General discussion / Q&A on Rev5 improvements and changes in 2026

[pete-gov]

This is a general collection thread for questions and discussions about the FedRAMP Rev5 process as we move towards a full overhaul of the process as part of the FedRAMP Consolidated Rules for 2026.

Feel free to ask any questions related to Rev5 stuff here!

[Cbat001]

Pete - On the call yesterday I brought up the question regarding MAS and how that differs from the current Rev 5 SSP Front matter sections 6 thru 9. I have read the MAS and find it confusing when I have already produced this detail in the SSP Front Matter. Honestly, are you expecting us to eliminate the detailed diagrams and just produce some read-out of all the assets based on the tiers? Really confused. We have already executed on the other Rev 5 Balance Improvement requirements for FSI / SCG / SCN - this MAS one is confusing - based on the fact that we have our authorization boundary detailed in the SSP? Basically, is there an example of what you are asking for?

[pete-gov]

The Minimum Assessment Scope for Rev5 effectively replaces sections 6-9 in a Rev5 SSP. It is entirely possible that a high quality Rev5 SSP already meets all of the requirements in the Minimum Assessment Scope and would not require any rewriting to align with it, but that fairly unlikely since the MAS changes what is expected to be in the boundary and how it should be addressed from historical authorization boundary guidance.

We'll clarify the specific expectations for Rev5 when an updated set of SSP requirements is released with the Consolidated Rules for 2026.

[Cbat001]

Ok -- So we do indeed have a high quality SSP Front Matter that I think we will maintain and re-assess this May. Thank you for the clarification. Cheers

…

On Thu, Apr 2, 2026 at 10:29 AM Pete Waterman ***@***.***> wrote: The Minimum Assessment Scope for Rev5 effectively replaces sections 6-9 in a Rev5 SSP. It is entirely possible that a high quality Rev5 SSP already meets all of the requirements in the Minimum Assessment Scope and would not require any rewriting to align with it, but that fairly unlikely since the MAS changes what is expected to be in the boundary and how it should be addressed from historical authorization boundary guidance. We'll clarify the specific expectations for Rev5 when an updated set of SSP requirements is released with the Consolidated Rules for 2026. — Reply to this email directly, view it on GitHub <#137?email_source=notifications&email_token=BSSZSEIEYI7XRRAM3JJZVYD4T2PQ5A5CNFSNUABIM5UWIORPF5TWS5BNNB2WEL2ENFZWG5LTONUW63SDN5WW2ZLOOQXTCNRUGI3DMNZVUZZGKYLTN5XKOY3PNVWWK3TUUVSXMZLOOSWGM33PORSXEX3DNRUWG2Y#discussioncomment-16426675>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BSSZSEPB5M34EZE3DAUDB5T4T2PQ5AVCNFSM6AAAAACW2DEW3WVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTMNBSGY3DONI> . You are receiving this because you commented.Message ID: ***@***.***>

[meagankwhite]

Hello! I can see that the FedRAMP PMO is using GH for documentation and change management, but the only GH I see on the marketplace is Li-SaaS. This is potentially a foolish question, but is the SSP and appendices considered Li-SaaS data, or is it rated at the level of the offering that is supported? This is all stemming from me trying to find a good way to do content and change management for the new machine-readable documentation package. So if a Moderate offering can use the GH Li-SaaS offering to manage our SSP and appendices that would be an excellent option.

[pete-gov]

It's important to note that templates and documentation for the FedRAMP process are not equivalent in risk to a filled out system security plan for a system, so don't make any assumptions based on how FR makes documentation available!

That said, the Minimum Assessment Scope is designed to allow flexibility in how cloud services leverage third-party independent services based on risk. A key aspect of this is establishing compensating controls with information flows to lower risk.

In general, a responsibly prepared system security plan and related continuous monitoring materials for a secure cloud service should not be high-risk sensitive materials; in fact, generally one should assume at least a loss of confidentiality when preparing those materials and it's impossible for a cloud service provider to maintain control over them once released to a single party. Integrity can very easily be verified (even automatically) with checksums, and lower availability objectives for security materials can be risk accepted as they don't need to be available 99.999% of the time etc.

In an extreme example, there is absolutely nothing against the rules with a Class D (High) Certified offering publicly publishing their security materials for the world to see on a non-FR certified service. Done responsibly, especially with a good Vulnerability Disclosure Policy and similar strong vulnerability detection and response policies, they might even be able to prove that doing so increases the security of their service. It's always important to remember that the most of the widely relied-upon critical software that cloud services uses is open-source (linux, kubernetes, etc.).

Just like people shouldn't check API keys into their open-source code, people shouldn't put sensitive information that would likely to lead to compromise into security materials. 🤷

[meagankwhite]

Thank you for the rapid and thorough explanation!

[lesley-hess]

For the Significant Change Notification, SCN-CSO-EVA lists:

3. If it is not, is it a routine recurring change? --> Follow the Routine Recurring Change process (SCN-CSO-RTR).
4. If it is not, is it a transformative change? --> Follow the Transformative Change process (SCN-CSO-TRF).
5. If it is not, then it is an adaptive change --> Follow the Adaptive Change process (SCN-CSO-ADP).

SCN-CSO-ADP, SCN-CSO-TRF, and SCN-CSO-RTR do not seem to exist anymore in the SCN. Are those now called something else or is there another location we should refer to for those?

[pete-gov]

Oh no! Thank you for pointing this out, I'll do a patch later today.

It should be SCN-RTR, SCN-TRF, and SCN-ADP. They are later sections in the document.