A FedRAMP security package is the comprehensive documentation of a Cloud Service Offering's (CSO) system security. A FedRAMP security package provides a:
- Complete system description,
- Complete detail of the system’s security control implementation,
- Overview of the system’s assessment and assessment methodology, and
- Risk assessment that identifies the offering's risk posture, to be used by a Federal customer to make a risk-based authorization decision.
Security packages can be exhaustive documents, and seeing one through from start to finish requires effective project management and resourcing from Cloud Service Providers (CSPs). Below is a list of documents included in a standard FedRAMP security package:
- System Security Plan (SSP) (and attachments)
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Plan of Action & Milestones (POA&M)
- Continuous Monitoring Plan
- Signed Provisional Authority to Operate (P-ATO) for JAB or signed Authority to Operate (ATO) for Agency Authorizations
The documents, templates, and blogs below should be read before beginning security documentation; they help stakeholders gain a better understanding of what the PMO will be looking for in the documentation phase.