Accessing a CSP’s FedRAMP Materials through OMB Max- A Guide for Agencies
The FedRAMP PMO frequently encounters questions from Agencies about how to gain access to a CSP’s FedRAMP materials. A common misperception exists that Federal Agencies should contact Cloud Service Providers (CSPs) directly to obtain these security package documents.
Agencies that are currently using or who want to evaluate specific FedRAMP authorized Cloud Service Offerings (CSOs) are able to access FedRAMP security packages directly through the FedRAMP Secure Repository, located on OMB MAX. In this blog post, we outline the process for obtaining FedRAMP materials through OMB MAX.
Registration for OMB MAX can be completed at https://omb.max.gov. Agency employees and contractors must use their .gov or .mil email address when registering for access. Once registered, agency employees and contractors must request access to CSP-specific FedRAMP security packages using the FedRAMP Package Request Form. Once completed, this form should be submitted directly to the FedRAMP Program Management Office (PMO) at email@example.com. The FedRAMP PMO will then review the accuracy and completeness of the submitted form and upon approval will notify the agency when access to the FedRAMP secure repository is granted.
All FedRAMP authorized CSPs are required to upload their FedRAMP security package, including monthly continuous monitoring updates, to OMB MAX. Furthermore, CSPs are required to ensure this information is kept up to date. FedRAMP security packages will include artifacts such as:
- System Security Plan
- Plan of Actions and Milestones (POA&M)
- Security Assessment Report
The full list of artifacts that must be included in the FedRAMP security package can be viewed in the FedRAMP Initial Authorization Package Checklist.
If you have any additional questions, feedback, or can’t find what you’re looking for when accessing the FedRAMP Secure Repository, please don’t hesitate to reach out to firstname.lastname@example.org.