FedRAMP Documentation Release
- Making continuous monitoring processes more efficient and providing additional specific guidance on them
- Clarifying language in the Readiness Assessment Report (RAR) templates, and
- Incorporating new requirements and guidance in the System Security Plan (SSP) templates and baseline of controls.
These updates are part of a new quarterly documentation release cadence the PMO has put in place to ensure our stakeholders know in advance when changes to documents and templates will occur and when updates will be released.
Below is a summary of the 11 documents/templates we’ve updated or added and a brief description of the revisions and upgrades we’ve made to them. We’ll update this blog with the links to the documents/templates and send out a reminder email when they’re available.
Updated Templates (9):
- Reason for Update: We updated these four SSP templates to align with the updated NIST SP 800-63 and Digital Identity (formerly E-Authentication) requirements. Additionally, we added remediation requirements for Low vulnerabilities and made minor updates to enhance control guidance and functional issues.
- Implementation Requirement: Upon request, FedRAMP can provide redlined versions of the templates to assist CSPs with the changes. Rather than swapping all content to the new template, CSPs may alternatively incorporate the changes into their version of the SSP. These changes must be incorporated before the CSP’s next annual assessment (for annual assessments after Oct 31, 2018).
- Reason for Update: We clarified the language throughout the RAR templates and included expectations around the use of external services.
- Implementation Requirement: To facilitate the PMO’s review of the RAR, 3PAOs are strongly encouraged to transition to the new template now, even for assessments that are in progress. Beginning September 30, 2018, all RARs must be developed using the new templates.
- Reason for Update: We saw an opportunity to clarify the approval process for the FedRAMP New Cloud Service Offering (CSO) or Feature Onboarding process, and conducted a thorough update of almost the entire template. This template should be used in conjunction with the new Significant Change Policies and Procedures.
- Implementation Requirement: This template should be used immediately for any CSO that is interested in using the New Cloud Service Offering (CSO) or Feature Onboarding process. The new Significant Change Request Policies and Procedures document should be reviewed before use of this template.
- Reason for Update: We updated this template form to correct minor grammatical and functional issues. Additionally, we added a requirement for the 3PAO’s signature on the form, to verify they have reviewed and approved the control list. This template form should be used in conjunction with the new Significant Change Policies and Procedures document.
- Implementation Requirement: This template form is available for use now, and must be used for all new significant change requests submitted on or after September 30, 2018.
- Reason for Update: We heard from our stakeholders that there was a need for easier automation, so we converted this template form from a PDF to an Excel spreadsheet.
- Implementation Requirement: CSPs are free to use the old (PDF) version of the Vulnerability Deviation Request Form through September 30, 2018. However, due to ease of completion and automation, FedRAMP strongly suggests migrating to this new Excel version of the template form as soon as possible.
Updated Document (1):
- Reason for Update: We heard from our stakeholders that there was an opportunity to make it easier to navigate and compare the different control requirements - previously contained in four separate documents/templates. To address this, we combined the FedRAMP Low, Moderate, High, and LI-SaaS baselines into a single Excel workbook.
New Document (1):
- Reason for Development: We heard from our stakeholders that the significant change process was unclear. To address this, we developed a document to walk our stakeholders through the significant change process by 1) describing the significant change process, 2) delineating the appropriate forms to use, and 3) providing baseline control sets to be tested by 3PAOs for specific significant changes.
We hope you find these document and template updates useful! If you have any questions or feedback, please reach out to firstname.lastname@example.org.