
Completing an Annual Assessment

Completing an annual assessment for a FedRAMP authorized CSO includes:

  • Review and update, as required, of the System Security Plan (SSP) and attachments
  • Completion of an Incident Response Plan Test and provision of the Incident Response Plan Test Report
  • Completion of a Contingency Plan functional test and provision of the Contingency Plan Test Report
  • Completion of the Annual Assessment Security Assessment Plan (SAP)
  • Completion of Annual Assessment testing
  • Completion of the Annual Assessment Security Assessment Report (SAR)
  • Update of the CSO's Plan of Action and Milestones (POA&M)
  • Submission of the completed Annual Assessment package, including the SAR and attachments, updated SSP and attachments, updated SAP, and POA&M to FedRAMP PMO or Agency AO

CSPs are required to engage a 3PAO to complete Annual Assessment testing. All documentation that results from an Annual Assessment should be uploaded to the FedRAMP secure repository, OMB MAX, by the CSP's ATO date. The Annual Assessment should be reviewed and approved by the Authorizing Official of the CSP's agency customer(s) before being uploaded to OMB MAX. Any updates to an offering's Impact Level should be reported to the PMO, via info@fedramp.gov, before being uploaded to OMB MAX.
