All Items (39)
3PAO Obligations and Performance Guide
Provides guidance for 3PAOs on the quality, independence, personnel, and FedRAMP knowledge standards required to become a FedRAMP recognized 3PAO and how to maintain recognition
3PAO Readiness Assessment Report Guide
Provides 3PAOs with guidance on how best to utilize the FedRAMP Readiness Assessment Report (RAR) Template
Agency Authorization Playbook
Compilation of best practices, tips, and step-by-step guidance for agencies seeking FedRAMP authorization
Annual Assessment Controls Selection Worksheet
Provides a matrix to assist CSPs, 3PAOs, and federal agencies in assessing and tracking controls for their annual assessment
Branding Guidance
Provides guidelines on the use of the FedRAMP name, logo, and marks on all FedRAMP-related marketing and collateral materials
Continuous Monitoring Monthly Executive Summary Template
Provides FedRAMP and agency authorizing officials (AOs) with an executive summary of a CSP's monthly continuous monitoring submission
Continuous Monitoring Playbook
Provides an overview of FedRAMP Rev 5 continuous monitoring (ConMon) requirements and activities, along with guidance and best practices
CSP Authorization Playbook
Provides an overview of all of the partners involved in a FedRAMP authorization, things to consider when determining your authorization strategy, the types of authorizations, and important considerations for your offering when working with FedRAMP
FedRAMP ATO Letter Template
An optional template for agencies to use when granting authorizations for CSOs
FedRAMP Authorization Boundary Guidance
Provides CSPs guidance for developing the authorization boundary for their offering(s)
FedRAMP Continuous Monitoring Deliverables Template
Used to identify the schedule and location for monthly and annual continuous monitoring deliverables
FedRAMP High Readiness Assessment Report (RAR) Template
Used to evaluate a CSO's organizational processes and security capabilities at the High impact level
FedRAMP High, Moderate, Low, LI-SaaS Baseline System Security Plan (SSP)
Provides the framework to describe a CSO; the service offering's components and features; and its security posture
FedRAMP Initial Authorization Package Checklist
Details the documents required for a complete FedRAMP initial authorization package
FedRAMP Moderate Readiness Assessment Report (RAR) Template
Used to evaluate a CSO's organizational processes and security capabilities at the Moderate impact level
FedRAMP Package Access Request Form
Used by federal agencies to gain access to FedRAMP Authorized packages
FedRAMP Plan of Action and Milestones (POA&M) Template
Provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts
FedRAMP Policy for Cryptographic Module Selection v1.1.0
Outlines requirements and recommendations for CSPs, 3PAOs, designated leads, and package reviewers regarding the selection and use of cryptographic modules to protect federal information
FedRAMP SAR Appendix B - High Security Requirements Traceability Matrix Template
Provides a standard risk and controls template for assessing High baseline controls and helps to drive consistency in 3PAO annual assessment testing
FedRAMP SAR Appendix B - Low Security Requirements Traceability Matrix Template
Provides a standard risk and controls template for assessing Low baseline controls and helps to drive consistency in 3PAO annual assessment testing
FedRAMP SAR Appendix B - Moderate Security Requirements Traceability Matrix Template
Provides a standard risk and controls template for assessing Moderate baseline controls and helps to drive consistency in 3PAO annual assessment testing
FedRAMP Security Assessment Plan (SAP) Template
Designed for 3PAOs to plan CSP security assessment testing associated with initial authorization assessments, annual assessments, and SCRs
FedRAMP Security Assessment Report (SAR) Template
Provides a framework for 3PAOs to evaluate a cloud system’s implementation of and compliance with system-specific, baseline security controls required by FedRAMP
FedRAMP Security Controls Baseline
Provides the catalog of FedRAMP High, Moderate, Low, and LI-SaaS baseline security controls along with additional guidance and requirements
FedRAMP Vulnerability Deviation Request Form
Provides a standardized method to document deviation requests and is used to document risk adjustments, false positives, and operational requirements
Penetration Test Guidance
Provides guidelines for organizations on how to plan and conduct penetration testing
Reusing Authorizations for Cloud Products Quick Guide
Outlines steps and guidance to help agencies quickly and efficiently reuse authorized cloud offerings within the FedRAMP Marketplace
SAR Appendix A - FedRAMP Risk Exposure Table (RET) Template
The FedRAMP Risk Exposure Table Template is designed to capture all security weaknesses and deficiencies identified during security assessment testing.
SSP Appendix A - High FedRAMP Security Controls
Provides the FedRAMP High baseline security control requirements for High impact CSOs
SSP Appendix A - LI-SaaS FedRAMP Security Controls
Provides the FedRAMP baseline security control requirements for LI-SaaS impact cloud systems
SSP Appendix A - Low FedRAMP Security Controls
Provides the FedRAMP Low baseline security control requirements for Low impact cloud systems
SSP Appendix A - Moderate FedRAMP Security Controls
Provides the FedRAMP Moderate baseline security control requirements for Moderate impact CSOs
SSP Appendix F - Rules of Behavior (RoB) Template
Describes the security controls associated with user responsibilities and specific expectations of behavior for following security policies, standards, and procedures
SSP Appendix G - Information System Contingency Plan (ISCP) Template
Supports the ISCP requirements for FedRAMP
SSP Appendix J - CIS and CRM Workbook
Delineates the control responsibilities of CSPs and agencies and provides a summary of all required controls and enhancements across a CSO
SSP Appendix M - Integrated Inventory Workbook Template
Consolidates all of the inventory information previously required in five FedRAMP templates that included the SSP, ISCP, SAP, SAR, and POA&M
SSP Appendix Q - Cryptographic Modules Table
Documents the encryption status of all areas/flows of data associated with a CSO
Timeliness and Accuracy of Testing Requirements
Describes the timeliness and accuracy of testing requirements for CSPs seeking a FedRAMP authorization
Vulnerability Scanning Requirements for Containers
Addresses FedRAMP compliance pertaining to the processes, architecture, and security considerations specific to vulnerability scanning for CSOs using container technology