forked from FedRAMP/docs-legacy
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathFRMR.SCN.significant-change-notifications.json
More file actions
443 lines (443 loc) · 26.5 KB
/
Copy pathFRMR.SCN.significant-change-notifications.json
File metadata and controls
443 lines (443 loc) · 26.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "FedRAMP.schema.json",
"info": {
"name": "Significant Change Notification Requirements",
"short_name": "SCN",
"current_release": "25.06A",
"types": ["FRR", "FRD", "FRA"],
"releases": [
{
"id": "25.06A",
"published_date": "2025-06-17",
"description": "Initial release of Significant Change Notification Requirements",
"public_comment": true,
"effective": {
"20x": {
"timeline": {
"pilot": {
"start_date": "2025-06-17",
"designator": "20xP1",
"comment": "These requirements apply to all participants in the FedRAMP 20x Phase One pilot."
}
},
"specific_release": "20x.SCN.P1.25.06A",
"is_optional": false,
"comment": "Key Security Indicators for Configuration Management (KSI-CMT) should be updated in alignment with the Significant Change Notification Standard."
},
"Rev5": {
"timeline": {
"closed_beta": {
"start_date": "2025-07-07",
"is_tentative": true,
"designator": "R5.SCN.B1",
"comment": "These requirements will be initially tested and evaluated for Rev5 in the SCN Closed Beta (B1)."
}
},
"is_optional": true,
"specific_release": "R5.SCN.B1.25.06A",
"comment": "Providers MUST participate in a Balance Improvement Test to transition from the Significant Change Request process to the new Significant Change Notification process prior to wide release of this process for Rev5. Providers should participate in the FedRAMP Rev5 Community Working Group at https://www.fedramp.gov/community/ to follow this process."
}
},
"related_rfcs": [
{
"start_date": "2025-04-24",
"end_date": "2025-05-25",
"id": "0007",
"url": "https://www.fedramp.gov/rfcs/0007/",
"discussion_url": "https://github.com/FedRAMP/community/discussions/4",
"short_name": "rfc-0007-significant-change-notification",
"full_name": "FedRAMP RFC-0007: Significant Change Notification Standard"
},
{
"start_date": "2025-05-15",
"end_date": "2025-06-15",
"id": "0009",
"url": "https://www.fedramp.gov/rfcs/0009/",
"discussion_url": "https://github.com/FedRAMP/community/discussions/6",
"short_name": "rfc-0009-scn-technical-assistance",
"full_name": "FedRAMP RFC-0009: Significant Change Notification Technical Assistance"
}
]
}
],
"front_matter": {
"authority": [
{
"reference": "FedRAMP Authorization Act (44 USC § 3609 (a) (7))",
"reference_url": "https://www.govinfo.gov/app/details/USCODE-2023-title44/USCODE-2023-title44-chap36-sec3609",
"description": "directs the Administrator of the General Services Administration to \"coordinate with the FedRAMP Board, the Director of the Cybersecurity and Infrastructure Security Agency, and other entities identified by the Administrator, with the concurrence of the [OMB] Director and the [DHS] Secretary, to establish and regularly update a framework for continuous monitoring...\"",
"delegation": "This responsibility is delegated to the FedRAMP Director",
"delegation_url": "https://www.gsa.gov/directives-library/gsa-delegations-of-authority-fedramp"
},
{
"reference": "OMB Memorandum M-24-15 on Modernizing FedRAMP",
"reference_url": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Policy_Memo.pdf",
"description": "section VI states \"FedRAMP should seek input from CSPs and develop processes that enable CSPs to maintain an agile deployment lifecycle that does not require advance Government approval, while giving the Government the visibility and information it needs to maintain ongoing confidence in the FedRAMP-authorized system and to respond timely and appropriately to incidents.\""
}
],
"purpose": "The Significant Change Notification (SCN) standard establishes conditions for FedRAMP authorized cloud service providers to make most significant changes without requiring advance government approval. Agency authorizing officials who authorize the use of FedRAMP authorized cloud services are expected to account for the risk of cloud service providers making changes to improve the service.\n\nThis standard broadly identifies four types of significant changes, from least impactful to most impactful:\n1. Routine Recurring\n2. Adaptive\n3. Transformative\n4. Impact Categorization\n\nThese categories, and the resulting requirements, apply only to significant changes.",
"expected_outcomes": [
"Cloud service providers will securely deliver new features and capabilities for government customers at the same speed and pace of delivery for commercial customers, without needing advance government approval",
"Federal agencies will have equal access to features and capabilities as commercial customers without sacrificing the visibility and information they need to maintain ongoing confidence in the service"
]
}
},
"FRD": {
"SCN": [
{
"id": "FRD-SCN-01",
"term": "Significant change",
"definition": "Has the meaning given in NIST SP 800-37 Rev. 2 which is \"a change that is _likely_ to substantively affect the security or privacy posture of a system.\"",
"reference": "NIST SP 800-37 Rev. 2",
"reference_url": "https://csrc.nist.gov/pubs/sp/800/37/r2/final",
"referenced_fr": ["FRD-MAS-04"]
},
{
"id": "FRD-SCN-02",
"term": "Routine Recurring",
"definition": "The type of _significant change_ that _regularly_ and routinely recurs as part of ongoing operations, vulnerability mitigation, or vulnerability remediation.",
"referenced_fr": ["FRD-SCN-01", "FRD-KSI-01"]
},
{
"id": "FRD-SCN-03",
"term": "Adaptive",
"definition": "The type of _significant change_ that does not routinely recur but does not introduce substantive potential security risks that need to be assessed in depth.",
"note": "Adaptive changes typically require careful planning that focuses on engineering execution instead of customer adoption, can be verified with minor changes to existing automated validation procedures, and do not require large changes to operational procedures, deployment plans, or documentation.",
"referenced_fr": ["FRD-SCN-01"]
},
{
"id": "FRD-SCN-04",
"term": "Transformative",
"definition": "The type of _significant change_ that introduces substantive potential security risks that are _likely_ to affect existing risk determinations and must be assessed in depth.",
"note": "Transformative changes typically introduce major features or capabilities that may change how a customer uses the service (in whole or in part) and require extensive updates to security assessments, operational procedures, deployment plans, and documentation.",
"referenced_fr": ["FRD-SCN-01", "FRD-MAS-04"]
},
{
"id": "FRD-SCN-05",
"term": "Impact Categorization",
"definition": "The type of _significant change_ that is _likely_ to increase or decrease the impact level categorization for the entire cloud service offering (e.g. from low to moderate or from high to moderate).",
"referenced_fr": ["FRD-SCN-01", "FRD-MAS-04"]
},
{
"id": "FRD-SCN-06",
"term": "Interim Requirement",
"definition": "A temporary requirement included as part of a FedRAMP Pilot or Beta Test that will _likely_ be replaced, updated, or removed prior to the formal wide release of the requirement.",
"referenced_fr": ["FRD-MAS-04"]
}
]
},
"FRR": {
"SCN": {
"base": {
"id": "FRR-SCN",
"application": "These requirements apply ALWAYS to ALL _significant changes_ based on current Effective Date(s) and Overall Applicability",
"referenced_fr": ["FRD-SCN-01"],
"requirements": [
{
"id": "FRR-SCN-01",
"statement": "Providers MUST notify all necessary parties when Significant Change Notifications are required, including at least FedRAMP and all agency customers. Providers MAY share Significant Change Notifications publicly or with other parties.",
"affects": ["Providers"],
"primary_key_word": "MUST"
},
{
"id": "FRR-SCN-02",
"statement": "Providers MUST follow the procedures documented in their security plan to plan, evaluate, test, perform, assess, and document changes.",
"affects": ["Providers"],
"primary_key_word": "MUST"
},
{
"id": "FRR-SCN-03",
"statement": "Providers MUST evaluate and type label all _significant changes_, then follow FedRAMP requirements for the type.",
"affects": ["Providers"],
"primary_key_word": "MUST",
"referenced_fr": ["FRD-SCN-01"]
},
{
"id": "FRR-SCN-04",
"statement": "Providers MUST maintain auditable records of these activities and make them available to all necessary parties.",
"affects": ["Providers"],
"primary_key_word": "MUST"
},
{
"id": "FRR-SCN-05",
"statement": "Providers MUST keep historical Significant Change Notifications available to all necessary parties at least until the service completes its next annual assessment.",
"affects": ["Providers"],
"primary_key_word": "MUST"
},
{
"id": "FRR-SCN-06",
"statement": "All parties SHOULD follow FedRAMP's best practices and technical assistance on _significant change_ assessment and notification where applicable.",
"affects": ["Providers", "Agencies", "3PAOs"],
"primary_key_word": "SHOULD",
"referenced_fr": ["FRD-SCN-01"]
},
{
"id": "FRR-SCN-07",
"statement": "Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented and easily accessible.",
"affects": ["Providers"],
"primary_key_word": "MAY",
"is_interim": true
},
{
"id": "FRR-SCN-08",
"statement": "Providers MUST make ALL Significant Change Notifications and related audit records available in similar human-readable and compatible machine-readable formats.",
"affects": ["Providers"],
"primary_key_word": "MUST",
"is_interim": true
},
{
"id": "FRR-SCN-09",
"statement": "Providers MUST include at least the following information in Significant Change Notifications:",
"following_information": [
"Service Offering FedRAMP ID",
"3PAO Name (if applicable)",
"Related POA&M (if applicable)",
"Significant Change type and explanation of categorization",
"Short description of change",
"Reason for change",
"Summary of customer impact, including changes to services and customer configuration responsibilities",
"Plan and timeline for the change, including for the verification, assessment, and/or validation of impacted Key Security Indicators or controls",
"Copy of the business or security impact analysis",
"Name and title of approver"
],
"affects": ["Providers"],
"primary_key_word": "MUST",
"is_interim": true
},
{
"id": "FRR-SCN-10",
"statement": "Providers MAY include additional relevant information in Significant Change Notifications.",
"affects": ["Providers"],
"primary_key_word": "MAY",
"is_interim": true
}
]
},
"exceptions": {
"application": "These exceptions MAY override some or all of the FedRAMP requirements for this standard.",
"id": "FRR-SCN-EX",
"requirements": [
{
"id": "FRR-SCN-EX-01",
"statement": "Providers MAY be required to delay _significant changes_ beyond the standard Significant Change Notification period and/or submit _significant changes_ for approval in advance as a condition of a formal FedRAMP Corrective Action Plan or other agreement.",
"affects": ["Providers"],
"primary_key_word": "MAY",
"referenced_fr": ["FRD-SCN-01"]
},
{
"id": "FRR-SCN-EX-02",
"statement": "Providers MAY execute _significant changes_ (including _transformative_ changes) during an emergency or incident without meeting Significant Change Notification requirements in advance ONLY if absolutely necessary. In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident.",
"affects": ["Providers"],
"primary_key_word": "MAY",
"referenced_fr": ["FRD-SCN-01"]
}
]
},
"routine_recurring": {
"application": "These requirements apply ONLY to _significant changes_ of type _routine recurring_.",
"id": "FRR-SCN-RR",
"referenced_fr": ["FRD-SCN-01", "FRD-SCN-02"],
"requirements": [
{
"id": "FRR-SCN-RR-01",
"statement": "Providers SHOULD NOT make formal Significant Change Notifications for _routine recurring_ changes; this type of change is exempted from the notification requirements of this standard.",
"affects": ["Providers"],
"primary_key_word": "SHOULD NOT",
"referenced_fr": ["FRD-SCN-02"]
}
]
},
"adaptive": {
"application": "These requirements apply ONLY to _significant changes_ of type _adaptive_.",
"id": "FRR-SCN-AD",
"referenced_fr": ["FRD-SCN-01", "FRD-SCN-03"],
"requirements": [
{
"id": "FRR-SCN-AD-01",
"statement": "Providers MUST notify all necessary parties within ten business days after finishing _adaptive_ changes, also including the following information:",
"following_information": [
"Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)"
],
"affects": ["Providers"],
"primary_key_word": "MUST",
"referenced_fr": ["FRD-SCN-03"]
}
]
},
"transformative": {
"application": "These requirements apply ONLY to _significant changes_ of type _transformative_.",
"id": "FRR-SCN-TF",
"referenced_fr": ["FRD-SCN-01", "FRD-SCN-04"],
"requirements": [
{
"id": "FRR-SCN-TF-01",
"statement": "Providers SHOULD engage a third-party assessor to review the scope and impact of the planned change before starting _transformative_ changes if human validation is necessary. This review SHOULD be limited to security decisions that require human validation. Providers MUST document this decision and justification.",
"affects": ["Providers"],
"primary_key_word": "SHOULD",
"is_interim": true,
"referenced_fr": ["FRD-SCN-04"]
},
{
"id": "FRR-SCN-TF-02",
"statement": "Providers MUST notify all necessary parties of initial plans for _transformative_ changes at least 30 business days before starting _transformative_ changes.",
"affects": ["Providers"],
"primary_key_word": "MUST",
"referenced_fr": ["FRD-SCN-04"]
},
{
"id": "FRR-SCN-TF-03",
"statement": "Providers MUST notify all necessary parties of final plans for _transformative_ changes at least 10 business days before starting _transformative_ changes.",
"affects": ["Providers"],
"primary_key_word": "MUST",
"referenced_fr": ["FRD-SCN-04"]
},
{
"id": "FRR-SCN-TF-04",
"statement": "Providers MUST notify all necessary parties within 5 business days after finishing _transformative_ changes, also including the following information:",
"following_information": [
"Updates to all previously sent information"
],
"affects": ["Providers"],
"primary_key_word": "MUST",
"referenced_fr": ["FRD-SCN-04"]
},
{
"id": "FRR-SCN-TF-05",
"statement": "Providers MUST notify all necessary parties within 5 business days after completing the verification, assessment, and/or validation of _transformative_ changes, also including the following information:",
"following_information": [
"Updates to all previously sent information",
"Summary of any new risks identified and/or POA&Ms resulting from the change (if applicable)",
"Copy of the security assessment report (if applicable)"
],
"affects": ["Providers"],
"primary_key_word": "MUST",
"referenced_fr": ["FRD-SCN-04"]
},
{
"id": "FRR-SCN-TF-06",
"statement": "Providers MUST publish updated service documentation and other materials to reflect _transformative_ changes within 30 business days after finishing _transformative_ changes.",
"affects": ["Providers"],
"primary_key_word": "MUST",
"referenced_fr": ["FRD-SCN-04"]
},
{
"id": "FRR-SCN-TF-07",
"statement": "Providers MUST allow agency customers to OPT OUT of _transformative_ changes whenever feasible.",
"affects": ["Providers"],
"primary_key_word": "MUST",
"referenced_fr": ["FRD-SCN-04"]
}
]
},
"impact": {
"application": "These requirements apply ONLY to _significant changes_ of type _impact categorization_.",
"id": "FRR-SCN-IM",
"referenced_fr": ["FRD-SCN-01", "FRD-SCN-05"],
"requirements": [
{
"id": "FRR-SCN-IM-01",
"statement": "Providers MUST follow the legacy Significant Change Request process or full re-authorization for _impact categorization_ changes, with advance approval from an identified lead agency, until further notice.",
"affects": ["Providers"],
"primary_key_word": "MUST",
"is_interim": true,
"referenced_fr": ["FRD-SCN-05"]
}
]
}
}
},
"FRA": {
"SCN": {
"id": "FRA-SCN",
"disclaimer": "Every cloud service provider is different, every architecture is different, and every environment is different. Best practices and technical assistance MUST NOT be used as a checklist. All examples are for discussion purposes ONLY.",
"purpose": "This Technical Assistance helps stakeholders evaluate and label _significant changes_ by type as required by _FRR-SCN-03_. This assistance is designed for the 20x Phase One Pilot and Rev5 Closed Beta Balance Improvement Test. The Significant Change Notification Requirements will be tested, evaluated, and improved in partnership with stakeholders based on real-world experience.",
"requirements": [
{
"id": "FRA-SCN-03",
"applies_to": "FRR-SCN-03",
"statement": "Once a change has been identified as a _significant change_ in general, FedRAMP recommends next determining if a change is of the type _routine recurring_. If it is not, work down from the highest impact to lowest to identify the type of change.\n\n1. Is it a _significant change_?\n2. If it is, is it a _routine recurring_ change?\n3. If it is not, is it an _impact categorization_ change?\n4. If it is not, is it a _transformative_ change?\n5. If it is not, then it is an _adaptive_ change."
},
{
"id": "FRA-SCN-RR",
"applies_to": "FRR-SCN-RR",
"statement": "Activities that match the _routine recurring_ _significant change_ type are performed _regularly_ and routinely by cloud service providers to address flaws or vulnerabilities, address incidents, and generally perform the typical maintenance and service delivery changes expected during day-to-day operations.\n\nThese changes leverage mature processes and capabilities to identify, mitigate, and remediate risks as part of the change. They are often entirely automated and may occur without human intervention, even though they have an impact on security of the service.\n\nIf the activity does not occur _regularly_ and routinely then it cannot be a _significant change_ of this type (e.g., replacing all physical firewalls to remediate a vulnerability is obviously not regular or routine).",
"examples": [
{
"id": "Ongoing operations",
"key_tests": [
"Routine care and feeding by staff during normal duties",
"No major impact to service availability",
"Does not require executive approval"
],
"examples": [
"Provisioning or deprovisioning capacity to support service elasticity",
"Changing or tuning performance configurations for instances or services",
"Updating and maintaining operational handling of information flows and protection across physical and logical networks (e.g., updating firewall rules)",
"Generating or refreshing API or access tokens"
]
},
{
"id": "Vulnerability Management",
"key_tests": [
"Minor, incremental patching or updates",
"Significant refactoring or migration process NOT required",
"No breaking changes"
],
"examples": [
"Updating security service or endpoint signatures",
"Routine patching of devices, operating systems, software or libraries",
"Updating and deploying code that applies normal fixes and improvements as part of a regular development cycle",
"Vulnerability remediation activity that simply replaces a known-bad component(s) with a better version of the exact same thing, running in the exact same way with no changes to processes"
]
}
]
},
{
"id": "FRA-SCN-TF",
"applies_to": "FRR-SCN-TF",
"statement": "Activities that match the _transformative_ _significant change_ type are rare for a cloud service offering, adjusted for the size, scale, and complexity of the service. Small cloud service offerings may go years without _transformative_ changes, while hyperscale providers may release multiple _transformative_ changes per year.",
"examples": [
{
"id": "Transformative changes",
"key_tests": [
"Alters the service risk profile or require new or significantly different actions to address customer responsibilities",
"Requires significant new design, development and testing with discrete associated project planning, budget, marketing, etc.",
"Requires extensive updates to security assessments, documentation, and how a large number of security requirements are met and validated"
],
"examples": [
"The addition, removal, or replacement of a critical third party service that handles a significant portion of information (e.g., IaaS change)",
"Increasing the security categorization of a service within the offering that actively handles federal information (does NOT include impact change of entire offering - see impact categorization change)",
"Replacement of underlying management planes or paradigm shift in workload orchestration (e.g., bare-metal servers or virtual machines to containers, migration to kubernetes)",
"Datacenter migration where large amounts of federal information is moved across boundaries different from normal day-to-day operations",
"Adding a new AI-based capability that impacts federal information in a different way than existing services or capabilities (such as integrating a new third-party service or training on federal information)"
]
}
]
},
{
"id": "FRA-SCN-AD",
"applies_to": "FRR-SCN-AD",
"statement": "Activities that match the _adaptive_ _significant change_ type are a frequent and normal part of iteratively improving a service by deploying new functionality or modifying existing functionality in a way that is typically transparent to customers and does not introduce significant new security risks.\n\nIn general, most changes that do not happen _regularly_ will be _adaptive_ changes. This change type deliberately covers a wide range of activities in a way that requires assessment and consideration.",
"examples": [
{
"id": "Service adjustments",
"key_tests": [
"Requires minimal changes to security plans or procedures",
"Requires some careful planning and project management to implement, but does not rise to the level of planning required for transformative changes",
"Requires verification of existing functionality and secure configuration after implementation"
],
"examples": [
"Updates to operating systems, containers, virtual machines, software or libraries with known breaking changes, complex steps, or service disruption",
"Deploying larger than normal incremental feature improvements in code or libraries that are the work of multiple weeks of development efforts but are not considered a major new service",
"Changing cryptographic modules where the new module meets the same standards and characteristics of the former",
"Replacing a like-for-like component where some security plan or procedure adjustments are required (e.g., scanning tool or managed database swap)",
"Adding models to existing approved AI services without exposing federal information to new services"
]
}
]
}
]
}
}
}