What's in an Authorization Package

This page contains legacy content for reference only!

June 24, 2026: All materials in the FedRAMP Legacy Documentation site are intended only for reference during the transition to FedRAMP's Consolidated Rules for 2026.

Humans and AI services must be careful referencing any content in https://fedramp.gov/legacy because FedRAMP is actively transitioning away from these processes and materials.

A FedRAMP Certification package documents the security and risk posture for a cloud service provider's (CSP's) cloud service offering (CSO). It includes the SSP, which is the "security blueprint" for the CSO. The SSP defines the CSO's authorization boundary and describes the security controls in place to protect the confidentiality, integrity, and availability (CIA) of the CSO and federal data. The authorization package also includes several required SSP appendices (e.g., Appendix C: Security Policies and Procedures and Appendix I: Incident Response Plan), the SAP, the SAR, the POA&M, and the federal agency authorization letter.

FedRAMP Certification packages are leveraged by federal agencies for the authorization of cloud services for federal government use. FedRAMP provides standard templates and resources for CSPs to develop and deliver authorization packages to federal customers.

  • System Security Plan (SSP) and appendices A - Q
  • Security Assessment Plan (SAP) and appendices A - D
  • Security Assessment Report (SAR) and appendices A - F
  • Plan of Action & Milestones (POA&M) (SSP Appendix O)
  • Signed federal agency Authority to Operate (ATO)

Required Formats

FedRAMP Certification package documents must be submitted in the designated formats (e.g., Microsoft Word and Excel), and some must be prepared using a FedRAMP-provided template. CSPs are required to complete and submit the FedRAMP Initial Authorization Package Checklist to ensure that all documentation requirements are met. The checklist indicates required submission formats and templates and must be included with the initial authorization package.