Skip to main content

Training

Knowledge sharing is a primary goal for FedRAMP® to ensure all stakeholders understand the FedRAMP requirements and the authorization process.

Training is available in a couple different ways, either by pre-recorded courses on our Youtube page, or via live virtual training. Some courses are mandatory for specific roles in the program, but we urge all stakeholders to review the training materials available. FedRAMP creates training to help stakeholders obtain the knowledge and skills necessary to successfully navigate the FedRAMP process and meet its requirements.

Cloud Service Providers

These courses are designed to help cloud service providers (CSPs) understand the requirements of security package development as well as give a detailed overview of the required templates and supporting documentation.

See below for an overview of each of the CSP 200 level courses.

200-A: FedRAMP System Security Plan (SSP) Required Documents (Revised July 2021)

This course provides CSPs with a deeper understanding of the detail and rigor required to complete a System Security Plan (SSP). A SSP is the main document of a security package in which a CSP describes all of the security controls, in use on the information system, and their implementation. This course will familiarize a CSP with the required documentation, for initial package submission, and give a detailed overview of FedRAMP’s SSP template and its supporting documents.

200-B: Security Assessment Plan (SAP)

This course is designed to help FedRAMP recognized 3PAO assessors understand how to write specific sections of a Security Assessment Plan (SAP) document, which contains the test plan to assess the security controls of a system. In addition, this course will cover the program’s reporting requirements for a SAP.

200-C: Security Assessment Report (SAR)

This course is designed to help FedRAMP recognized 3PAO assessors understand how to write specific sections of a Security Assessment Report (SAR). The SAR is required by FedRAMP to evaluate a system’s implementation of, and compliance with, FedRAMP’s baseline security controls.

200-D: Continuous Monitoring Overview

This course provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets FedRAMP requirements.

201-B: How to Write a Control

This course gives an overview to a CSP of how to properly write a control that will satisfy the program’s requirements. This course is designed for a CSP pursuing a FedRAMP authorization, or a FedRAMP recognized 3PAO conducting an assessment of a cloud system.

Third Party Assessors

FedRAMP recognized third party assessment organizations (3PAOs) provide the insight and expertise necessary to successfully complete a FedRAMP assessment of a cloud service offering (CSO). These online modules are mandatory for all FedRAMP recognized 3PAO assessment team members; however, other stakeholders can use these modules as an excellent source to brush up on FedRAMP assessment review processes and requirements.

FedRAMP recognized 3PAO assessment team members are required to take these trainings and successfully pass the quizzes at the end of each course. A certificate of completion is provided to participants who pass each quiz with an 80% or higher. If the score is below 80%, the participant may retake the quiz.

Outlined below are the steps to view the 3PAO training courses:

Steps to Watch Training Videos

  1. STEP 1: Select a training link below and watch the training course video on YouTube.
    1. We recommend that you start with 300-0 and proceed sequentially with the subsequent training (300-00 through 300-F) once these courses are made available.
  2. STEP 2: If you wish to take the quiz, please return to this page after watching the video and follow the steps below to take the quiz.

Steps to Take Training Quizzes

  1. STEP 3: Once you have completed the video training course, please select the quiz link below that corresponds to the training course you watched. From there, you will be taken to a Qualtrics page.
  2. STEP 4: Prior to starting the quiz, you will be asked to:
    1. Fill out your first and last name
    2. Provide your work email address
  3. STEP 5: Click enter and then begin the quiz.
  4. STEP 6: Once you complete the quiz:
    1. A certificate of completion will be sent to the email address provided if a score of 80% or higher is achieved.
    2. If the score is below 80%, the participant may retake the quiz again.
  5. STEP 7: Save the certificate for your records.

Note: 3PAO training requirements can be found in the American Association for Laboratory Accreditation (A2LA) R311- Specific Requirements: Federal Risk and Authorization Management Program (FedRAMP). This policy document outlines the requirements for all FedRAMP recognized 3PAOs and organizations seeking A2LA accreditation to be recognized by FedRAMP. To learn more please visit A2LA’s Website.

300-0: 3PAO Obligations and Performance Guide

The 300-0 level training provides an overview of the 3PAO responsibilities, obligations, and performance standards and intends to achieve the following learning objectives:

  • Define the scope of a 3PAO’s roles and responsibilities relating to the FedRAMP assessment process
  • Describe the importance of FedRAMP’s 3PAO obligations and performance standards as outlined in the 3PAO Obligations and Performance Standards document
  • Recall the process required for an Independent Assessment Organization (IAO) to become a FedRAMP recognized 3PAO

Updated Training Coming Soon!

300-A Readiness Assessment Report (RAR) Guidance

300-B Security Assessment Plan (SAP) Guidance

300-C Security Assessment Report (SAR) Guidance

300-D Documenting Evidence Procedures

300-E 3PAO Vulnerability Scanning Methodology and Documentation

300-F Review of Security Assessment Report (SAR) Tables

Federal Agencies

These training videos provide agency stakeholders with tips and best practices to successfully implement the FedRAMP Authorization process.

400-A: ISSO On-Demand Modules

This training is designed for Information System Security Officers (ISSOs) based on FedRAMP’s Agency Authorization Playbook and includes a deep dive into each authorization phase. This course provides ISSOs the knowledge necessary to effectively review FedRAMP Authorization packages for cloud services and understand the FedRAMP framework and available resources.

This course is currently unavailable

Connect with FedRAMP

YouTube

To view videos about general FedRAMP information and both required and optional FedRAMP training, tune into the FedRAMP YouTube channel.

Browse Videos

Newsletter

To receive immediate notification when blogs, the monthly PMO Newsletter, and any important announcements or program updates are released, join the FedRAMP subscriber list.

Subscribe

GSA logo

FedRAMP.gov

An official website of the GSA’s Technology Transformation Services

Looking for U.S. government information and services?
Visit USA.gov