Understanding Security Package Development

A FedRAMP security package is the comprehensive documentation of a Cloud Service Offering's (CSO) system security. A FedRAMP security package provides a:

  • Complete system description,
  • Complete detail of the system’s security control implementation,
  • Overview of the system’s assessment and assessment methodology, and
  • Risk assessment that identifies the offering's risk posture, to be used by a Federal customer to make a risk-based authorization decision.

Security packages can be exhaustive documents, and CSPs need effective project management and resourcing to carry them through from start to finish. Below is a list of the documents included in a standard FedRAMP security package:

  • System Security Plan (SSP) (and attachments)
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Plan of Actions & Milestones (POA&M)
  • Continuous Monitoring Plan
  • Signed Provisional Authority to Operate (P-ATO) for JAB or signed Authority to Operate (ATO) for Agency Authorizations

The documents, templates, and blogs below should be read before beginning security documentation; they help stakeholders gain a better understanding of what the PMO will be looking for during the documentation phase.