Columns in the table below are sortable. The Category, Document, and Description columns sort alphabetically, and the Last Updated column sorts by date. Click on the column header to sort, and click again to sort in reverse order. To return the table to its original order, simply refresh the web page.
| Category | Document | Description | Download | Last Updated |
|---|---|---|---|---|
| FedRAMP Program Documents | Security Assessment Framework | This document describes a general Security Assessment Framework (SAF) for FedRAMP. This document details the security assessment process CSPs must use to achieve compliance with FedRAMP. This document is intended for Cloud Service Providers (CSPs), Independent Assessors (3PAOs), Agencies and contractors working on FedRAMP projects, and any outside organizations that want to use or understand the FedRAMP assessment process. |
|
11/15/2017 |
| FedRAMP Program Documents | FedRAMP Security Controls Baseline | This document provides the catalog of FedRAMP High, Moderate, Low, and Tailored LI-SaaS baseline security controls, along with additional guidance and requirements. |
EXCEL |
7/31/2020 |
| FedRAMP Program Documents | FedRAMP General Document Acceptance Criteria | The purpose of this document is to describe the general document acceptance criteria for FedRAMP to both writers and reviewers. This acceptance criterion applies to all documents FedRAMP reviews that do not have special checklists or acceptance criteria predefined for them. |
|
6/13/2018 |
| FedRAMP Program Documents | FedRAMP Accelerated: A Case Study for Change Within Government | This document captures FedRAMP's experience with redesigning its JAB Authorization process based on stakeholder feedback and shares its insights on creating change within the Government. |
|
3/29/2018 |
| FedRAMP Program Documents | FedRAMP Policy Memo | This memorandum: 1) establishes Federal policy for the protection of Federal information in cloud services; 2) describes the key components of FedRAMP and its operational capabilities; 3) defines Executive department and Agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and 4) defines the requirements for Executive departments and Agencies using FedRAMP in the acquisition of cloud services. |
|
12/8/2011 |
| FedRAMP Program Documents | Joint Authorization Board Charter | The purpose of this Charter is to define the authority, objectives, membership, roles and responsibilities, meeting schedule, decision making requirements, and establishment of committees for the FedRAMP Joint Authorization Board (JAB) in accordance with OMB Memo "Security Authorizations of Information Systems in Cloud Computing Environments." |
|
7/13/2018 |
| FedRAMP Program Documents | FedRAMP Master Acronym & Glossary | This document is a master list of FedRAMP acronyms and program definitions. |
|
7/23/2020 |
| FedRAMP Program Documents | FedRAMP Marketplace Designations for Cloud Service Providers | This document outlines the requirements for listing FedRAMP designations on the FedRAMP Marketplace for Cloud Service Providers (CSPs). This includes achieving, maintaining, and removing a designation for a Cloud Service Offering (CSO) and supersedes the FedRAMP In Process requirements. |
|
6/20/2019 |
| FedRAMP Program Documents | Branding Guidance | This document provides guidelines on the use of the FedRAMP name, logo, and marks on all FedRAMP marketing and collateral materials. General guidelines are provided first, followed by more specific guidelines for the two major uses of FedRAMP marks: Designation of FedRAMP 3PAO accreditation and FedRAMP Security Authorization |
|
2/1/2018 |
| Key Cloud Service Provider (CSP) Documents | CSP Authorization Playbook: Getting Started with FedRAMP | This first volume of the CSP Authorization Playbook provides an overview of all of the partners involved in a FedRAMP authorization, things to consider when determining your authorization strategy, the types of authorizations, and important considerations for your offering when working with FedRAMP. |
|
7/1/2018 |
| Key Cloud Service Provider (CSP) Documents | CSP JAB P-ATO Roles and Responsibilities | This document provides an overview of a CSP’s roles and responsibilities in the JAB P-ATO Process. |
|
5/18/2017 |
| Key Cloud Service Provider (CSP) Documents | FedRAMP Authorization Boundary Guidance | This document provides CSPs guidance for developing the authorization boundary for their offering(s) which is required for their FedRAMP authorization package. |
|
5/10/2018 |
| Key Cloud Service Provider (CSP) Documents | JAB Prioritization Criteria and Guidance | The purpose of this document is to outline the criteria by which CSPs are prioritized to work with the JAB toward a P-ATO, the JAB prioritization process, and the Business Case requirements for FedRAMP Connect. We ask that CSPs review this document in its entirety before beginning the FedRAMP Connect process. |
|
3/26/2020 |
| Key Cloud Service Provider (CSP) Documents | Timeliness and Accuracy of Testing Requirements | This document outlines the timeliness and accuracy of testing requirements for evidence associated with an authorization package prior to a CSP entering the FedRAMP JAB P-ATO process. |
|
11/20/2017 |
| Key Cloud Service Provider (CSP) Documents | Automated Vulnerability Risk Adjustment Framework Guidance | This document provides CSPs with a framework to create and deploy an automated, CVSS-based vulnerability risk adjustment tool for vulnerabilities identified by vulnerability scanning tools. The document is in DRAFT form while FedRAMP pilots this process with CSPs over the next year or so. |
|
3/20/2018 |
| Key Cloud Service Provider (CSP) Documents | Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans | This document provides guidance for CSPs on sampling representative system components rather than scanning every component. |
|
3/20/2018 |
| Key Cloud Service Provider (CSP) Documents | Vulnerability Scanning Requirements | This guide describes the requirements for all vulnerability scans of FedRAMP Cloud Service Provider’s (CSP) systems for Joint Authorization Board (JAB) Provisional Authorizations (PATOs). |
|
3/20/2018 |
| Key Cloud Service Provider (CSP) Documents | Penetration Test Guidance | The purpose of this document is to provide guidelines for organizations on planning and conducting Penetration Testing and analyzing and reporting on findings. |
|
11/24/2017 |
| Key Cloud Service Provider (CSP) Documents | Plan of Action and Milestones (POA&M) Template Completion Guide | The FedRAMP POA&M Template Completion Guide provides explicit guidance on how to complete the POA&M Template and provides guidance to ensure that the CSP is meeting POA&M requirements. |
|
4/3/2018 |
| Key Cloud Service Provider (CSP) Documents | Continuous Monitoring Strategy Guide | This document provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. |
|
4/4/2018 |
| Key Cloud Service Provider (CSP) Documents | Continuous Monitoring Performance Management Guide | This document replaces the P-ATO Management and Revocation Guide and explains the actions FedRAMP will take when a CSP fails to maintain an adequate risk management program. It lays out the escalation processes and procedures as well as minimum mandatory escalation actions FedRAMP will take when a CSP fails to meet the requirements of the P-ATO. It also specifically addresses FedRAMP P-ATOs maintained by the JAB and enables FedRAMP to provide effective oversight of the CSP Continuous Monitoring programs. |
|
2/21/2018 |
| Key Cloud Service Provider (CSP) Documents | Significant Change Policies and Procedures | This document defines the FedRAMP policies and procedures for making significant changes. It provides requirements, guidance, and actions the FedRAMP PMO, AO, CSP, and 3PAO will take when a CSP wishes to make a significant change to its provisionally authorized cloud service. |
WORD |
8/28/2018 |
| Key Cloud Service Provider (CSP) Documents | Incident Communications Procedures | This document supports the Incident Communication Procedure for FedRAMP. This Incident Communication Procedure outlines the measures to consider so all parties effectively communicate during a security incident incurred by a FedRAMP authorized CSP. |
|
12/8/2017 |
| Key Cloud Service Provider (CSP) Documents | Annual Assessment Guidance | The FedRAMP Annual Assessment Guidance provides guidance to assist CSPs, 3PAOs, and Federal Agencies in determining the scope of an annual assessment based on NIST SP 800-53, revision 4, FedRAMP baseline security requirements, and FedRAMP continuous monitoring requirements. |
|
11/24/2017 |
| Key Cloud Service Provider (CSP) Documents | Annual Assessment Controls Selection Worksheet | The FedRAMP Annual Assessment Controls Selection Worksheet provides a matrix to assist CSPs, 3PAOs, and Federal Agencies in assessing and tracking control their annual assessment. |
EXCEL |
2/23/2018 |
| Key Agency Documents | Package Request Form | Form that must be completed to gain access to a FedRAMP security assessment package. |
|
3/1/2017 |
| Key Agency Documents | Agency Authorization Playbook | A compilation of best practices, tips, and step-by-step guidance for Agencies seeking to implement ATOs. |
|
11/28/2017 |
| Key Agency Documents | FedRAMP Guide for Multi-Agency Continuous Monitoring | This document provides guidance to agencies and CSPs to assist with a framework for collaboration when managing Agency ATOs. |
|
11/24/2017 |
| Key Agency Documents | Agency Guide for Reuse of FedRAMP Authorizations | This document is specific to Federal Departments and Agencies and provides guidance and the understanding required to authorize an Agency’s application when reusing a FedRAMP-compliant cloud service. |
|
12/7/2017 |
| Key Agency Documents | Reusing Authorizations for Cloud Products Quick Guide | This quick guide outlines steps and guidance to help agencies quickly and efficiently reuse authorized cloud products within the FedRAMP Marketplace. |
|
5/7/2020 |
| Key Agency Documents | Acquisition FAQS | FAQ resource, developed in conjunction with OMB, that agencies can reference when developing their solicitations. |
|
9/26/2017 |
| Key Agency Documents | Control Specific Clauses | FedRAMP security control baselines specify control parameter requirements and organizational parameters specific to the provider’s control implementation. Since certain controls may be required to govern Agency user interaction, control organizational parameters may need to be included in the task order and specified. The FedRAMP PMO suggests that agencies review the FedRAMP security control baseline, and that agencies do not contractually specify parameters for controls in the FedRAMP baseline, except from the perspective of a consumer’s implementation of a control. |
|
12/8/2017 |
| Key Assessor Documents | 3PAO JAB P-ATO Roles and Responsibilities | This document provides an overview of a 3PAO’s roles and responsibilities in the JAB P-ATO Process. |
|
5/18/2017 |
| Key Assessor Documents | 3PAO Obligations and Performance Guide | This document provides guidance for 3PAOs on demonstrating the quality, independence, and FedRAMP knowledge required as they perform security assessments on cloud systems. |
|
9/1/2020 |
| Key Assessor Documents | 3PAO Readiness Assessment Report Guide | This document provides 3PAOs with guidance on how best to utilize the Readiness Assessment Report (RAR). It provides a shared understanding of the RAR’s intent, process, and best practices in service of improving the likelihood of 3PAOs successfully completing the RAR. |
|
6/6/2017 |