Rev5 Training
Knowledge sharing is a primary goal for FedRAMP® to ensure all stakeholders understand the FedRAMP requirements and the authorization process.
Training is available in two ways: pre-recorded courses on our YouTube page or live virtual training. Some courses are mandatory for specific roles in the program, but we urge all stakeholders to review the training materials available. FedRAMP creates training to help stakeholders obtain the knowledge and skills necessary to successfully navigate the FedRAMP process and meet its requirements.
Cloud Service Providers
These courses are designed to help cloud service providers (CSPs) understand the requirements of security package development as well as give a detailed overview of the required templates and supporting documentation.
See below for an overview of each of the CSP 200 level courses.
Course | Description | Duration | Course Resources |
---|---|---|---|
200-A: FedRAMP System Security Plan (SSP) Required Documents (Revised July 2021) | This course provides CSPs with a deeper understanding of the detail and rigor required to complete a System Security Plan (SSP). An SSP is the main document of a security package, in which a CSP describes all of the security controls in use on the information system and their implementation. This course will familiarize a CSP with the documentation required for initial package submission and give a detailed overview of FedRAMP’s SSP template and its supporting documents. | 32 mins | Course PDF |
200-B: Security Assessment Plan (SAP) | This course is designed to help FedRAMP recognized 3PAO assessors understand how to write specific sections of a Security Assessment Plan (SAP) document, which contains the test plan to assess the security controls of a system. In addition, this course will cover the program’s reporting requirements for a SAP. | 32 mins | Course PDF |
200-C: Security Assessment Report (SAR) | This course is designed to help FedRAMP recognized 3PAO assessors understand how to write specific sections of a Security Assessment Report (SAR). The SAR is required by FedRAMP to evaluate a system’s implementation of, and compliance with, FedRAMP’s baseline security controls. | 36 mins | Course PDF |
200-D: Continuous Monitoring Overview | This course provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets FedRAMP requirements. | 33 mins | Course PDF |
201-B: How to Write a Control | This course gives a CSP an overview of how to properly write a control that will satisfy the program’s requirements. This course is designed for a CSP pursuing a FedRAMP authorization, or a FedRAMP recognized 3PAO conducting an assessment of a cloud system. | 42 mins | Course PDF |
Third Party Assessors
FedRAMP recognized third party assessment organizations (3PAOs) provide the insight and expertise necessary to successfully complete a FedRAMP assessment of a cloud service offering (CSO). These online modules are mandatory for all FedRAMP recognized 3PAO assessment team members; however, other stakeholders can use these modules as an excellent source to brush up on FedRAMP assessment review processes and requirements.
FedRAMP recognized 3PAO assessment team members are required to take these trainings and successfully pass the quizzes at the end of each course. A certificate of completion is provided to participants who pass each quiz with a score of 80% or higher. If the score is below 80%, the participant may retake the quiz.
Outlined below are the steps to view the 3PAO training courses:
Steps to Watch Training Videos
- Select a training link below and watch the training course video on YouTube. We recommend that you start with 300-0 and proceed sequentially with the subsequent training (300-00 through 300-F) once these courses are made available.
- If you wish to take the quiz, please return to this page after watching the video and follow the steps below to take the quiz.
Steps to Take Training Quizzes
- Once you have completed the video training course, please select the quiz link below that corresponds to the training course you watched. From there, you will be taken to a Qualtrics page.
- Prior to starting the quiz, you will be asked to fill out your first and last name and provide your work email address.
- Click enter and then begin the quiz.
- Once you complete the quiz, a certificate of completion will be sent to the email address provided if a score of 80% or higher is achieved. If the score is below 80%, the participant may retake the quiz.
- Save the certificate for your records.
Note: 3PAO training requirements can be found in the American Association for Laboratory Accreditation (A2LA) R311 - Specific Requirements: Federal Risk and Authorization Management Program (FedRAMP). This policy document outlines the requirements for all FedRAMP recognized 3PAOs and organizations seeking A2LA accreditation to be recognized by FedRAMP. To learn more, please visit A2LA’s website.
Course | Description | Duration | Course Resources |
---|---|---|---|
300-0: 3PAO Obligations and Performance Guide | The 300-0 level training provides an overview of the 3PAO responsibilities, obligations, and performance standards and intends to define the scope of a 3PAO’s roles and responsibilities relating to the FedRAMP assessment process, describe the importance of FedRAMP’s 3PAO obligations and performance standards as outlined in the 3PAO Obligations and Performance Standards document, and detail the process required for an Independent Assessment Organization (IAO) to become a FedRAMP recognized 3PAO. | 41 mins | Course PDF |
Federal Agencies
These training videos provide agency stakeholders with tips and best practices to successfully implement the FedRAMP Authorization process.
These courses are currently unavailable.