Documents & Templates


FedRAMP Program Documents

May 30, 2023

FedRAMP Security Controls Baseline

This document provides the catalog of FedRAMP High, Moderate, Low, and Tailored LI-SaaS baseline security controls, along with additional guidance and requirements.

[File Info: excel - 674KB]

Key Assessor Documents

April 6, 2023

3PAO Obligations and Performance Guide

This document provides guidance for 3PAOs on demonstrating the quality, independence, and FedRAMP knowledge required as they perform security assessments on cloud systems.

[File Info: PDF - 208KB]

FedRAMP Program Documents

September 1, 2022

Branding Guidance

This document provides guidelines on the use of the FedRAMP name, logo, and marks on all FedRAMP marketing and collateral materials. General guidelines are provided first, followed by more specific guidelines for the two major uses of FedRAMP marks: Designation of FedRAMP 3PAO accreditation and FedRAMP Security Authorization.

[File Info: PDF - 916KB]

Key Agency Documents

July 26, 2022

Reusing Authorizations for Cloud Products Quick Guide

This quick guide outlines steps and guidance to help agencies quickly and efficiently reuse authorized cloud products within the FedRAMP Marketplace.

[File Info: PDF - 74KB]

Continuous Monitoring Phase

June 30, 2022

Penetration Test Guidance

The purpose of this document is to provide guidelines for organizations on planning and conducting Penetration Testing and analyzing and reporting on findings.

[File Info: PDF - 1MB]

Authorization Phase

June 28, 2022

FedRAMP Plan of Action and Milestones (POA&M) Template

The FedRAMP POA&M Template provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts. This template is intended to be used as a tracking tool for risk mitigation in accordance with CSP priorities.

[File Info: excel - 68KB]

FedRAMP Program Documents

June 21, 2022

Subnets White Paper

This white paper helps our stakeholders understand FedRAMP subnetwork (subnet) requirements. The paper covers what subnets are, why they matter, and the actions cloud service providers (CSPs) should take to ensure compliance.

[File Info: PDF - 506KB]

Key Agency Documents

March 11, 2022

FedRAMP Package Access Request Form

Form that must be completed to gain access to a FedRAMP security assessment package.

[File Info: PDF - 285KB]

FedRAMP Program Documents

February 15, 2022

Threat-Based Risk Profiling Methodology White Paper

This white paper describes the methodology for identifying which security controls and capabilities are most effective to protect, detect, and respond to current prevalent threats. The paper outlines the threat-based scoring approach and its potential applications.

[File Info: PDF - 506KB]

Key Assessor Documents

January 28, 2022

3PAO Readiness Assessment Report Guide

This document provides 3PAOs with guidance on how best to utilize the Readiness Assessment Report (RAR). It provides a shared understanding of the RAR’s intent, process, and best practices in service of improving the likelihood of 3PAOs successfully completing the RAR.

[File Info: PDF - 342KB]

Preparation Phase

January 18, 2022

CSP Authorization Playbook: Getting Started with FedRAMP

This first volume of the CSP Authorization Playbook provides an overview of all of the partners involved in a FedRAMP authorization, things to consider when determining your authorization strategy, the types of authorizations, and important considerations for your offering when working with FedRAMP.

[File Info: PDF - 959KB]

Preparation Phase

January 4, 2022

FedRAMP Moderate Readiness Assessment Report (RAR) Template

The FedRAMP Moderate RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP’s system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system.

[File Info: word - 244KB]

Preparation Phase

January 4, 2022

FedRAMP High Readiness Assessment Report (RAR) Template

The FedRAMP High RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP’s system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system.

[File Info: word - 246KB]

Key Cloud Service Provider Documents

November 23, 2021

Plan of Action and Milestones (POA&M) Template Completion Guide

The FedRAMP POA&M Template Completion Guide provides explicit guidance on how to complete the POA&M Template and provides guidance to ensure that the CSP is meeting POA&M requirements.

[File Info: PDF - 532KB]

FedRAMP Program Documents

October 28, 2021

FedRAMP Marketplace Designations for Cloud Service Providers

This document outlines the requirements for listing FedRAMP designations on the FedRAMP Marketplace for Cloud Service Providers (CSPs). This includes achieving, maintaining, and removing a designation for a Cloud Service Offering (CSO) and supersedes the FedRAMP In Process requirements.

[File Info: PDF - 668KB]

Key Agency Documents

October 20, 2021

Agency Authorization Playbook

A compilation of best practices, tips, and step-by-step guidance for Agencies seeking to implement ATOs.

[File Info: PDF - 1.3MB]

Authorization Phase

September 1, 2021

SSP ATTACHMENT 13 - FedRAMP Integrated Inventory Workbook Template

The FedRAMP Integrated Inventory Workbook Template consolidates all of the inventory information previously required in five FedRAMP templates that included the SSP, ISCP, SAP, SAR, and POA&M.

[File Info: excel - 299KB]

Key Cloud Service Provider Documents

July 13, 2021

FedRAMP Authorization Boundary Guidance

This document provides CSPs with guidance for developing the authorization boundary for their offering(s), which is required for their FedRAMP authorization package.

[File Info: PDF - 293KB]

Authorization Phase

May 18, 2021

FedRAMP System Security Plan (SSP) Moderate Baseline Template

The FedRAMP SSP Moderate Baseline Template provides the FedRAMP Moderate baseline security control requirements for Moderate impact cloud systems. The template provides the framework to capture the system environment, system responsibilities, and the current status of the Moderate baseline controls required for the system.

[File Info: word - 726KB]

Authorization Phase

May 18, 2021

FedRAMP System Security Plan (SSP) Low Baseline Template

The FedRAMP SSP Low Baseline Template provides the FedRAMP Low baseline security control requirements for Low impact cloud systems. The template provides the framework to capture the system environment, system responsibilities, and the current status of the Low baseline controls required for the system.

[File Info: word - 478KB]

Authorization Phase

May 18, 2021

FedRAMP System Security Plan (SSP) High Baseline Template

The FedRAMP SSP High Baseline Template provides the FedRAMP High baseline security control requirements for High impact cloud systems. The template provides the framework to capture the system environment, system responsibilities, and the current status of the High baseline controls required for the system.

[File Info: word - 848KB]

Authorization Phase

May 18, 2021

FedRAMP Moderate Authorization Toolkit

This zip file contains files that will help all partners get a better understanding of the FedRAMP authorization process for those seeking a Moderate Authorization.

[File Info: zip - 3.2MB]

Authorization Phase

May 18, 2021

FedRAMP Low Authorization Toolkit

This zip file contains files that will help all partners get a better understanding of the FedRAMP authorization process for those seeking a Low Authorization.

[File Info: zip - 2.9MB]

Authorization Phase

May 18, 2021

FedRAMP High Authorization Toolkit

This zip file contains files that will help all partners get a better understanding of the FedRAMP authorization process for those seeking a High Authorization.

[File Info: zip - 3.1MB]

Continuous Monitoring Phase

April 15, 2021

Incident Communications Procedures

This document supports the Incident Communication Procedure for FedRAMP. This Incident Communication Procedure outlines the measures to consider so all parties effectively communicate during a security incident incurred by a FedRAMP authorized CSP.

[File Info: PDF - 328KB]

Authorization Phase

April 7, 2021

FedRAMP Agency Authorization Review Report Sample Template

The PMO uses this template to review Agency ATO packages.

[File Info: PDF - 91KB]

Authorization Phase

March 26, 2021

FedRAMP Initial Authorization Package Checklist

This checklist details the documents required for a complete FedRAMP initial authorization package. CSPs must submit this checklist along with their authorization package so that the FedRAMP PMO can verify their package is complete prior to conducting reviews.

[File Info: excel - 35KB]

FedRAMP Program Documents

March 16, 2021

Vulnerability Scanning Requirements for Containers

This document addresses FedRAMP compliance pertaining to the processes, architecture, and security considerations specific to vulnerability scanning for cloud systems using container technology.

[File Info: PDF - 164KB]

Key Cloud Service Provider Documents

December 11, 2020

Timeliness and Accuracy of Testing Requirements

This document outlines the timeliness and accuracy of testing requirements for evidence associated with an authorization package prior to a CSP entering the FedRAMP JAB P-ATO process.

[File Info: PDF - 390KB]

Key Agency Documents

December 11, 2020

FedRAMP Guide for Multi-Agency Continuous Monitoring

This document provides guidance to agencies and CSPs to assist with a framework for collaboration when managing Agency ATOs.

[File Info: PDF - 431KB]

Authorization Phase

December 7, 2020

FedRAMP Tailored Authorization Toolkit

This zip file contains files that will help all partners get a better understanding of the FedRAMP authorization process for those seeking a Tailored Authorization.

[File Info: zip - 1.4MB]

Authorization Phase

August 6, 2020

SSP ATTACHMENT 9 - FedRAMP Low or Moderate Control Implementation Summary (CIS) Workbook Template

The FedRAMP Low or Moderate CIS Workbook Template delineates the control responsibilities of CSPs and Federal Agencies and provides a summary of all required controls and enhancements across the system.

[File Info: excel - 339KB]

Authorization Phase

August 6, 2020

SSP ATTACHMENT 9 - FedRAMP High Control Implementation Summary (CIS) Workbook Template

The FedRAMP High CIS Workbook Template delineates the control responsibilities of CSPs and Federal Agencies and provides a summary of all required controls and enhancements across the system.

[File Info: excel - 314KB]

Authorization Phase

July 23, 2020

SSP ATTACHMENT 12 - FedRAMP Laws and Regulations Template

The FedRAMP Laws and Regulations Template provides a single source for applicable FedRAMP laws, regulations, standards, and guidance.

[File Info: excel - 292KB]

Preparation Phase

March 26, 2020

JAB Prioritization Criteria and Guidance

The purpose of this document is to outline the criteria by which CSPs are prioritized to work with the JAB toward a P-ATO, the JAB prioritization process, and the Business Case requirements for FedRAMP Connect. We ask that CSPs review this document in its entirety before beginning the FedRAMP Connect process.

[File Info: PDF - 398KB]

Authorization Phase

June 20, 2019

FedRAMP ATO Letter Template

The FedRAMP ATO Template is optional for Agencies to use when granting authorizations for CSOs that meet the FedRAMP requirements.

[File Info: word - 25KB]

Continuous Monitoring Phase

August 28, 2018

FedRAMP Vulnerability Deviation Request Form

This form provides a standardized method to document deviation requests and is used to document Risk Adjustments, False Positives, and Operational Requirements.

[File Info: excel - 375KB]

Continuous Monitoring Phase

August 28, 2018

FedRAMP Significant Change Form Template

This document was developed to capture the type(s) of system changes requested and the supporting details surrounding requested system changes, including FIPS 199. It can be used to request a significant change within an existing ATO.

[File Info: PDF - 2.1MB]

Continuous Monitoring Phase

August 28, 2018

FedRAMP New Cloud Service Offering (CSO) or Feature Onboarding Request Template

The FedRAMP CSO or Feature Onboarding Request Template is used to capture an accredited 3PAO’s assessment and attestation for onboarding a service or feature to an existing CSP’s system.

[File Info: word - 379KB]

Continuous Monitoring Phase

August 28, 2018

Significant Change Policies and Procedures

This document defines the FedRAMP policies and procedures for making significant changes. It provides requirements, guidance, and actions the FedRAMP PMO, AO, CSP, and 3PAO will take when a CSP wishes to make a significant change to its provisionally authorized cloud service.

[File Info: word - 563KB]

FedRAMP Tailored

August 28, 2018

APPENDIX B - FedRAMP Tailored LI-SaaS Template

Appendix B: FedRAMP Tailored LI-SaaS Framework Template shows CSPs how to describe the security risk posture of their cloud-based SaaS application, based on the FedRAMP Tailored LI-SaaS security control baseline.

[File Info: word - 616KB]

FedRAMP Program Documents

July 13, 2018

Joint Authorization Board Charter

The purpose of this Charter is to define the authority, objectives, membership, roles and responsibilities, meeting schedule, decision making requirements, and establishment of committees for the FedRAMP Joint Authorization Board (JAB) in accordance with OMB Memo “Security Authorizations of Information Systems in Cloud Computing Environments.”

[File Info: PDF - 248KB]

FedRAMP Program Documents

June 13, 2018

FedRAMP General Document Acceptance Criteria

The purpose of this document is to describe the general document acceptance criteria for FedRAMP to both writers and reviewers. These acceptance criteria apply to all documents FedRAMP reviews that do not have special checklists or acceptance criteria predefined for them.

[File Info: PDF - 315KB]

Continuous Monitoring Phase

April 4, 2018

Continuous Monitoring Strategy Guide

This document provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements.

[File Info: PDF - 1.2MB]

FedRAMP Program Documents

March 29, 2018

FedRAMP Accelerated: A Case Study for Change Within Government

This document captures FedRAMP’s experience with redesigning its JAB Authorization process based on stakeholder feedback and shares its insights on creating change within the Government.

[File Info: PDF - 1.2MB]

Key Cloud Service Provider Documents

March 20, 2018

Vulnerability Scanning Requirements

This guide describes the requirements for all vulnerability scans of FedRAMP Cloud Service Provider (CSP) systems for Joint Authorization Board (JAB) Provisional Authorizations (P-ATOs).

[File Info: PDF - 320KB]

Key Cloud Service Provider Documents

March 20, 2018

Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans

This document provides guidance for CSPs on sampling representative system components rather than scanning every component.

[File Info: PDF - 325KB]

Key Cloud Service Provider Documents

March 20, 2018

Automated Vulnerability Risk Adjustment Framework Guidance

This document provides CSPs with a framework to create and deploy an automated, CVSS-based vulnerability risk adjustment tool for vulnerabilities identified by vulnerability scanning tools. The document is in DRAFT form while FedRAMP pilots this process with CSPs over the next year or so.

[File Info: PDF - 349KB]

Continuous Monitoring Phase

February 23, 2018

Annual Assessment Controls Selection Worksheet

The FedRAMP Annual Assessment Controls Selection Worksheet provides a matrix to assist CSPs, 3PAOs, and Federal Agencies in assessing and tracking controls for their annual assessment.

[File Info: excel - 19KB]

Continuous Monitoring Phase

February 21, 2018

Continuous Monitoring Performance Management Guide

This document replaces the P-ATO Management and Revocation Guide and explains the actions FedRAMP will take when a CSP fails to maintain an adequate risk management program. It lays out the escalation processes and procedures as well as minimum mandatory escalation actions FedRAMP will take when a CSP fails to meet the requirements of the P-ATO. It also specifically addresses FedRAMP P-ATOs maintained by the JAB and enables FedRAMP to provide effective oversight of the CSP Continuous Monitoring programs.

[File Info: PDF - 819KB]

Continuous Monitoring Phase

January 31, 2018

Continuous Monitoring Monthly Executive Summary Template

This form provides the JAB reviewers and PMO with an executive summary of the monthly continuous monitoring submission from a CSP. It should detail all files that should be reviewed with that submission. It should be filled out and submitted with every monthly continuous monitoring submission by the CSP or their 3PAO.

[File Info: excel - 26KB]

Key Agency Documents

December 8, 2017

Control Specific Clauses

FedRAMP security control baselines specify control parameter requirements and organizational parameters specific to the provider’s control implementation. Since certain controls may be required to govern Agency user interaction, control organizational parameters may need to be included in the task order and specified. The FedRAMP PMO suggests that agencies review the FedRAMP security control baseline, and that agencies do not contractually specify parameters for controls in the FedRAMP baseline, except from the perspective of a consumer’s implementation of a control.

[File Info: PDF - 362KB]

Continuous Monitoring Phase

November 24, 2017

Annual Assessment Guidance

The FedRAMP Annual Assessment Guidance provides guidance to assist CSPs, 3PAOs, and Federal Agencies in determining the scope of an annual assessment based on NIST SP 800-53, revision 4, FedRAMP baseline security requirements, and FedRAMP continuous monitoring requirements.

[File Info: PDF - 460KB]

FedRAMP Tailored

November 14, 2017

APPENDIX A - FedRAMP Tailored Security Controls Baseline

Appendix A: FedRAMP Tailored Security Controls Baseline provides the LI-SaaS Baseline controls that CSPs must address. This template is also contained within the FedRAMP Security Controls Baseline, located on the Documents page.

[File Info: excel - 99KB]

FedRAMP Tailored

September 28, 2017

FedRAMP Tailored LI-SaaS Requirements

FedRAMP Tailored Security Requirements for Low Impact Software as a Service (LI-SaaS) provides the minimum security control requirements for authorizing a LI-SaaS.

[File Info: word - 123KB]

FedRAMP Tailored

September 28, 2017

APPENDIX E - FedRAMP Tailored LI-SaaS Self-Attestation Requirements

Appendix E: FedRAMP Tailored LI-SaaS Self-Attestation Requirements provides the system requirements that the CSP must attest to for their CSO.

[File Info: word - 48KB]

FedRAMP Tailored

September 28, 2017

APPENDIX D - FedRAMP Tailored LI-SaaS Continuous Monitoring Guide

Appendix D: FedRAMP Tailored LI-SaaS Continuous Monitoring Guide provides guidance on continuous monitoring and ongoing authorization to maintain a security authorization that meets the FedRAMP Tailored LI-SaaS requirements.

[File Info: word - 339KB]

FedRAMP Tailored

September 28, 2017

APPENDIX C - FedRAMP Tailored LI-SaaS ATO Letter Template

Appendix C: FedRAMP Tailored LI-SaaS ATO Letter Template is a resource for Agencies to use when granting authorizations for CSOs that meet the FedRAMP LI-SaaS requirements.

[File Info: word - 29KB]

Continuous Monitoring Phase

June 16, 2017

FedRAMP Annual Security Assessment Report (SAR) Template

The FedRAMP Annual SAR Template provides a framework for 3PAOs to evaluate a cloud system’s implementation of and compliance with system-specific, baseline security controls required by FedRAMP. The template is intended for 3PAOs to report annual security assessment findings for CSPs.

[File Info: word - 474KB]

Authorization Phase

June 6, 2017

SSP ATTACHMENT 6 - FedRAMP Information System Contingency Plan (ISCP) Template

This template supports the ISCP requirements for FedRAMP. An ISCP denotes interim measures to recover information system services following an unprecedented emergency or system disruption.

[File Info: word - 452KB]

Authorization Phase

June 6, 2017

SSP ATTACHMENT 5 - FedRAMP Rules of Behavior (RoB) Template

The FedRAMP RoB Template describes security controls associated with user responsibilities and specific expectations of behavior for following security policies, standards, and procedures.

[File Info: word - 366KB]

Authorization Phase

June 6, 2017

SSP ATTACHMENT 4 - FedRAMP Privacy Impact Assessment (PIA) Template

The FedRAMP PIA Template is used to determine if a system collects and/or stores Personally Identifiable Information (PII) as defined in OMB Memorandum M-07-16.

[File Info: word - 275KB]

Authorization Phase

June 6, 2017

FedRAMP Security Assessment Report (SAR) Template

The FedRAMP SAR Template provides a framework for 3PAOs to evaluate a cloud system’s implementation of and compliance with system-specific, baseline security controls required by FedRAMP.

[File Info: word - 360KB]

Authorization Phase

June 6, 2017

FedRAMP Security Assessment Plan (SAP) Template

The FedRAMP SAP Template is intended for 3PAOs to plan CSP security assessment testing. Once completed, this template constitutes a plan for testing security controls.

[File Info: word - 318KB]

Continuous Monitoring Phase

June 6, 2017

FedRAMP Annual Security Assessment Plan (SAP) Template

The FedRAMP Annual SAP Template is intended for 3PAOs to plan a cloud system’s annual assessment and, once completed, constitutes a plan for testing.

[File Info: word - 341KB]

Key Cloud Service Provider Documents

May 18, 2017

CSP JAB P-ATO Roles and Responsibilities

This document provides an overview of a CSP’s roles and responsibilities in the JAB P-ATO Process.

[File Info: PDF - 243KB]

Authorization Phase

March 10, 2017

SAP APPENDIX A - FedRAMP Moderate Security Test Case Procedures Template

The FedRAMP Moderate Security Test Case Procedures Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.

[File Info: excel - 336KB]

Authorization Phase

March 10, 2017

SAP APPENDIX A - FedRAMP Low Security Test Case Procedures Template

The FedRAMP Low Security Test Case Procedures Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.

[File Info: excel - 213KB]

Authorization Phase

March 10, 2017

SAP APPENDIX A - FedRAMP High Security Test Case Procedures Template

The FedRAMP High Security Test Case Procedures Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.

[File Info: excel - 395KB]

Authorization Phase

March 9, 2017

SAR APPENDIX A - FedRAMP Risk Exposure Table Template

The FedRAMP Risk Exposure Table Template is designed to capture all security weaknesses and deficiencies identified during security assessment testing.

[File Info: excel - 20KB]

FedRAMP Program Documents

December 8, 2011

FedRAMP Policy Memo

This memorandum: 1) establishes Federal policy for the protection of Federal information in cloud services; 2) describes the key components of FedRAMP and its operational capabilities; 3) defines Executive department and Agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and 4) defines the requirements for Executive departments and Agencies using FedRAMP in the acquisition of cloud services.

[File Info: PDF - 208KB]