Documents

Columns in the table below are sortable. The Category, Document, and Description columns sort alphabetically, and the Last Updated column sorts by date. Click on the column header to sort, and click again to sort in reverse order. To return the table to its original order, simply refresh the web page.

| Category | Document | Description | Download | Last Updated |
|---|---|---|---|---|
| FedRAMP Program Documents | Security Assessment Framework | Describes the general Security Assessment Framework (SAF) for FedRAMP and details the security assessment process CSPs must use to achieve compliance with FedRAMP. Intended for Cloud Service Providers (CSPs), Independent Assessors (3PAOs), Agencies and contractors working on FedRAMP projects, and any outside organizations that want to use or understand the FedRAMP assessment process. | PDF | 6/6/2017 |
| FedRAMP Program Documents | FedRAMP Security Controls Baseline | Provides the catalog of FedRAMP High, Moderate, Low, and Tailored LI-SaaS baseline security controls, along with additional guidance and requirements. | EXCEL | 8/28/2018 |
| FedRAMP Program Documents | FedRAMP General Document Acceptance Criteria | Describes the general document acceptance criteria for FedRAMP to both writers and reviewers. These acceptance criteria apply to all documents FedRAMP reviews that do not have special checklists or acceptance criteria predefined for them. | PDF | 6/13/2018 |
| FedRAMP Program Documents | FedRAMP Accelerated: A Case Study for Change Within Government | Captures FedRAMP's experience with redesigning its JAB Authorization process based on stakeholder feedback and shares its insights on creating change within the Government. | PDF | 3/29/2018 |
| FedRAMP Program Documents | FedRAMP Policy Memo | This memorandum: 1) establishes Federal policy for the protection of Federal information in cloud services; 2) describes the key components of FedRAMP and its operational capabilities; 3) defines Executive department and Agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and 4) defines the requirements for Executive departments and Agencies using FedRAMP in the acquisition of cloud services. | PDF | 12/8/2011 |
| FedRAMP Program Documents | Joint Authorization Board Charter | Defines the authority, objectives, membership, roles and responsibilities, meeting schedule, decision-making requirements, and establishment of committees for the FedRAMP Joint Authorization Board (JAB) in accordance with the OMB Memo "Security Authorizations of Information Systems in Cloud Computing Environments." | PDF | 7/13/2018 |
| FedRAMP Program Documents | FedRAMP Master Acronym & Glossary | A master list of FedRAMP acronyms and program definitions. | PDF | 10/31/2017 |
| FedRAMP Program Documents | Branding Guidance | Provides guidelines on the use of the FedRAMP name, logo, and marks on all FedRAMP marketing and collateral materials. General guidelines are provided first, followed by more specific guidelines for the two major uses of FedRAMP marks: designation of FedRAMP 3PAO accreditation and FedRAMP Security Authorization. | PDF | 6/6/2017 |
| Key Cloud Service Provider (CSP) Documents | CSP Authorization Playbook: Getting Started with FedRAMP | This first volume of the CSP Authorization Playbook provides an overview of all of the partners involved in a FedRAMP authorization, things to consider when determining your authorization strategy, the types of authorizations, and important considerations for your offering when working with FedRAMP. | PDF | 4/3/2018 |
| Key Cloud Service Provider (CSP) Documents | Agency Authorization - Best Practices for CSPs | Geared towards CSPs interested in or beginning the Agency Authorization process, this document helps CSPs understand how to partner with an Agency and engage with the PMO during the authorization process. | PDF | 10/12/2017 |
| Key Cloud Service Provider (CSP) Documents | CSP JAB P-ATO Roles and Responsibilities | Provides an overview of a CSP's roles and responsibilities in the JAB P-ATO process. | PDF | 5/18/2017 |
| Key Cloud Service Provider (CSP) Documents | FedRAMP Authorization Boundary Guidance | Provides CSPs with guidance for developing the authorization boundary for their offering(s), which is required for their FedRAMP authorization package. | PDF | 5/10/2018 |
| Key Cloud Service Provider (CSP) Documents | JAB Prioritization Criteria and Guidance | Outlines the criteria by which CSPs are prioritized to work with the JAB toward a P-ATO, the JAB prioritization process, and the Business Case requirements for FedRAMP Connect. CSPs are asked to review this document in its entirety before beginning the FedRAMP Connect process. | PDF | 6/14/2018 |
| Key Cloud Service Provider (CSP) Documents | Digital Identity Requirements | Provides guidance on Digital Identity requirements in support of achieving and maintaining a security authorization that meets FedRAMP requirements. FedRAMP is following NIST guidance, and this document describes how FedRAMP intends to implement it. | PDF | 2/21/2018 |
| Key Cloud Service Provider (CSP) Documents | Transport Layer Security (TLS) Requirements | Summarizes NIST and Department of Homeland Security (DHS) Binding Operational Directive (BOD) 18-01 requirements to implement current Transport Layer Security (TLS) protocols and restrict the use of older protocols. FedRAMP is following NIST guidance, and this document describes how FedRAMP intends to implement it. | PDF | 2/21/2018 |
| Key Cloud Service Provider (CSP) Documents | Timeliness and Accuracy of Testing Requirements | Outlines the timeliness and accuracy of testing requirements for evidence associated with an authorization package prior to a CSP entering the FedRAMP JAB P-ATO process. | PDF | 6/6/2017 |
| Key Cloud Service Provider (CSP) Documents | Automated Vulnerability Risk Adjustment Framework Guidance | Provides CSPs with a framework to create and deploy an automated, CVSS-based vulnerability risk adjustment tool for vulnerabilities identified by vulnerability scanning tools. The document is in DRAFT form while FedRAMP pilots this process with CSPs over the next year or so. | PDF | 3/20/2018 |
| Key Cloud Service Provider (CSP) Documents | Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans | Provides guidance for CSPs on sampling representative system components rather than scanning every component. | PDF | 3/20/2018 |
| Key Cloud Service Provider (CSP) Documents | Vulnerability Scanning Requirements | Describes the requirements for all vulnerability scans of FedRAMP Cloud Service Providers' (CSPs') systems for Joint Authorization Board (JAB) Provisional Authorizations (P-ATOs). | PDF | 3/20/2018 |
| Key Cloud Service Provider (CSP) Documents | Penetration Test Guidance | Provides guidelines for organizations on planning and conducting penetration testing and on analyzing and reporting findings. | PDF | 6/6/2017 |
| Key Cloud Service Provider (CSP) Documents | Plan of Action and Milestones (POA&M) Template Completion Guide | Provides explicit guidance on how to complete the POA&M Template and on ensuring that the CSP is meeting POA&M requirements. | PDF | 4/3/2018 |
| Key Cloud Service Provider (CSP) Documents | Continuous Monitoring Strategy Guide | Provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. | PDF | 2/21/2018 |
| Key Cloud Service Provider (CSP) Documents | Continuous Monitoring Performance Management Guide | Replaces the P-ATO Management and Revocation Guide and explains the actions FedRAMP will take when a CSP fails to maintain an adequate risk management program. It lays out the escalation processes and procedures, as well as the minimum mandatory escalation actions FedRAMP will take when a CSP fails to meet the requirements of the P-ATO. It specifically addresses FedRAMP P-ATOs maintained by the JAB and enables FedRAMP to provide effective oversight of CSP continuous monitoring programs. | PDF | 2/21/2018 |
| Key Cloud Service Provider (CSP) Documents | Significant Change Policies and Procedures | Defines the FedRAMP policies and procedures for making significant changes. It provides the requirements, guidance, and actions the FedRAMP PMO, AO, CSP, and 3PAO will take when a CSP wishes to make a significant change to its provisionally authorized cloud service. | WORD | 8/28/2018 |
| Key Cloud Service Provider (CSP) Documents | Incident Communications Procedures | Outlines the Incident Communication Procedure for FedRAMP: the measures to consider so that all parties communicate effectively during a security incident incurred by a FedRAMP authorized CSP. | PDF | 6/6/2017 |
| Key Cloud Service Provider (CSP) Documents | Annual Assessment Guidance | Assists CSPs, 3PAOs, and Federal Agencies in determining the scope of an annual assessment based on NIST SP 800-53, Revision 4, FedRAMP baseline security requirements, and FedRAMP continuous monitoring requirements. | PDF | 6/6/2017 |
| Key Cloud Service Provider (CSP) Documents | Annual Assessment Controls Selection Worksheet | Provides a matrix to assist CSPs, 3PAOs, and Federal Agencies in selecting and tracking the controls assessed in their annual assessment. | EXCEL | 2/23/2018 |
| Key Agency Documents | Package Request Form | Form that must be completed to gain access to a FedRAMP security assessment package. | PDF | 2/23/2017 |
| Key Agency Documents | Agency Authorization Playbook | A compilation of best practices, tips, and step-by-step guidance for Agencies seeking to issue ATOs. | PDF | 11/28/2017 |
| Key Agency Documents | Agency Authorization: Obtaining In Process Designation | Provides guidance to agencies and CSPs on the requirements for CSPs to be listed as "In Process" on the FedRAMP Marketplace. | PDF | 11/20/2017 |
| Key Agency Documents | Agency Authorization - Roles and Responsibilities for FedRAMP, CSPs, and Agencies | Provides a summary review of the roles and responsibilities of the Agency, CSP, and FedRAMP PMO during the Agency authorization process. | PDF | 10/12/2017 |
| Key Agency Documents | Agency Authorization - Best Practices for Agencies | A two-page document providing a concise view of best practices specific to an Agency's role in the authorization process. | PDF | 10/12/2017 |
| Key Agency Documents | FedRAMP Guide for Multi-Agency Continuous Monitoring | Provides agencies and CSPs with a framework for collaboration when managing Agency ATOs. | PDF | 6/6/2017 |
| Key Agency Documents | Agency Guide for Reuse of FedRAMP Authorizations | Specific to Federal Departments and Agencies; provides the guidance and understanding required to authorize an Agency's application when reusing a FedRAMP-compliant cloud service. | PDF | 6/6/2017 |
| Key Agency Documents | Acquisition FAQs | FAQ resource, developed in conjunction with OMB, that agencies can reference when developing their solicitations. | PDF | 9/26/2017 |
| Key Agency Documents | Control Specific Clauses | FedRAMP security control baselines specify control parameter requirements and organizational parameters specific to the provider's control implementation. Since certain controls may be required to govern Agency user interaction, control organizational parameters may need to be included and specified in the task order. The FedRAMP PMO suggests that agencies review the FedRAMP security control baseline and not contractually specify parameters for controls in the FedRAMP baseline, except from the perspective of a consumer's implementation of a control. | PDF | 6/6/2017 |
| Key Agency Documents | Cloud Procurement Best Practices | Provides Federal agencies with specific guidance on effectively implementing the "Cloud First" policy and moving forward with the "Federal Cloud Computing Strategy" by focusing on ways to more effectively procure cloud services within existing regulations and laws. | PDF | 2/24/2012 |
| Key Assessor Documents | 3PAO JAB P-ATO Roles and Responsibilities | Provides an overview of a 3PAO's roles and responsibilities in the JAB P-ATO process. | PDF | 5/18/2017 |
| Key Assessor Documents | 3PAO Obligations and Performance Guide | Provides guidance for 3PAOs on demonstrating the quality, independence, and FedRAMP knowledge required as they perform security assessments on cloud systems. | PDF | 6/6/2017 |
| Key Assessor Documents | 3PAO Readiness Assessment Report Guide | Provides 3PAOs with guidance on how best to use the Readiness Assessment Report (RAR). It establishes a shared understanding of the RAR's intent, process, and best practices in order to improve the likelihood of 3PAOs successfully completing the RAR. | PDF | 6/6/2017 |