FedRAMP Certification Skill
A comprehensive guide for helping users navigate FedRAMP authorization — from initial readiness through ATO and ongoing continuous monitoring.
Quick Reference: What Does the User Need?
Identify the user's goal and jump to the appropriate section:
| User Goal | Go To |
|---|---|
| "Are we ready for FedRAMP?" / gap assessment | → Readiness & Gap Assessment |
| Writing SSP, POA&M, SAR, SAP, or other docs | → ATO Documentation |
| "Which controls apply to us?" / control mapping | → NIST 800-53 Control Mapping |
| Cloud architecture / AWS/Azure/GCP config | → Architecture Guidance |
| Already authorized, ongoing compliance | → Continuous Monitoring |
Current FedRAMP State (as of 2025–2026)
- Baseline: NIST SP 800-53 Rev 5 (approved May 2023, fully in effect)
- Control counts (Rev 5): Low = ~156, Moderate = 323, High = 421
- OSCAL mandate: RFC-0024 requires all CSPs to transition to machine-readable OSCAL packages by September 2026
- Security Inbox: As of January 5, 2026, all authorized CSPs must maintain a dedicated Security Inbox for urgent vulnerability directives (no CAPTCHAs or barriers)
- FedRAMP 20x: A modernization initiative in progress; introduces continuous authorization and modular/API-driven submissions. Traditional SSP/SAP/SAR templates remain required for non-20x paths.
- Key templates updated: SSP, SAR, SAP, POA&M, CIS/CRM, IIW, ISCP — all updated to align with Rev 5 (Dec 2024 releases)
1. Readiness & Gap Assessment
Approach
- Clarify scope — Ask the user: What is the CSO (Cloud Service Offering)? IaaS/PaaS/SaaS? Target impact level?
- Identify authorization path — Agency Authorization (sponsor needed) vs. JAB P-ATO (Joint Authorization Board — effectively suspended since 2024; verify current status with FedRAMP PMO) vs. FedRAMP 20x pilot
- Run through the readiness checklist — See references/readiness-checklist.md
- Surface gaps — Map current state to required controls; flag missing documentation, unimplemented controls, and architectural deficiencies
- Prioritize — Group gaps by: (a) blockers for readiness review, (b) items addressable before 3PAO assessment, (c) POA&M candidates
Key Readiness Questions to Ask the User
- What cloud platform (AWS GovCloud, Azure Government, GCP, on-prem hybrid)?
- Are you leveraging any existing FedRAMP-authorized IaaS/PaaS (e.g., AWS GovCloud FedRAMP High)?
- Do you have FIPS 140-2/3 validated encryption in place?
- Is your authorization boundary defined and documented?
- Do you have a vulnerability scanning program (OS, DB, web app, container)?
- Are security policies and procedures documented?
- Do you have an Incident Response Plan (IRP) and Contingency Plan (CP) that have been tested?
Output Format
- Produce a gap table: Control Family | Current State | Gap | Priority | Owner
- Summarize top 5–10 high-priority gaps as prose
- Recommend whether to pursue Readiness Assessment Report (RAR) first
2. ATO Documentation
The core FedRAMP authorization package consists of:
Authorization Package
├── System Security Plan (SSP) + Appendices A–Q
├── Security Assessment Plan (SAP) + Appendices A–D [3PAO-prepared]
├── Security Assessment Report (SAR) + Appendices A–F [3PAO-prepared]
└── Plan of Action & Milestones (POA&M) [SSP Appendix O]
Important: CSPs must use official FedRAMP PMO templates. Reviewers are trained on standardized formats; non-standard submissions risk rejection or delays. Templates: https://www.fedramp.gov/rev5/documents-templates/
Document Guidance
For detailed guidance on each document type, read the appropriate reference file:
- SSP → references/ssp-guide.md
- POA&M → references/poam-guide.md
- SAP / SAR → references/sap-sar-guide.md
- Supporting appendices → references/appendices-guide.md
General Writing Principles for All ATO Docs
- Describe only what is implemented — Do not document planned or aspirational controls; these trigger findings and must go in POA&M instead
- Be specific — Reference exact tools, filenames, section numbers, policy names; vague language causes findings
- Mind the verbs — Each control requirement uses specific verbs (track, document, enforce, test). Address each verb explicitly
- Shared responsibility — For any customer-configurable or shared control, create a clear "Customer Responsibility" section
- Keep it consistent — Architecture diagrams, data flows, inventory, and control statements must all be internally consistent
3. NIST 800-53 Control Mapping
Control Families (Rev 5)
| ID | Family | Notes |
|---|---|---|
| AC | Access Control | IAM, RBAC, least privilege, remote access |
| AT | Awareness & Training | Security + privacy training (new in Rev 5) |
| AU | Audit & Accountability | Log retention, SIEM, audit review |
| CA | Assessment, Authorization & Monitoring | ConMon, 3PAO, ATO |
| CM | Configuration Management | Baselines, change control, CMDB |
| CP | Contingency Planning | BCP/DR, tested annually |
| IA | Identification & Authentication | MFA, PIV, FIPS 140-2/3 crypto |
| IR | Incident Response | IRP, tested annually, reporting SLAs |
| MA | Maintenance | Remote maintenance controls |
| MP | Media Protection | Data at rest, media sanitization |
| PE | Physical & Environmental | Datacenters; often inherited from IaaS |
| PL | Planning | SSP, rules of behavior |
| PM | Program Management | Enterprise-level security program |
| PS | Personnel Security | Screening, termination procedures |
| PT | PII Processing & Transparency | New family in Rev 5 — privacy controls |
| RA | Risk Assessment | Vulnerability scanning, MITRE ATT&CK scoring |
| SA | System & Services Acquisition | SDLC, supply chain |
| SC | System & Communications Protection | Encryption in transit, network segmentation |
| SI | System & Information Integrity | Patching, malware, integrity monitoring |
| SR | Supply Chain Risk Management | New family in Rev 5 — SCRM |
Impact Level Mapping
When the user describes their system, recommend the impact level:
- LI-SaaS (Low-Impact SaaS): No PII, no sensitive federal data, limited scope — uses a simplified template combining SSP + assessment
- Low: Federal information where loss of CIA has limited adverse effect
- Moderate: Most common — federal information where loss has serious adverse effect; covers the majority of CSPs handling non-classified government data
- High: Federal information where loss has severe or catastrophic effect (e.g., law enforcement, financial, health data)
Mapping Workflow
- Ask: What types of federal data will the system process/store/transmit?
- Run FIPS 199 categorization (Confidentiality / Integrity / Availability × Impact)
- Select baseline (Low/Moderate/High) based on high-water mark
- Cross-reference with FedRAMP parameter requirements (FedRAMP often sets stricter parameters than base NIST)
- For inherited controls, identify which are fully/partially inherited from leveraged FedRAMP IaaS/PaaS and document in CIS/CRM workbook
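The categorization and baseline-selection steps above, as an added worked example that is not part of this guide: it applies the FIPS 199 per-objective maximum and then the system-level high-water mark, and returns the baseline plus the Rev 5 control count quoted in the "Current FedRAMP State" section. The `InfoType` and `categorize` names and the sample information types are constructed for this example; the LI-SaaS flag only checks the Low-plus-no-PII conditions, since "no sensitive federal data" and "limited scope" remain judgement calls.

```python
# Added example (not from the guide): FIPS 199 categorization with the
# high-water mark rule, producing the FedRAMP baseline recommendation.
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
LEVEL_NAMES = {1: "Low", 2: "Moderate", 3: "High"}
# Rev 5 control counts quoted in the guide (Low is approximate, ~156).
BASELINE_CONTROL_COUNTS = {"Low": 156, "Moderate": 323, "High": 421}

@dataclass(frozen=True)
class InfoType:
    """One information type the CSO handles, with provisional C/I/A ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    contains_pii: bool = False

def _level(value: str) -> int:
    try:
        return LEVELS[value.strip().lower()]
    except KeyError:
        raise ValueError(f"impact must be low/moderate/high, got {value!r}") from None

def categorize(info_types: list[InfoType]) -> dict:
    """FIPS 199: take the max per security objective across all information
    types, then the system-level high-water mark across C, I and A."""
    if not info_types:
        raise ValueError("at least one information type is required")
    c = max(_level(t.confidentiality) for t in info_types)
    i = max(_level(t.integrity) for t in info_types)
    a = max(_level(t.availability) for t in info_types)
    hwm = max(c, i, a)
    baseline = LEVEL_NAMES[hwm]
    return {
        "confidentiality": LEVEL_NAMES[c],
        "integrity": LEVEL_NAMES[i],
        "availability": LEVEL_NAMES[a],
        "baseline": baseline,
        "control_count": BASELINE_CONTROL_COUNTS[baseline],
        # LI-SaaS needs Low with no PII; scope and "sensitive data" are judgement calls.
        "li_saas_candidate": hwm == 1 and not any(t.contains_pii for t in info_types),
    }

# Constructed sample: case records drive Moderate C and I; availability stays Low.
SAMPLE = [
    InfoType("case records", "moderate", "moderate", "low", contains_pii=True),
    InfoType("public reference data", "low", "low", "low"),
]
```

Because the high-water mark is taken across objectives, a single Moderate rating on any one objective pulls the whole system to the Moderate baseline even when the other objectives are Low.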
Rev 4 → Rev 5 Key Changes to Highlight
- New control families: PT (Privacy), SR (Supply Chain)
- Password controls revised: no more forced rotation schedules; Rev 5 now requires screening against compromised-password lists and password strength meters (NIST SP 800-63B alignment)
- Privacy integrated: AT-3 now mandates privacy training; many families have privacy-specific enhancements
- Threat-based methodology: MITRE ATT&CK framework now informs control prioritization
- Moved/merged controls: Some Rev 4 controls were merged — don't assume 1:1 mapping
4. Architecture Guidance
Authorization Boundary
The boundary defines what is IN scope for FedRAMP. This is one of