and contracts with specific _agencies_ may require providers to protect additional data or even transfer ownshership of telemetry or usage data to the _agency_; always consult a lawyer that is familiar with company agreements and contracts when determining the scope of federal customer data." 
}, { "id": "FRD-ALL-02", "term": "Information Resource", "alts": [ "information resource", "information resources" ], "definition": "Has the meaning from 44 USC § 3502 (6): \"information and related resources, such as personnel, equipment, funds, and information technology.\" This includes any aspect of the _cloud service offering_, both technical and managerial, including everything that makes up the business of the offering from non-_machine-based_ _information resources_ like organizational policies, procedures, employees, etc. to _machine-based_ _information resources_ like hardware, software, cloud services, code, etc.", "note": "_Information resources_ are either _machine-based_ or non-_machine-based_; any requirement or recommendation that references _information resources_ without specifying a type is inclusive of all _information resources_.", "reference": "44 USC § 3502 (6)", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502" }, { "id": "FRD-ALL-03", "term": "Handle", "alts": [ "handle", "handles", "handled", "handling" ], "definition": "Has the plain language meaning inclusive of any possible action taken with information, such as access, collect, control, create, display, disclose, disseminate, dispose, maintain, manipulate, process, receive, review, store, transmit, use... etc." }, { "id": "FRD-ALL-04", "term": "Likely", "alts": [ "likely", "likelihood" ], "definition": "A reasonable degree of probability based on context." }, { "id": "FRD-ALL-05", "term": "Third-party Information Resource", "alts": [ "third-party information resource", "third-party information resources" ], "definition": "Any _information resource_ that is not entirely included in the assessment for the _cloud service offering_ seeking authorization." 
}, { "id": "FRD-ALL-06", "term": "Cloud Service Offering", "alts": [ "cloud service offering", "cloud service offerings" ], "definition": "A specific, packaged cloud computing product or service provided by a cloud service provider that can be used by a customer. FedRAMP assessment and authorization of the cloud computing product or service is based on the Minimum Assessment Standard." }, { "id": "FRD-ALL-07", "term": "Regularly", "alts": [ "regularly", "regular" ], "definition": "Performing the activity on a consistent, predictable, and repeated basis, at set intervals, automatically if possible, following a documented plan. These intervals may vary as appropriate between different requirements." }, { "id": "FRD-ALL-08", "term": "Significant change", "alts": [ "significant change", "significant changes" ], "definition": "Has the meaning given in NIST SP 800-37 Rev. 2 which is \"a change that is _likely_ to substantively affect the security or privacy posture of a system.\"", "reference": "NIST SP 800-37 Rev. 2", "reference_url": "https://csrc.nist.gov/pubs/sp/800/37/r2/final" }, { "id": "FRD-ALL-09", "term": "Routine Recurring", "alts": [ "routine recurring" ], "definition": "The type of _significant change_ that _regularly_ and routinely recurs as part of ongoing operations, vulnerability mitigation, or vulnerability remediation." }, { "id": "FRD-ALL-10", "term": "Adaptive", "alts": [ "adaptive" ], "definition": "The type of _significant change_ that does not routinely recur but does not introduce substantive potential security risks that need to be assessed in depth.", "note": "Adaptive changes typically require careful planning that focuses on engineering execution instead of customer adoption, can be verified with minor changes to existing automated validation procedures, and do not require large changes to operational procedures, deployment plans, or documentation." 
}, { "id": "FRD-ALL-11", "term": "Transformative", "alts": [ "transformative" ], "definition": "The type of _significant change_ that introduces substantive potential security risks that are _likely_ to affect existing risk determinations and must be assessed in depth.", "note": "Transformative changes typically introduce major features or capabilities that may change how a customer uses the service (in whole or in part) and require extensive updates to security assessments, operational procedures, deployment plans, and documentation." }, { "id": "FRD-ALL-12", "term": "Impact Categorization", "alts": [ "impact categorization" ], "definition": "The type of _significant change_ that is _likely_ to increase or decrease the impact level categorization for the entire cloud service offering (e.g. from low to moderate or from high to moderate)." }, { "id": "FRD-ALL-13", "term": "Interim Requirement", "definition": "A temporary requirement included as part of a FedRAMP Pilot or Beta Test that will _likely_ be replaced, updated, or removed prior to the formal wide release of the requirement." }, { "id": "FRD-ALL-14", "term": "Authorization Package", "alts": [ "authorization package", "authorization packages" ], "definition": "Has the meaning from 44 USC § 3607 (b)(8) which is \"the essential information that can be used by an agency to determine whether to authorize the operation of an information system or the use of a designated set of common controls for all cloud computing products and services authorized by FedRAMP.\"", "reference": "44 USC § 3607 (b)(8)", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap36-sec3607", "note": "In FedRAMP documentation, _authorization package_ always refers to a FedRAMP _authorization package_ unless otherwise specified."
}, { "id": "FRD-ALL-15", "term": "Authorization data", "alts": [ "authorization data" ], "definition": "The collective information required by FedRAMP for initial and ongoing assessment and authorization of a _cloud service offering_, including the _authorization package_. ", "note": "In FedRAMP documentation, _authorization data_ always refers to FedRAMP _authorization data_ unless otherwise specified." }, { "id": "FRD-ALL-16", "term": "Trust Center", "alts": [ "trust center", "trust centers" ], "definition": "A secure repository or service used by cloud service providers to store and share _authorization data_. _Trust centers_ are the complete and definitive source for _authorization data_ and must meet the requirements outlined in the FedRAMP _authorization data_ Sharing Standard to be FedRAMP-compatible.", "note": "In FedRAMP documentation, all references to _trust centers_ indicate FedRAMP-compatible _trust centers_ unless otherwise specified." }, { "id": "FRD-ALL-17", "term": "Machine-Readable", "alts": [ "machine-readable" ], "definition": "Has the meaning from 44 U.S. Code § 3502 (18) which is \"the term \"_machine-readable_\", when used with respect to data, means data in a format that can be easily processed by a computer without human intervention while ensuring no semantic meaning is lost\"", "reference": "44 U.S. Code § 3502 (18)", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502" }, { "id": "FRD-ALL-18", "term": "All Necessary Parties", "alts": [ "all necessary parties" ], "definition": "All entities whose interests are affected directly by activity related to a specific _cloud service offering_ in the context of a FedRAMP authorization. This always includes FedRAMP and any _agency_ customer who is operating the _cloud service offering_, but may include additional parties depending on agreements made by the cloud service provider (such as consultants or third-party assessors). 
Potential _agency_ customers or third-party cloud service providers should also be included in most cases but this is not a mandatory requirement under FedRAMP as ultimately the cloud service provider may choose who they wish to do business with." }, { "id": "FRD-ALL-19", "term": "Agency", "alts": [ "agency", "agencies" ], "definition": "Has the meaning given in 44 U.S. Code § 3502 (1), which is \"any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency, but does not include—(A) the Government Accountability Office; (B) Federal Election Commission; (C) the governments of the District of Columbia and of the territories and possessions of the United States, and their various subdivisions; or (D) Government-owned contractor-operated facilities, including laboratories engaged in national defense research and production activities.\"", "reference": "44 U.S. Code § 3502 (1)", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502" }, { "id": "FRD-ALL-20", "term": "Vulnerability", "alts": [ "vulnerability", "vulnerabilities" ], "definition": "Has the meaning given to \"security vulnerability\" in 6 USC § 650 (25), which is \"any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of [...] 
management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.\" This includes gaps in Rev5 controls and 20x Key Security Indicators, software vulnerabilities, misconfigurations, exposures, weak credentials, insecure services, and all other such potential weaknesses in protection (intentional or unintentional).", "reference": "6 USC § 650 (25)", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2024-title6/USCODE-2024-title6-chap1-subchapXVIII-sec650" }, { "id": "FRD-ALL-21", "term": "Vulnerability Detection", "alts": [ "vulnerability detection", "detect vulnerabilities", "detect", "detection", "detected" ], "definition": "The systematic process of discovering and identifying security vulnerabilities in _information resources_ through assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, supply chain monitoring, and other capabilities. This process includes the initial discovery of a _vulnerability's_ existence and the determination of affected _information resources_ within a _cloud service offering._", "note": "This definition applies to other forms such as \"detect vulnerabilities\" or simply \"detection\" / \"detected\" used in FedRAMP materials." }, { "id": "FRD-ALL-22", "term": "Vulnerability Response", "alts": [ "vulnerability response", "respond to vulnerabilities", "respond", "response", "responded" ], "definition": "The systematic process of tracking, evaluating, mitigating, monitoring, remediating, assessing exploitation, reporting, and otherwise managing _detected vulnerabilities_.", "note": "This definition applies to other forms such as \"respond to vulnerabilities\" or simply \"response\" / \"responded\" used in FedRAMP materials." 
}, { "id": "FRD-ALL-23", "term": "Likely Exploitable Vulnerability (LEV)", "alts": [ "likely exploitable vulnerability", "likely exploitable vulnerabilities", "LEV", "LEVs", "NLEV", "NLEVs" ], "definition": "A vulnerability that is not _fully mitigated_, AND is reachable by a _likely_ threat actor, AND a _likely_ threat actor with knowledge of the _vulnerability_ would likely be able to gain unauthorized access, cause harm, disrupt operations, or otherwise have an undesired adverse impact within the _cloud service offering_ by exploiting the _vulnerability_.", "notes": [ "The opposite of this is a \"Not Likely Exploitable Vulnerability\" (NLEV).", "At the absolute minimum, any _vulnerability_ that an automated unauthenticated system can exploit over the internet is a _likely exploitable vulnerability_." ] }, { "id": "FRD-ALL-24", "term": "Internet-Reachable Vulnerability (IRV)", "alts": [ "internet-reachable vulnerability", "internet-reachable vulnerabilities", "IRV", "IRVs", "NIRV", "NIRVs" ], "definition": "A _vulnerability_ in a machine-based _information resource_ that might be exploited or otherwise triggered by a payload originating from a source on the public internet; this includes machine-based _information resources_ that have no direct route to/from the internet but receive payloads or otherwise take action triggered by internet activity.", "notes": [ "The opposite of this is a \"Not Internet-reachable Vulnerability\" (NIRV).", "Internet-reachability applies only to the specific vulnerable machine-based _information resources_ processing the payload; please review the relevant FedRAMP technical assistance on _internet-reachable vulnerabilities_ for examples." 
] }, { "id": "FRD-ALL-25", "term": "Known Exploited Vulnerability (KEV)", "alts": [ "known exploited vulnerability", "known exploited vulnerabilities", "KEV", "KEVs" ], "definition": "Has the meaning given in CISA Binding Operational Directive 22-01, which is any _vulnerability_ identified in CISA's Known Exploited Vulnerabilities catalog.", "reference": "CISA BOD 22-01", "reference_url": "https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities" }, { "id": "FRD-ALL-26", "term": "Remediated Vulnerability", "alts": [ "remediated vulnerability", "remediated vulnerabilities" ], "definition": "A _vulnerability_ that has been neutralized or eliminated and is no longer _detected_." }, { "id": "FRD-ALL-27", "term": "Partially Mitigated Vulnerability", "alts": [ "partially mitigated vulnerability", "partially mitigated vulnerabilities" ], "definition": "A _vulnerability_ where the likelihood or _potential adverse impact_ of exploitation has been reduced from the original evaluation but the risk of exploitation still exists and the _vulnerability_ is still _detected_." }, { "id": "FRD-ALL-28", "term": "Fully Mitigated Vulnerability", "alts": [ "fully mitigated vulnerability", "fully mitigated vulnerabilities" ], "definition": "A _vulnerability_ where the likelihood of exploitation or _potential adverse impact_ of exploitation has been reduced from the original evaluation until either is negligible, but the _vulnerability_ is still _detected_."
}, { "id": "FRD-ALL-29", "term": "False Positive Vulnerability", "alts": [ "false positive vulnerability", "false positive vulnerabilities" ], "definition": "A _detected vulnerability_ that is not actually present in an exploitable state in the _information resource_; this includes situations where vulnerable software or code exist on a machine-based _information resource_ but are not loaded, running, or otherwise in an operating state required for exploitation.", "note": "This only applies if the _vulnerability_ is not and was not present; a _remediated vulnerability_ or a _fully mitigated vulnerability_ cannot also be a _false positive vulnerability_." }, { "id": "FRD-ALL-30", "term": "Overdue Vulnerability", "alts": [ "overdue vulnerability", "overdue vulnerabilities" ], "definition": "A _vulnerability_ that the provider intends to _fully mitigate_ or _remediate_ but has not or will not do so within the time frames recommended or required by FedRAMP.", "note": "" }, { "id": "FRD-ALL-31", "term": "Accepted Vulnerability", "alts": [ "accepted vulnerability", "accepted vulnerabilities" ], "definition": "A _vulnerability_ that the provider does not intend to _fully mitigate_ or _remediate_, OR that has not or will not be _fully mitigated_ or _remediated_ within the maximum overdue period recommended or required by FedRAMP." }, { "id": "FRD-ALL-32", "term": "Catastrophic Adverse Effect", "alts": [ "catastrophic adverse effect", "catastrophic adverse effects" ], "definition": "A severe negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would _likely_: (i) result in a severe degradation in the availability or performance of services within the _cloud service offering_ for 24+ hours; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a majority of the _federal customer data_ stored within the _cloud service offering_."
}, { "id": "FRD-ALL-33", "term": "Serious Adverse Effect", "alts": [ "serious adverse effect", "serious adverse effects" ], "definition": "A significant negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in intermittent or ongoing degradation in the availability or performance of services within the _cloud service offering_, causing unpredictable interruptions to operations for 12+ hours; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a minority of the _federal customer data_ stored within the _cloud service offering_." }, { "id": "FRD-ALL-34", "term": "Limited Adverse Effect", "alts": [ "limited adverse effect", "limited adverse effects" ], "definition": "A minor negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in degradation of the availability or performance of services within the _cloud service offering_ for a minority of relevant users; OR (ii) directly or indirectly result in unauthorized access, disclosure, or modification of a small amount of the _federal customer data_ stored within the _cloud service offering_ by only a few relevant users." }, { "id": "FRD-ALL-35", "term": "Negligible Adverse Effect", "alts": [ "negligible adverse effect", "negligible adverse effects" ], "definition": "A small negative impact on an organization caused by the loss of confidentiality, integrity, or availability of its information. At a minimum, this includes effects that would likely: (i) result in minor inconvenience when accessing or using services within the _cloud service offering_; OR (ii) result in degradation of the availability or performance of services within the _cloud service offering_ for only a few relevant users." 
}, { "id": "FRD-ALL-36", "term": "Potential Adverse Impact (of vulnerability exploitation)", "alts": [ "potential adverse impact", "potential adverse impacts" ], "definition": "The estimated cumulative effect of unauthorized access, disruption, harm, or other adverse impact to agencies that _likely_ could result if a threat actor exploits a _vulnerability_ in the _cloud service offering_; as estimated following FedRAMP recommendations and requirements." }, { "id": "FRD-ALL-37", "term": "Promptly", "alts": [ "promptly", "prompt" ], "definition": "Without Unnecessary Delay.", "note": "The use of _promptly_ in FedRAMP materials conveys a need for urgent action where the expected time frame will vary by circumstance but earlier action is more likely to improve security outcomes and increase the security posture of a _cloud service offering_." }, { "id": "FRD-ALL-38", "term": "Persistently", "alts": [ "persistently", "persistent" ], "definition": "Occurring in a firm, steady way that is repeated over a long period of time in spite of obstacles or difficulties. Persistent activities may vary between actors, may occur irregularly, and may include interruptions or waiting periods between cycles. These attributes of persistent activities should be intentional, understood, and documented; the status of persistent activities will always be known. ", "note": "The use of _persistently_ indicates a process that may not always occur continuously (without interruption or gaps) or regularly (on a consistent, predictable basis) but will repeat frequently in cycles. It aligns generally with historical misuse of \"continuous\" in federal information security policies."
}, { "id": "FRD-ALL-39", "term": "Drift", "alts": [ "drift", "drifts", "drifting" ], "definition": "Changes to _information resources_ that cause deviations from the intended and assessed state; common forms of drift include changes to configurations, deployed software, privileges, running processes, and availability." }, { "id": "FRD-ALL-40", "term": "Incident", "alts": [ "incident", "incidents" ], "definition": "Has the meaning given in 44 USC § 3552 (b)(2) applied to federal customer data, which is \"an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of [federal customer data]; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies [related to federal customer data].\"", "reference": "44 USC § 3552 (b)(2)", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapII-sec3552" }, { "id": "FRD-ALL-41", "term": "Top-level administrative account", "alts": [ "top-level administrative account", "top-level administrative accounts" ], "definition": "The most privileged account with the highest level of access within a _cloud service offering_ for a customer organization, typically with complete control over all aspects of the _cloud service offering_, including managing resources, users, access, privileges, and the account itself.", "note": "Any references to _top-level administrative accounts_ in FedRAMP materials should be presumed to apply to top-level administrative roles or other similar capabilities that are used to assign _top-level administrative account_ privileges." 
}, { "id": "FRD-ALL-42", "term": "Privileged account", "alts": [ "privileged account", "privileged accounts" ], "definition": "An account with elevated privileges that enables administrative functions over some aspect of the _cloud service offering_ that may affect the confidentiality, integrity, or availability of information beyond those given to normal users; levels of privilege may vary wildly.", "note": "Any references to _privileged accounts_ in FedRAMP materials should be presumed to apply to privileged roles or other similar capabilities that are used to assign privileges to _privileged accounts_." }, { "id": "FRD-ALL-43", "term": "Ongoing Authorization Report (OAR)", "alts": [ "ongoing authorization report", "OAR", "OARs" ], "definition": "A _regular_ report that is supplied by FedRAMP Authorized cloud service providers to agency customers, aligned to the requirements and recommendations in the FedRAMP Collaborative Continuous Monitoring Standard." }, { "id": "FRD-ALL-44", "term": "Quarterly Review", "alts": [ "quarterly review", "quarterly reviews" ], "definition": "A _regular_ synchronous meeting hosted by a FedRAMP Authorized cloud service provider for agency customers, aligned to the requirements and recommendations in the FedRAMP Collaborative Continuous Monitoring Standard." }, { "id": "FRD-ALL-45", "term": "FedRAMP Security Inbox", "alts": [ "security inbox", "security inboxes", "FSI" ], "definition": "An email address that meets the requirements outlined in the FedRAMP Security Inbox requirements." }, { "id": "FRD-ALL-46", "term": "All Necessary Assessors", "alts": [ "all necessary assessors" ], "definition": "All entities who participate in the FedRAMP assessment of a _cloud service offering_ in the context of a FedRAMP program authorization. 
This always includes FedRAMP and any FedRAMP recognized independent assessor contracted by the provider to perform a FedRAMP assessment.", "note": "This standard identifies the requirements for an assessment and authorization performed by FedRAMP prior to any _agency_ use of the _cloud service offering_, therefore _agency_ assessment teams are not included in the FedRAMP assessment and authorization. The resulting FedRAMP authorization package will include all the materials _agency_ authorization teams need to assess the _cloud service offering_ for _agency_ use, including evidence. Program authorization is an authorization path defined in Section IV (c) of OMB Memorandum M-24-15." }, { "id": "FRD-ALL-47", "term": "Persistent Validation", "alts": [ "persistent validation", "persistently validate", "persistently validated", "validate", "validated", "validation" ], "definition": "The systematic and persistent process of validating that _information resources_ within a _cloud service offering_ are operating in a secure manner as expected by the goals and objectives outlined by the provider against FedRAMP Key Security Indicators." }, { "id": "FRD-ALL-48", "term": "Initial FedRAMP Assessment", "alts": [ "initial FedRAMP assessment", "IFRA" ], "definition": "The first full assessment of a _cloud service offering_ seeking FedRAMP authorization, coordinated by the provider with _all necessary assessors_, that results in a FedRAMP authorization." }, { "id": "FRD-ALL-49", "term": "Persistent FedRAMP Assessment", "alts": [ "persistent FedRAMP assessment", "PFRA" ], "definition": "Follow-on assessments of a _cloud service offering_ focused on Key Security Indicators, coordinated by the provider with _all necessary assessors_, to maintain a FedRAMP authorization or change its _impact categorization_." 
}, { "id": "FRD-ALL-50", "term": "Machine-Based (information resources)", "alts": [ "machine-based", "machine based" ], "definition": "Any information technology _information resource_—including systems, processes, software, hardware, services, cloud-native capabilities, and any other such capability, component, or resource—that relies primarily on mechanical or electronic devices (i.e. computers) for operation.", "note": "All other _information resources_ that do not rely on computers are non-_machine-based_ _information resources_." } ] } }