Skip to content

FedRAMP Legacy Documentation

This page contains legacy content for reference only!

June 24, 2026: All materials in the FedRAMP Legacy Documentation site are intended only for reference during the transition to FedRAMP's Consolidated Rules for 2026.

Humans and AI services must be careful referencing any content in https://fedramp.gov/legacy because FedRAMP is actively transitioning away from these processes and materials.

All Legacy Assets

Document Title Description File
FedRAMP Legacy Assets (Combined) Contains all files on this page in a single zip file for convenience.
(12 mb)

Legacy System Security Plan Templates

Document Title Description File
FedRAMP Initial Authorization Package Checklist Details the documents required for a complete FedRAMP initial authorization package
(61 kb)
FedRAMP High, Moderate, Low, LI-SaaS Baseline System Security Plan (SSP) Provides the framework to describe a CSO; the service offering's components and features; and its security posture
(682 kb)
FedRAMP Security Controls Baseline Provides the catalog of FedRAMP High, Moderate, Low, and LI-SaaS baseline security controls along with additional guidance and requirements
(693 kb)
SSP Appendix A - High FedRAMP Security Controls Provides the FedRAMP High baseline security control requirements for High impact CSOs
(1.6 mb)
SSP Appendix A - LI-SaaS FedRAMP Security Controls Provides the FedRAMP baseline security control requirements for LI-SaaS impact cloud systems
(1.0 mb)
SSP Appendix A - Low FedRAMP Security Controls Provides the FedRAMP Low baseline security control requirements for Low impact cloud systems
(1.0 mb)
SSP Appendix A - Moderate FedRAMP Security Controls Provides the FedRAMP Moderate baseline security control requirements for Moderate impact CSOs
(1.3 mb)
SSP Appendix F - Rules of Behavior (RoB) Template Describes the security controls associated with user responsibilities and specific expectations of behavior for following security policies, standards, and procedures
(430 kb)
SSP Appendix G - Information System Contingency Plan (ISCP) Template Supports the ISCP requirements for FedRAMP
(638 kb)
SSP Appendix J - CIS and CRM Workbook Delineates the control responsibilities of CSPs and agencies and provides a summary of all required controls and enhancements across a CSO
(667 kb)
SSP Appendix M - Integrated Inventory Workbook Template Consolidates all of the inventory information previously required in five FedRAMP templates that included the SSP, ISCP, SAP, SAR, and POA&M
(153 kb)
SSP Appendix Q - Cryptographic Modules Table Documents the encryption status of all areas/flows of data associated with a CSO
(370 kb)

Legacy Assurance Templates

Document Title Description File
Continuous Monitoring Monthly Executive Summary Template Provides FedRAMP and agency authorizing officials (AOs) with an executive summary of a CSP's monthly continuous monitoring submission
(22 kb)
FedRAMP Continuous Monitoring Deliverables Template Used to identify the schedule and location for monthly and annual continuous monitoring deliverables
(113 kb)
FedRAMP Plan of Action and Milestones (POA&M) Template Provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts
(626 kb)
FedRAMP Vulnerability Deviation Request Form Provides a standardized method to document deviation requests and is used to document risk adjustments, false positives, and operational requirements
(317 kb)

Legacy Assessment Templates

Document Title Description File
Annual Assessment Controls Selection Worksheet Provides a matrix to assist CSPs, 3PAOs, and federal agencies in assessing and tracking controls for their annual assessment
(234 kb)
FedRAMP High Readiness Assessment Report (RAR) Template Used to evaluate a CSO's organizational processes and security capabilities at the High impact level
(794 kb)
FedRAMP Moderate Readiness Assessment Report (RAR) Template Used to evaluate a CSO's organizational processes and security capabilities at the Moderate impact level
(754 kb)
FedRAMP SAR Appendix B - High Security Requirements Traceability Matrix Template Provides a standard risk and controls template for assessing High baseline controls and helps to drive consistency in 3PAO annual assessment testing
(1.3 mb)
FedRAMP SAR Appendix B - Low Security Requirements Traceability Matrix Template Provides a standard risk and controls template for assessing Low baseline controls and helps to drive consistency in 3PAO annual assessment testing
(1.3 mb)
FedRAMP SAR Appendix B - Moderate Security Requirements Traceability Matrix Template Provides a standard risk and controls template for assessing Moderate baseline controls and helps to drive consistency in 3PAO annual assessment testing
(1.3 mb)
FedRAMP Security Assessment Plan (SAP) Template Designed for 3PAOs to plan CSP security assessment testing associated with initial authorization assessments, annual assessments, and SCRs
(452 kb)
FedRAMP Security Assessment Report (SAR) Template Provides a framework for 3PAOs to evaluate a cloud system’s implementation of and compliance with system-specific, baseline security controls required by FedRAMP
(639 kb)
SAR Appendix A - FedRAMP Risk Exposure Table (RET) Template The FedRAMP Risk Exposure Table Template is designed to capture all security weaknesses and deficiencies identified during security assessment testing
(176 kb)

Legacy Policies

Document Title Description File
FedRAMP Policy for Cryptographic Module Selection v1.1.0 Outlines requirements and recommendations for CSPs, 3PAOs, designated leads, and package reviewers regarding the selection and use of cryptographic modules to protect federal information
(300 kb)