Training

The FedRAMP PMO offers a series of online training courses to provide all stakeholders with a deeper understanding of FedRAMP and the level of effort that is required to successfully complete a FedRAMP assessment. This series consists of free e-learning courses geared towards specific stakeholder groups. The FedRAMP PMO encourages everyone to take these trainings, as the courseware provides participants with a holistic view of the FedRAMP process.

To register for the FedRAMP Training Series Curriculum:

  1. Follow this link: https://meet.gsa.gov/fedramp_training/event/registration.html
  2. Fill out the user information to set up an account (password length must be between 16 and 32 characters) and click “View”
  3. Click on the course within the FedRAMP Training Series Curriculum that you would like to view and complete

Once you have registered, you will receive an e-mail confirmation. Returning students can log in here.

If you have any questions, comments, or concerns about the FedRAMP Training series, please send them to info@fedramp.gov with the subject line: “Regarding FedRAMP Training.”

Learning Paths for All Populations, including CSPs, 3PAOs, and Agencies

Path 1: All Stakeholders

100-A: Welcome to FedRAMP

The "Welcome to FedRAMP" course provides an overview of the FedRAMP program. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This one-hour introductory course in the FedRAMP Training Series is intended for Cloud Service Providers (CSPs) and Third Party Assessment Organizations (3PAOs) who aren’t well acquainted with FedRAMP. This course also serves as an excellent source of information for anyone in government or the private sector who wants to learn more about the program.

Duration: 1 hour

Download a PDF version of the "Welcome to FedRAMP" training course.

Path 2: Designed for CSPs and 3PAOs

200-A: FedRAMP System Security Plan (SSP) Required Documents

The "FedRAMP System Security Plan (SSP) Required Documents" course module provides CSPs with a deeper understanding of the detail and rigor required by the FedRAMP PMO. It will familiarize you with required documentation for initial package submission and give a detailed overview of FedRAMP’s SSP template and its supporting documents.

Duration: 1 hour

Download a PDF version of the "FedRAMP System Security Plan (SSP) Required Documents" training course.

200-B: Security Assessment Plan (SAP)

The "Security Assessment Plan (SAP)" course module is designed to help FedRAMP Assessors understand how to write specific sections of these documents and the program’s reporting requirements.

Duration: 1 hour

Download a PDF version of the "Security Assessment Plan (SAP)" training course.

200-C: Security Assessment Report (SAR)

The "Security Assessment Report (SAR)" course module is designed to help FedRAMP Assessors understand how to write specific sections of these documents and the program’s reporting requirements.

Duration: 1 hour

Download a PDF version of the "Security Assessment Report (SAR)" training course.

200-D: Continuous Monitoring (ConMon) Overview

The purpose of the "ConMon Overview" training module is to provide guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. This training module is structured for a CSP going through the JAB path with a Third Party Assessment Organization (3PAO), or a 3PAO conducting an assessment of the cloud system.

Duration: 1 hour

Download a PDF version of the "Continuous Monitoring (ConMon) Overview" training course.

201-B: How to Write a Control

The "How to Write a Control" course teaches a CSP how to properly write a control that will satisfy the program’s requirements. This training module is structured for a CSP pursuing a JAB authorization with a 3PAO, or a 3PAO conducting an assessment of the cloud system.

Duration: 1 hour

Download a PDF version of the "How to Write a Control" training course.

Path 3: Required for 3PAOs

Updated 3PAO Requirements

FedRAMP, in partnership with the American Association for Laboratory Accreditation (A2LA), updated the “R311 - Specific Requirements: FedRAMP,” which includes new and strengthened qualifications for existing and new 3PAOs.

In this recorded webinar on updated 3PAO requirements from November 2018, the PMO covered the following key updates:

  • Incorporation of the R346 – Specific Requirements: Baltimore Cyber Range (BCR) Cybersecurity Technical Proficiency Activity Information, which requires all 3PAO assessors to take a hands-on proficiency exercise, conducted by the Baltimore Cyber Range (BCR), at initial accreditation and annually thereafter
  • Accreditation to ISO/IEC 17020, under the A2LA Cybersecurity Inspection Body Program, for a period of one year as evidence of implementation of a 3PAO’s quality management system
  • Forty hours of Continuing Professional Education (CPE) or equivalent for each 3PAO assessment team member
  • Regular FedRAMP PMO touch-points with 3PAOs and CSPs for feedback on deliverables and customer experience
  • Guidance for non-U.S.-based 3PAO personnel and/or OCONUS operations

Duration: 30 minutes

Released: November 15, 2018

Resource: R311 - Specific Requirements: FedRAMP (PDF)

300-B: 3PAO Security Assessment Plan (SAP) Guidance

This course provides 3PAOs with guidance on FedRAMP requirements for creating a robust SAP.

Duration: 1 hour

Released: August 16, 2018

300-C: 3PAO Security Assessment Report (SAR) Guidance

This course provides 3PAOs with guidance on FedRAMP requirements for creating a robust SAR.

Duration: 1 hour

Released: September 21, 2018

300-D: 3PAO Documenting Evidence Procedures

This course provides 3PAOs with guidance on FedRAMP requirements for documenting evidence collected during the assessment and on how to populate the SAR.

Duration: 1 hour

Released: October 30, 2018

300-E: 3PAO Vulnerability Scanning Methodology and Documentation

This course describes the FedRAMP requirements for conducting vulnerability scanning on a system and teaches how to document results to meet FedRAMP requirements for initial authorization assessments and annual assessments.

Duration: 1 hour

Coming soon.

300-F: 3PAO Review of Security Assessment Report (SAR) Tables

This course provides 3PAOs with guidance on FedRAMP requirements for populating SAR tables to ensure that all tables are correctly populated.

Duration: 2 hours

Coming soon.

300-G: Readiness Assessment Report (RAR) Preparation

The "300-G RAR Preparation" course provides a discussion on how the FedRAMP security requirements must align with a CSP’s system security capabilities before the CSP system can be approved as FedRAMP Ready.

Duration: 1 hour

Download a PDF version of the "Readiness Assessment Report (RAR) Preparation" training course.