What's in an Authorization Package
A FedRAMP authorization package documents the security and risk posture of a CSP's CSO. It includes the SSP, which is the "security blueprint" for the CSO. The SSP defines the CSO's authorization boundary and describes the security controls in place to protect the confidentiality, integrity, and availability (CIA) of the CSO and of federal data. The authorization package also includes several required SSP appendices (e.g., Appendix C: Security Policies and Procedures and Appendix I: Incident Response Plan), the SAP, the SAR, the POA&M, and the federal agency authorization letter.
FedRAMP authorization packages are leveraged by federal agencies when authorizing cloud services for federal government use. FedRAMP provides standard templates and resources for CSPs to develop and deliver authorization packages to federal customers. A package consists of:
- System Security Plan (SSP) and appendices A - Q
- Security Assessment Plan (SAP) and appendices A - D
- Security Assessment Report (SAR) and appendices A - F
- Plan of Action & Milestones (POA&M) (SSP Appendix O)
- Signed federal agency Authority to Operate (ATO)
Required Formats
FedRAMP authorization package documents must be submitted in the designated formats (e.g., Microsoft Word and Excel), and some must be prepared using a FedRAMP-provided template. CSPs are required to complete and submit the FedRAMP Initial Authorization Package Checklist to ensure that all documentation requirements are met. The checklist indicates required submission formats and templates and must be included with the initial authorization package.
Altering Content
CSPs and 3PAOs are prohibited from altering or removing content in the SSP, SAP, and SAR templates; however, CSPs and 3PAOs should remove the italicized instructional text before submitting the final versions of the SSP, SAP, and SAR. Federal agency-specific requirements, above and beyond the FedRAMP baseline, must be documented in an appendix to the SSP.