|
| 1 | +{ |
| 2 | + "$schema": "https://json-schema.org/draft/2020-12/schema", |
| 3 | + "$id": "FedRAMP.schema.json", |
| 4 | + "info": { |
| 5 | + "name": "FedRAMP Definitions", |
| 6 | + "short_name": "FRD", |
| 7 | + "current_release": "25.08A", |
| 8 | + "types": ["FRR"], |
| 9 | + "releases": [ |
| 10 | + { |
| 11 | + "id": "25.08A", |
| 12 | + "published_date": "2025-08-24", |
| 13 | + "description": "Initial release of compiled FedRAMP definitions as a standalone document.", |
| 14 | + "public_comment": true, |
| 15 | + "effective": { |
| 16 | + "20x": { |
| 17 | + "timeline": { |
| 18 | + "pilot": { |
| 19 | + "start_date": "2025-06-01", |
| 20 | + "designator": "20x", |
| 21 | + "comment": "These definitions apply to all FedRAMP 20x documents, standards, requirements, and other materials." |
| 22 | + } |
| 23 | + }, |
| 24 | + "specific_release": "20x.FRD.P1.25.08A", |
| 25 | + "is_optional": false, |
| 26 | + "comment": "" |
| 27 | + }, |
| 28 | + "Rev5": { |
| 29 | + "timeline": { |
| 30 | + "wide_release": { |
| 31 | + "start_date": "2025-06-01", |
| 32 | + "is_tentative": false, |
| 33 | + "designator": "R5.FRD.WR", |
| 34 | + "comment": "These definitions apply to all FedRAMP Rev5 documents, standard, requirements, and other materials that have been included in updates to Rev5 under Balance Improvement Releases." |
| 35 | + } |
| 36 | + }, |
| 37 | + "is_optional": false, |
| 38 | + "specific_release": "R5.FRD.WR.25.08A", |
| 39 | + "comment": "" |
| 40 | + } |
| 41 | + } |
| 42 | + } |
| 43 | + ], |
| 44 | + "front_matter": { |
| 45 | + "authority": [ |
| 46 | + { |
| 47 | + "reference": "FedRAMP Authorization Act (44 USC \u00a7 3608)", |
| 48 | + "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap36-sec3609", |
| 49 | + "description": "requires that the Administrator of the General Services Administration shall \"establish a Government- wide program that provides a standardized, reusable approach to security assessment and authorization for cloud computing products and services that process unclassified information used by agencies\"", |
| 50 | + "delegation": "These responsibilities are delegated to the FedRAMP Director", |
| 51 | + "delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp" |
| 52 | + } |
| 53 | + ], |
| 54 | + "purpose": "This document consolidates formal FedRAMP definitions for terms used in FedRAMP standards.", |
| 55 | + "expected_outcomes": [ |
| 56 | + "All stakeholders will have a common understanding of key terms used in FedRAMP standards." |
| 57 | + ] |
| 58 | + } |
| 59 | + }, |
| 60 | + "FRD": { |
| 61 | + "ALL": [ |
| 62 | + { |
| 63 | + "id": "FRD-ALL-01", |
| 64 | + "term": "Federal Information", |
| 65 | + "definition": "Has the meaning from OMB Circular A-130 and any successor documents. As of Apr 2025, this means \"information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the federal government, in any medium or form.\"", |
| 66 | + "note": "This typically does not include information that a cloud service provider produces outside of a government contract or agreement. Review FedRAMP's Technical Assistance and consult qualified legal experts for additional assistance identifying federal information.", |
| 67 | + "reference": "OMB Circular A-130", |
| 68 | + "reference_url": "https://whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf" |
| 69 | + }, |
| 70 | + { |
| 71 | + "id": "FRD-ALL-02", |
| 72 | + "term": "Information Resource", |
| 73 | + "definition": "Has the meaning from 44 USC § 3502 (6): \"information and related resources, such as personnel, equipment, funds, and information technology.\"", |
| 74 | + "note": "This applies to any aspect of the _cloud service offering_, both technical and managerial, including everything that makes up the business of the offering from organizational policies and procedures to hardware, software, and code.", |
| 75 | + "reference": "44 USC § 3502 (6)", |
| 76 | + "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502", |
| 77 | + "referenced_fr": ["FRD-ALL-06"] |
| 78 | + }, |
| 79 | + { |
| 80 | + "id": "FRD-ALL-03", |
| 81 | + "term": "Handle", |
| 82 | + "definition": "Has the plain language meaning inclusive of any possible action taken with information, such as access, collect, control, create, display, disclose, disseminate, dispose, maintain, manipulate, process, receive, review, store, transmit, use... etc." |
| 83 | + }, |
| 84 | + { |
| 85 | + "id": "FRD-ALL-04", |
| 86 | + "term": "Likely", |
| 87 | + "definition": "A reasonable degree of probability based on context." |
| 88 | + }, |
| 89 | + { |
| 90 | + "id": "FRD-ALL-05", |
| 91 | + "term": "Third-party Information Resource", |
| 92 | + "definition": "Any _information resource_ that is not entirely included in the assessment for the _cloud service offering_ seeking authorization.", |
| 93 | + "referenced_fr": ["FRD-ALL-02", "FRD-ALL-06"] |
| 94 | + }, |
| 95 | + { |
| 96 | + "id": "FRD-ALL-06", |
| 97 | + "term": "Cloud Service Offering", |
| 98 | + "definition": "A specific, packaged cloud computing product or service provided by a cloud service provider that can be used by a customer. FedRAMP assessment and authorization of the cloud computing product or service is based on the Minimum Assessment Standard." |
| 99 | + }, |
| 100 | + { |
| 101 | + "id": "FRD-ALL-07", |
| 102 | + "term": "Regularly", |
| 103 | + "definition": "Performing the activity on a consistent, predictable, and repeated basis, at set intervals, automatically if possible, following a documented plan. These intervals may vary as appropriate between different requirements." |
| 104 | + }, |
| 105 | + { |
| 106 | + "id": "FRD-ALL-08", |
| 107 | + "term": "Significant change", |
| 108 | + "definition": "Has the meaning given in NIST SP 800-37 Rev. 2 which is \"a change that is _likely_ to substantively affect the security or privacy posture of a system.\"", |
| 109 | + "reference": "NIST SP 800-37 Rev. 2", |
| 110 | + "reference_url": "https://csrc.nist.gov/pubs/sp/800/37/r2/final", |
| 111 | + "referenced_fr": ["FRD-ALL-04"] |
| 112 | + }, |
| 113 | + { |
| 114 | + "id": "FRD-ALL-09", |
| 115 | + "term": "Routine Recurring", |
| 116 | + "definition": "The type of _significant change_ that _regularly_ and routinely recurs as part of ongoing operations, vulnerability mitigation, or vulnerability remediation.", |
| 117 | + "referenced_fr": ["FRD-ALL-08", "FRD-ALL-07"] |
| 118 | + }, |
| 119 | + { |
| 120 | + "id": "FRD-ALL-10", |
| 121 | + "term": "Adaptive", |
| 122 | + "definition": "The type of _significant change_ that does not routinely recur but does not introduce substantive potential security risks that need to be assessed in depth.", |
| 123 | + "note": "Adaptive changes typically require careful planning that focuses on engineering execution instead of customer adoption, can be verified with minor changes to existing automated validation procedures, and do not require large changes to operational procedures, deployment plans, or documentation.", |
| 124 | + "referenced_fr": ["FRD-ALL-08"] |
| 125 | + }, |
| 126 | + { |
| 127 | + "id": "FRD-ALL-11", |
| 128 | + "term": "Transformative", |
| 129 | + "definition": "The type of _significant change_ that introduces substantive potential security risks that are _likely_ to affect existing risk determinations and must be assessed in depth.", |
| 130 | + "note": "Transformative changes typically introduce major features or capabilities that may change how a customer uses the service (in whole or in part) and require extensive updates to security assessments, operational procedures, deployment plans, and documentation.", |
| 131 | + "referenced_fr": ["FRD-ALL-08", "FRD-ALL-04"] |
| 132 | + }, |
| 133 | + { |
| 134 | + "id": "FRD-ALL-12", |
| 135 | + "term": "Impact Categorization", |
| 136 | + "definition": "The type of _significant change_ that is _likely_ to increase or decrease the impact level categorization for the entire cloud service offering (e.g. from low to moderate or from high to moderate).", |
| 137 | + "referenced_fr": ["FRD-ALL-08", "FRD-ALL-04"] |
| 138 | + }, |
| 139 | + { |
| 140 | + "id": "FRD-ALL-13", |
| 141 | + "term": "Interim Requirement", |
| 142 | + "definition": "A temporary requirement included as part of a FedRAMP Pilot or Beta Test that will _likely_ be replaced, updated, or removed prior to the formal wide release of the requirement.", |
| 143 | + "referenced_fr": ["FRD-ALL-04"] |
| 144 | + }, |
| 145 | + { |
| 146 | + "id": "FRD-ALL-14", |
| 147 | + "term": "Authorization Package", |
| 148 | + "definition": "Has meaning from 44 USC § 3607 (b)(8) which is \"the essential information that can be used by an agency to determine whether to authorize the operation of an information system or the use of a designated set of common controls for all cloud computing products and services authorized by FedRAMP.\"", |
| 149 | + "reference": "44 USC § 3607 (b)(8)", |
| 150 | + "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap36-sec3607", |
| 151 | + "note": "In FedRAMP documentation, _authorization package_ always refers to a FedRAMP _authorization package_ unless otherwise specified." |
| 152 | + }, |
| 153 | + { |
| 154 | + "id": "FRD-ALL-15", |
| 155 | + "term": "Authorization data", |
| 156 | + "definition": "The collective information required by FedRAMP for initial and ongoing assessment and authorization of a _cloud service offering_, including the _authorization package_. ", |
| 157 | + "note": "In FedRAMP documentation, _authorization data_ always refers to FedRAMP _authorization data_ unless otherwise specified.", |
| 158 | + "referenced_fr": [ |
| 159 | + "FRD-ALL-06", |
| 160 | + "FRD-ALL-09", |
| 161 | + "FRD-ALL-14", |
| 162 | + "FRD-ALL-15" |
| 163 | + ] |
| 164 | + }, |
| 165 | + { |
| 166 | + "id": "FRD-ALL-16", |
| 167 | + "term": "Trust Center", |
| 168 | + "definition": "A secure repository or service used by cloud service providers to store and share _authorization data_. _Trust centers_ are the complete and definitive source for _authorization data_ and must meet the requirements outlined in the FedRAMP _authorization data_ Sharing Standard to be FedRAMP-compatible.", |
| 169 | + "note": "In FedRAMP documentation, all references to _trust centers_ indicate FedRAMP-compatible _trust centers_ unless otherwise specified.", |
| 170 | + "referenced_fr": ["FRD-ALL-15"] |
| 171 | + }, |
| 172 | + { |
| 173 | + "id": "FRD-ALL-17", |
| 174 | + "term": "Machine-readable", |
| 175 | + "definition": "Has the meaning from 44 U.S. Code § 3502 (18) which is \"the term \"_machine-readable_\", when used with respect to data, means data in a format that can be easily processed by a computer without human intervention while ensuring no semantic meaning is lost\"", |
| 176 | + "reference": "44 U.S. Code § 3502 (18)", |
| 177 | + "reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap35-subchapI-sec3502" |
| 178 | + } |
| 179 | + ] |
| 180 | + } |
| 181 | +} |
0 commit comments