{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "FedRAMP.schema.json", "info": { "name": "Authorization Data Sharing", "short_name": "ADS", "effective": { "rev5": { "is": "optional", "signup_url": "https://docs.google.com/forms/d/e/1FAIpQLSdOH7qeJ9uPlb3zYN35qDPNOm_pXQ8sHanAZIIh5tdgjnubVw/viewform", "current_status": "Open Beta", "start_date": "2026-02-02", "end_date": "2026-05-22", "comments": [ "**Providers MUST notify FedRAMP of intent to participate in the Authorization Data Sharing Rev5 Open Beta by submitting a sign-up form to FedRAMP.**", "Rev5 Authorized providers MAY adopt this process beginning February 2, 2026 if they are also participating in the Significant Change Notification and Vulnerability Detection and Response betas.", "Providers MUST plan to address all requirements and recommendations in this process by the end of the Open Beta on May 22, 2026.", "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's participation in this beta." ] }, "20x": { "is": "required", "signup_url": "https://www.fedramp.gov/20x/phase-two/participate/", "current_status": "Phase 2 Pilot", "start_date": "2025-11-18", "end_date": "2026-03-31", "comments": [ "Phase 1 pilot authorizations have one year from authorization to fully address this policy but must demonstrate continuous quarterly progress.", "Phase 2 Pilot participants must demonstrate significant progress towards addressing this policy prior to submission for authorization review." 
] } }, "releases": [ { "id": "25.11C", "published_date": "2025-12-01", "description": "No material changes to content; replaced references to \"standard\" with \"process\" or \"documentation\" as appropriate.", "public_comment": false }, { "id": "25.11B", "published_date": "2025-11-24", "description": "No material changes to content; updated JSON structure with additional information about Rev5 application added.", "public_comment": false }, { "id": "25.11A", "published_date": "2025-11-18", "description": "Updates for the FedRAMP 20x Phase Two pilot, including minor clarifications and improvements based on pilot feedback.", "public_comment": false }, { "id": "25.10A", "published_date": "2025-10-17", "description": "Minor updates to improve clarity; switch from federal information to federal customer data; add impact level metadata; no substantive changes.", "public_comment": false }, { "id": "25.08A", "published_date": "2025-08-24", "description": "Initial release of the Authorization Data Sharing Standard", "public_comment": true, "related_rfcs": [ { "start_date": "2025-05-23", "end_date": "2025-06-22", "id": "0012", "url": "https://www.fedramp.gov/rfcs/0012/", "discussion_url": "https://github.com/FedRAMP/community/discussions/8", "short_name": "rfc-0011-standard-for-storing-and-sharing", "full_name": "FedRAMP RFC-0011: FedRAMP Pilot Standard for Storing and Sharing Authorization Data" } ] } ], "front_matter": { "authority": [ { "reference": "44 USC § 3609 (a)(8)", "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap36-sec3609", "description": "The FedRAMP Authorization Act directs the Administrator of the General Services Administration to \"provide a secure mechanism for storing and sharing necessary data, including FedRAMP authorization packages, to enable better reuse of such packages across agencies, including making available any information and data necessary for agencies...\"", "delegation": "This 
responsibility is delegated to the FedRAMP Director", "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" }, { "reference": "OMB Memorandum M-24-15 on Modernizing FedRAMP", "reference_url": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf", "description": "Section 6 states that \"In general, to encourage both security and agility, Federal agencies should use the same infrastructure relied on by the rest of CSPs' commercial customer base.\"" } ], "purpose": "Modern cloud services store and share security and compliance information in convenient repositories that allow customers to rapidly review security information and gain access to additional information as needed. These services often include automated integration with cloud service infrastructure to remove manual burden and ensure information is accurate and up to date.\n\nThis security and compliance information (including FedRAMP authorization data) is the intellectual property of the cloud service provider and is not _federal customer data_ in most cases.* The federal government benefits when the same security information is shared among all customers and even the public to ensure maximum transparency and accountability of cloud service providers.\n\nFedRAMP's Authorization Data Sharing process provides a process or mechanism for cloud service providers to store and share authorization data on their preferred platform of choice if it meets certain FedRAMP requirements.\n\nAt the initial release of this process there will not be many platforms that directly support the requirements in this process. FedRAMP anticipates this will change rapidly in response to market demand as platforms work to provide innovative solutions to these requirements.\n\n_* Providers with questions about this should consult with a lawyer who specializes in procurement law. 
Typically a contract with the government granting ownership of information is required to transfer ownership to the government._", "expected_outcomes": [ "Cloud service providers will be able to manage authorization data in the same platforms used for commercial customers, reusing data as appropriate", "Federal agencies will be able to access necessary authorization data via API or other automated mechanisms integrated into agency authorization systems to simplify the burden of review and continuous monitoring", "Trust center providers and GRC automation tool providers will develop innovative solutions and improvements to ensure standardized automated data sharing and validation within the FedRAMP ecosystem" ] } }, "FRR": { "ADS": { "base": { "id": "FRR-ADS", "application": "These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this document.", "name": "Requirements & Recommendations", "requirements": [ { "id": "FRR-ADS-01", "statement": "Providers MUST publicly share up-to-date information about the _cloud service offering_ in both human-readable and _machine-readable_ formats, including at least:", "affects": ["Providers"], "name": "Public Information", "primary_key_word": "MUST", "following_information": [ "Direct link to the FedRAMP Marketplace for the offering", "Service Model", "Deployment Model", "Business Category", "UEI Number", "Contact Information", "Overall Service Description", "Detailed list of specific services and their impact levels (see FRR-ADS-03)", "Summary of customer responsibilities and secure configuration guidance", "Process for accessing information in the _trust center_ (if applicable)", "Availability status and recent disruptions for the _trust center_ (if applicable)", "Customer support information for the _trust center_ (if applicable)" ], "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-02", "statement": "Providers MUST 
use automation to ensure information remains consistent between human-readable and _machine-readable_ formats when _authorization data_ is provided in both formats; Providers SHOULD generate human-readable and _machine-readable_ data from the same source at the same time OR generate human-readable formats directly from _machine-readable_ data.", "affects": ["Providers"], "name": "Consistency Between Formats", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-03", "statement": "Providers MUST share a detailed list of specific services and their impact levels that are included in the _cloud service offering_ using clear feature or service names that align with standard public marketing materials; this list MUST be complete enough for a potential customer to determine which services are and are not included in the FedRAMP authorization without requesting access to underlying _authorization data_.", "affects": ["Providers"], "name": "Detailed Service List", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-04", "statement": "Providers MUST share _authorization data_ with all necessary parties without interruption, including at least FedRAMP, CISA, and agency customers. ", "affects": ["Providers"], "name": "Uninterrupted Sharing", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-05", "statement": "Providers MUST provide sufficient information in _authorization data_ to support authorization decisions but SHOULD NOT include sensitive information that would _likely_ enable a threat actor to gain unauthorized access, cause harm, disrupt operations, or otherwise have a negative adverse impact on the _cloud service offering_. 
", "affects": ["Providers"], "name": "Responsible Information Sharing", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-06", "statement": "Providers of FedRAMP Rev5 Authorized _cloud service offerings_ MUST share _authorization data_ via the USDA Connect Community Portal UNLESS they use a FedRAMP-compatible _trust center_.", "affects": ["Providers"], "name": "USDA Connect Community Portal", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-07", "statement": "Providers of FedRAMP 20x Authorized _cloud service offerings_ MUST use a FedRAMP-compatible _trust center_ to store and share _authorization data_ with all necessary parties.", "affects": ["Providers"], "name": "FedRAMP-Compatible Trust Centers", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-08", "statement": "Providers MUST notify all necessary parties when migrating to a _trust center_ and MUST provide information in their existing USDA Connect Community Portal secure folders explaining how to use the _trust center_ to obtain _authorization data_.", "affects": ["Providers"], "name": "Trust Center Migration Notification", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-09", "statement": "Providers MUST make historical versions of _authorization data_ available for three years to all necessary parties UNLESS otherwise specified by applicable FedRAMP requirements; deltas between versions MAY be consolidated quarterly.", "affects": ["Providers"], "name": "Historical Authorization Data", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-10", "statement": "Providers SHOULD follow FedRAMP’s best practices and technical assistance for sharing _authorization data_ where applicable.", "affects": ["Providers"], "name": "Best Practices 
and Technical Assistance", "primary_key_word": "SHOULD", "impact": { "low": true, "moderate": true, "high": true } } ] }, "access_control": { "application": "These requirements for managing access apply to cloud service providers who establish FedRAMP-compatible _trust centers_ for storing and sharing _authorization data_.", "id": "FRR-ADS-AC", "name": "Access Control", "requirements": [ { "id": "FRR-ADS-AC-01", "statement": "Providers MUST publicly provide plain-language policies and guidance for all necessary parties that explain how they can obtain and manage access to _authorization data_ stored in the _trust center_.", "affects": ["Providers"], "primary_key_word": "MUST", "name": "Public Guidance", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-AC-02", "statement": "Providers SHOULD share at least the _authorization package_ with prospective agency customers upon request and MUST notify FedRAMP within five business days if a prospective agency customer request is denied. ", "affects": ["Providers"], "name": "Prospective Customer Access", "primary_key_word": "SHOULD", "impact": { "low": true, "moderate": true, "high": true } } ] }, "trust_center": { "application": "These requirements apply to FedRAMP-compatible _trust centers_ used to store and share _authorization data_.", "id": "FRR-ADS-TC", "name": "Trust Centers", "requirements": [ { "id": "FRR-ADS-TC-01", "statement": "_Trust centers_ MUST be included as an _information resource_ included in the _cloud service offering_ for assessment if FRR-MAS-01 applies. 
", "affects": ["Providers"], "name": "Trust Center Assessment", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-TC-02", "statement": "_Trust centers_ SHOULD make _authorization data_ available to view and download in both human-readable and _machine-readable_ formats", "affects": ["Providers"], "name": "Human and Machine-Readable", "primary_key_word": "SHOULD", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-TC-03", "statement": "_Trust centers_ MUST provide documented programmatic access to all _authorization data_, including programmatic access to human-readable materials.", "affects": ["Providers"], "name": "Programmatic Access", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-TC-04", "statement": "_Trust centers_ SHOULD include features that encourage all necessary parties to provision and manage access to _authorization data_ for their users and services directly.", "affects": ["Providers"], "name": "Self-Service Access Management", "primary_key_word": "SHOULD", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-TC-05", "statement": "_Trust centers_ MUST maintain an inventory and history of federal agency users or systems with access to _authorization data_ and MUST make this information available to FedRAMP without interruption. 
", "affects": ["Providers"], "name": "Access Inventory", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-TC-06", "statement": "_Trust centers_ MUST log access to _authorization data_ and store summaries of access for at least six months; such information, as it pertains to specific parties, SHOULD be made available upon request by those parties.", "affects": ["Providers"], "name": "Access Logging", "primary_key_word": "MUST", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRR-ADS-TC-07", "statement": "_Trust centers_ SHOULD deliver responsive performance during normal operating conditions and minimize service disruptions.", "affects": ["Providers"], "name": "Responsive Performance", "primary_key_word": "SHOULD", "impact": { "low": true, "moderate": true, "high": true } } ] }, "exceptions": { "application": "These exceptions MAY override some or all of the FedRAMP requirements for this standard.", "id": "FRR-ADS-EX", "name": "Exceptions", "requirements": [ { "id": "FRR-ADS-EX-01", "statement": "Providers of FedRAMP Rev5 Authorized _cloud service offerings_ at FedRAMP High using a legacy self-managed repository for _authorization data_ MAY ignore the requirements in this Authorization Data Sharing document until future notice.", "affects": ["Providers"], "name": "Legacy Self-Managed Repository Exception", "primary_key_word": "MAY", "impact": { "low": true, "moderate": true, "high": true } } ] } } }, "FRA": { "ADS": { "id": "FRA-ADS", "disclaimer": "Every cloud service provider is different, every architecture is different, and every environment is different. Best practices and technical assistance MUST NOT be used as a checklist. 
All examples are for discussion purposes ONLY.", "purpose": "This Technical Assistance helps stakeholders understand the intent behind the requirements in the FedRAMP Authorization Data Sharing process.", "requirements": [ { "id": "FRA-ADS-04", "applies_to": "FRR-ADS-04", "statement": "\"Without interruption\" means that parties should not have to request manual approval each time they need to access _authorization data_ or go through a complicated process. The preferred way of ensuring access without interruption is to use on-demand just-in-time access provisioning.", "impact": { "low": true, "moderate": true, "high": true } }, { "id": "FRA-ADS-05", "applies_to": "FRR-ADS-05", "statement": "This is not a license to exclude accurate risk information, but specifics that would _likely_ lead to compromise should be abstracted. A breach of confidentiality with _authorization data_ should be anticipated by a secure cloud service provider.", "impact": { "low": true, "moderate": true, "high": true }, "examples": [ { "id": "Examples of unnecessary sensitive information in _authorization data_", "key_tests": [ "Passwords, API keys, access credentials, etc.", "Excessive detail about methodology that exposes weaknesses", "Personally identifiable information about employees" ], "examples": [ "DON'T: \"In an emergency, an administrator with physical access to a system can log in using \"secretadmin\" with the password \"pleasewutno\"\" DO: \"In an emergency, administrators with physical access can log in directly.\"", "DON'T: \"All backup MFA credentials are stored in a SuperSafe Series 9000 safe in the CEO's office.\" DO: \"All backup MFA credentials are stored in a UL Class 350 safe in a secure location with limited access.\"", "DON'T: \"During an incident, the incident response team led by Jim Smith (555-0505) will open a channel at the conference line (555-0101 #97808 passcode 99731)...\" DO: \"During an incident, the incident response team will coordinate over secure 
channels.\"" ] } ] } ] } } }