Templates

| Category | Document | Description | Type | Last Updated |
| --- | --- | --- | --- | --- |
| Readiness Assessment Phase | FedRAMP High Readiness Assessment Report (RAR) Template | The FedRAMP High RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP’s system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system. | WORD | 8/28/2018 |
| Readiness Assessment Phase | FedRAMP Moderate Readiness Assessment Report (RAR) Template | The FedRAMP Moderate RAR Template and its underlying assessment are intended to enable FedRAMP to reach a FedRAMP Ready decision for a specific CSP’s system based on organizational processes and the security capabilities of the system. FedRAMP grants a FedRAMP Ready designation when the information in this report template indicates the CSP is likely to achieve a JAB P-ATO or Agency ATO for the system. | WORD | 8/28/2018 |
| Initial Authorization Phase - Initial Authorization Package Checklist | FedRAMP Initial Authorization Package Checklist | This checklist details the documents required for a complete FedRAMP initial authorization package. CSPs must submit this checklist along with their authorization package so that the FedRAMP PMO can verify their package is complete prior to conducting reviews. | EXCEL | 3/9/2017 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | FedRAMP System Security Plan (SSP) High Baseline Template | The FedRAMP SSP High Baseline Template provides the FedRAMP High baseline security control requirements for High impact cloud systems. The template provides the framework to capture the system environment, system responsibilities, and the current status of the High baseline controls required for the system. | WORD | 8/28/2018 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | FedRAMP System Security Plan (SSP) Moderate Baseline Template | The FedRAMP SSP Moderate Baseline Template provides the FedRAMP Moderate baseline security control requirements for Moderate impact cloud systems. The template provides the framework to capture the system environment, system responsibilities, and the current status of the Moderate baseline controls required for the system. | WORD | 8/28/2018 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | FedRAMP System Security Plan (SSP) Low Baseline Template | The FedRAMP SSP Low Baseline Template provides the FedRAMP Low baseline security control requirements for Low impact cloud systems. The template provides the framework to capture the system environment, system responsibilities, and the current status of the Low baseline controls required for the system. | WORD | 8/28/2018 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | SSP ATTACHMENT 4 - FedRAMP Privacy Impact Assessment (PIA) Template | The FedRAMP PIA Template is used to determine if a system collects and/or stores Personally Identifiable Information (PII) as defined in OMB Memorandum M-07-16. | WORD | 6/6/2017 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | SSP ATTACHMENT 5 - FedRAMP Rules of Behavior (RoB) Template | The FedRAMP RoB Template describes security controls associated with user responsibilities and specific expectations of behavior for following security policies, standards, and procedures. | WORD | 6/6/2017 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | SSP ATTACHMENT 6 - FedRAMP Information System Contingency Plan (ISCP) Template | This template supports the ISCP requirements for FedRAMP. An ISCP denotes interim measures to recover information system services following an unprecedented emergency or system disruption. | WORD | 6/6/2017 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | SSP ATTACHMENT 9 - FedRAMP High Control Implementation Summary (CIS) Workbook Template | The FedRAMP High CIS Workbook Template delineates the control responsibilities of CSPs and Federal Agencies and provides a summary of all required controls and enhancements across the system. | EXCEL | 6/6/2017 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | SSP ATTACHMENT 9 - FedRAMP Low or Moderate Control Implementation Summary (CIS) Workbook Template | The FedRAMP Low or Moderate CIS Workbook Template delineates the control responsibilities of CSPs and Federal Agencies and provides a summary of all required controls and enhancements across the system. | EXCEL | 6/6/2017 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | SSP ATTACHMENT 10 - FedRAMP Federal Information Processing Standard (FIPS) 199 Categorization Template | The FedRAMP FIPS 199 Categorization Template provides the determination of the security impact level for a cloud environment that may host any or all of the service models, which include IaaS, PaaS, and SaaS. The security categorization shows the CSP which FedRAMP security controls are applicable to its environment. | WORD | 6/6/2017 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | SSP ATTACHMENT 12 - FedRAMP Laws and Regulations Template | The FedRAMP Laws and Regulations Template provides a single source for applicable FedRAMP laws, regulations, standards, and guidance. | EXCEL | 8/28/2018 |
| Initial Authorization Phase - Document: System Security Plan (SSP) | SSP ATTACHMENT 13 - FedRAMP Integrated Inventory Workbook Template | The FedRAMP Integrated Inventory Workbook Template consolidates all of the inventory information previously required in five FedRAMP templates that included the SSP, ISCP, SAP, SAR, and POA&M. | EXCEL | 6/6/2017 |
| Initial Authorization Phase - Assess: Security Assessment Plan (SAP) | FedRAMP Security Assessment Plan (SAP) Template | The FedRAMP SAP Template is intended for 3PAOs to plan CSP security assessment testing. Once completed, this template constitutes a plan for testing security controls. | WORD | 6/6/2017 |
| Initial Authorization Phase - Assess: Security Assessment Plan (SAP) | SAP APPENDIX A - FedRAMP High Security Test Case Procedures Template | The FedRAMP High Security Test Case Procedures Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings. | EXCEL | 3/10/2017 |
| Initial Authorization Phase - Assess: Security Assessment Plan (SAP) | SAP APPENDIX A - FedRAMP Moderate Security Test Case Procedures Template | The FedRAMP Moderate Security Test Case Procedures Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings. | EXCEL | 3/10/2017 |
| Initial Authorization Phase - Assess: Security Assessment Plan (SAP) | SAP APPENDIX A - FedRAMP Low Security Test Case Procedures Template | The FedRAMP Low Security Test Case Procedures Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings. | EXCEL | 3/10/2017 |
| Initial Authorization Phase - Authorize: Security Assessment Report (SAR) | FedRAMP Security Assessment Report (SAR) Template | The FedRAMP SAR Template provides a framework for 3PAOs to evaluate a cloud system’s implementation of and compliance with system-specific, baseline security controls required by FedRAMP. | WORD | 6/6/2017 |
| Initial Authorization Phase - Authorize: Security Assessment Report (SAR) | SAR APPENDIX A - FedRAMP Risk Exposure Table Template | The FedRAMP Risk Exposure Table Template is designed to capture all security weaknesses and deficiencies identified during security assessment testing. | EXCEL | 3/9/2017 |
| Initial Authorization Phase - Authorize: Plan of Action and Milestones (POA&M) | FedRAMP Plan of Action and Milestones (POA&M) Template | The FedRAMP POA&M Template provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts. This template is intended to be used as a tracking tool for risk mitigation in accordance with CSP priorities. | EXCEL | 3/9/2017 |
| Initial Authorization Phase - Authorize: Authority to Operate (ATO) Letter | FedRAMP Agency ATO Review Template | The PMO uses this template to review Agency ATO packages. | PDF | 7/17/2017 |
| Initial Authorization Phase - Authorize: Authority to Operate (ATO) Letter | FedRAMP ATO Letter Template | The FedRAMP ATO Letter Template is optional for Agencies to use when granting authorizations for CSOs that meet the FedRAMP requirements. | WORD | 3/9/2017 |
| Continuous Monitoring Phase | FedRAMP Annual Security Assessment Plan (SAP) Template | The FedRAMP Annual SAP Template is intended for 3PAOs to plan a cloud system’s annual assessment and constitutes a plan for testing once completed. | WORD | 6/6/2017 |
| Continuous Monitoring Phase | FedRAMP Annual Security Assessment Report (SAR) Template | The FedRAMP Annual SAR Template provides a framework for 3PAOs to evaluate a cloud system’s implementation of and compliance with system-specific, baseline security controls required by FedRAMP. The template is intended for 3PAOs to report annual security assessment findings for CSPs. | WORD | 6/16/2017 |
| Continuous Monitoring Phase | FedRAMP New Cloud Service Offering (CSO) or Feature Onboarding Request Template | The FedRAMP CSO or Feature Onboarding Request Template is used to capture an accredited 3PAO's assessment and attestation for onboarding a service or feature to an existing CSP’s system. | WORD | 8/28/2018 |
| Continuous Monitoring Phase | FedRAMP Vulnerability Deviation Request Form | This form provides a standardized method to document deviation requests and is used to document Risk Adjustments, False Positives, and Operational Requirements. | EXCEL | 8/28/2018 |
| Continuous Monitoring Phase | FedRAMP Significant Change Form Template | This document was developed to capture the type(s) of system changes requested and the supporting details surrounding requested system changes, including FIPS 199. It can be used to request a significant change within an existing ATO. | PDF | 8/28/2018 |
| Continuous Monitoring Phase | Continuous Monitoring Monthly Executive Summary Template | This form provides the JAB reviewers and PMO with an executive summary of the monthly continuous monitoring submission from a CSP. It should detail all files that should be reviewed with that submission. It should be filled out and submitted with every monthly continuous monitoring submission by the CSP or their 3PAO. | EXCEL | 1/31/2018 |
| Continuous Monitoring Phase | FedRAMP FIPS-199 Categorization Change Form Template | The FedRAMP FIPS-199 Categorization Change Form Template is used to capture a system categorization change request from a FedRAMP Moderate system to a FedRAMP High System and the supporting details surrounding the requested system change. | WORD | 8/16/2017 |
| FedRAMP Tailored | FedRAMP Tailored LI-SaaS Requirements | FedRAMP Tailored Security Requirements for Low Impact Software as a Service (LI-SaaS) provides the minimum security control requirements for authorizing a LI-SaaS. | WORD | 9/28/2017 |
| FedRAMP Tailored | APPENDIX A - FedRAMP Tailored Security Controls Baseline | Appendix A: FedRAMP Tailored Security Controls Baseline provides the LI-SaaS Baseline controls that CSPs must address. This template is also contained within the FedRAMP Security Controls Baseline, located on the Documents page. | EXCEL | 11/14/2017 |
| FedRAMP Tailored | APPENDIX B - FedRAMP Tailored LI-SaaS Template | Appendix B: FedRAMP Tailored LI-SaaS Framework Template shows CSPs how to describe the security risk posture of their cloud-based SaaS application, based on the FedRAMP Tailored LI-SaaS security control baseline. | WORD | 8/28/2018 |
| FedRAMP Tailored | APPENDIX C - FedRAMP Tailored LI-SaaS ATO Letter Template | Appendix C: FedRAMP Tailored LI-SaaS ATO Letter Template is a resource for Agencies to use when granting authorizations for CSOs that meet the FedRAMP LI-SaaS requirements. | WORD | 9/28/2017 |
| FedRAMP Tailored | APPENDIX D - FedRAMP Tailored LI - SaaS Continuous Monitoring Guide | Appendix D: FedRAMP Tailored LI-SaaS Continuous Monitoring Guide provides guidance on continuous monitoring and ongoing authorization to maintain a security authorization that meets the FedRAMP Tailored LI-SaaS requirements. | WORD | 9/28/2017 |
| FedRAMP Tailored | APPENDIX E - FedRAMP Tailored LI - SaaS Self-Attestation Requirements | Appendix E: FedRAMP Tailored LI-SaaS Self-Attestation Requirements provides the system requirements that the CSP must attest to for their CSO. | WORD | 9/28/2017 |