Any cloud service provider (CSP) pursuing FedRAMP compliance must use specific FedRAMP templates, whether or not the CSP intends to pursue a JAB Provisional Authorization; private clouds must use the FedRAMP templates as well. Cloud systems that already hold an ATO are required to migrate their existing security package documents to the FedRAMP templates. Templates for all documents are available in the FedRAMP Knowledge Center.
The following FedRAMP-supplied templates are mandatory (the table below also marks the FIPS 199 template as required):
- Control Tailoring Workbook (CTW)
- Control Information Summary (CIS)
- FIPS 199 Template
- System Security Plan (SSP)
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
For the remaining documents, agencies may use their own templates, as long as those templates contain the same information as the corresponding FedRAMP templates.
A summary of the templates available on the FedRAMP website is given below:
| Template Name | FedRAMP Template Available? | FedRAMP-Supplied Template Required? |
|---|---|---|
| Control Tailoring Workbook | Yes | Yes |
| Control Information Summary | Yes | Yes |
| FIPS 199 Template | Yes | Yes |
| System Security Plan | Yes | Yes |
| Rules of Behavior | Yes | No |
| Configuration Management Plan | No | No |
| Information System Security Policies | No | No |
| IT Contingency Plan | Yes | No |
| Incident Response Plan | No | No |
| Privacy Threshold Assessment / Impact Assessment | Yes | No |
| Security Assessment Plan | Yes | Yes |
| Security Assessment Report | Yes | Yes |
| Plan of Action & Milestones | Yes | No |
Quzara's Policy and Procedure team understands the long and complex process of documenting and developing a System Security Plan (SSP), and assists in creating the documentation required to establish the system boundary through walkthroughs and review sessions with control owners and subject matter experts (SMEs). We calibrate documentation to the level of detail required for key controls, tailoring it to what 3PAOs and agencies look for when testing controls and implementation details.
Beyond the core FedRAMP artifacts, we can support you in properly documenting control implementations, system inventories, key security policies and procedures, security control documentation for key processes, technical diagrams, and process flows.