Templates

The templates below are organized according to the four phases of the Security Assessment Framework.

Document Phase

This document supports Information Technology (IT) Contingency Plan requirements for the Federal Risk and Authorization Management Program (FedRAMP). An IT Contingency Plan denotes interim measures to recover IT services following an unprecedented emergency or system disruption. Interim measures include the relocation of IT systems and services to an alternate site or the recovery of IT functions using alternate equipment at the primary site.
Updated: 6/6/2014

This document provides a sample format for preparing the Control Implementation Summary (CIS) Report for the CSP information system. The CSP may modify the format as necessary to comply with its internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements.
Updated: 6/6/2014

This Electronic Authentication template provides an overview of the authentication level for the CSP system in accordance with OMB Memo M-04-04.
Updated: 9/19/2013

The Federal Information Processing Standard 199 (FIPS-199) Categorization (Security Categorization) report is a key document in the security authorization package developed for submission to the Federal Risk and Authorization Management Program (FedRAMP) authorizing officials. The FIPS-199 Categorization report includes the determination of the security impact level for the cloud environment that may host any or all of the service models (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)). The ultimate goal of the security categorization is for the cloud service provider (CSP) to be able to select and implement the FedRAMP security controls applicable to its environment.
Updated: 5/2/2012

This document is intended to be used by Cloud Service Providers (CSPs) for assessing privacy concerns. Personally Identifiable Information (PII), as defined in OMB Memo M-07-16, refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. A CSP performs a Privacy Threshold Analysis annually to determine if PII is collected by any of the system components. A CSP conducts a Privacy Impact Assessment (PIA) to analyze each system component to determine if any components collect PII, the type of PII collected, and the functions that collect it.
Updated: 1/14/2016

Rules of Behavior describe security controls associated with user responsibilities and certain expectations of behavior for following security policies, standards, and procedures. Security control PL-4 requires Cloud Service Providers to implement Rules of Behavior. It is often the case that different Rules of Behavior apply to internal and external users. Internal users are employees of your organization, including contractors. External users are anyone who has access to a system that you own and who is not one of your employees or contractors. External users might be customers or partners, or customer prospects that have been issued demo accounts.
Updated: 5/2/2012

This document details a cloud system's security controls. The plan (template) is written in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Information Technology Systems. Completion of this System Security Plan (SSP), which describes how U.S. federal information will be safeguarded, is a requirement of the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Public Law 100-235, the Computer Security Act of 1987.
Updated: 6/6/2014

Assess Phase

This document, released originally in template format, is designed for CSP Third-Party Independent Assessors (3PAOs) to use for planning security testing of CSPs. Once filled out, this document constitutes a plan for testing. Actual findings from the tests are recorded in FedRAMP security test procedure workbooks and a Security Assessment Report (SAR).
Updated: 6/6/2014

The workbook provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in the annual assessment testing performed by Third Party Assessor Organizations (3PAOs). 3PAOs use this workbook to test selected baseline controls per the required test procedures and to document any control deficiencies and findings.
Updated: 9/18/2015

This Electronic Authentication template provides an overview of the authentication level for the CSP system in accordance with OMB Memo M-04-04.
Updated: 1/14/2016

Authorize Phase

The purpose of the Plan of Action and Milestones (POA&M) is to facilitate a disciplined and structured approach to mitigating risks in accordance with Cloud Service Providers' (CSPs') priorities. POA&Ms are based on the findings and recommendations of the security assessment report, excluding any remediation actions already taken. CSP POA&Ms are based on: (i) the security categorization of the cloud information system; (ii) the specific weaknesses or deficiencies in deployed security controls; (iii) the importance of the identified security control weaknesses or deficiencies; and (iv) the CSP's proposed risk mitigation approach to address the identified weaknesses or deficiencies in the security controls (e.g., prioritization of risk mitigation actions, allocation of risk mitigation resources). The POA&M identifies: (i) the tasks to be accomplished, with a recommendation for completion either before or after information system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meeting the tasks; and (iv) the scheduled completion dates for the milestones.
Updated: 9/10/2015

The POA&M document is a key document in the security authorization package. It describes the specific tasks the CSP has planned to correct any weaknesses or deficiencies in the security controls noted during the assessment and to address the residual vulnerabilities in the information system.
Updated: 9/3/2015

The purpose of this document is to provide the system owner and the cloud service provider (CSP) a security assessment of a cloud system that evaluates the system's implementation of, and compliance with, the FedRAMP baseline security controls. The implementation of security controls is described in the System Security Plan and is required by FedRAMP to meet the Federal Information Security Management Act (FISMA) compliance mandate.
Updated: 6/6/2014

This is a template Authority to Operate (ATO) letter that agencies can use when granting authorizations for CSPs that meet the FedRAMP requirements.

Monitor Phase

This document template is developed for Third-Party Independent Assessors (3PAOs) to report annual security assessment findings for Cloud Service Providers (CSPs). 3PAOs should edit this template to create a Security Assessment Report (SAR).
Updated: 6/6/2014

This document describes the Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Plan (SAP) for a cloud system's annual assessment. It has been designed for CSP Third-Party Independent Assessors (3PAOs) to use for planning security testing of CSPs during the annual assessment. Once filled out, this document constitutes a plan for testing. Actual findings from the tests are to be recorded in FedRAMP security test procedure workbooks and a Security Assessment Report (SAR) for annual testing.
Updated: 6/6/2014

Template to capture an assessment of significant system changes to a cloud system after the granting of a Joint Authorization Board Provisional Authorization.
Updated: 11/15/2012