The Master Guide to the FedRAMP Secure Configuration Guide (SCG)
The Secure Configuration Guide is a mandatory artifact for all FedRAMP Rev5 CSPs, effective March 1, 2026. It empowers agency customers to securely configure, operate, and manage their cloud instance. Here's everything you need to know to stay compliant.
What Is the SCG?
The Secure Configuration Guide is a CSP-authored document that tells agency customers exactly how to securely configure, operate, and manage their instance of your cloud service. It is not a template — FedRAMP intentionally does not prescribe a format, giving providers flexibility to present their guidance in whatever way best serves their customers.
Important: The SCG supplements — it does not replace — the existing Customer Responsibilities Matrix and other Rev5 materials. All existing artifacts must still be maintained.
Three-Strike Enforcement Timeline
Applies to all FedRAMP Rev5 cloud services listed in the FedRAMP Marketplace.
1. Public "Non-Compliant" notification in the FedRAMP Marketplace.
2. Revocation of FedRAMP authorization and downgrade to "FedRAMP Ready."
3. Complete removal from the FedRAMP Marketplace and a mandatory 3-month ban on authorization.
Core Requirements (CSO)
Recommended Secure Configuration
Provide a recommended secure configuration for your cloud service offering that customers can use as a baseline.
Admin User Procedures
Provide instructions to securely access, configure, and decommission top-level administrative accounts.
Public Guidance
Make the guide publicly available on a website or portal to assist agency customers.
Secure Defaults
Ensure all settings are set to their most secure posture upon initial provisioning.
Enhanced Capabilities (ENH)
Comparison Capability
Allow customers to compare current settings against the recommended secure defaults.
Export Capability
Allow customers to export security settings in a machine-readable format for auditing.
API Capability
Allow customers to view and adjust security settings via a programmatic interface (API).
Machine-Readable Guidance
Provide the SCG itself in a data format like JSON or OSCAL.
Versioning & History
Provide a detailed release history for all changes to recommended secure defaults.
Auditor's Perspective
Independent commentary — not official FedRAMP guidance
"In a formal 3PAO assessment, the Admin User Procedures (AUP) is the primary point of failure. CSPs must clearly define every role that has 'top-level' permissions. If your guide does not explicitly explain how to secure the accounts that control your MFA, logging, and SSO settings, it will be rejected. Think of it as the 'God-Mode' rule — document everything that touches God-Mode or plan to resubmit."
How to Implement
Draft the Admin User Procedures
Explicitly document the full lifecycle of privileged accounts — creation, configuration, MFA enrollment, SSO integration, and decommission. This is your highest-risk section.
Define and Audit Secure Defaults
Audit your platform's out-of-the-box state. Every setting that ships with your service must match the recommended secure configuration in your guide.
Publish at a Stable URL
Host the guide at a permanent, publicly accessible URL to satisfy SCG-CSO-PUB. Link to it from your FedRAMP authorization package.
Automate for Enhanced Requirements
Use OSCAL mapping to fulfill the ENH requirements for machine-readability (SCG-ENH-MRG) and build API or export capabilities to satisfy SCG-ENH-API and SCG-ENH-EXP.
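As an added illustration of the secure-defaults audit and comparison steps above (example code, not FedRAMP guidance or any CSP's implementation): a drift check that reads a constructed, hypothetical machine-readable SCG baseline (the JSON layout is assumed for this example and is not OSCAL) and reports every setting where a tenant's current configuration falls short of, or fails to report, the recommended value.

```python
import json
# Constructed sample of a machine-readable SCG baseline (hypothetical layout,
# not OSCAL): each setting carries the recommended value and a severity.
SCG_BASELINE_JSON = """{
  "scg_version": "1.2.0",
  "settings": [
    {"id": "admin.mfa_required", "recommended": true, "severity": "high"},
    {"id": "sso.enforce_saml", "recommended": true, "severity": "high"},
    {"id": "audit.log_retention_days", "recommended": 365, "severity": "high", "compare": "min"},
    {"id": "session.idle_timeout_min", "recommended": 15, "severity": "medium", "compare": "max"}
  ]
}"""

# Constructed sample of a tenant's current settings export.
CURRENT_SETTINGS = {
    "admin.mfa_required": True,
    "audit.log_retention_days": 90,   # below the recommended minimum
    "session.idle_timeout_min": 10,   # stricter than recommended: fine
    "theme.dark_mode": True,          # not a security setting in the SCG: ignored
}

def setting_compliant(rule, actual):
    # Exact match unless the rule names a floor ("min") or ceiling ("max").
    mode, expected = rule.get("compare", "exact"), rule["recommended"]
    if mode == "min":
        return actual >= expected
    if mode == "max":
        return actual <= expected
    return actual == expected

def compare_settings(baseline_json, current):
    # Returns one finding per baseline setting that drifts from, or is absent
    # from, the current export; an empty list means the instance matches the SCG.
    findings = []
    for rule in json.loads(baseline_json)["settings"]:
        sid, actual = rule["id"], current.get(rule["id"])
        if sid not in current:
            reason = "not reported"
        elif not setting_compliant(rule, actual):
            reason = "drift"
        else:
            continue
        findings.append({"id": sid, "expected": rule["recommended"],
                         "actual": actual, "severity": rule["severity"],
                         "reason": reason})
    # Highest severity first so the riskiest gap is read first.
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank.get(f["severity"], 3), f["id"]))
    return findings
```

The same function, run against a fresh tenant's export, doubles as the out-of-the-box check: any finding means a shipped default does not match the guide.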
Sources
Based on FedRAMP documentation v0.9.0-beta. Last reviewed February 21, 2026. Always verify against the official source.