AWS Security ChangesHomeSearch

AWS fedramp documentation change

Service: fedramp · 2026-03-28 · Documentation low

File: fedramp/latest/userguide/introduction.md

Summary

Updated FedRAMP documentation from FRR-RSC framework to SCG framework, changing from 10 controls to 4 CSO requirements and 5 ENH recommendations, and removed OSCAL download section

Security assessment

This change updates documentation to reflect a new FedRAMP framework structure (SCG vs FRR-RSC) but doesn't address any specific security vulnerability or incident. The change adds security documentation by updating compliance requirements and recommendations for secure configuration of AWS services in FedRAMP environments. The removal of the OSCAL download section indicates a change in available automation capabilities but isn't evidence of a security issue.

Diff

diff --git a/fedramp/latest/userguide/introduction.md b/fedramp/latest/userguide/introduction.md
index cd4b93f4e..b78eec279 100644
--- a//fedramp/latest/userguide/introduction.md
+++ b//fedramp/latest/userguide/introduction.md
@@ -3 +3 @@
-CoverageRequirementsAbout FedRAMP Rev5 RSC RequirementsComplete FRR-RSC CoverageGet Started
+CoverageRequirementsAbout FedRAMP Rev5 SCG RequirementsComplete SCG CoverageGet Started
@@ -7 +7 @@ CoverageRequirementsAbout FedRAMP Rev5 RSC RequirementsComplete FRR-RSC Coverage
-Comprehensive security configuration guidance for AWS services aligned with FedRAMP Revision 5 Recommended Secure Configuration (FRR-RSC) requirements. This site contains FedRAMP specific guidance for AWS services as well as access to [OSCAL](https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language) formatted documents for consumption into your own tooling. These guidances are provided as a point in time reference to how to configure AWS services and AWS top-level administration accounts in a secure fashion to align with FedRAMP.
+Comprehensive security configuration guidance for AWS accounts and services aligned with FedRAMP Revision 5 Secure Configuration Guidance (SCG) requirements. This site contains FedRAMP specific guidance for AWS services. These guidances are provided as a point in time reference to how to configure AWS services and AWS top-level administration accounts in a secure fashion to align with FedRAMP.
@@ -18 +18 @@ Comprehensive security configuration guidance for AWS services aligned with FedR
-  * **All 10** FRR-RSC controls
+  * **All 4** SCG Cloud Service Offering (CSO) requirements
@@ -19,0 +20 @@ Comprehensive security configuration guidance for AWS services aligned with FedR
+  * **All 5** SCG Enhanced Capabilities (ENH) recommendations
@@ -23 +23,0 @@ Comprehensive security configuration guidance for AWS services aligned with FedR
-## About FedRAMP Rev5 RSC Requirements
@@ -25 +25,3 @@ Comprehensive security configuration guidance for AWS services aligned with FedR
-FedRAMP Revision 5 introduces 10 new Recommended Secure Configuration (FRR-RSC) requirements that cloud service providers must address to help federal agencies secure their cloud environments. AWS provides comprehensive guidance to align with these requirements.
+## About FedRAMP Rev5 SCG Requirements
+
+FedRAMP Revision 5 introduces Secure Configuration Guide requirements that cloud service providers must address to help federal agencies secure their cloud environments. AWS provides comprehensive guidance to align with these requirements.
@@ -38 +40,3 @@ FedRAMP Revision 5 introduces 10 new Recommended Secure Configuration (FRR-RSC)
-## Complete FRR-RSC Coverage
+## Complete SCG Coverage
+
+### Cloud Service Offering Requirements
@@ -42,10 +46,14 @@ Requirement | Description | AWS Solution
-FRR-RSC-01 |  Top-Level Administrative Accounts Guidance |  Detailed guidance for Root Account, Organizations, IAM Identity Center  
-FRR-RSC-02 |  Administrative Security Settings |  Root-only security settings documentation with API commands  
-FRR-RSC-03 |  Privileged Accounts Security |  IAM best practices, MFA enforcement, least privilege guidance  
-FRR-RSC-04 |  Secure Defaults on Provisioning |  AWS Well-Architected Framework security baselines per service  
-FRR-RSC-05 |  Comparison Capability |  AWS Config integration for drift detection and compliance comparison  
-FRR-RSC-06 |  Export Capability |  JSON, OSCAL, and CloudFormation export formats  
-FRR-RSC-07 |  API Capability |  100% of security settings configurable via AWS CLI/API  
-FRR-RSC-08 |  Machine-Readable Guidance |  OSCAL 1.1.2 component definitions for all services  
-FRR-RSC-09 |  Publish Guidance |  Publicly accessible web interface and downloadable artifacts  
-FRR-RSC-10 |  Versioning and Release History |  Version-controlled guidance with change tracking  
+SCG-CSO-RSC |  Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that includes at least the following information: Required: Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering. Required: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications. Recommended: Explanations of security-related settings that can be operated only by privileged accounts and their security implications. |  Create, maintain, and make available recommendations for securely configuring AWS services including: instructions for top-level administrative accounts (access, configure, operate, decommission), security-related settings operated by top-level administrative accounts, and privileged account security settings  
+SCG-CSO-AUP |  Providers MUST include instructions in the FedRAMP authorization package that explain how to obtain and use the Secure Configuration Guide. |  Available  
+SCG-CSO-PUB |  Public Guidance Providers SHOULD make the Secure Configuration Guide available publicly. |  AWS provides these secure configuration guidances available through the AWS documentation to the public for usage.  
+SCG-CSO-SDF |  Providers SHOULD set all settings to their recommended secure defaults for top-level administrative accounts and privileged accounts when initially provisioned. |  AWS builds services with security in mind, we don’t enforce a minimum standard but provide security options to meet customer needs.  
+  
+### Enhanced Capabilities
+
+Recommendation | Description | AWS Solution  
+---|---|---  
+SCG-ENH-CMP |  Comparison Capability Providers SHOULD offer the capability to compare all current settings for top-level administrative accounts and privileged accounts to the recommended secure defaults. |  Leverage AWS Config  
+SCG-ENH-EXP |  Export Capability Providers SHOULD offer the capability to export all security settings in a machine-readable format. |  OSCAL Formats will be available in the future  
+SCG-ENH-API |  API Capability Providers SHOULD offer the capability to view and adjust security settings via an API or similar capability. |  AWS provides API access to AWS services  
+SCG-ENH-MRG |  Machine-Readable Guidance Providers SHOULD also provide the Secure Configuration Guide in a machine-readable format that can be used by customers or third-party tools to compare against current settings. |  AWS Will provide OSCAL formatted guides  
+SCG-ENH-VRH |  Versioning and Release History Providers SHOULD provide versioning and a release history for recommended secure default settings for top-level administrative accounts and privileged accounts as they are adjusted over time |  Each guide includes versioning details  
@@ -59,6 +66,0 @@ Explore security configuration guidance for administrative accounts and all avai
-### Export & Automate
-
-Download OSCAL files to integrate with your compliance automation tools for continued usage
-
-[Download Artifacts](samples/FRR-RSC.zip)
-