
Standard Operating Procedures & Checklists

Below is a list of the primary standard operating procedures (SOPs) the FedRAMP Program Management Office (PMO) uses to review and approve P-ATO, Agency ATO, and CSP Supplied packages. To increase understanding of FedRAMP’s requirements and compliance standards, these SOPs are provided to give transparency into FedRAMP’s evaluation processes and procedures. As with many organizations, the FedRAMP PMO is constantly engaged in process improvement, and the SOPs below will continue to change and evolve. These files are subject to change without notice.

FedRAMP Standard Operating Procedures

This document outlines the process and procedures taken by the FedRAMP PMO to complete an Initial Review. The Initial Review determines if the Authorization Package documents are complete, free of “showstoppers”, and readable (clear, concise, and consistent). Showstoppers are missing, incomplete, or weak critical security controls that must be addressed before the documents can continue through the FedRAMP review process. Initial Reviews also include a high-level security compliance review.
Updated: 8/27/2015

This document outlines the process and procedures taken by the FedRAMP PMO to complete a Detailed Review. Detailed Reviews determine whether the CSP is in compliance with the Information Technology (IT) security requirements defined by the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, and FedRAMP. The Detailed Review determines if the Authorization Package documentation demonstrates the CSP’s implementation of security controls.
Updated: 8/27/2015

This document describes the Review and Approve (R&A) process for Authorization Packages for the Federal Risk and Authorization Management Program (FedRAMP) from the first contact by an Applicant (Cloud Service Provider [CSP] or Agency) through posting of the Authorization Package in the FedRAMP Secure Repository. This document serves as a framework for development and integration of a series of subsidiary SOPs.
Updated: 8/27/2015

This diagram visually explains the Review and Approve (R&A) process for Authorization Packages for the Federal Risk and Authorization Management Program (FedRAMP) from the first contact by an Applicant (Cloud Service Provider [CSP] or Agency) through posting of the Authorization Package in the FedRAMP Secure Repository.
Updated: 8/12/2015

Initial Review Checklists

This document displays the results of a Cloud Service Provider’s (CSP) Initial Review.
Updated: 8/7/2015

This checklist details the requirements of the System Security Plan (SSP) for the Initial Review.
Updated: 8/7/2015

This checklist details the requirements of the Security Assessment Report (SAR) for the Initial Review.
Updated: 11/16/2015

This checklist details the requirements of the Security Assessment Plan (SAP) for the Initial Review.
Updated: 8/7/2015

This checklist details the requirements of the Plan of Action and Milestones (POA&M) for the Initial Review.
Updated: 8/7/2015

This checklist details the readability requirements for the Initial Review.
Updated: 8/7/2015

Detailed Review Checklists

This checklist details the requirements of the Control Implementation Summary (CIS) for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the Configuration Management (CM) Plan for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the Continuous Monitoring Plan for the Detailed Review.
Updated: 11/20/2015

This checklist details the e-Authentication requirements for the Detailed Review.
Updated: 11/20/2015

This checklist details the Incident Response (IR) requirements for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the IT Contingency Plan for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the Plan of Action & Milestones (POA&M) for the Detailed Review.
Updated: 11/20/2015

This checklist details the PTA-PIA requirements for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the Rules of Behavior (ROB) for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the System Assessment Plan (SAP) for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the Security Assessment Report (SAR) for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the Security Policies & Procedures (P&P) for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the System Security Plan (SSP) for the Detailed Review.
Updated: 11/20/2015

This checklist details the requirements of the User Guide for the Detailed Review.
Updated: 11/20/2015