Skip to main content

February 2015 Newsletter

In this month’s newsletter:

  1. New FedRAMP Compliant CSPs.
  2. Additional 3PAOs
  3. POA&M Template User Guide
  4. Rev 3 to Rev 4 Transition Guide
  5. Release for Public Comment


With the addition of new cloud systems last month, FedRAMP now has a total of 32 compliant cloud systems! Listed below are the cloud systems that recently became FedRAMP Compliant

JAB Provisional Authorization

  • HP - Fortify on Demand (FoD)
  • VMware - VMware vCloud Government Service provided by Carpathia

CSP Supplied

  • Esri - Esri Managed Cloud Services (EMCS)

Details about each FedRAMP compliant cloud can be found here.


There are currently 34 independent assessors who have received a FedRAMP 3PAO accreditation through the FedRAMP PMO and the American Association for Laboratory Accreditation (A2LA). The official list of all Accredited 3PAOs can be found here.

Of the 34 accredited FedRAMP 3PAOs, 3 received their accreditation this month:

  • First Information Technology Services, Inc.
  • Network Specialty Groups, Inc.
  • TalaTek, LLC


The Plan of Actions and Milestones (POA&M) document is a key resource in the FedRAMP process. It describes the specific vulnerabilities in the security controls of the cloud service and the specific tasks that the CSP has planned to correct those vulnerabilities. The POA&M template provides the Cloud Service Providers (CSP) with a structured approach to mitigating risk within the cloud service.

In order to assist with continuous monitoring and POA&M management, the FedRAMP PMO has published the POA&M Template User Guide. This document provides CSPs applying for a FedRAMP Authority to Operate (ATO) with the guidance to complete the Plan of Actions and Milestones (POA&M) Template.

Please review the POA&M Template User Guide prior to creating a POA&M for your cloud service security authorization package.


As you already may know, FedRAMP requires cloud systems to transition from the NIST 800-53 Rev. 3 baseline to the NIST 800-53 Rev 4 baseline as outlined in the NIST SP 800-53 Rev 4 FedRAMP Transition Plan. The FedRAMP PMO will be releasing a NIST 800-53 Rev 3 to Rev 4 Transition Guide in March 2015.

Additionally, FedRAMP developed a security control spreadsheet identifying the following categories of NIST 800-53 Rev. 4 controls for those CSPs with current P-ATOs based on NIST 800-53 Rev. 3 controls:

  • Core controls , Controls required to be assessed annually based on the June 6, 2014 FedRAMP Continuous Monitoring Strategy Guide.
  • New controls , New controls introduced in Revision 4 of NIST 800-53 requiring  assessment.
  • Conditional Controls , Controls that may or may not be required for assessment based on 3PAO responses in the “Conditional Controls” tab of the worksheet.

Look for the security control spreadsheet to be published next week.


FedRAMP High Baseline

REMINDER: the FedRAMP High Baseline draft for cloud systems at the high impact level has been released for public comment. This document was released on January 27, 2015 and will be available for public comment until March 13, 2015. FedRAMP will provide the stakeholders with a second public comment period before finalizing the baseline. The baseline is expected to be finalized prior to the end of CY15.

The FedRAMP High Baseline draft is mapped to the security controls from the NIST SP 800-53, Rev. 4 and presents the High/High/High categorization level for confidentiality, integrity, and availability. The FedRAMP PMO worked closely with key government stakeholders to develop the baseline draft.

The structure of the FedRAMP High Baseline spreadsheet is not to be altered and any direct edits to the spreadsheet will be discarded. ​All comments should be provided to with the subject title FedRAMP High Baseline Comments.

Page of