Types of Resources Available
Learning is a core component of FedRAMP. FedRAMP provides online courses and videos to inform our stakeholders every step of the way. This page captures the various learning opportunities FedRAMP provides to the community.
Deep-dive courses on various elements of the authorization process and what’s required of specific stakeholder groups. These online courses are available to all stakeholders to better understand the FedRAMP Authorization process.
In-Person Trainings and Events
The FedRAMP Program Management Office (PMO) provides hands-on training opportunities on specific topics for all audiences. To receive announcements for in-person trainings, please subscribe for email updates.
These online courses consist of on-demand modules designed for specific stakeholder groups. Each course provides an in-depth focus around a specific step in the FedRAMP Authorization process. Throughout each course, stakeholders will gain a better understanding of roles and responsibilities, security requirements, and best practices.
Cloud Service Providers
200-A: FedRAMP System Security Plan (SSP) Required Documents
This course provides CSPs with a deeper understanding of the detail and rigor required to complete the System Security Plan (SSP). The SSP is the main document of a security package in which a CSP describes all of the security controls in use on the information system and their implementation. This course will familiarize the CSP with the required documentation for initial package submission and give a detailed overview of FedRAMP’s SSP template and its supporting documents.
200-B: Security Assessment Plan (SAP)
This module is designed to help FedRAMP Assessors understand how to write specific sections of the Security Assessment Plan (SAP) documents which contain the test plan to assess the security controls of a system. In addition, this course will cover the program’s reporting requirements for the SAP.
200-C: Security Assessment Report (SAR)
This course is designed to help FedRAMP Assessors understand how to write specific sections of the Security Assessment Report (SAR). The SAR is required by FedRAMP to evaluate the system’s implementation of, and compliance with, the FedRAMP baseline security controls, and thus the system’s compliance with Federal Information Security Modernization Act (FISMA) security mandates.
200-D: Continuous Monitoring Overview
This course provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. This course is structured for a CSP going through the JAB path with a Third Party Assessment Organization (3PAO), or a 3PAO conducting an assessment of the cloud system.
201-B: How to Write a Control
This course gives an overview for a CSP of how to properly write a control that will satisfy the program’s requirements. This course is designed for a CSP pursuing a JAB Authorization with a 3PAO, or a 3PAO conducting an assessment of the cloud system.
Third Party Assessors
Instructions for Accessing the 3PAO Modules
For detailed instructions on registering and accessing the courses, reference the GSA Learning Academy User Guide. This guide includes instructions on how to register, set up two-factor authentication, enroll in courses, and access the platform.
- STEP 1: Go to the GSA Learning Academy User Registration
- STEP 2: Select my programs on the top navigation, then request enrollment
- STEP 1: Under program enrollment, select Federal Authorization and Management (FedRAMP) Training, from the drop down
- Please answer the following questions in the Remarks section using the following answers:
  | Question | Answer |
  | --- | --- |
  | Are you a Federal Employee or Contractor? | N/A |
  | Who is your Program POC? | N/A |
  | Why are you requesting access to this program? | FedRAMP Recognized 3PAO |
- Click “request to enroll”
Accessing the courses after approval:
After your request to register for a GSA Learning Academy program has been approved, you will receive an additional email from the GSA Learning Academy in approximately three business days. This email will contain a link you will use to create a password. Use these credentials to log into the GSA Learning Academy and begin the 3PAO modules. You will have access to the modules for 60 days.
Note: The GSA Learning Academy (where you will complete the courses) is separate from the User Registration System. Therefore, you will need to create a new password to log into the GSA Learning Academy to begin the courses.
Updated 3PAO Requirements (replaces 300-A course)
FedRAMP, in partnership with the American Association for Laboratory Accreditation (A2LA), updated the “R311 - Specific Requirements: FedRAMP,” which includes new and strengthened qualifications for existing and new 3PAOs.
In this recorded webinar on updated 3PAO requirements from November 2018, the Program Management Office (PMO) covered the following key updates:
- Incorporation of the R346 – Specific Requirements: Baltimore Cyber Range (BCR) Cybersecurity Technical Proficiency Activity Information, which requires all 3PAO assessors to take a hands-on proficiency exercise, conducted by the Baltimore Cyber Range (BCR), at initial accreditation and annually thereafter
- Accreditation to ISO/IEC 17020, under the A2LA Cybersecurity Inspection Body Program, for a period of one year as evidence of implementation of a 3PAO’s quality management system
- Forty hours of Continuing Professional Education (CPE) or equivalent for each 3PAO assessment team member
- Regular FedRAMP PMO touch-points with 3PAOs and CSPs for feedback on deliverables and customer experience
- Guidance for non-U.S.-based 3PAO personnel and/or OCONUS operations
300-B: 3PAO Security Assessment Plan (SAP) Guidance
This course provides 3PAOs with guidance on FedRAMP requirements for creating a robust SAP. A SAP contains the test plan to assess the security controls of a system and functions as a detailed roadmap of the approach and methodology for the assessment of a CSP’s cloud service offering.
300-C: 3PAO Security Assessment Report (SAR) Guidance
This course provides 3PAOs with guidance on FedRAMP requirements for creating a robust SAR.
300-D: 3PAO Documenting Evidence Procedures
This course provides 3PAOs with guidance on FedRAMP requirements for documenting evidence collected during the assessment and how to populate the SAR.
300-E: 3PAO Vulnerability Scanning Methodology and Documentation
This course describes the FedRAMP Vulnerability Scanning and the Testing Criteria, including Timeliness/Accuracy of Testing requirements. It identifies CSP and 3PAO requirements for vulnerability scanning on a system and teaches how to document results to meet FedRAMP requirements for initial authorization assessments and annual assessments. It also discusses the inter-relationships between the vulnerability scanning methodology, continuous monitoring, and the FedRAMP Continuous Monitoring Performance Management Guide.
300-F: 3PAO Review of Security Assessment Report (SAR) Tables
This course provides 3PAOs with a detailed description of each SAR table and the information required to correctly populate each table. Populating FedRAMP SAR Tables can be a challenge and this course identifies five common SAR table mistakes, how to avoid making them, and how to accurately document and total deficiencies and findings.
300-G: Readiness Assessment Report (RAR) Preparation
This course provides an overview of how the FedRAMP security requirements must align with a CSP’s system security capabilities before the CSP system can be approved as FedRAMP Ready.
400-A: ISSO On-Demand Modules
This training is designed for Information System Security Officers (ISSOs) based on FedRAMP’s Agency Authorization Playbook and includes a deep dive into each authorization phase. This course provides ISSOs the knowledge necessary to effectively review FedRAMP Authorization packages for cloud services and understand the FedRAMP framework and available resources.
This course is currently unavailable