Documents

FedRAMP Program Documents

| Document | Description | Download | Last Updated |
|---|---|---|---|
| Security Assessment Framework | This document describes a general Security Assessment Framework (SAF) for FedRAMP. It details the security assessment process CSPs must use to achieve compliance with FedRAMP and is intended for Cloud Service Providers (CSPs), Independent Assessors (3PAOs), Agencies and contractors working on FedRAMP projects, and any outside organizations that want to use or understand the FedRAMP assessment process. | PDF | 6/6/2017 |
| FedRAMP Low Security Controls | This document provides a listing of the FedRAMP low baseline security controls along with additional guidance and requirements. | EXCEL | 5/18/2017 |
| FedRAMP Moderate Security Controls | This document provides a listing of the FedRAMP moderate baseline security controls along with additional guidance and requirements. | EXCEL | 5/18/2017 |
| FedRAMP High Security Controls | This document provides a listing of the FedRAMP high baseline security controls along with additional guidance and requirements. | EXCEL | 5/18/2017 |
| FedRAMP General Document Acceptance Criteria | The purpose of this document is to describe the general document acceptance criteria for FedRAMP to both writers and reviewers. These acceptance criteria apply to all documents FedRAMP reviews that do not have special checklists or acceptance criteria predefined for them. | PDF | 2/7/2018 |
| FedRAMP Policy Memo | This memorandum: 1) establishes Federal policy for the protection of Federal information in cloud services; 2) describes the key components of FedRAMP and its operational capabilities; 3) defines Executive department and Agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and 4) defines the requirements for Executive departments and Agencies using FedRAMP in the acquisition of cloud services. | PDF | 12/8/2011 |
| Joint Authorization Board Charter | The purpose of this Charter is to define the authority, objectives, membership, roles and responsibilities, meeting schedule, decision-making requirements, and establishment of committees for the FedRAMP Joint Authorization Board (JAB) in accordance with OMB Memo "Security Authorizations of Information Systems in Cloud Computing Environments." | PDF | 1/26/2016 |
| FedRAMP Master Acronym & Glossary | This document is a master list of FedRAMP acronyms and program definitions. | PDF | 10/31/2017 |
| Branding Guidance | This document provides guidelines on the use of the FedRAMP name, logo, and marks on all FedRAMP marketing and collateral materials. General guidelines are provided first, followed by more specific guidelines for the two major uses of FedRAMP marks: designation of FedRAMP 3PAO accreditation and FedRAMP Security Authorization. | PDF | 6/6/2017 |
Key Cloud Service Provider (CSP) Documents

| Document | Description | Download | Last Updated |
|---|---|---|---|
| Agency Authorization - Best Practices for CSPs | Geared towards CSPs interested in or beginning the Agency Authorization process, this document helps CSPs understand how to partner with an Agency and engage with the PMO during the authorization process. | PDF | 10/12/2017 |
| CSP JAB P-ATO Roles and Responsibilities | This document provides an overview of a CSP's roles and responsibilities in the JAB P-ATO Process. | PDF | 5/18/2017 |
| JAB P-ATO Prioritization Criteria | This document defines the criteria by which CSPs are prioritized to work with the JAB for a P-ATO. The Prioritization Criteria is intended to be a living document; the JAB will review it on a regular basis and update it as needed to reflect current priorities. | PDF | 6/6/2017 |
| JAB Prioritization Guidance | The purpose of this document is to outline the changes the FedRAMP PMO has made to the JAB Prioritization Process and Business Case for FedRAMP Connect. We ask that CSPs review this document in its entirety before beginning their submission. | PDF | 6/29/2017 |
| Digital Identity Requirements | This document has been developed to provide guidance on Digital Identity requirements in support of achieving and maintaining a security authorization that meets FedRAMP requirements. FedRAMP is following NIST guidance, and this document describes how FedRAMP intends to implement it. | PDF | 1/31/2018 |
| Transport Layer Security (TLS) Requirements | This document summarizes NIST and Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-01 requirements to implement current Transport Layer Security (TLS) protocols and restrict the use of older protocols. FedRAMP is following NIST guidance, and this document describes how FedRAMP intends to implement it. | PDF | 1/31/2018 |
| Timeliness and Accuracy of Testing Requirements | This document outlines the timeliness and accuracy of testing requirements for evidence associated with an authorization package prior to a CSP entering the FedRAMP JAB P-ATO process. | PDF | 6/6/2017 |
| JAB P-ATO Vulnerability Scan Requirements Guide | This guide describes the requirements for all vulnerability scans of FedRAMP CSPs' systems for JAB P-ATOs. | PDF | 6/6/2017 |
| Penetration Test Guidance | The purpose of this document is to provide guidelines for organizations on planning and conducting Penetration Testing and on analyzing and reporting findings. | PDF | 6/6/2017 |
| Plan of Action and Milestones (POA&M) Template Completion Guide | The FedRAMP POA&M Template Completion Guide provides explicit guidance on how to complete the POA&M Template and helps ensure that the CSP is meeting POA&M requirements. | PDF | 1/31/2018 |
| Continuous Monitoring Strategy Guide | This document provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. | PDF | 1/31/2018 |
| Continuous Monitoring Performance Management Guide | This document replaces the P-ATO Management and Revocation Guide and explains the actions FedRAMP will take when a CSP fails to maintain an adequate risk management program. It lays out the escalation processes and procedures, as well as the minimum mandatory escalation actions FedRAMP will take when a CSP fails to meet the requirements of the P-ATO. It specifically addresses FedRAMP P-ATOs maintained by the JAB and enables FedRAMP to provide effective oversight of CSP Continuous Monitoring programs. | PDF | 1/31/2018 |
| Incident Communications Procedures | This document supports the Incident Communication Procedure for FedRAMP. The Incident Communication Procedure outlines the measures to consider so that all parties communicate effectively during a security incident incurred by a FedRAMP authorized CSP. | PDF | 6/6/2017 |
| Annual Assessment Guidance | The FedRAMP Annual Assessment Guidance assists CSPs, 3PAOs, and Federal Agencies in determining the scope of an annual assessment based on NIST SP 800-53, revision 4, FedRAMP baseline security requirements, and FedRAMP continuous monitoring requirements. | PDF | 6/6/2017 |
Key Agency Documents

| Document | Description | Download | Last Updated |
|---|---|---|---|
| Package Request Form | Form that must be completed to gain access to a FedRAMP security assessment package. | PDF | 2/23/2017 |
| Agency Authorization Playbook | A compilation of best practices, tips, and step-by-step guidance for Agencies seeking to implement ATOs. | PDF | 11/28/2017 |
| Agency Authorization: Obtaining In Process Designation | This document provides guidance to agencies and CSPs on requirements for CSPs to be listed as "In Process" on the FedRAMP Marketplace. | PDF | 11/20/2017 |
| Agency Authorization - Roles and Responsibilities for FedRAMP, CSPs, and Agencies | This document provides a summary review of the roles and responsibilities of the Agency, CSP, and FedRAMP PMO during the Agency authorization process. | PDF | 10/12/2017 |
| Agency Authorization - Best Practices for Agencies | A two-page document developed to provide a concise view of best practices specific to an Agency's role in the authorization process. | PDF | 10/12/2017 |
| FedRAMP Guide for Multi-Agency Continuous Monitoring | This document provides guidance to agencies and CSPs to assist with a framework for collaboration when managing Agency ATOs. | PDF | 6/6/2017 |
| Agency Guide for Reuse of FedRAMP Authorizations | This document is specific to Federal Departments and Agencies and provides guidance and the understanding required to authorize an Agency's application when reusing a FedRAMP-compliant cloud service. | PDF | 6/6/2017 |
| Acquisition FAQS | FAQ resource, developed in conjunction with OMB, that agencies can reference when developing their solicitations. | PDF | 9/26/2017 |
| Standard Contract Clauses | FedRAMP has developed a security contract clause template to assist Federal Agencies in procuring cloud-based services. This template should be reviewed by an Agency's Office of General Counsel (OGC) to ensure it meets all Agency requirements, and then incorporated into the security assessment section of a solicitation. | PDF | 6/27/2017 |
| Control Specific Clauses | FedRAMP security control baselines specify control parameter requirements and organizational parameters specific to the provider's control implementation. Since certain controls may be required to govern Agency user interaction, control organizational parameters may need to be included in the task order and specified. The FedRAMP PMO suggests that agencies review the FedRAMP security control baseline, and that agencies do not contractually specify parameters for controls in the FedRAMP baseline, except from the perspective of a consumer's implementation of a control. | PDF | 6/6/2017 |
| Cloud Procurement Best Practices | This paper provides Federal agencies specific guidance in effectively implementing the "Cloud First" policy and moving forward with the "Federal Cloud Computing Strategy" by focusing on ways to more effectively procure cloud services within existing regulations and laws. | PDF | 2/24/2012 |
Key Assessor Documents

| Document | Description | Download | Last Updated |
|---|---|---|---|
| 3PAO JAB P-ATO Roles and Responsibilities | This document provides an overview of a 3PAO's roles and responsibilities in the JAB P-ATO Process. | PDF | 5/18/2017 |
| 3PAO Obligations and Performance Guide | This document provides guidance for 3PAOs on demonstrating the quality, independence, and FedRAMP knowledge required as they perform security assessments on cloud systems. | PDF | 6/6/2017 |
| 3PAO Readiness Assessment Report Guide | This document provides 3PAOs with guidance on how best to utilize the Readiness Assessment Report (RAR). It provides a shared understanding of the RAR's intent, process, and best practices in service of improving the likelihood of 3PAOs successfully completing the RAR. | PDF | 6/6/2017 |