Need FedRAMP Help?

Get started on your FedRAMP Journey
Contact Us for Readiness and Compliance services


Learn More

FedRAMP Documentation

When moving in the direction of FedRAMP compliance, all applicants must use specific templates whether or not the CSP intends to pursue a JAB Provisional Authorization; private clouds must also use FedRAMP templates.  Cloud systems that have ATOs are required to migrate existing security package documents to the FedRAMP templates.  Templates for all documents are available under the Knowledge Center.

The following FedRAMP supplied templates are mandatory:

  • Control Tailoring Workbook (CTW)
  • Control Information Summary (CIS)
  • System Security Plan (SSP)
  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)

Agencies may use their own templates for the other documents, as long as the agency templates contain the same information as that exists in the FedRAMP templates.

A summary of the templates that are available on the FedRAMP website are listed below:


Template Name FedRAMP Template Available ? FedRAMP Supplied Template Required ?
Control Tailoring Workbook Yes Yes
Control Information Summary Yes Yes
FIPS 199 Template Yes Yes
eAuthentication Template Yes No
System Security Plan Yes Yes
Rules of Behavior Yes No
Configuration Management Plan No No
Information System Security Policies No No
IT Contingency Plan Yes No
Incident Response Plan No No
Privacy Threshold Assessment / Impact Assessment Yes No
Security Assessment Plan Yes Yes
Security Assessment Report Yes Yes
Plan of Action & Milestones Yes No

Quzara’s Policy and Procedure team understands the art behind the long and complex process of documenting and developing a System Security Plan (SSP) as well as assisting in creating any documentation required to establish the system boundary through walkthroughs and review sessions with control owners and SMEs.  We calibrate documentation to the appropriate level of detail required for key controls while understanding and tailoring it to what 3PAOs and Agencies look for in testing controls and implementation details.

Outside of core FedRAMP artifacts, we can support you with the process of properly documenting implementations of controls, system inventories, Key Security Policies and Procedure, Key Processes Security Control Documentation, Technical Diagrams and Process Flows.