fedramp

# FedRAMP Certification Skill

A comprehensive guide for helping users navigate FedRAMP authorization — from initial
readiness through ATO and ongoing continuous monitoring.

## Quick Reference: What Does the User Need?

Identify the user's goal and jump to the appropriate section:

| User Goal | Go To |
|---|---|
| "Are we ready for FedRAMP?" / gap assessment | → [Readiness & Gap Assessment](#1-readiness--gap-assessment) |
| Writing SSP, POA&M, SAR, SAP, or other docs | → [ATO Documentation](#2-ato-documentation) |
| "Which controls apply to us?" / control mapping | → [NIST 800-53 Control Mapping](#3-nist-800-53-control-mapping) |
| Cloud architecture / AWS/Azure/GCP config | → [Architecture Guidance](#4-architecture-guidance) |
| Already authorized, ongoing compliance | → [Continuous Monitoring](#5-continuous-monitoring) |

---

## Current FedRAMP State (as of 2025–2026)

- **Baseline**: NIST SP 800-53 **Rev 5** (approved May 2023, fully in effect)
- **Control counts** (Rev 5): Low = ~156, Moderate = 323, High = 421
- **OSCAL mandate**: RFC-0024 requires all CSPs to transition to machine-readable OSCAL packages by **September 2026**
- **Security Inbox**: As of January 5, 2026, all authorized CSPs must maintain a dedicated Security Inbox for urgent vulnerability directives (no CAPTCHAs or barriers)
- **FedRAMP 20x**: A modernization initiative in progress; introduces continuous authorization and modular/API-driven submissions. Traditional SSP/SAP/SAR templates remain required for non-20x paths.
- **Key templates updated**: SSP, SAR, SAP, POA&M, CIS/CRM, IIW, ISCP — all updated to align with Rev 5 (Dec 2024 releases)

---

## 1. Readiness & Gap Assessment

### Approach
1. **Clarify scope** — Ask the user: What is the CSO (Cloud Service Offering)? IaaS/PaaS/SaaS? Target impact level?
2. **Identify authorization path** — Agency Authorization (sponsor needed) vs. JAB P-ATO (Joint Authorization Board — effectively suspended since 2024; verify current status with FedRAMP PMO) vs. FedRAMP 20x pilot
3. **Run through the readiness checklist** — See `references/readiness-checklist.md`
4. **Surface gaps** — Map current state to required controls; flag missing documentation, unimplemented controls, and architectural deficiencies
5. **Prioritize** — Group gaps by: (a) blockers for readiness review, (b) items addressable before 3PAO assessment, (c) POA&M candidates

### Key Readiness Questions to Ask the User
- What cloud platform (AWS GovCloud, Azure Government, GCP, on-prem hybrid)?
- Are you leveraging any existing FedRAMP-authorized IaaS/PaaS (e.g., AWS GovCloud FedRAMP High)?
- Do you have FIPS 140-2/3 validated encryption in place?
- Is your authorization boundary defined and documented?
- Do you have a vulnerability scanning program (OS, DB, web app, container)?
- Are security policies and procedures documented?
- Do you have an Incident Response Plan (IRP) and Contingency Plan (CP) that have been tested?

### Output Format
- Produce a **gap table**: Control Family | Current State | Gap | Priority | Owner
- Summarize top 5–10 high-priority gaps as prose
- Recommend whether to pursue Readiness Assessment Report (RAR) first

---

## 2. ATO Documentation

The core FedRAMP authorization package consists of:

```
Authorization Package
├── System Security Plan (SSP) + Appendices A–Q
├── Security Assessment Plan (SAP) + Appendices A–D  [3PAO-prepared]
├── Security Assessment Report (SAR) + Appendices A–F  [3PAO-prepared]
└── Plan of Action & Milestones (POA&M)  [SSP Appendix O]
```

> **Important**: CSPs must use official FedRAMP PMO templates. Reviewers are trained on
> standardized formats; non-standard submissions risk rejection or delays.
> Templates: https://www.fedramp.gov/rev5/documents-templates/

### Document Guidance

For detailed guidance on each document type, read the appropriate reference file:

- **SSP** → `references/ssp-guide.md`
- **POA&M** → `references/poam-guide.md`
- **SAP / SAR** → `references/sap-sar-guide.md`
- **Supporting appendices** → `references/appendices-guide.md`

### General Writing Principles for All ATO Docs
1. **Describe only what is implemented** — Do not document planned or aspirational controls; these trigger findings and must go in POA&M instead
2. **Be specific** — Reference exact tools, filenames, section numbers, policy names; vague language causes findings
3. **Mind the verbs** — Each control requirement uses specific verbs (track, document, enforce, test). Address each verb explicitly
4. **Shared responsibility** — For any customer-configurable or shared control, create a clear "Customer Responsibility" section
5. **Keep it consistent** — Architecture diagrams, data flows, inventory, and control statements must all be internally consistent

---

## 3. NIST 800-53 Control Mapping

### Control Families (Rev 5)

| ID | Family | Notes |
|---|---|---|
| AC | Access Control | IAM, RBAC, least privilege, remote access |
| AT | Awareness & Training | Security + **privacy** training (new in Rev 5) |
| AU | Audit & Accountability | Log retention, SIEM, audit review |
| CA | Assessment, Authorization & Monitoring | ConMon, 3PAO, ATO |
| CM | Configuration Management | Baselines, change control, CMDB |
| CP | Contingency Planning | BCP/DR, tested annually |
| IA | Identification & Authentication | MFA, PIV, FIPS 140-2/3 crypto |
| IR | Incident Response | IRP, tested annually, reporting SLAs |
| MA | Maintenance | Remote maintenance controls |
| MP | Media Protection | Data at rest, media sanitization |
| PE | Physical & Environmental | Datacenters; often inherited from IaaS |
| PL | Planning | SSP, rules of behavior |
| PM | Program Management | Enterprise-level security program |
| PS | Personnel Security | Screening, termination procedures |
| PT | PII Processing & Transparency | **New family in Rev 5** — privacy controls |
| RA | Risk Assessment | Vulnerability scanning, MITRE ATT&CK scoring |
| SA | System & Services Acquisition | SDLC, supply chain |
| SC | Sy