Need FedRAMP Help?

Get started on your FedRAMP Journey
Contact Us for Readiness and Compliance services

1.800.218.8528

Learn More

Documentation

Program Overview Documents

Document Download Updated

This document provides helpful hints and guidance to make it easier to understand FedRAMP’s requirements. The primary purpose of this document is to act as an aid for Cloud Service Providers and Third-Party Assessment Organizations (3PAOs) to get through the security assessment process quickly.

 46px-MS_word_DOC_icon.svg  6/6/2014
This document describes a general Security Assessment Framework (SAF) for the Federal Risk and Authorization Management Program (FedRAMP).  This document details the security assessment process CSPs must use to achieve compliance with FedRAMP.  This document is intended for Cloud Service Providers (CSPs), Independent Assessors (3PAOs), government agencies and contractors working on FedRAMP projects, and any outside organizations that want to use or understand the FedRAMP assessment process.
 12/4/2015
The FedRAMP readiness process is used to determine a CSP’s eligibility for the Joint Authorization Board (JAB) Process Provisional Authorization process.
PowerPoint-icon  8/1/2014
The purpose of this document is to describe the general document acceptance criteria for the Federal Risk and Authorization Management Program (FedRAMP) to both writers and reviewers. This acceptance criterion applies to all documents FedRAMP reviews that do not have special checklists or acceptance criteria predefined for them.
Adobe-PDF-Document-icon  7/30/2015
This document is a master list of FedRAMP acronyms.
Adobe-PDF-Document-icon  9/10/2015

Program Strategy

Document Download Updated

FedRAMP developed “FedRAMP Forward: Two Year Priorities” to share key objectives, continue to expand and enhance the program effectively, and address key program issues critical to continued success.

 Adobe-PDF-Document-icon  12/17/2014

This memorandum:

  • Establishes Federal policy for the protection of Federal information in cloud services;
  • Describes the key components of FedRAMP and its operational capabilities;
  • Defines Executive department and agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and
  • Defines the requirements for Executive departments and agencies using FedRAMP in the acquisition of cloud services.
 Adobe-PDF-Document-icon  12/8/2011
The purpose of this Charter is to define the authority, objectives, membership, roles and responsibilities, meeting schedule, decision making requirements, and establishment of committees for the Federal Risk and Authorization Management Program (FedRAMP) Joint Authorization Board (JAB) in accordance with OMB Memo “Security Authorizations of Information Systems in Cloud Computing Environments.”
 Adobe-PDF-Document-icon  2/28/2012

This document provides guidelines on the use of the FedRAMP name, logo, and marks on all FedRAMP marketing and collateral materials. General guidelines are provided first, followed by more specific guidelines for the two major uses of FedRAMP marks:

  • Designation of FedRAMP 3PAO accreditation
  • FedRAMP Security Authorization
 Adobe-PDF-Document-icon  12/17/2014

Key Cloud Service Provider (CSP) Documents

Document Download Updated

This document provides a listing of the FedRAMP low and moderate baseline security controls along with additional guidance and requirements.

 table_excel 6/6/2014

This document provides a preface for the FedRAMP Security Controls

Adobe-PDF-Document-icon 6/6/2014
This document details FedRAMP control requirements as detailed in the FedRAMP SSP.
 Adobe-PDF-Document-icon  6/6/2014

This guide describes the FedRAMP strategy for CSPs to use once they have received a FedRAMP Provisional Authorization. CSPs must continuously monitor their cloud service offering to detect changes in the security posture of the system to enable well-informed risk-based decision making. This guide instructs CSPs on the FedRAMP strategy to continuously monitor their systems.

 46px-MS_word_DOC_icon.svg 6/6/2014

This document supports the Incident Communication Procedure for the Federal Risk and Authorization Management Program (FedRAMP). This Incident Communication Procedure outlines the measures to consider in order for all parties to effectively communicate during a security incident incurred by a FedRAMP authorized cloud service provider. The measures described herein include how the FedRAMP Information System Security Officer (ISSO) manages the incident communication process, and identifies who the Cloud Service Providers and federal departments and agencies should call to report an incident, when to contact the United States Computer Emergency Readiness Team (US-CERT) for assistance, and how to ensure that all incidents are communicated to the stakeholders.

 46px-MS_word_DOC_icon.svg 4/8/2013

The FedRAMP Joint Authorization Board updated the FedRAMP security controls baseline to align with the updated NIST SP 800-53 security controls as revised in Revision 4. The FedRAMP program management office (PMO) updated the FedRAMP security control baseline documentation and templates to reflect these changes.

This document provides guidance for Cloud Security Providers (CSPs) and Federal agencies that are currently part of the FedRAMP program, as well as those who are considering entry into the program.

  9/22/2015

This guide describes the requirements for all vulnerability scans of FedRAMP cloud service
provider’s (CSP) systems for Joint Authorization Board (JAB) Provisional Authorizations (PATOs).

6/3/2015

The purpose of this document is to provide guidelines for organizations on planning and conducting Penetration Testing and analyzing and reporting on findings. A Penetration Test is a proactive and authorized exercise to evaluate the security of an IT system. The main objective of a Penetration Test is to determine exploitable security weaknesses in an information system. These vulnerabilities may include service and application flaws, improper configurations, and risky end-user behavior. A Penetration Test may also evaluate an organization’s security policy compliance, its employees’ security awareness, and the organization’s ability to identify and respond to security incidents.

  6/30/2015

This document explains the actions FedRAMP will take when a Cloud Service Provider (CSP) fails to maintain an adequate risk management program.

The document lays out the escalation processes and procedures as well as minimum mandatory escalation actions FedRAMP will take when a CSP fails to adhere to the requirements of the P-ATO.

 Adobe-PDF-Document-icon  7/29/2015

Key Agency Documents

Document Download Updated

Form that must be completed to gain access to a FedRAMP security assessment package.

Adobe-PDF-Document-icon  9/22/2015

This document provides guidance to agencies and CSPs to assist with a framework for collaboration when managing Agency ATOs.

Adobe-PDF-Document-icon  8/6/2015
This FedRAMP Agency Authorization to Operate (ATO) guide is specific to U.S. Federal Departments and Agencies and provides guidance and the understanding required to authorize an agency’s application when reusing a FedRAMP-compliant cloud service provider. By reusing existing FedRAMP packages, agencies can reap significant financial savings and can implement new systems quickly and securely.
Adobe-PDF-Document-icon  8/5/2015

Quick guide / checklist on what’s included with an Agency ATO submission.

PowerPoint-icon  9/22/2015

FedRAMP has developed a security contract clause template to assist federal agencies in procuring cloud-based services. This template should be reviewed by a Federal agency’s Office of General Counsel (OGC) to ensure it meets all agency requirements, and then incorporated into the security assessment section of a solicitation. The clauses cover FedRAMP requirements for areas like the security assessment process and related ongoing assessment and authorization. The template also provides basic security requirements identifying Cloud Service Provider responsibilities for privacy and security, protection of government data, personnel background screening and security deliverables with associated frequencies.
The FedRAMP process discretely identifies some security control implementations as either the consumer’s responsibility to implement or as a shared responsibility between provider and consumer. Consumer responsibility controls are incumbent upon the agency to implement and agencies are advised to consider security responsibilities in their program planning. Federal agencies must still make a risk-based decision about the applicability of storing and using Federal data in an information system. Ultimately, the security clauses are templates; they should be reviewed against mission requirements and tailored if agency policy warrants modification.

Adobe-PDF-Document-icon  6/27/2012

FedRAMP security control baselines specify control parameter requirements and organizational parameters specific to the provider’s control implementation. Since certain controls may be required to govern agency user interaction, control organizational parameters may need to be included in the task order and specified. The FedRAMP office suggests that agencies review the FedRAMP security control baseline, and that agencies do not contractually specify parameters for controls in the FedRAMP baseline, except from the perspective of a consumer’s implementation of a control.

 46px-MS_word_DOC_icon.svg  6/6/2014

This paper provides Federal agencies specific guidance in effectively implementing the “Cloud First” policy and moving forward with the “Federal Cloud Computing Strategy” by focusing on ways to more effectively procure cloud services within existing regulations and laws.

 Adobe-PDF-Document-icon  2/24/2012

This document outlines the process for Federal agencies to validate FedRAMP compliance of all cloud systems.

   5/21/2015

Key Third-Party Assessment Organization (3PAO) Documents

Document Download Updated

The Federal Risk and Authorization Management Program (FedRAMP) created a conformity assessment process to accredit Third-Party Assessment Organizations (3PAOs) to ensure that 3PAOs meet quality, independence, and knowledge requirements necessary to perform the independent security assessments required for FedRAMP. To maintain accreditation, 3PAOs must continue to demonstrate quality, independence, and FedRAMP knowledge as they perform security assessments on cloud systems.

 Adobe-PDF-Document-icon  7/29/2015