Update SCN, remove SCN-TRF-OPT, clarify optional BIRs

Author: pete-gov

FRMR.documentation.json

@@ -2,8 +2,8 @@
   "info": {
     "title": "FedRAMP Machine-Readable Documentation",
     "description": "This datafile contains FedRAMP documentation for cloud service providers seeking FedRAMP Authorization. This includes definitions, requirements, recommendations, and key security indicators.",
-    "version": "0.9.2-beta",
-    "last_updated": "2026-02-11"
+    "version": "0.9.3-beta",
+    "last_updated": "2026-02-20"
   },
   "FRD": {
     "info": {
@@ -3074,11 +3074,11 @@
             "end_date": "2027-12-22",
             "comments": [
               "Rev5 Authorized providers or those seeking FedRAMP authorization MAY adopt this process in place of the traditional FedRAMP Significant Change Request process after February 27, 2026.",
-              "Providers MUST address all requirements and recommendations in this process prior to full adoption.",
               "Rev5 Authorized Providers who switch to the Significant Change Notification process MUST notify FedRAMP via the Sign-up Form.",
+              "Providers MUST address all requirements and recommendations in their authorization data - either in their System Security Plan with the appropriate controls or via an addendum.",
               "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's adoption of this process.",
-              "Providers seeking FedRAMP authorization who plan to follow the Significant Change Notification process must clearly note this in their authorization package",
-              "The FedRAMP Marketplace will include a section that indicates if a cloud service offering is following this process."
+              "Providers seeking FedRAMP authorization who plan to follow the Significant Change Notification process must clearly note this in their authorization package.",
+              "The FedRAMP Marketplace will eventually include a section that indicates if a cloud service offering is following this process."
             ]
           },
           "20x": {
@@ -3152,6 +3152,7 @@
                   "comment": "Moved to FRP; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
                 }
               ],
+              "note": "The circumstances and conditions of such a Corrective Action Plan will vary and be documented in the Correcive Action Plan.",
               "terms": ["Significant change"]
             }
           },
@@ -3186,10 +3187,15 @@
             "SCN-CSO-MAR": {
               "fka": "FRR-SCN-04",
               "name": "Maintain Audit Records",
-              "statement": "Providers MUST maintain auditable records of significant change evaluation activities and make them available to all necessary parties.",
+              "statement": "Providers MUST maintain auditable records of the significant change evaluation activities required by SCN-CSO-EVA (Evaluate Changes) and make them available to FedRAMP.",
               "affects": ["Providers"],
               "primary_key_word": "MUST",
+              "note": "These audit records must be available to FedRAMP on request; these records do not need to be included in the authorization package by default.",
               "updated": [
+                {
+                  "date": "2026-02-20",
+                  "comment": "Clarified that this applies to SCN-CSO-EVA evaluation activities."
+                },
                 {
                   "date": "2026-02-04",
                   "comment": "Clarified wording; removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
@@ -3221,15 +3227,20 @@
                   "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
                 }
               ],
+              "note": "Structure of the information may vary depending on how the provider tracks this internally.",
               "terms": ["Persistent Validation", "Significant change"]
             },
             "SCN-CSO-HIS": {
               "fka": "FRR-SCN-05",
               "name": "Historical Notifications",
-              "statement": "Providers MUST keep historical Significant Change Notifications available to all necessary parties at least until the service completes its next annual assessment.",
+              "statement": "Providers MUST keep 12 months of historical Significant Change Notifications available with their authorization data.",
               "affects": ["Providers"],
               "primary_key_word": "MUST",
               "updated": [
+                {
+                  "date": "2026-02-20",
+                  "comment": "Updated requirement to specify 12 months of retention to showcase historical performance."
+                },
                 {
                   "date": "2026-02-04",
                   "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
@@ -3240,15 +3251,20 @@
             "SCN-CSO-HRM": {
               "fka": "FRR-SCN-08",
               "name": "Human and Machine-Readable",
-              "statement": "Providers MUST make ALL Significant Change Notifications and related audit records available in similar human-readable and compatible machine-readable formats.",
+              "statement": "Providers MUST make ALL Significant Change Notifications and related audit records available in human-readable and machine-readable formats.",
               "affects": ["Providers"],
               "primary_key_word": "MUST",
               "updated": [
+                {
+                  "date": "2026-02-20",
+                  "comment": "Clarified wording and added note."
+                },
                 {
                   "date": "2026-02-04",
                   "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
                 }
               ],
+              "note": "During the SCN beta, many cloud service providers met this requirement by using carefully structured and organized csv files to meet human-readable and machine-readable requirements simultaneously.",
               "terms": ["Machine-Readable", "Significant change"]
             },
             "SCN-CSO-ARI": {
@@ -3258,33 +3274,50 @@
               "affects": ["Providers"],
               "primary_key_word": "MAY",
               "updated": [
+                {
+                  "date": "2026-02-20",
+                  "comment": "Added note."
+                },
                 {
                   "date": "2026-02-04",
                   "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
                 }
               ],
+              "note": "This allows providers to convey whatever additional information they think is relevant without worrying about negative consequences from not following an exact template.",
               "terms": ["Significant change"]
             },
             "SCN-CSO-NOM": {
               "fka": "FRR-SCN-07",
               "name": "Notification Mechanisms",
-              "statement": "Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented and easily accessible.",
+              "statement": "Providers MAY notify necessary parties in a variety of ways as long as the mechanism for notification is clearly documented in the authorization package and easily accessible.",
               "affects": ["Providers"],
               "primary_key_word": "MAY",
               "updated": [
+                {
+                  "date": "2026-02-20",
+                  "comment": "Clarified wording and added notes."
+                },
                 {
                   "date": "2026-02-04",
                   "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
                 }
+              ],
+              "notes": [
+                "The sharing mechanism should be designed based on the needs of the provider and their customers and may vary between providers.",
+                "The default sharing mechanism for most providers during the SCN beta was to send an email to agency customers and upload a copy of the notification to the provider's secure sharing location."
               ]
             },
             "SCN-CSO-EMG": {
               "fka": "FRR-SCN-EX-02",
               "name": "Emergency Changes",
-              "statement": "Providers MAY execute significant changes (including transformative changes) during an emergency or incident without meeting Significant Change Notification requirements in advance ONLY if absolutely necessary. In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident.",
+              "statement": "Providers MAY execute significant changes (including transformative changes) during an emergency or incident without meeting Significant Change Notification requirements in advance. In such emergencies, providers MUST follow all relevant procedures, notify all necessary parties, retroactively provide all Significant Change Notification materials, and complete appropriate assessment after the incident.",
               "affects": ["Providers"],
               "primary_key_word": "MAY",
               "updated": [
+                {
+                  "date": "2026-02-20",
+                  "comment": "Clarified wording and added note."
+                },
                 {
                   "date": "2026-02-04",
                   "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
@@ -3295,7 +3328,8 @@
                 "Incident",
                 "Significant change",
                 "Transformative"
-              ]
+              ],
+              "note": "Procedures for emergency changes should be documented in the authorization package."
             }
           },
           "RTR": {
@@ -3399,20 +3433,6 @@
             }
           },
           "TRF": {
-            "SCN-TRF-OPT": {
-              "fka": "FRR-SCN-TR-07",
-              "name": "Option to Opt Out",
-              "statement": "Providers MUST allow agency customers to OPT OUT of transformative changes whenever feasible.",
-              "affects": ["Providers"],
-              "primary_key_word": "MUST",
-              "updated": [
-                {
-                  "date": "2026-02-04",
-                  "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
-                }
-              ],
-              "terms": ["Agency", "Transformative"]
-            },
             "SCN-TRF-NIP": {
               "fka": "FRR-SCN-TR-02",
               "name": "Notification of Initial Plans",
@@ -3526,12 +3546,17 @@
               "timeframe_num": 30,
               "primary_key_word": "MUST",
               "updated": [
+                {
+                  "date": "2026-02-20",
+                  "comment": "Added note."
+                },
                 {
                   "date": "2026-02-04",
                   "comment": "Removed italics and changed the ID as part of new standardization in v0.9.0-beta; no material changes."
                 }
               ],
-              "terms": ["Transformative"]
+              "terms": ["Transformative"],
+              "note": "This requirement is focused on service documentation like user guides, information listed in the marketplace, and other such materials; it does not require updating the system security plan or authorization package."
             },
             "SCN-TRF-TPR": {
               "fka": "FRR-SCN-TR-01",
@@ -3677,7 +3702,7 @@
               "Rev5 Authorized providers MAY adopt this process beginning February 2, 2026 as part of the Open Beta.",
               "Providers MUST plan to address all requirements and recommendations in this process by the end of the Open Beta on May 22, 2026.",
               "It is up to providers to coordinate with their active agency customers to ensure agency customers will not be negatively impacted by the provider's participation in this beta.",
-              "FedRAMP recommends that participants in the Vulnerability Detection and Response beta also adopt the Authorization Data Sharing process and the Significant Change Notifications process."
+              "FedRAMP recommends that participants in the Vulnerability Detection and Response beta also adopt the Collaborative Continuous Monitoring process and the Significant Change Notifications process."
             ]
           },
           "20x": {

tools/site/content/rev5/balance/index.md

@@ -19,14 +19,16 @@ These policies apply directly to Rev5 cloud service offerings and are **mandator
 
 These policies may be adopted by Rev5 cloud service offerings following the Rev5-specific process outlined in the policy.
 
-!!! warning "Do not adopt these policies without FedRAMP review!"
-    Providers MUST work with FedRAMP while adopting these policies, following all relevant instructions. Providers MUST NOT adopt any optional policy without a plan to address all requirements and obtain concurrence from all active agency customers.
+!!! warning "Optional Implementation"
+    All requirements in optional Balance Improvement Releases **only apply to providers that are adopting the Balance Improvement Release.** 
 
+    Providers MUST notify FedRAMP via the appropriate mechanism documented in the Balance Improvement Release **prior** to adopting optional Balance Improvement Releases.
+    
 ### Wide Releases
 
 | Process | Overall Balance Status |
 | -- | -- |
-| [Minimum Assessment Scope](minimum-assessment-scope) | Optional Wide Release begins January 12, 2026|
+| [Minimum Assessment Scope](minimum-assessment-scope) | Optional Wide Release began January 12, 2026|
 | [Significant Change Notifications](significant-change-notifications) | Optional Wide Release begins February 27, 2026 (tentative)|
 
 ### Betas
@@ -35,7 +37,7 @@ These policies may be adopted by Rev5 cloud service offerings following the Rev5
 | -- | -- |
 | [Authorization Data Sharing](authorization-data-sharing) | Open Beta will run from February 2 to May 22, 2026|
 | [Vulnerability Detection and Response](vulnerability-detection-and-response) | Open Beta will run from February 2 to May 22, 2026|
-| [Collaborative Continuous Monitoring](collaborative-continuous-monitoring) | Closed Beta will run from February 2 to May 22, 2026|
+| [Collaborative Continuous Monitoring](collaborative-continuous-monitoring) | Open Beta will run from February 2 to May 22, 2026|
 
 ---