Preparation Outline
- Readiness Assessment: Optional, but highly recommended
  - RAR Development
  - FedRAMP Review of RAR
  - Remediation (if needed)
  - Marketplace Designation: Ready
- Pre-Authorization:
  - Partnership Establishment
  - Authorization Planning
  - Kickoff Meeting
  - Marketplace Designation: In Process
1. Preparation
Readiness Assessment
In the Readiness Assessment step, a CSP may elect to pursue the FedRAMP Ready designation, which is optional for the Agency Authorization process, but highly recommended. To achieve the FedRAMP Ready designation, a CSP must work with an accredited Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP's capability to meet federal security requirements. More information regarding steps to achieve FedRAMP Ready can be found on the About FedRAMP Marketplace page.
Pre-Authorization
During the Pre-Authorization step, a CSP formalizes its partnership with an agency via the requirements outlined on the About FedRAMP Marketplace page. A CSP also prepares to undergo the authorization process: it makes any necessary technical and procedural adjustments to address federal security requirements and prepares the security deliverables required for authorization.
By this stage, a CSP should:
- Have a system that is fully built and functional
- Have a leadership team that is committed and fully on board with the FedRAMP process
- Submit a CSP Information Form
- Determine the security categorization of the data that will be placed within the system using the FedRAMP Federal Information Processing Standards (FIPS) 199 Categorization Template (located in Appendix K of the System Security Plan (SSP) template), along with the guidance of FIPS Pub 199 [PDF - 78KB] and NIST Special Publication 800-60 Volume 2 Revision 1, to correctly categorize the system based on the types of information processed, stored, and transmitted on it
The final step in Pre-Authorization is to prepare for and conduct a Kickoff Meeting. During the Kickoff Meeting, a CSP and agency will discuss:
- The background and functionality of the cloud service
- The technical security of the cloud service, including the system architecture, the authorization boundary, data flows, and core security capabilities
- Customer responsible controls that must be implemented and tested by the Agency
- Compliance gaps and remediation plans
- A work breakdown structure, milestones, and next steps
Resources
The resources below provide additional guidance on the Agency Authorization path. Additional technical guidance as well as FedRAMP templates are located on our Documents & Templates page under resources.
CSP Authorization Playbook
An overview of all of the partners involved in a FedRAMP authorization, things to consider when determining your authorization strategy, the types of authorizations, and important considerations for your offering when working with FedRAMP.
Agency Authorization Playbook
A compilation of best practices, tips, and step-by-step guidance for Agencies seeking to implement ATOs.
Authorization Boundary Guidance
This document provides CSPs guidance for developing the authorization boundary for their offering(s) which is required for their FedRAMP authorization package.
FedRAMP Security Controls Baseline
This document provides the catalog of FedRAMP High, Moderate, Low, and Tailored LI-SaaS baseline security controls, along with additional guidance and requirements.