Guidance Template Word
Zina Perko
The FedRAMP POA&M Template provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts. This template is intended to be used as a tracking tool for risk mitigation in accordance with CSP priorities.
This CSP Authorization Playbook provides an overview of all of the partners involved in a FedRAMP authorization, things to consider when determining your authorization strategy, the types of authorizations, and important considerations for your offering when working with FedRAMP.
The FedRAMP Annual Assessment Guidance provides guidance to assist CSPs, 3PAOs, and Federal Agencies in determining the scope of an annual assessment based on NIST SP 800-53, revision 4, FedRAMP baseline security requirements, and FedRAMP continuous monitoring requirements.
The FedRAMP High, Moderate, Low, LI-SaaS Baseline SSP Template provides the framework to describe the system, the service offering components and features, and its security posture in the relevant diagrams, tables, and security controls of the High, Moderate, Low, or LI-SaaS impact cloud system.
The purpose of this document is to describe the general document acceptance criteria for FedRAMP to both writers and reviewers. This acceptance criterion applies to all documents FedRAMP reviews that do not have special checklists or acceptance criteria predefined for them.
This document replaces the P-ATO Management and Revocation Guide and explains the actions FedRAMP will take when a CSP fails to maintain an adequate risk management program. It lays out the escalation processes and procedures as well as minimum mandatory escalation actions FedRAMP will take when a CSP fails to meet the requirements of the P-ATO. It also specifically addresses FedRAMP P-ATOs maintained by the JAB and enables FedRAMP to provide effective oversight of the CSP Continuous Monitoring programs.
The SSP Appendix J CIS and CRM Workbook template delineates the control responsibilities of CSPs and Federal Agencies and provides a summary of all required controls and enhancements across the system. The template provides the necessary workbooks for High, Moderate, Low, or LI-SaaS impact cloud systems.
The SSP Appendix Q Cryptographic Modules Table template documents the encryption status of all areas/flows of all data, to include: data at rest, data in transit across the boundary, data in transit within the boundary, remote access mechanisms (e.g., IPSec VPN), key management, key generation, underlying system config (e.g., running in FIPS mode), authentication, and digital signatures.
The FedRAMP Moderate Security Test Case Procedures Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.
The FedRAMP Low Security Test Case Procedures Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.
The FedRAMP High Security Test Case Procedures Template provides a standard risk and controls template for assessing baseline controls and helps to drive consistency in 3PAO annual assessment testing. 3PAOs use this workbook to test selected baseline controls per required test procedures and document any control deficiencies and findings.
The FedRAMP SAP Template is intended for 3PAOs to plan CSP security assessment testing. Once completed, this template constitutes as a plan for testing security controls. This SAP template is used to document the assessment plan associated with Initial Assessments, Annual Assessments, and Significant Change Requests.
This checklist details the documents required for a complete FedRAMP initial authorization package. CSPs must submit this checklist along with their authorization package so that the FedRAMP PMO can verify their package is complete prior to conducting reviews.
This document provides guidelines on the use of the FedRAMP name, logo, and marks on all FedRAMP marketing and collateral materials. General guidelines are provided first, followed by more specific guidelines for the two major uses of FedRAMP marks: Designation of FedRAMP 3PAO accreditation and FedRAMP Security Authorization.
This white paper is to help our stakeholders understand FedRAMP subnetworks (subnets) requirements. The paper covers what are subnets, why do they matter, and actions cloud service providers (CSPs) should take to ensure compliance.
This white paper describes the methodology behind which security controls and capabilities are most effective to protect, detect, and respond to current prevalent threats. The paper outlines the threat-based scoring approach and its potential applications.
This document supports the Incident Communication Procedure for FedRAMP. This Incident Communication Procedure outlines the measures to consider so all parties effectively communicate during a security incident incurred by a FedRAMP authorized CSP.
The purpose of this document is to outline the criteria by which CSPs are prioritized to work with the JAB toward a P-ATO, the JAB prioritization process, and the Business Case requirements for FedRAMP Connect. We ask that CSPs review this document in its entirety before beginning the FedRAMP Connect process.
This document was developed to capture the type(s) of system changes requested and the supporting details surrounding requested system changes, including FIPS 199. It can be used to request a significant change within an existing ATO.
This document defines the FedRAMP policies and procedures for making significant changes. It provides requirements, guidance, and actions the FedRAMP PMO, AO, CSP, and 3PAO will take when a CSP wishes to make a significant change to its provisionally authorized cloud service.
This document provides CSPs with a framework to create and deploy an automated, CVSS-based vulnerability risk adjustment tool for vulnerabilities identified by vulnerability scanning tools. The document is in DRAFT form while FedRAMP pilots this process with CSPs over the next year or so.
This form provides the JAB reviewers and PMO with an executive summary of the monthly continuous monitoring submission from a CSP. It should detail all files that should be reviewed with that submission. It should be filled out and submitted with every monthly continuous monitoring submission by the CSP or their 3PAO.
This memorandum: 1) establishes Federal policy for the protection of Federal information in cloud services; 2) describes the key components of FedRAMP and its operational capabilities; 3) defines Executive department and Agency responsibilities in developing, implementing, operating, and maintaining FedRAMP; and 4) defines the requirements for Executive departments and Agencies using FedRAMP in the acquisition of cloud services.
The systematic allergen nomenclature of the World Health Organization/International Union of Immunological Societies (WHO/IUIS) Allergen Nomenclature Sub-committee should be used for manuscripts that include the description or use of allergenic proteins. For manuscripts describing new allergens, the systematic name of the allergen should be approved by the WHO/IUIS Allergen Nomenclature Sub-Committee prior to manuscript publication. Examples of the systematic allergen nomenclature can be found at the WHO/IUIS Allergen Nomenclature site.
Titles should be written in sentence case (only the first word of the text, proper nouns, and genus names are capitalized). Avoid specialist abbreviations if possible. For clinical trials, systematic reviews, or meta-analyses, the subtitle should include the study design.
If an author has multiple affiliations, enter all affiliations on the title page only. In the submission system, enter only the preferred or primary affiliation. Author affiliations will be listed in the typeset PDF article in the same order that authors are listed in the submission.
If a manuscript is submitted on behalf of a consortium or group, include its name in the manuscript byline. Do not add it to the author list in the submission system. You may include the full list of members in the Acknowledgments or in a supporting information file.
Contributions will be published with the final article, and they should accurately reflect contributions to the work. The submitting author is responsible for completing this information at submission, and we expect that all authors will have reviewed, discussed, and agreed to their individual contributions ahead of this time.
The Materials and Methods section should provide enough detail to allow suitably skilled investigators to fully replicate your study. Specific information and/or protocols for new methods should be included in detail. If materials, methods, and protocols are well established, authors may cite articles where those protocols are described in detail, but the submission should include sufficient information to be understood independent of these references.
Authors should explain how the results relate to the hypothesis presented as the basis of the study and provide a succinct explanation of the implications of the findings, particularly in relation to previous related studies and potential future directions for research.
PLOS ONE editorial decisions do not rely on perceived significance or impact, so authors should avoid overstating their conclusions. See the PLOS ONE Criteria for Publication for more information.
Authors can submit essential supporting files and multimedia files along with their manuscripts. All supporting information will be subject to peer review. All file types can be submitted, but files must be smaller than 20 MB in size.
c80f0f1006