Knowledge sharing is a primary goal for FedRAMP® to ensure all stakeholders understand the FedRAMP requirements and the authorization process.
Training is available in a couple of different ways: as pre-recorded courses on our YouTube page or as live virtual training. Some courses are mandatory for specific roles in the program, but we urge all stakeholders to review the training materials available. FedRAMP creates training to help stakeholders obtain the knowledge and skills necessary to successfully navigate the FedRAMP process and meet its requirements.
Cloud Service Providers
200-A: FedRAMP System Security Plan (SSP) Required Documents (Revised July 2021)
This course provides CSPs with a deeper understanding of the detail and rigor required to complete a System Security Plan (SSP). An SSP is the main document of a security package, in which a CSP describes all of the security controls in use on the information system and their implementation. This course will familiarize a CSP with the documentation required for initial package submission and give a detailed overview of FedRAMP’s SSP template and its supporting documents.
200-B: Security Assessment Plan (SAP)
This course is designed to help FedRAMP recognized 3PAO assessors understand how to write specific sections of a Security Assessment Plan (SAP) document, which contains the test plan to assess the security controls of a system. In addition, this course will cover the program’s reporting requirements for a SAP.
200-C: Security Assessment Report (SAR)
This course is designed to help FedRAMP recognized 3PAO assessors understand how to write specific sections of a Security Assessment Report (SAR). The SAR is required by FedRAMP to evaluate a system’s implementation of, and compliance with, FedRAMP’s baseline security controls.
200-D: Continuous Monitoring Overview
This course provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets FedRAMP requirements.
201-B: How to Write a Control
This course gives a CSP an overview of how to properly write a control that will satisfy the program’s requirements. This course is designed for a CSP pursuing a FedRAMP authorization, or a FedRAMP recognized 3PAO conducting an assessment of a cloud system.
Third Party Assessors
Steps to Watch Training Videos
- STEP 1: Select a training link below and watch the training course video on YouTube.
  - We recommend that you start with 300-0 and proceed sequentially with the subsequent training (300-00 through 300-F) once these courses are made available.
- STEP 2: If you wish to take the quiz, please return to this page after watching the video and follow the steps below to take the quiz.
Steps to Take Training Quizzes
- STEP 3: Once you have completed the video training course, please select the quiz link below that corresponds to the training course you watched. From there, you will be taken to a Qualtrics page.
- STEP 4: Prior to starting the quiz, you will be asked to:
  - Fill out your first and last name
  - Provide your work email address
- STEP 5: Click enter and then begin the quiz.
- STEP 6: Once you complete the quiz:
  - A certificate of completion will be sent to the email address provided if a score of 80% or higher is achieved.
  - If the score is below 80%, the participant may retake the quiz.
- STEP 7: Save the certificate for your records.
Note: 3PAO training requirements can be found in the American Association for Laboratory Accreditation (A2LA) R311 - Specific Requirements: Federal Risk and Authorization Management Program (FedRAMP). This policy document outlines the requirements for all FedRAMP recognized 3PAOs and organizations seeking A2LA accreditation to be recognized by FedRAMP. To learn more, please visit A2LA’s website.
300-0: 3PAO Obligations and Performance Guide
The 300-0 level training provides an overview of the 3PAO responsibilities, obligations, and performance standards and intends to achieve the following learning objectives:
- Define the scope of a 3PAO’s roles and responsibilities relating to the FedRAMP assessment process
- Describe the importance of FedRAMP’s 3PAO obligations and performance standards as outlined in the 3PAO Obligations and Performance Standards document
- Recall the process required for an Independent Assessment Organization (IAO) to become a FedRAMP recognized 3PAO
Updated Training Coming Soon!
300-A Readiness Assessment Report (RAR) Guidance
300-B Security Assessment Plan (SAP) Guidance
300-C Security Assessment Report (SAR) Guidance
300-D Documenting Evidence Procedures
300-E 3PAO Vulnerability Scanning Methodology and Documentation
300-F Review of Security Assessment Report (SAR) Tables
400-A: ISSO On-Demand Modules
This training is designed for Information System Security Officers (ISSOs) based on FedRAMP’s Agency Authorization Playbook and includes a deep dive into each authorization phase. This course provides ISSOs the knowledge necessary to effectively review FedRAMP Authorization packages for cloud services and understand the FedRAMP framework and available resources.
This course is currently unavailable.
Connect with FedRAMP
To view videos about general FedRAMP information and both required and optional FedRAMP training, tune into the FedRAMP YouTube channel.