Agency Processes
Federal agencies must use the baseline controls and accompanying FedRAMP requirements (templates, test cases, guidance) when leveraging assessments and authorizations or initiating assessments for cloud services.
Prior to procuring a new cloud service or conducting an assessment and authorization of an existing cloud service, check the FedRAMP repository to see if it already contains an assessment package for a cloud system an Agency is using or might procure. If a cloud service is in the FedRAMP repository, Federal agencies can then leverage the security assessment package to make their make their own risk-based decision regarding whether or not to use that cloud system.
If an Agency selects a cloud service not listed in the FedRAMP repository, the Agency must follow the FedRAMP approved security assessment process as the path to grant an Authority to Operate (ATO). Federal agencies may do this through initiating the process with the FedRAMP PMO and JAB or by completing the FedRAMP process within their respective agency.
Once an agency has completed the assessment of the cloud service and granted an ATO, the Agency must submit the completed security assessment package to the FedRAMP PMO for inclusion in the FedRAMP repository. The repository provides a central location of security assessment packages for cloud solutions meeting FedRAMP requirements that can be leveraged by other Federal agencies.
Complete FedRAMP templates can be accessed here:
FedRAMP templates can be individually viewed and downloaded here:
