Recommended Secure Configuration Standard
All customers benefit from simple, easy to follow, easy to understand instructions for securely configuring a cloud service offering. Cloud service providers often provide a wide range of configuration options to allow individual customers to pick and choose their security posture based on their individual customer needs and are best positioned to provide instructions about the overall security impacts of many of these choices.
This standard outlines simple requirements for FedRAMP authorized cloud service providers to effectively communicate the security impact of common settings to new and current agency customers.
Effective Date(s) & Overall Applicability
- Release: 25.11A
- Published: 2025-11-18
- Designator: RSC
- Description: Initial release of the Recommended Secure Configuration Standard (RSC) for the FedRAMP 20x Phase Two pilot.
- FedRAMP 20x:
  - This release is effective 2025-11-18 for 20x.
  - This policy applies to all FedRAMP 20x authorizations.
  - Phase One Pilot participants have one year from authorization to fully implement this standard but must demonstrate continuous quarterly progress.
  - Phase Two Pilot participants must demonstrate significant progress towards implementing this standard prior to submission for authorization review.
- FedRAMP Rev5:
  - This release is effective 2026-03-01 for Rev5 (Wide Release).
  - This policy applies to all FedRAMP Rev5 authorizations as a supplement to SSP Appendix J: CSO CIS and CRM Workbook (both are required).
  - All cloud service offerings seeking FedRAMP Rev5 authorization MUST implement the Recommended Secure Configuration Standard (RSC) starting on the Effective Date for Rev5 authorizations.
  - All cloud service offerings with an active FedRAMP Rev5 authorization MUST implement the Recommended Secure Configuration Standard (RSC) no later than their next annual assessment that begins after the Effective Date for Rev5 authorizations.
Background & Authority
- Executive Order 14144 Strengthening and Promoting Innovation in the Nation’s Cybersecurity Section 3 (d), as amended by Executive Order 14306 Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144 to Section 3 (b), states "the Administrator of General Services, acting through the Director of the Federal Risk and Authorization Management Program (FedRAMP), in coordination with the Secretary of Commerce, acting through the Director of NIST, and the Secretary of Homeland Security, acting through the Director of CISA, shall develop FedRAMP policies and practices to incentivize or require cloud service providers in the FedRAMP Marketplace to produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems in order to secure Federal data based on agency requirements."
Requirements & Recommendations
These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this standard.
FRR-RSC-01 Top-Level Administrative Accounts Guidance
Providers MUST create and maintain guidance that includes instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering.
Note: This guidance should explain how top-level administrative accounts are named and referred to in the cloud service offering.
Applies to: Low, Moderate, High
FRR-RSC-02 Top-Level Administrative Accounts Security Settings Guidance
Providers MUST create and maintain guidance that explains security-related settings that can be operated only by top-level administrative accounts and their security implications.
Applies to: Low, Moderate, High
FRR-RSC-03 Privileged Accounts Security Settings Guidance
Providers SHOULD create and maintain guidance that explains security-related settings that can be operated only by privileged accounts and their security implications.
Applies to: Low, Moderate, High
FRR-RSC-04 Secure Defaults on Provisioning
Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned.
Applies to: Low, Moderate, High
FRR-RSC-05 Comparison Capability
Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults.
Applies to: Low, Moderate, High
FRR-RSC-06 Export Capability
Providers SHOULD offer the capability to export all security settings in a machine-readable format.
Applies to: Low, Moderate, High
FRR-RSC-07 API Capability
Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability.
Applies to: Low, Moderate, High
FRR-RSC-08 Machine-Readable Guidance
Providers SHOULD provide recommended secure configuration guidance in a machine-readable format that can be used by customers or third-party tools to compare against current settings.
Applies to: Low, Moderate, High
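FRR-RSC-05, FRR-RSC-06 and FRR-RSC-08 together describe a single workflow: a customer (or a third-party tool) takes the provider's machine-readable recommended settings, takes a machine-readable export of the current settings, and reports where they differ. The script below is an added illustration of that comparison, not part of the standard and not any provider's tooling. The JSON layout (a `release` field with a `release_history`, as FRR-RSC-10 asks for, and a `settings` map carrying each recommended value and its security impact) is an assumed format, and both documents are constructed samples.

```python
"""Compare an exported set of security settings against a machine-readable
recommended secure configuration baseline and report drift.

Added example for the RSC comparison/export/machine-readable guidance
requirements; the JSON layouts are assumptions, not a FedRAMP schema.
"""
import json
from dataclasses import dataclass

# Constructed sample: the provider's recommended baseline for top-level
# administrative and privileged accounts, with versioning (FRR-RSC-10).
BASELINE_JSON = """
{
  "release": "1.1.0",
  "release_history": [
    {"release": "1.0.0", "note": "initial baseline"},
    {"release": "1.1.0", "note": "added session_timeout_minutes"}
  ],
  "account_scope": ["top-level-admin", "privileged"],
  "settings": {
    "mfa_required":             {"recommended": true,  "impact": "phishing-resistant MFA on admin sign-in"},
    "session_timeout_minutes":  {"recommended": 15,    "impact": "limits exposure of an idle admin session"},
    "api_keys_expire_days":     {"recommended": 90,    "impact": "bounds the lifetime of long-lived credentials"},
    "audit_log_retention_days": {"recommended": 365,   "impact": "preserves evidence for incident response"},
    "public_sharing_allowed":   {"recommended": false, "impact": "prevents data exposure by default"}
  }
}
"""

# Constructed sample: a machine-readable export of the customer's current settings.
CURRENT_EXPORT_JSON = """
{
  "exported_at": "2025-11-18T12:00:00Z",
  "settings": {
    "mfa_required": true,
    "session_timeout_minutes": 240,
    "audit_log_retention_days": 365,
    "public_sharing_allowed": true,
    "legacy_auth_enabled": true
  }
}
"""


@dataclass
class Finding:
    setting: str
    status: str        # "match", "drift", "missing" (not in export) or "unlisted" (no guidance)
    recommended: object
    current: object
    impact: str


def compare_settings(baseline: dict, current: dict) -> list:
    """Return one Finding per setting in either document."""
    findings = []
    baseline_settings = baseline["settings"]
    current_settings = current["settings"]
    for name, spec in sorted(baseline_settings.items()):
        rec = spec["recommended"]
        if name not in current_settings:
            # The export does not carry a setting the guidance covers: flag it
            # rather than silently assuming it is at the default.
            findings.append(Finding(name, "missing", rec, None, spec["impact"]))
            continue
        value = current_settings[name]
        # Compare type as well as value so that a boolean and an integer
        # (True == 1 in Python) are never reported as matching.
        same = type(value) is type(rec) and value == rec
        findings.append(Finding(name, "match" if same else "drift", rec, value, spec["impact"]))
    for name in sorted(set(current_settings) - set(baseline_settings)):
        # A security setting with no published guidance is itself worth surfacing.
        findings.append(Finding(name, "unlisted", None, current_settings[name],
                                "no recommended value published for this setting"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per status."""
    counts = {"match": 0, "drift": 0, "missing": 0, "unlisted": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


def run_comparison(baseline_json: str = BASELINE_JSON,
                   current_json: str = CURRENT_EXPORT_JSON) -> dict:
    """Parse both documents and return the findings plus the baseline release used."""
    baseline = json.loads(baseline_json)
    current = json.loads(current_json)
    findings = compare_settings(baseline, current)
    return {"baseline_release": baseline["release"],
            "findings": findings,
            "summary": summarize(findings)}


if __name__ == "__main__":
    result = run_comparison()
    print(f"baseline release {result['baseline_release']}: {result['summary']}")
    for f in result["findings"]:
        if f.status != "match":
            print(f"  [{f.status}] {f.setting}: current={f.current!r} "
                  f"recommended={f.recommended!r} ({f.impact})")
```

Recording the baseline release alongside the findings is what makes a report reproducible once the provider revises its recommendations; the same export compared against a later release may produce different drift, and the release history explains why.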
FRR-RSC-09 Publish Guidance
Providers SHOULD make recommended secure configuration guidance available publicly.
Applies to: Low, Moderate, High
FRR-RSC-10 Versioning and Release History
Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time.
Applies to: Low, Moderate, High