Rev5 Agency Authorization

Pursuing a FedRAMP® Agency Authorization

In the Agency Authorization path, agencies work directly with a Cloud Service Provider (CSP) for authorization. CSPs that make a business decision to work directly with an agency to pursue an Authority to Operate (ATO) will work with the agency throughout the FedRAMP Authorization process.

Documents and Templates

Date | Resource Name | Description
2025-01-17 | CSP Authorization Playbook | This CSP Authorization Playbook provides an overview of all of the partners involved in a FedRAMP authorization, things to consider when determining your authorization strategy, the types of authorizations, and important considerations for your offering when working with FedRAMP.
2025-01-16 | FedRAMP Policy for Cryptographic Module Selection | This FedRAMP policy outlines requirements and recommendations for cloud service providers (CSPs), independent assessors (IAs), designated leads, and package reviewers regarding the selection and use of cryptographic modules to protect federal information.
2024-12-06 | SSP Appendix M - Integrated Inventory Workbook Template | The FedRAMP Integrated Inventory Workbook Template consolidates all of the inventory information previously required in five FedRAMP templates that included the SSP, ISCP, SAP, SAR, and POA&M.
2024-12-06 | SSP Appendix G - Information System Contingency Plan (ISCP) Template | This template supports the ISCP requirements for FedRAMP. An ISCP denotes interim measures to recover information system services following an unprecedented emergency or system disruption.
2024-12-06 | FedRAMP Security Assessment Report (SAR) Template | The FedRAMP SAR Template provides a framework for 3PAOs to evaluate a cloud system’s implementation of and compliance with system-specific, baseline security controls required by FedRAMP. This SAR template is used to document assessment results associated with Initial Assessments, Annual Assessments, and Significant Change Requests.
2024-12-06 | Agency Authorization Playbook | A compilation of best practices, tips, and step-by-step guidance for Agencies seeking to implement ATOs.
2024-12-04 | FedRAMP Continuous Monitoring Deliverables Template | This template is used to identify the schedule and location for monthly and annual continuous monitoring deliverables.
2024-11-19 | Continuous Monitoring Monthly Executive Summary Template | This form provides FedRAMP and Agency Authorizing Officials (AOs) with an executive summary of the monthly continuous monitoring submission from a CSP. It includes references to all files that should be reviewed with that submission. The ConMon Executive Summary is updated and submitted with every monthly continuous monitoring submission by the CSP.
2024-11-08 | FedRAMP SAR Appendix B - Moderate Security Requirements Traceability Matrix Template | The FedRAMP Moderate Security Requirements Traceability Matrix Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.
2024-11-08 | FedRAMP SAR Appendix B - Low Security Requirements Traceability Matrix Template | The FedRAMP Low Security Requirements Traceability Matrix Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.
2024-11-08 | FedRAMP SAR Appendix B - High Security Requirements Traceability Matrix Template | The FedRAMP High Security Requirements Traceability Matrix Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.
2024-10-17 | 3PAO Readiness Assessment Report Guide | This document provides 3PAOs with guidance on how best to utilize the Readiness Assessment Report (RAR). It provides a shared understanding of the RAR’s intent, process, and best practices in service of improving the likelihood of 3PAOs successfully completing the RAR.
2024-09-30 | SSP Appendix A - High FedRAMP Security Controls | The SSP Appendix A High FedRAMP Security Controls template provides the FedRAMP High baseline security control requirements for High impact cloud systems.
2024-09-30 | Incident Communications Procedures | This document supports the Incident Communication Procedure for FedRAMP. This Incident Communication Procedure outlines the measures to consider so all parties effectively communicate during a security incident incurred by a FedRAMP authorized CSP.
2024-08-08 | FedRAMP Vulnerability Deviation Request Form | This form provides a standardized method to document deviation requests and is used to document Risk Adjustments, False Positives, and Operational Requirements.
2024-08-08 | FedRAMP H-M-L-Li Review Report Template - Rev. 4 | FedRAMP uses this template to review Agency ATO packages.
2024-05-31 | FedRAMP High Readiness Assessment Report (RAR) Template | The FedRAMP High RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a cloud service offering based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a FedRAMP authorization for the cloud service offering.
2024-05-31 | FedRAMP Moderate Readiness Assessment Report (RAR) Template | The FedRAMP Moderate RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a cloud service offering based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a FedRAMP authorization for the cloud service offering.
2024-04-30 | FedRAMP Package Access Request Form | Form that must be completed to gain access to a FedRAMP security assessment package.
2024-03-29 | SAR Appendix A - FedRAMP Risk Exposure Table (RET) Template | The FedRAMP Risk Exposure Table Template is designed to capture all security weaknesses and deficiencies identified during security assessment testing.
2024-03-29 | FedRAMP Plan of Action and Milestones (POA&M) Template | The FedRAMP POA&M Template provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts. This template is intended to be used as a tracking tool for risk mitigation in accordance with CSP priorities.
2024-03-04 | Annual Assessment Controls Selection Worksheet | The FedRAMP Annual Assessment Controls Selection Worksheet provides a matrix to assist CSPs, 3PAOs, and Federal Agencies in assessing and tracking controls for their annual assessment.
2024-02-15 | SSP Appendix A - Moderate FedRAMP Security Controls | The SSP Appendix A Moderate FedRAMP Security Controls template provides the FedRAMP Moderate baseline security control requirements for Moderate impact cloud systems.
2024-02-15 | FedRAMP Rev. 4 to Rev. 5 Assessment Controls Selection Template | The FedRAMP Rev. 4 to Rev. 5 Assessment Controls Selection Template is used by CSPs to determine the scope of the assessment associated with the Rev. 4 to Rev. 5 transition.
2024-02-15 | Annual Assessment Guidance | The FedRAMP Annual Assessment Guidance provides guidance to assist CSPs, 3PAOs, and Federal Agencies in determining the scope of an annual assessment based on NIST SP 800-53, revision 4, FedRAMP baseline security requirements, and FedRAMP continuous monitoring requirements.
2024-02-15 | Vulnerability Scanning Requirements | This guide describes the vulnerability scan requirements for CSPs that are FedRAMP Authorized, or are seeking a FedRAMP authorization for a cloud service offering.
2023-10-13 | FedRAMP High, Moderate, Low, LI-SaaS Baseline System Security Plan (SSP) | The FedRAMP High, Moderate, Low, LI-SaaS Baseline SSP Template provides the framework to describe the system, the service offering components and features, and its security posture in the relevant diagrams, tables, and security controls of the High, Moderate, Low, or LI-SaaS impact cloud system.
2023-08-30 | FedRAMP General Document Acceptance Criteria | The purpose of this document is to describe the general document acceptance criteria for FedRAMP to both writers and reviewers. This acceptance criterion applies to all documents FedRAMP reviews that do not have special checklists or acceptance criteria predefined for them.
2023-08-30 | FedRAMP Collaborative ConMon Quick Guide | This document provides CSPs with a recommended framework for establishing a Collaborative ConMon approach.
2023-08-30 | SSP Appendix A - LI-SaaS FedRAMP Security Controls | The SSP Appendix A LI-SaaS FedRAMP Security Controls template provides the FedRAMP baseline security control requirements for LI-SaaS impact cloud systems.
2023-08-30 | SSP Appendix A - Low FedRAMP Security Controls | The SSP Appendix A Low FedRAMP Security Controls template provides the FedRAMP Low baseline security control requirements for Low impact cloud systems.
2023-08-30 | Continuous Monitoring Performance Management Guide | This document explains the actions FedRAMP or Agency Authorizing Officials (AOs) may take when a CSP fails to maintain an adequate risk management program for its FedRAMP-authorized cloud service offering. It lays out the escalation processes and procedures as well as minimum mandatory escalation actions FedRAMP or Agency AOs will take when a CSP fails to meet the requirements of the authorization.
2023-07-13 | SSP Appendix J - CSO CIS and CRM Workbook | The SSP Appendix J CIS and CRM Workbook template delineates the control responsibilities of CSPs and Federal Agencies and provides a summary of all required controls and enhancements across the system. The template provides the necessary workbooks for High, Moderate, Low, or LI-SaaS impact cloud systems.
2023-06-30 | FedRAMP Laws, Regulations, Standards and Guidance Reference | The FedRAMP Laws and Regulations Template provides a single source for applicable FedRAMP laws, regulations, standards, and guidance.
2023-06-30 | SSP Appendix F - Rules of Behavior (RoB) Template | The FedRAMP RoB Template describes security controls associated with user responsibilities and specific expectations of behavior for following security policies, standards, and procedures.
2023-06-30 | FedRAMP Security Assessment Plan (SAP) Template | The FedRAMP SAP Template is intended for 3PAOs to plan CSP security assessment testing. Once completed, this template constitutes a plan for testing security controls. This SAP template is used to document the assessment plan associated with Initial Assessments, Annual Assessments, and Significant Change Requests.
2023-06-30 | FedRAMP Initial Authorization Package Checklist | This checklist details the documents required for a complete FedRAMP initial authorization package. CSPs must submit this checklist along with their authorization package so that the FedRAMP PMO can verify their package is complete prior to conducting reviews.
2023-06-30 | SSP Appendix Q - Cryptographic Modules Table | The SSP Appendix Q Cryptographic Modules Table template documents the encryption status of all areas/flows of all data, to include: data at rest, data in transit across the boundary, data in transit within the boundary, remote access mechanisms (e.g., IPSec VPN), key management, key generation, underlying system config (e.g., running in FIPS mode), authentication, and digital signatures.
2023-05-30 | FedRAMP Security Controls Baseline | This document provides the catalog of FedRAMP High, Moderate, Low, and Tailored LI-SaaS baseline security controls, along with additional guidance and requirements.
2023-04-06 | 3PAO Obligations and Performance Guide | This document provides guidance for 3PAOs on demonstrating the quality, independence, and FedRAMP knowledge required as they perform security assessments on cloud systems.
2022-09-01 | Branding Guidance | This document provides guidelines on the use of the FedRAMP name, logo, and marks on all FedRAMP marketing and collateral materials. General guidelines are provided first, followed by more specific guidelines for the two major uses of FedRAMP marks: Designation of FedRAMP 3PAO accreditation and FedRAMP Security Authorization.
2022-07-26 | Reusing Authorizations for Cloud Products Quick Guide | This quick guide outlines steps and guidance to help agencies quickly and efficiently reuse authorized cloud products within the FedRAMP Marketplace.
2022-06-30 | Penetration Test Guidance | The purpose of this document is to provide guidelines for organizations on planning and conducting Penetration Testing and analyzing and reporting on findings.
2022-06-21 | Subnets White Paper | This white paper is to help our stakeholders understand FedRAMP subnetworks (subnets) requirements. The paper covers what subnets are, why they matter, and actions cloud service providers (CSPs) should take to ensure compliance.
2022-02-15 | Threat-Based Risk Profiling Methodology White Paper | This white paper describes the methodology behind which security controls and capabilities are most effective to protect, detect, and respond to current prevalent threats. The paper outlines the threat-based scoring approach and its potential applications.
2021-11-23 | Plan of Action and Milestones (POA&M) Template Completion Guide | The FedRAMP POA&M Template Completion Guide provides explicit guidance on how to complete the POA&M Template and provides guidance to ensure that the CSP is meeting POA&M requirements.
2021-07-13 | FedRAMP Authorization Boundary Guidance | This document provides CSPs guidance for developing the authorization boundary for their offering(s) which is required for their FedRAMP authorization package.
2021-03-16 | Vulnerability Scanning Requirements for Containers | This document addresses FedRAMP compliance pertaining to the processes, architecture, and security considerations specific to vulnerability scanning for cloud systems using container technology.
2020-12-11 | Timeliness and Accuracy of Testing Requirements | This document describes the timeliness and accuracy of testing requirements for CSPs seeking a FedRAMP authorization.
2019-06-20 | FedRAMP ATO Letter Template | The FedRAMP ATO Template is optional for Agencies to use when granting authorizations for CSOs that meet the FedRAMP requirements.
2018-08-28 | FedRAMP New Cloud Service Offering (CSO) or Feature Onboarding Request Template | The FedRAMP CSO or Feature Onboarding Request Template is used to capture an accredited 3PAO's assessment and attestation for onboarding a service or feature to an existing CSP’s system.
2018-08-28 | Significant Change Policies and Procedures | This document defines the FedRAMP policies and procedures for making significant changes. It provides requirements, guidance, and actions the FedRAMP PMO, AO, CSP, and 3PAO will take when a CSP wishes to make a significant change to its provisionally authorized cloud service.
2018-08-28 | FedRAMP Significant Change Form Template | This document was developed to capture the type(s) of system changes requested and the supporting details surrounding requested system changes, including FIPS 199. It can be used to request a significant change within an existing ATO.
2018-04-04 | Continuous Monitoring Strategy Guide | This document provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements.
2018-03-20 | Automated Vulnerability Risk Adjustment Framework Guidance | This document provides CSPs with a framework to create and deploy an automated, CVSS-based vulnerability risk adjustment tool for vulnerabilities identified by vulnerability scanning tools. The document is in DRAFT form while FedRAMP pilots this process with CSPs over the next year or so.
2018-03-20 | Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans | This document provides guidance for CSPs on sampling representative system components rather than scanning every component.
2017-05-18 | CSP JAB P-ATO Roles and Responsibilities | This document provides an overview of a CSP’s roles and responsibilities in the JAB P-ATO Process.
2011-12-08 | FedRAMP Policy Memo | This memorandum: 1) establishes Federal policy for the protection of Federal information in cloud services; 2) describes the key components of FedRAMP and its operational capabilities; 3) defines Executive department and Agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and 4) defines the requirements for Executive departments and Agencies using FedRAMP in the acquisition of cloud services.