Purpose

The purpose of this article is to cover basic FedRAMP Controls compliance automation. This documentation can be used for Rev. 4 to Rev. 5 conversion.  Ignyte has released a FedRAMP Rev. 5 specific system within the Platform; see the FedRAMP Solution Rev.5 - Basic Automation article.


Relevant Modules and Features


Basic Setup Information Required to Automate


Customer Information Required to Automate

To get started, you need the following information from your compliance team:

  • FedRAMP System Security Plan
    • Front Matter previously known as System Characterization
    • Control Responses
  • Current FedRAMP Plan of Action & Milestones (POA&M)
  • Boundary Artifacts (Policies, Procedures & Other Evidence)
  • Customer Implementation Summary (CIS)/Customer Responsibility Matrix (CRM)


If you currently have any FedRAMP data in the Platform, start by following Implement NIST RMF (NIST SP 800-53 Rev x) leveraging Ignyte steps on leveraging Ignyte and the skip Basic Automation Steps.


FedRAMP NIST SP 800-53 Revision 4 to Revision 5 Conversion Information

If your organization has not converted from Revision 4 to Revision 5, please contact your account representative. The Ignyte team can aid in accelerating the conversion process leveraging the software. Please find more specific information regarding the transition from the following FedRAMP pages:


Basic Automation Steps

Some of these can be done concurrently with the exception of Step 1. There are no dependencies for Step 2 and forward.


StepsDescription
OneCreate a System - You need to create a system first, and then you can start adding data to that system. Once the system is created, the structure of the selected framework provides the bones to start building your compliance management program and keeps you focused on the requirement.
Two

Upload Existing FedRAMP Data -  The data can be imported or added manually depending on how you are currently doing your compliance management. 


To import data, Options | Edit System | Advanced Configuration is where you need to go. Import instructions can be found here.


To manually enter data, see the Compliance - Requirements article and navigate to the "Working within Requirements to Update Controls" topic.  Using Macro Builder is a great way to automate data point updates when tools and people change in your Control Responses. 


The FedRAMP system also has an ODP (Organizationally Defined Parameter) Editor (Options | ODP Editor) that allows you to update parameters in one location and that value is shown within the Compliance Module of the Platform. This editor contains 200+ control statements from NIST RMF 800-53 that contain parameters that need to be defined to complete the control statement. This feature is similar to the Macro Builder but designed specifically to meet FedRAMP specifications. 


As you are building out your Compliance System you may find issues that require the creation of a Plan of Action & Milestones or POA&M (see step 4 below) and a concurrent activity.

ThreeUpload Artifacts and Policies - The artifacts are managed from within the Compliance System when you see Attach Files buttons or under Artifact Management for the System. First, the System folder is a default folder used to store files and folders to a specific compliance system. Next, the Global folder is a default folder used to store files and folders which are inheritable by other modules, systems of record, and global organization records. Third, the Additional Programs folder is the default folder used to store files and folders from corresponding custom Systems of Record. Finally, the External Files folder is used for gathering external information from external parties through artifact request links.

When you see the Attach Files button, there are two options "Attach Existing Artifacts" or "Upload New Artifacts." See the Compliance - Requirements article and navigate to the "Attach Files" topic.

The Document Management Module (found in the top menu) is organized using folders. There are default folders but you can create new folders that best help your organization's needs. Instruction for Artifact Uploads and Artifact Upload Requests are located in the Document Management article.

NOTE: Artifacts are supporting evidence files that are attached to Compliance controls, a POA&M, or even an asset. These files are local to the System.
In Document Management in the "System" folder you will find a folder for each system you have in your instance and it will contain your artifact files; however, Document Management contains Global files that can be used in any system as well as Custom SOR files, External files, and Vendor Management files if any.
FourReview and Correct POA&Ms - As you are building out your Compliance System you may find issues that require the creation of a Plan of Action & Milestones or POA&M and part of a concurrent activity from Step 2 above. Step Four brings you back to the task of reviewing items that were created to look for any issues and, when an issue is found, correcting the issue or planning the correction of the issue. 
Five

Correcting Statuses, Narratives, and Linking Policies - The best way to correct or update control statuses or add comments is to use the bulk update feature in the Requirement (table view only) feature. Alternatively, you can work on updating controls from the Requirements | Control area and Edit Properties area to update statuses, owner, target assessment frequency, etc. 


This is also the time to link up artifacts associated with the control for ease of reference internally and at audit time. When you see the Attach Files button, there are two options "Attach Existing Artifacts" or "Upload New Artifacts". See the Compliance - Requirements article and navigate to the "Attach Files" topic.



Implement NIST RMF (NIST SP 800-53 Rev x) Leveraging Ignyte:

FedRAMP is based on NIST SP 800-53 Control set. The Ignyte platform adapts to any variant of NIST 800-53 control set. This guide specifically outlines implementation for FedRAMP. If you require advance implementation of NIST 800-53 such as CNNSI-53, CCIs implementation, STIGS, EMASS integration, Test cases and objectives management or Special Access Program (JSIG) implementation - please contact your service representative for specialized instructions. 



 

The biggest lift to initiating and automating your FedRAMP system is getting your Frontmatter data into the Platform. A good portion of the data can be imported but there is data that will need to be manually input or even directly entered into the System Security Plan (SSP).  Some portions of the SSP are supplemental templates, such as Appendix A, that are downloaded from the FedRAMP Resources Documents & Templates page. This documentation is for FedRAMP Rev. 5 templates.

Most of the data used in the Frontmatter is entered from the Systems Options | Characterization screen by enabling the option you want to work on and entering the data. Once the data is saved for an Option it will remain enabled and it can be revised as needed. If the data for the SSP is entered in an alternate location it will be called out in the instructions below.


Characterization Options

Location in the SSP Template & Data Entry Description
System Security PlanThis information displays before the Table of Contents and is used to capture the organization that prepared this Document and the Cloud Service Provider's Name, street address, suite/room/building, and City, State, Zip Code information for each individually.  
RolesThis data displays in Sections 4 and 5, specifically Table 4.1 and 5.1 respectively. For Table 4.1, use the Information System Owner Role to create the record. For Table 5.1, use other pre-defined roles to create the records for this table.
Information System Operational StatusThis information is just a date in the Rev. 5 template and the system must be fully operational for it to be considered for FedRAMP authorized status. Skip this option.
Cloud Service ModelsThis data displays in Section 3, Table 3.1.
Cloud Deployment ModelsThis data displays in Section 3, Table 3.1.
Leveraged AuthorizationsThis data displays in Section 6, Table 6.1.
System Function or PurposeThis data displays in Section 3, Table 3.1.
Information System Components & Boundaries DiagramSection 8
Types of UsersNot used with Rev. 5 and will be removed with the upgrade in Q324.
Network Architecture DiagramSection 8
Data Flow DiagramSection 8
Ports, Protocols and ServicesThis data displays in Section 9, Table 9.1.
System InterconnectionsThis data displays in Section 10, Tables from Appendix Q.
Applicable Laws and RegulationsAppendix L, Table L.1.
Applicable Standard & GuidanceNot used with Rev. 5 and will be removed with the upgrade in Q324.
Digital Identity DeterminationThis data displays in Section 3, Table 3.1 and Appendix E, Table E.2.

Privacy Threshold PolicyNot used with Rev. 5 and will be removed with the upgrade in Q324.
System InformationUsed in multiple places within the SSP but it is the place where the Cloud Service Providers (CSP) name is define.


Prerequisites:

After you Create a System, you are able to start crafting your Frontmatter and importing your controls data. When creating the system, keep in mind that some of this data is used within the Frontmatter - CSO Name, ID, and CSO Abbreviation - and will display in the SSP Frontmatter.


Breakdown of the Frontmatter Data Input within the Platform:

Cover Page and SSP Header

Information found on the document Header and the Cover page pulls the CSP and CSO Names from the System Information option; however, the Version # and Date are not currently stored in the Platform and will need to be entered manually once the SSP is generated from the Platform. 


 


The Cover page also pulls in the High, Moderate, Low, LI-SaaS from Options | Categorize (LI-SaaS to be added) screen so you'll need to select the appropriate option from the Selected Overall Category drop-down menu on this screen or update to LI-SaaS within the SSP directly. 



System Security Plan

Prepared by, Prepared for, Document Revision History

The Prepared by and Prepared for data is entered into the System Security Plan option. Currently, the Document Revision History is not captured as data within the Platform. Enable this option and fill in the requested fields: Organization Name, Street Address, Suite/Room/Building, and City, State, Zip. Logo upload is no longer required for this.


Document Revision History is currently not stored within the Platform and needs to be populated directly in the SSP template.


System Security Plan Approvals

Cloud Service Provider (CSP) Signatures

While this is the beginning of the Frontmatter or SSP, it will be one of the last things you do once you complete the document. You will also need to provide the Version # and the date in this signature section. Templates provide three signature blocks which can be added to if needed, or removed if only 1-2 need to sign. This data is not captured in the Platform and will need to be done via a digital or a physical signature.


Section 1 Introduction

No action is needed in this section other than reading it. There are no fields to complete, but it does contain an explanation of what the SSP represents for a Cloud Service Offering (CSO).


Section 2 Purpose

No action is needed in this section other than reading it. There are no fields to complete.


Section 3 System Information

The primary data for this section is Table 3.1. Most of this data is stored within the Platform - the screenshot below defines where the data is input. To summarize, you will need to enter data in multiple Characterization options including: System Information, Cloud Service Models, Digital Identity Determination, Cloud Deployment Models, and System Function or Purpose. 

Section 4 System Owner

The primary data element for this section is Table 4.1. The data field in the Tables name is pulled in from System Information option. All other table data is stored within the Platform under the Roles option. For Table 4.1, use the Information System Owner Role when creating the record. You will need to provide a Name, Title, Company Name, Address, Phone, and Email, then Save. 


Section 5 Assignment of Security Responsibility

There is an intro paragraph above the table in this section. The CSP Name and CSO Name which at this point are in the Platform so no action is needed. The primary data element for this section is Table 5.1. The data field in the Table's name is pulled in from System Information option which is already in the Platform. All other table data is stored within the Platform under the Roles option. For Table 5.1, use the Role highlighted in the screenshot below when creating the record. You will need to provide a Name, Title, Company Name, Address, Phone, and Email, then Save.

 

Section 6 Leveraged FedRAMP-Authorized Services

There is an intro paragraph above the table in this section. The CSO Name at this point is in the Platform so no action is needed. The primary data element for this section is Table 6.1.  Currently, this data is not captured in the Platform but will be captured in a future release under the Leveraged Authorization option. The FedRAMP Marketplace is the authoritative source for identifying CSOs and services that are FedRAMP Authorized. This table doesn't have to be used and an additional Appendix can be added. If you decide to add as a new appendix you will need to insert the following quoted information to the SSP in place of the table. 

“The <Insert CSO Name> leverages the FedRAMP Authorized services depicted in <Insert Appendix Letter>,” and include a hyperlink to the appendix.


Section 7 External Systems and Services Not Having FedRAMP Authorization

There is an intro paragraph above the table in this section. The CSO Name at this point is in the Platform so no action is needed. The primary data element for this section is Table 7.1. Currently, this data is not captured in the Platform but will be captured in a future release under the System Interconnections option. For the first column, use 1 for Non-FedRAMP Authorized Cloud Services, 2 for Corporate Shared Services, or 3 for Update Services for In-Boundary Software/Services. This table doesn't have to be used and an additional Appendix can be added. If you decide to add as a new appendix you will need to insert the following quoted information to the SSP in place of the table. 

"The <Insert CSO Name> makes use of systems, services, application program interfaces (APIs), and command-line interfaces (CLIs) lacking FedRAMP authorization as depicted in <Insert Appendix Letter>," and include a hyperlink to the appendix.


Section 8 Illustrated Architecture and Narratives

There is an intro paragraph above the table in this section, the CSO Name which at this point is in the Platform so no action needed. There are sub-sections under Section 8: 1) 8.1 Illustrated Architecture and 2) 8.2 Narrative. Section 8 is for the Authorization Boundary, Network, and Data Flow diagram or diagrams. 


8.1 Illustrated Architecture

There are two options for the opening paragraph in this section. You need to choose one of the paragraphs based on the number of diagrams. If you have one (1) diagram that depicts the Authorization Boundary, Network, and Data Flow in one file, use the first paragraph. If you have more than one (1) diagrams, use the second paragraph. Diagram files are embedded into the SSP document. 

  • Authorization Boundary is uploaded to the Information System Components & Boundary Diagram option
  • Network is uploaded to the Network Architecture Diagram option
  • Data Flow is uploaded to the Data Flow Diagram option


8.2 Narrative

Whether using one or multiple diagrams, after each, provide a detailed narrative description that clearly describes the CSO and the elements of the diagram. There is a sample narrative within the Rev. 5 template that can be used as your starting point and customized to describe your environment. The narrative should describe the components of the system as depicted in the diagram using the same naming conventions, to avoid confusion. Additionally, the narrative must describe the relationships of the internal services. It may be useful to describe these using a numbering or lettering scheme and then include them in the diagram (i.e., enabling the narrative to act as a key for the diagram). Ensure to reference the diagram(s) by figure number in the narrative description, and name the diagram appropriately. If you choose to have separate diagrams, ensure that there is an appropriate narrative provided for each diagram.


There is an option table 8.1 that is provided in the SSP template for Security and Management Technologies.


Section 9 Services, Ports, and Protocols

There is an intro paragraph above the table in this section. The CSO Name at this point is in the Platform so no action is needed. The primary data element for this section is Table 9.1.  The column order of this table has changed in Rev. 5, but all of the data elements are captured within the Platform under the Ports, Protocols & Services option. This table must be completed even if you are leveraging a pre-existing FedRAMP authorization. Changes to align the Rev. 5 changes will be applied in a future release.


Section 10 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT)

There are intro paragraphs in this section which will pull in the CSO Name and the CSP Name which at this point are in the Platform so no action is needed. However, figure numbers will also need to be included in the intro that refer to the diagrams in the SSP depicting encryption status, typically data flow, if not combined. The primary data element for this section is Appendix Q. 


Section 11 Separation of Duties 

The primary data element for this section is Table 11.1 and the opening paragraph and table heading pulls in the CSO Name. The data fields in the table are currently not in the Platform but will be added in a future release. The SSP template provides a table with default values which should be removed prior to populating this table for your CSO


Each duty description is listed in a separate row; if a CSP is a large and complex organization, there could be several. In the case of a CSP being large and complex, focus on the duty descriptions that apply to the CSO. There may be third party relationships that apply, such as administrators who are not part of the organization; these should also be listed. Additionally, the table should include any duties performed by agency customers. 


Identify and document all general roles (such as Information Owner, Security Officer, etc.) for the organization or the CSO (one for each column); there may be indirect roles that apply that should also be listed.


If the CSO has many more duties and roles, you can create your own Excel spreadsheet and reference it as an appendix within the SSP and within this section. If you decide to add as a new appendix you will need to insert the following quoted information to the SP in place of the table. 

"The <Insert CSO Name> Separation of Duties Matrix is as depicted in <Insert Appendix Letter>," and include a hyperlink to the appendix.


Sample of Table 11.1.



Section 12 SSP Appendices List

The primary data element for this section is Table 12.1.  This table captures all of the files names and includes a brief comment whether a template is FedRAMP-provided, CSP-provided, included in the SSP, should be a ZIP file, and if not required for LI-SaaS. This will be one of the last things to complete once the files names have been finalized. We recommend naming the file to reflect the Appendix letter and what it is, such as "Appendix A - <CSO Name> FedRAMP Security Controls". This data is currently not captured in the Platform but may be in a future release.


If the list below indicates that a FedRAMP-provided template is used, it can be downloaded here. Generally, with CSP-provided indicator you can use your discretion regarding format when it is included within the SSP. If you create additional Appendices for Section 6, 7, or 11, make sure to add them to the Appendices List and clearly identify which section they belong with.


Appendix Name
File Name

Appendix A: FedRAMP Security Controls

(FedRAMP-provided; different template for each impact level)


Appendix B: Related Acronyms

(CSP-provided)

Included within the SSP

Appendix C: Security Policies and Procedures

(CSP-provided in a zip file; not required for LI-SaaS)


Appendix D: User Guide

(CSP-provided; not required for LI-SaaS)

This could be a file name or a website URL included within the SSP

Appendix E: Digital Identity Worksheet

(FedRAMP-provided)

Included within the SSP

Appendix F: Rules of Behavior

(FedRAMP-provided; not required for LI-SaaS)


Appendix G: Information System Contingency Plan (ISCP)

(FedRAMP-provided; not required for LI-SaaS)


Appendix H: Configuration Management Plan (CMP)

(CSP-provided; not required for LI-SaaS)


Appendix I: Incident Response Plan (IRP)

(CSP-provided; not required for LI-SaaS)


Appendix J: CIS and CRM Workbook

(FedRAMP-provided; different template for each impact level)


Appendix K: FIPS 199 Worksheet

(FedRAMP-provided)

Included within the SSP

Appendix L: CSO-Specific Required Laws and Regulations

(CSP-provided)


Appendix M: Integrated Inventory Workbook

(FedRAMP-provided)


Appendix N: Continuous Monitoring Plan

(CSP-provided)


Appendix O: POA&M

(FedRAMP-provided)


Appendix P: Supply Chain Risk Management Plan (SCRMP)

(CSP-provided)


Appendix Q: Cryptographic Module Table

(FedRAMP-provided)



Most of the Appendices described below are not part of the Platform at this time with some exceptions, such as Appendix A, E, and L. More details can be found under the individual Appendices.


Appendix A FedRAMP Security Controls 

The data in Appendix A is from Requirements. All of the Controls work that you did in the Platform, and it is used when generating an SSP for Rev 4. With Rev 5, there are different templates depending on your baseline of High, Moderate, Low, or LI-SaaS. The Requirements data will be an Appendix A output file in a future release. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output. 


Appendix B Related Acronyms 

The Appendix B data is currently not within the Platform and the format of this data is at the CSP discretion. In the future release, the Platform will provide a simple table to capture the acronym and description and will be included in the SSP output. The acronyms that are included are specific to the CSO's SSP. Always spell out any acronyms you use within the SSP the first time it is used. The format can be as simple as a two column table with the acronym in the first column and the spelled out text in the second column. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output.  


Appendix C Information Security Policies and Procedures 

The Policies and Procedures for the CSO can be zipped together when uploading this content for review by the FedRAMP PMO. FedRAMP doesn't provide a template for policies and procedure so it is at the CSP's discretion on how these documents look as long as the control families are addressed. The files should be names so it is easy to understand how to locate the documents associated with the control family. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output. 


Appendix D User Guide 

The content of this Appendix can be either a file or a website address. You will leave one of the following statements in the SSP and remove the other. The first statement would indicate that you have a physical file that can be included as an object within Appendix D. The second statement is pretty self-explanatory. The one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output; however, if you select the second statement you will need to provide the website URL as part of that statement. 


The <Insert CSO Name> user guide is included in Appendix D, available separately.


or


The <Insert CSO Name> user guide website address is <Insert CSO User Guide URL>.


Appendix E Digital Identity Worksheet 

The primary data elements for this section are Table E.1 and Table E.2.  Table E.1 is informational and no additional data is needed. Table E.2 is pulled in from the Digital Identity Determination option. Select the lowest level that will cover all potential impacts identified from Table E.1. The appendix title pulls in the CSO Name and the paragraph above Table E.2 pulls in the CSP and CSO Names automatically in the SSP output.


Appendix F Rules of Behavior 

FedRAMP developed a template for the Rules of Behavior or RoB, and it can be downloaded here. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output . 


Appendix G Information System Contingency Plan (ISCP) 

FedRAMP developed a template for the ISCP; it can be downloaded here. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output.


Appendix H Configuration Management Plan (CMP) 

FedRAMP does not have a template for the CMP and directs you to NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems which provides guidelines and a sample in Appendix D of this guide. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output.


Appendix I Incident Response Plan (IRP) 

FedRAMP does not have a template for the IRP and directs you to NIST SP 800-61, Computer Security Incident Handling Guide which provides guidance on how to develop an IRP. Before achieving FedRAMP authorization, CSP's need to test this IRP and at least annually once authorized as part of continuous monitoring. Your IRP should include incident reporting requirements from FedRAMP Incident Communications Procedures. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output.


Appendix J Control Implementation Summary (CIS) and Customer Responsibilities Matrix (CRM) Workbook 

FedRAMP developed a template for the CIS and CRM Workbook with color-coded worksheets for the four baselines (High, Moderate, Low, Li-SaaS); it can be downloaded here. There is an instruction tab that provides guidance for completing both the CIS and CRM. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output.


Because you're working in a FedRAMP system, within the Platform, under Sub Frameworks in the left navigation menu there are two sub-menus: 1) CIS and 2) CRM. 


Control Implementation Summary (CIS)

The data shown within the CIS sub framework is pulled in from Control Statuses and Control Origination responses from Requirements. Depending on the Control Origination response, additional fields will display. If "Provided by Customer" is selected, a "Customer Responsibility" field will display and a description needs to be provided. If "Inherited from pre-existing provisional system" is selected, "Authorization Description" and "Date of Authorization" fields will display. This table can be exported to Excel if needed if needed and this output could be copy/pasted into the FedRAMP provided template for submission to FedRAMP PMO. 


An example of the edit properties screen in Requirements is shown below, you'll notice the "Control origination type" drop-down field. The options in this drop-down are detailed below and the table is meant to help you make the appropriate selection or selections depending on the status of the control and associated statements. Like the Status field, more than one origination type can be selected if needed.


Control Origination
Definition
Example
Additional Field(s)
Service Provider Corporate
A control that originates from the CSP's corporate network.
Domain Name System (DNS) from the corporate network provides address resolution services for the information system and the service offering.
None
Service Provider System Specific
A control specific to a particular CSP system and the control is not part of the service provider corporate controls.
A unique host-based intrusion detection system (HIDS) is available on the service offering platform that is separate from the corporate network and dedicated to the service offering.
None
Service Provider Hybrid (Corporate and System Specific)
A control that makes use of both corporate controls and additional controls specific to a particular CSP system.
Corporate may provide scanning of the CSP's service offering utilizing the corporate network infrastructure, databases, or web-based applications.
None
Configured by Customer (Customer System Specific)
A control where the customer needs to apply a configuration to meet the control requirement.
User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable http or https, etc.), entering an IP range specific to their organization that are configurable by the customer.
None
Provided by Customer (Customer System Specific)
A control where the customer needs to provide additional hardware or software to meet the control requirement.
The customer provides a Security Assertion Markup Language (SAML) Single Sign On (SSO) solution to implement two-factor authentication.
Customer Responsibility
Shared (Service Provider and Customer Responsibility)
A control that is managed and implemented partially by the CSP and partially by the customer.
Security awareness training must be conducted by both the CSP and customer.
None
Inherited from Pre-Existing Authorization
A control that is inherited (by the CSP service offering) from another CSP system that has already received a FedRAMP Authorization.
A Platform as a Service (PaaS) or Software as a Service (SaaS) provider inherits Physical and Environmental Protection (PE) controls from an Infrastructure as a Service (IaaS) provider.
Authorization Description and Date of Authorization (date auto-populates)


The results of your selection(s) when evaluating the Control and sub-statements will look something like the sample shown below.



Customer Responsibilities Matrix (CRM)

The data shown within the CRM sub-framework is also pulled from Requirements based on control responses, and "Yes," "No," or "Partial" will display in the "Can Be Inherited from CSP" column. If "Provided by Customer" was the Control Origination selection, the "Customer Responsibility" field content will display in the "Specific Inheritance and Customer Agency/CSP Responsibilities" column. This table can be exported to Excel if needed and this output could be copied/pasted into the FedRAMP provided template for submission to FedRAMP PMO. 

  • For Control IDs identified in the CIS Worksheet as Service Provider Corporate, Service Provider System Specific, or Service Provider Hybrid (Corporate and System Specific - see table above for more ID information) the Platform will enter "Yes" in the "Can Be Inherited from CSP" column below, and leave the "Specific Inheritance and Customer Agency/CSP Responsibilities" column blank. 
  • For Control IDs identified in the CIS Worksheet as Shared (Service Provider and Customer Responsibility - see table above for more ID information) the Platform will enter "Partial" in the "Can Be Inherited from CSP" column (below). In the "Specific Inheritance and Customer Agency/CSP Responsibilities" column, you will need to describe which elements are inherited from the CSP and describe the customer responsibilities once you copy/paste the Platforms output into the template.
  • For Control IDs identified in the CIS Worksheet as Configured by Customer (Customer System Specific) or Provided by Customer (Customer System Specific - see table above for more ID information) the Platform will enter "No" in the "Can Be Inherited from CSP" column (below). In the "Specific Inheritance and Customer Agency/CSP Responsibilities" column, the output will include what you entered in the Customer Responsibilities field, and you'll need to explain why the Control ID cannot be inherited once you copy/paste the Platform's output into the template.

The results of your selection(s) when evaluating the Control and sub-statements will look something like the sample shown below.



Appendix K Federal Information Processing Standard (FIPS) 199 Categorization 

The primary data elements for this section are Table K.1 which is pulled in from Options | Categorize data that has been entered. The Platform uses the NIST SP 800-60 (current revision) Volume II Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories to identify information types with the security impacts. The Platform allows you to start keying the Information Type ID and populates the type name based on the ID selection. By default the Confidentiality, Integrity, and Availability (CIA) will be set to Low but they can be changed to High, Moderate, or LI-SaaS (in a future release) accordingly, and provides a place to enter a Justification. The appendix title pulls in the CSO Name and the paragraph above Table K.1 pulls in the CSO Name and the Category Level automatically in the SSP output.


Appendix L Specific Laws and Regulations 

The primary data element for this section is Table L.1.  All of the table data is stored within the Platform under the Applicable Laws and Regulations option. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output.



Appendix M Integrated Inventory Workbook (IIW)

FedRAMP developed a template for the IIW; it can be downloaded here. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output. Within the Platform, we leverage our CMBD to capture Assets within the Asset Module. Please talk to your Service Delivery Lead for assistance to complete the file.


Appendix N Continuous Monitoring Plan

The FedRAMP Continuous Monitoring Strategy Guide provides guidance and instructions on how to implement a continuous monitoring program, and the guidance may be used to help formulate a continuous monitoring plan.


Additionally, CSPs must use the FedRAMP-provided FedRAMP Continuous Monitoring Monthly Executive Summary that is submitted with the initial authorization package and updated as part of continuous monitoring. Updates should be uploaded in the CSO’s FedRAMP Secure Repository continuous monitoring subdirectory.


The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output. 


Appendix O POA&M

The ability to create POA&Ms is available within the Platform. Please talk to your Service Delivery Lead for assistance to complete the file. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output.


Appendix P Supply Chain Risk Management Plan (SCRMP)

The Appendix P data is currently not within the Platform and the format of this data is at the CSP discretion, in accordance with SR-2. A plan format is available, for reference, in NIST SP 800-161 (current revision). The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output.


Appendix Q Cryptographic Modules Table

FedRAMP developed a template for Appendix Q, it can be downloaded here. Please talk to your Service Delivery Lead for assistance to complete the file. The appendix title and the one sentence in the SSP template for this appendix pulls in the CSO Name automatically in the SSP output.