AWS fedramp documentation change
Summary
Updated control reference from FRR-RSC-02 to SCG-CSO-RSC, expanded requirements section to include detailed Secure Configuration Guide requirements for top-level administrative accounts, updated version and date.
Security assessment
This change updates the control framework reference and expands security documentation requirements for root/top-level administrative accounts. It adds specific requirements for secure configuration guides but doesn't indicate a specific security incident or vulnerability. The change improves security documentation by providing more structured requirements for root account security.
Diff
diff --git a/fedramp/latest/userguide/root-security-guidance.md b/fedramp/latest/userguide/root-security-guidance.md index 5d15f3c1d..8cbe7aa9f 100644 --- a//fedramp/latest/userguide/root-security-guidance.md +++ b//fedramp/latest/userguide/root-security-guidance.md @@ -3 +3 @@ -Document InformationFRR-RSC-02: Root Security Settings GuidanceRequirementComponent Implementation (OSCAL)Executive SummaryRoot-Only Security OperationsManagement Account Exclusive Security OperationsRoot Account Specific Security Operations +Document InformationSCG-CSO-RSC: Recommended Secure Configuration - Part 2RequirementComponent Implementation (OSCAL)Executive SummaryRoot-Only Security OperationsManagement Account Exclusive Security OperationsRoot Account Specific Security Operations @@ -15 +15 @@ This topic discusses root security guidance. -Version | 1.0.0 +Version | 1.0.2 @@ -17 +17 @@ Version | 1.0.0 -Last Updated | 2026-01-09 +Last Updated | 2026-03-26 @@ -19 +19 @@ Last Updated | 2026-01-09 -## FRR-RSC-02: Root Security Settings Guidance +## SCG-CSO-RSC: Recommended Secure Configuration - Part 2 @@ -23 +23 @@ Last Updated | 2026-01-09 -**OSCAL Control ID: FRR-RSC-02** +**OSCAL Control ID: SCG-CSO-RSC** @@ -25 +25 @@ Last Updated | 2026-01-09 -**UUID: frr-rsc-02-control** +**UUID: scg-cso-rsc-control** @@ -29 +29,12 @@ Last Updated | 2026-01-09 -Providers MUST create and maintain guidance that explains security-related settings that can be operated only by top-level administrative accounts and their security implications. +This guidance addresses Part 2 of SCG-CSO-RSC: Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications. + +Providers MUST create, maintain, and make available recommendations for securely configuring their cloud services (the Secure Configuration Guide) that includes at least the following information: + + 1. **Required** : Instructions on how to securely access, configure, operate, and decommission top-level administrative accounts that control enterprise access to the entire cloud service offering. + + 2. **Required** : Explanations of security-related settings that can be operated only by top-level administrative accounts and their security implications. + + 3. **Recommended** : Explanations of security-related settings that can be operated only by privileged accounts and their security implications. + + +