
Online Courses

These online courses consist of on-demand modules designed for specific stakeholder groups. Each course provides an in-depth focus around a specific step in the FedRAMP authorization process. Throughout each course, stakeholders will gain a better understanding of roles and responsibilities, security requirements, and best practices.

FedRAMP's Online Course Paths


Path 1: All Stakeholders

The first education path provides an overview of the FedRAMP program.

100-A: Welcome to FedRAMP

Description: This is an introductory course about FedRAMP intended for all stakeholders who are not familiar with the program. This module provides an overview and is designed for anyone who would like to learn more about the program’s origin, goals, and the NIST Risk Management Framework.

Duration: 1 hour

Sign-in to attend this course.

Download a "PDF version" of this course.

Path 2: Cloud Service Providers (CSPs)

These online modules are designed to help CSPs understand the requirements of security package development and give a detailed overview of the required templates and their supporting documentation.

200-A: FedRAMP System Security Plan (SSP) Required Documents

Description: This course provides CSPs with a deeper understanding of the detail and rigor required to complete the System Security Plan (SSP). The SSP is the main document of a security package in which a CSP describes all of the security controls in use on the information system and their implementation. This course will familiarize the CSP with the required documentation for initial package submission and give a detailed overview of FedRAMP’s SSP template and its supporting documents.

Duration: 1 hour

Sign-in to attend this course.

Download a PDF version of the "FedRAMP System Security (SSP) Required Documents" training course.

200-B: Security Assessment Plan (SAP)

Description: This module is designed to help FedRAMP Assessors understand how to write specific sections of the Security Assessment Plan (SAP) documents which contain the test plan to assess the security controls of a system. In addition, this course will cover the program’s reporting requirements for the SAP.

Duration: 1 hour

Sign-in to attend this course.

Download a PDF version of the "Security Assessment Plan (SAP)" training course.

200-C: Security Assessment Report (SAR)

Description: This course is designed to help FedRAMP Assessors understand how to write specific sections of the Security Assessment Report (SAR). The SAR is required by FedRAMP to evaluate the system’s implementation of, and compliance with, the FedRAMP baseline security controls, and thus the system’s compliance with FISMA security mandates.

Duration: 1 hour

Sign-in to attend this course.

Download a PDF version of the "Security Assessment Report (SAR)" training course.

200-D: Continuous Monitoring (ConMon) Overview

Description: This course provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. This course is structured for a CSP going through the JAB path with a Third Party Assessment Organization (3PAO), or a 3PAO conducting an assessment of the cloud system.

Duration: 1 hour

Sign-in to attend this course.

Download a PDF version of the "Continuous Monitoring (ConMon) Overview" training course.

201-B: How to Write a Control

Description: This course gives an overview for a CSP of how to properly write a control that will satisfy the program’s requirements. This course is designed for a CSP pursuing a JAB authorization with a 3PAO, or a 3PAO conducting an assessment of the cloud system.

Duration: 1 hour

Sign-in to attend this course.

Download a PDF version of the "How to Write a Control" training course.

Path 3: Third Party Assessors (3PAOs)

These online modules are required for all 3PAOs and focus on specific functions, processes, procedures, policies, and/or guidance needed for 3PAOs to successfully complete their assessment of a CSP. At the end of each course, there is a mandatory quiz and a certificate of completion is provided to attendees who complete the course and pass the final quiz.

Updated 3PAO Requirements

This webinar replaces the previous 300-A course.

FedRAMP, in partnership with the American Association for Laboratory Accreditation (A2LA), updated the “R311 - Specific Requirements: FedRAMP,” which includes new and strengthened qualifications for existing and new 3PAOs.

In this recorded webinar on updated 3PAO requirements from November 2018, the PMO covered the following key updates:

  • Incorporation of the R346 – Specific Requirements: Baltimore Cyber Range (BCR) Cybersecurity Technical Proficiency Activity Information, which requires all 3PAO assessors to take a hands-on proficiency exercise, conducted by the Baltimore Cyber Range (BCR), at initial accreditation and annually thereafter
  • Accreditation to ISO/IEC 17020, under the A2LA Cybersecurity Inspection Body Program, for a period of one year as evidence of implementation of a 3PAO’s quality management system
  • Forty hours of Continuing Professional Education (CPE) or equivalent for each 3PAO assessment team member
  • Regular FedRAMP PMO touch-points with 3PAOs and CSPs for feedback on deliverables and customer experience
  • Guidance for non-U.S.-based 3PAO personnel and/or OCONUS operations

Duration: 30 minutes

Released: November 15, 2018

Resource: R311 - Specific Requirements: FedRAMP (PDF)

300-B: 3PAO Security Assessment Plan (SAP) Guidance

This course provides 3PAOs with guidance on FedRAMP requirements for creating a robust SAP. A SAP contains the test plan to assess the security controls of a system and functions as a detailed roadmap of the approach and methodology for the assessment of a CSP’s cloud service offering.

Duration: 1 hour

Sign-in to attend this course.

300-C: 3PAO Security Assessment Report (SAR) Guidance

This course provides 3PAOs with guidance on FedRAMP requirements for creating a robust SAR.

Duration: 1 hour

Sign-in to attend this course.

300-D: 3PAO Documenting Evidence Procedures

This course provides 3PAOs with guidance on FedRAMP requirements for documenting evidence collected during the assessment and how to populate the SAR.

Duration: 1 hour

Sign-in to attend this course.

300-E: 3PAO Vulnerability Scanning Methodology and Documentation

This course describes the FedRAMP Vulnerability Scanning and the Testing Criteria, including Timeliness/Accuracy of Testing requirements. It identifies CSP and 3PAO requirements for vulnerability scanning on a system and teaches how to document results to meet FedRAMP requirements for initial authorization assessments and annual assessments. It also discusses the inter-relationships between the vulnerability scanning methodology, Continuous Monitoring requirements, and the FedRAMP Continuous Monitoring performance management guide.

Duration: 1 hour

Sign-in to attend this course.

300-F: 3PAO Review of Security Assessment Report (SAR) Tables

This course provides 3PAOs with a detailed description of each SAR table and the information required to correctly populate each table. Populating FedRAMP SAR Tables can be a challenge, and this course identifies five common SAR table mistakes, how to avoid making them, and how to accurately document and total deficiencies and findings.

Duration: 1 hour

Sign-in to attend this course.

300-G: Readiness Assessment Report (RAR) Preparation

This course provides an overview of how the FedRAMP security requirements must align with a CSP’s system security capabilities before the CSP system can be approved as FedRAMP Ready.

Duration: 1 hour

Sign-in to attend this course.

Path 4: Federal Agencies

Coming soon

These online modules provide Agency stakeholders with step-by-step guidance, best practices, and tips to successfully implement the FedRAMP authorization process. At the end of the training, there is an optional quiz and a certificate of completion is provided to attendees who take the course and pass the final quiz.

400-A: ISSO On-Demand Modules

Description: This training is designed for Information System Security Officers (ISSOs) based on FedRAMP’s Agency Authorization Playbook and includes a deep dive into each authorization phase. This course provides ISSOs the knowledge necessary to effectively review FedRAMP authorization packages for cloud services and understand the FedRAMP framework and available resources.

Instructions for completing online courses:

New users:

  1. Go to the training platform home page using Chrome or Firefox
  2. Complete the user information to set up an account (password length must be between 16 and 32 characters) and click “View”
  3. Select the course you’d like to view and complete

Returning users:

  1. Navigate to the training platform home page
  2. Log in using Chrome or Firefox
  3. Enter your user name and password and you’ll resume where you left off in the training

Upcoming Learning events

Please email info@fedramp.gov with any ideas around additional training topics.