Purpose

The purpose of this article is to cover basic FedRAMP Controls compliance automation. This documentation is specific to the new FedRAMP Rev. 5 framework that is now available in the Platform.


Relevant Modules and Features


Basic Setup Information Required to Automate


Customer Information Required to Automate

To get started, you need the following information from your compliance team:

  • FedRAMP System Security Plan (SSP)
    • Frontmatter previously also known as System Characterization
    • Control Responses
  • Current FedRAMP Plan of Action & Milestones (POA&M)
  • Boundary Artifacts (Policies, Procedures, Diagrams, & Other Evidence)
  • Customer Implementation Summary (CIS)/Customer Responsibility Matrix (CRM)


If you currently have any FedRAMP data in the Platform, start by following Implement NIST RMF (NIST SP 800-53 Rev x) leveraging Ignyte steps on leveraging Ignyte and the skip Basic Automation Steps.


FedRAMP NIST SP 800-53 Revision 4 to Revision 5 Conversion Information

If your organization has not converted from Revision 4 to Revision 5, please contact your account representative. The Ignyte team can aid in accelerating the conversion process leveraging the software. Please find more specific information regarding the transition from the following FedRAMP pages:


Basic Automation Steps

Some of these can be done concurrently with the exception of Step 1. There are no dependencies for Step 2 and forward.


StepsDescription
OneCreate a System - You need to create a system first, and then you can start adding data to that system. Once the system is created, the structure of the selected framework provides the bones to start building your compliance management program and keeps you focused on the requirement.
Two

Upload Existing FedRAMP Data -  The data can be imported or added manually depending on how you are currently doing your compliance management. 


To import data, Options | Edit System | Advanced Configuration is where you need to go. Import instructions can be found here.


To manually enter data, see the Compliance - Requirements article and navigate to the "Working within Requirements to Update Controls" topic.  Using Macro Builder is a great way to automate data point updates when tools and people change in your Control Responses. 


The FedRAMP system also has an ODP (Organizationally Defined Parameter) Editor (Options | ODP Editor) that allows you to update parameters in one location. That value is shown within the Compliance Module of the Platform. This editor contains 200+ control statements from NIST RMF 800-53 that contain parameters that need to be defined to complete the control statement. This feature is similar to the Macro Builder but designed specifically to meet FedRAMP specifications. 


As you are building out your Compliance System you may find issues that require the creation of a Plan of Action & Milestones or POA&M (see step 4 below) and a concurrent activity.


Entering your data into Options | Edit System | Categorize and System Security Plan are discussed in more details below. 

ThreeUpload Artifacts and Policies - The artifacts are managed from within the Compliance System when you see Attach Files buttons or under Artifact Management for the System. First, the System folder is a default folder used to store files and folders to a specific compliance system. Next, the Global folder is a default folder used to store files and folders which are inheritable by other modules, systems of record, and global organization records. Third, the Additional Programs folder is the default folder used to store files and folders from corresponding custom Systems of Record. Finally, the External Files folder is used for gathering external information from external parties through artifact request links.

When you see the Attach Files button, there are two options "Attach Existing Artifacts" or "Upload New Artifacts". See the Compliance - Requirements article and navigate to the "Attach Files" topic.

The Document Management Module (found in the top menu) is organized using folders. There are default folders but you can create new folders that best help your organizations needs. Instruction for Artifact Uploads and Artifact Upload Requests are located in the Document Management article.

NOTE: Artifacts are supporting evidence files that are attached to Compliance controls, a POA&M, or even an asset. These files are local to the System.
In Document Management in the "System" folder you will find a folder for each system you have in your instance and it will contain your artifact files; however, Document Management contains Global files that can be used in any system as well as Custom SOR files, External files, and Vendor Management files, if any.
FourReview and Correct POA&Ms - As you are building out your Compliance System you may find issues that require the creation of a Plan of Action & Milestones or POA&M and part of a concurrent activity from Step 2 above. Step Four brings you back to the task of reviewing items that were created to look for any issues and, when an issue is found, correcting the issue or planning the correction of the issue.
Five

Correcting Statuses, Narratives, and Linking Policies - The best way to correct or update control statuses or add comments is to use the bulk update feature in the Requirement (table view only) feature. Alternatively, you can work on updating controls from the Requirements | Control area and Edit Properties  area to update statuses, owner, target assessment frequency, etc. 


This is also the time to link up artifacts associated with the control for ease of reference internally and at audit time. When you see the Attach Files button, there are two options "Attach Existing Artifacts" or "Upload New Artifacts". See the Compliance - Requirements article and navigate to the "Attach Files" topic.



Implement NIST RMF (NIST SP 800-53 Rev x) leveraging Ignyte:

FedRAMP is based on NIST SP 800-53 Control set. The Ignyte platform adapts to any variant of NIST 800-53 control set. This guide specifically outlines implementation for FedRAMP. If you require advance implementation of NIST 800-53 such as CNNSI-53, CCIs implementation, STIGS, EMASS integration, Test cases and objectives management or Special Access Program (JSIG) implementation - please contact your service representative for specialized instructions. 



 

The biggest lift to initiating and automating your FedRAMP system is getting your SSP or Frontmatter data into the Platform. A good portion of the data can be imported but there is data that will need to be manually input or even directly entered into the SSP.  Some portions of the SSP are supplemental templates, such as Appendix A, that are downloaded from the FedRAMP Resources Documents & Templates page. This documentation is for FedRAMP Rev. 5 templates.


Most of the data used in the Frontmatter is entered from the Systems Options | System Security Plan screen which is a continuous scroll - it also auto-saves as you enter data. If the data for a given section is entered in an alternate location, such as the editing of Controls in the Requirements area, it will be called out in the instructions below. 


SSP Navigation

The navigation of the System Security Plan screen consists of five (5) key areas: 1) internal SSP menu; 2) Completion stats; 3) Edit area; 4) Instructions; and 5) Mark as complete button.  


1) The internal SSP menu is scrollable and clickable to quickly access the section that you want to work on and it shows the current completion stats for the section. The sections in the internal menu will indicate "Incomplete" initially, except for a handful that require no action. Once data is entered in the Edit area, the section's status will show "PC" for partially completed. 


2) The Completion stats sit in a fixed position at the top of the screen and dynamically update. It provides an overall status completion percentage, Completed, Incomplete, and Partially completed section counts.


3) The Edit area allows for data entry or file uploads. It will also display data that was entered from other areas of the system when appropriate. The area is a continuous scroll. As you advance, the highlight in the internal SSP menu will shift focus. Within this area, there are two other key items "Instructions" and "Mark as complete," which are described below.   


4) The Instructions are from the FedRAMP SSP template. Click on the Instructions link to access section specific context to help you complete the section. If the Instructions are short, they will display onscreen under the section title.


5) The Mark as complete button is used to indicate that you have worked on the section and it does not need further edits. For a section to display "Completed" you will need to click on the Mark as complete button - always to the far right of the section title. 


Breakdown of the SSP Sections within the Platform:

Prerequisites:

After you Create a System, you are able to start crafting your SSP, also known as the Frontmatter, and start importing or entering your controls data in the Requirements feature. When creating the system, keep in mind that some of this data (CSO Name, ID, and CSO Abbreviation) is used within the SSP and will display in the SSP Frontmatter. Data entered in the SSP section will be output into the SSP from the Reports feature found to the left of the profile icon in the top menu.


Header and Cover Page

Information found on the document Header and the Cover Page pulls the CSP Name and Abbreviation entered in the Header and Cover Page section and the CSO Name from System creation; however, the Version # and Date come from the data entered in the Document Revision History section of the Platform. 


 


The Cover Page also pulls in the High, Moderate, Low, LI-SaaS based on the level selected when the system is setup. 


Enter the CSP Name and Abbreviation in the fields provided and it will auto-save. Once completed, click the Mark as complete button to update the status of the section.


Prepared by/for

The Prepared by and Prepared for information is entered through the Prepared by/for section. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section.


Enter data into the requested fields: Organization Name, Street Address, Suite/Room/Building, and City, State, Zip for both Prepared by and Prepared for section. Once completed, click the Mark as complete button to update the status of the section.


Document Revision History

The Document Revision History section allows you to enter the revision date, description of the revision, version number, and who authored the revision. When a new version needs to be created, use the +Add Row link to create a new entry. The information entered here appears on the Cover Page, in the header and footer, and in the Document Revision History table of the SSP. The latest entry will always be used on the Cover Page, in the header and footer, as well as other data entry areas in the SSP. The table mentioned above it will display all of the entries made in reverse chronological order. 


When the SSP is done and ready for submission, click the Mark as complete button to update the status of the section.


If further revisions become necessary, you will still be able to add more rows and continue to update the SSP.


Cloud Service Provider (CSP) Signatures

While this is in the beginning of the Frontmatter or SSP, it will be one of the last things you do once the document is complete. Within the section, you will be able to capture the Name of the person or persons who need to sign, enter the date the SSP is being signed, the title of the signers, and CSPs name. To add more signers, use the +Add Row link to create a new entry.  Once you have more than one signer, a Trashcan icon will display in the Action column if you need to delete an entry. Signatures on the final report can be either digital (using an image or e-Sign) or physical signatures (print and sign). Once completed, click the Mark as complete button to update the status of the section.



Section 1 Introduction

No action is needed in this section other than reading it. There are no fields to complete, but it contains an explanation of what the System Security Plan (SSP) represents for a Cloud Service Offering (CSO).


Section 2 Purpose

No action is needed in this section other than reading it. There are no fields to complete.


Section 3 System Information

The primary data for this section is Table 3.1. All of this data is stored within the Platform - some of the data is pulled from other places within the platform and some is entered here in Section 3. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. If the field is grey, it indicates that the data was pulled from another area of the Platform and the data cannot be changed.


Select the Service Model and the Digital Identity Level (DIL) Determination, Deployment Model, and Authorization Path from the individual drop-downs, and enter a date for the Fully Operational as of field. The General System Description is a free text field for you to enter the description. The Instruction link explains most of these fields in greater detail. If you need more information about the DIL, navigate to Appendix E Instructions for more details. Once completed, click the Mark as complete button to update the status of the section.



Section 4 System Owner

The primary data element for this section is Table 4.1, you will need to provide a Name, Title, Company Name, Address, Phone, and Email. Onscreen Instructions are provided in this section. Once completed, click the Mark as complete button to update the status of the section.


Section 5 Assignment of Security Responsibility

The data elements for this section are to capture Name, Title, Company Name, Address, Phone, and Email of personnel with "key security responsibilities" we have provided one data entry area but additional can be added by clicking the +Add link. Click on the Instructions link to access the full Instructions for this section. Once completed, click the Mark as complete button to update the status of the section.

 

Section 6 Leveraged FedRAMP-Authorized Services

Data for Table 6.1 in the SSP is captured in this section and should include "all functions, services, features, and APIs that are leveraged from FedRAMP Authorized CSOs."  Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. The FedRAMP Marketplace is the authoritative source for identifying CSOs and services that are FedRAMP Authorized. This table does not have to be used, and an additional Appendix can be added. If you decide to add as a new appendix, you will need to manually remove the table from the output report and insert the following quoted information to the SsP in place of the table. You will need to make these changes to the SSP report that is downloaded from the Platform. 

“The <Insert CSO Name> leverages the FedRAMP Authorized services depicted in <Insert Appendix Letter>,” and include a hyperlink to the appendix.


If you are entering data in the provided table, complete the first row and use +Add Row to add more entries. Once completed, click the Mark as complete button to update the status of the section.


Section 7 External Systems and Services Not Having FedRAMP Authorization

Data for Table 7.1 in the SSP is captured in this section and should identify "establish[ed] connections to external systems and services that lack FedRAMP authorization to exchange data and information or augment system functionality and provide operational support services." Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. The FedRAMP Marketplace is the authoritative source for identifying CSOs and services that are FedRAMP Authorized, and should be used whenever possible; however, there are times when they are not. Use this table to capture non-authorized external systems and services. This table does not have to be used and an additional Appendix can be added. If you decide to add as a new appendix you will need to manually remove the table from the output report and insert the following quoted information to the SSP in place of the table. You will need to make these changes to the SSP report that is downloaded from the Platform. 

"The <Insert CSO Name> makes use of systems, services, application program interfaces (APIs), and command-line interfaces (CLIs) lacking FedRAMP authorization as depicted in <Insert Appendix Letter>," and include a hyperlink to the appendix.


If you are entering data in the provided table, complete the first row and use +Add Row to add more entries. Once completed, click the Mark as complete button to update the status of the section.


Section 8 Illustrated Architecture and Narratives

There are sub-sections under Section 8: 1) 8.1 Illustrated Architecture and 2) 8.2 Narrative.  


8.1 Illustrated Architecture

There are two options for the opening paragraph in this section You need to choose one of the paragraphs based on the number of diagrams. If you have one (1) diagram that depicts the Authorization Boundary, Network, and Data Flow in one file, use the first paragraph. If you have more than one (1) diagrams, use the second paragraph. Diagram files are embedded into the SSP document. The first paragraph will be pre-selected and the sections status will be PC. Once the appropriate radio button is selected, click the Mark as complete button to update the status of the section.

8.1 Diagrams

Once the paragraph selection is done, this next section allows you to update the diagram or diagrams for Authorization Boundary, Network, and Data Flow diagrams. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. We allow up to 3 diagrams for each of the diagram types when the multi-diagram option is selected above. "ALL diagrams must be consistent (using same component names, color coding, etc.) and represent at least the authorization boundary and its components." For each diagram, provide a description of the diagram, this description will not display in the SSP report but could be used during an audit to help the auditor understand what is being provided. Once completed, click the Mark as complete button to update the status of the section.



8.2 Narrative

Whether using one or multiple diagrams, after each, provide a detailed narrative description that clearly describes the CSO and the elements of the diagram. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. There is a sample narrative within the Rev. 5 template that can be used as your starting point and customized to describe your environment. The narrative should describe the components of the system as depicted in the diagram using the same naming conventions, to avoid confusion. Additionally, the narrative must describe the relationships of the internal services. It may be useful to describe these using a numbering or lettering scheme and then include them in the diagram (i.e., enabling the narrative to act as a key for the diagram). Make sure to reference the diagram(s) by figure number in the narrative description, and name the diagram appropriately. If you choose to have separate diagrams, ensure that there is an appropriate narrative provided for each diagram.


There is an optional table 8.1 that is provided in the SSP template for Security and Management Technologies. If you do not need to use table 8.1 in the narrative sample, remove it from the 8.2 Narrative's edit box. Feel free to copy the default text provided into a Word document, compile your full narrative, then paste it back into the edit box. Once completed, click the Mark as complete button to update the status of the section.


Section 9 Services, Ports, and Protocols

The primary data element for this section is Table 9.1 and are captured within the Platform. This table must be completed even if you are leveraging a pre-existing FedRAMP authorization. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. Complete the first row and use +Add Row to add more entries. Once completed, click the Mark as complete button to update the status of the section.


Section 10 Cryptographic Modules Implemented for Data At Rest (DAR) and Data In Transit (DIT)

There are introductory paragraphs in this section which will pull in the CSO Name and the CSP Name, which at this point are in the Platform, so no action is needed. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. Make sure to read the onscreen Note which references Appendix Q and the use of figure numbers. You will need to enter the Figure Numbers in the SSP Report manually once it is downloaded. 


Section 11 Separation of Duties 

The primary data element for this section is Table 11.1 and the data fields in the table are captured in the Platform. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. 


Each duty description is listed in a separate row; if a CSP is a large and complex organization, there could be several. In the case of a CSP being large and complex, focus on the duty descriptions that apply to the CSO. There may be third party relationships that apply, such as administrators who are not part of the organization; these should also be listed. Additionally, the table should include any duties performed by agency customers. 


Identify and document all general roles (such as Information Owner, Security Officer, etc.) for the organization or the CSO (one for each column). There may be indirect roles that apply that should also be listed.


If the CSO has many more duties and roles, you can create your own Excel spreadsheet and reference it as an appendix within the SSP and within this section. If you decide to add as a new appendix you will need to insert the following quoted information to the SSP in place of the table. You will need to make these changes to the SSP report that is downloaded from the Platform. 

"The <Insert CSO Name> Separation of Duties Matrix is as depicted in <Insert Appendix Letter>," and include a hyperlink to the appendix.


If you are entering data in the provided table, we are providing sample data that can be altered to meet your organization's need. You have the option to +Add Row and +Add Column to allow for the customization you need. If your organization is not that complex, you can also delete columns and rows by clicking on the trash can to the right of the row, or below the column. Once completed, click the Mark as complete button to update the status of the section.


Section 12 SSP Appendices List

The primary data element for this section is Table 12.1.  Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. This table lists out all of the Appendices and indicates whether a template is FedRAMP-provided, CSP-provided, included in the SSP, should be a ZIP file, and if not required for LI-SaaS. It also allows a space to capture files names where appropriate. This will be one of the last things to complete once the files names have been finalized. We recommend naming the file to reflect the Appendix letter and what it is, such as "Appendix A - <CSO Name> FedRAMP Security Controls". 


Within the Appendix sections, if there is a FedRAMP provided template, we have provided a Download Template link that takes you to the FedRAMP Marketplace Documents & Templates page so you can easily navigate to the template. Generally, with the CSP-provided indicator you can use your discretion regarding format when it is included within the SSP. If you create additional Appendices for Section 6, 7, or 11, make sure to add them to the Appendices List and clearly identify which section they belong with.


Most of the Appendices described below are not part of the Platform at this time with some exceptions, such as Appendix A, E, and L. More details can be found under the individual Appendices.


Appendix A FedRAMP Security Controls

The data in Appendix A is from Requirements - all of the Controls work that you did in the Platform. With Rev. 5, there are different templates depending on your baseline of High, Moderate, Low, or LI-SaaS. The Requirements data is pulled into the Appendix A report found in the Report area of the Platform. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. 

Appendix B Related Acronyms 

The Appendix B data is in the Platform and provides a simple table to capture the acronym and description which is included in the SSP output. Onscreen instructions are provided for this Appendix. 


Enter data in the provided table, complete the first row, and use +Add Row to add more entries. Once completed, click the Mark as complete button to update the status of the section.  


Appendix C Information Security Policies and Procedures 

The Policies and Procedures for the CSO can be zipped together when uploading this content for review by the FedRAMP PMO. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. FedRAMP does not provide a template for policies and procedure so it is at the CSP's discretion on how these document look as long as the control families are addressed. The files should be named so it is easy to understand how to locate the documents associated with the control family. 


Within the Platform, you can upload your Zip file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.


Appendix D User Guide 

The content of this Appendix can be either a file or a website address. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. You will select one of the options that is shown in the screenshot below. The first option indicates that you have a physical file that can be uploaded as an object within Appendix D. Click the CHOOSE FILE button and browse for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, and then click the CHOOSE FILE button to browse and upload. 


The second statement is pretty self-explanatory. If you select the second statement, you will need to provide the website URL. 


Once your selection has been made and completed, click the Mark as complete button to update the status of the section.


Appendix E Digital Identity Worksheet 

The first table is informational to help make the best decision for you organization's Digital Identity Level. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. The Digital Identity Determination option selected in System Information Section 3 will display here in Appendix E. Once you have validated the selection, click the Mark as complete button to update the status of the section.




Appendix F Rules of Behavior 

FedRAMP developed a template for the Rules of Behavior or RoB, which can be downloaded by clicking on the Download Template link and following the instructions in the footnote. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. 


Within the Platform, you can upload your completed RoB file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, and then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.


Appendix G Information System Contingency Plan (ISCP) 

FedRAMP developed a template for the ISCP, which can be downloaded by clicking on the Download Template link and following the instructions in the footnote. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. 


Within the Platform, you can upload your completed ISCP file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.


Appendix H Configuration Management Plan (CMP) 

FedRAMP does not have a template for the CMP and directs you to NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems which provides guidelines and a sample in Appendix D of the Guide. Onscreen instructions are provided for this Appendix.


Within the Platform, you can upload your completed CMP file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.


Appendix I Incident Response Plan (IRP) 

FedRAMP does not have a template for the IRP and directs you to NIST SP 800-61, Computer Security Incident Handling Guide which provides guidance on how to develop an IRP. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. 


Within the Platform, you can upload your completed IRP file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.


Appendix J Control Implementation Summary (CIS) and Customer Responsibilities Matrix (CRM) Workbook 

FedRAMP developed a template for the CIS and CRM Workbook with color-coded worksheets for the four baselines (High, Moderate, Low, and Li-SaaS), which can be downloaded by clicking on the Download Template link and following the instructions in the footnote. There is an instruction tab that provides guidance for completing both the CIS and CRM. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. 

 

Because you are working in a FedRAMP system, within the Platform, under Sub Frameworks in the left navigation menu there are two sub-menus: 1) CIS and 2) CRM. If you don't see the Sub Frameworks menu, you should check in the Options | Edit System menu Advanced Configuration and enable the SUB FRAMEWORK CONTROL to display the CIS and CRM Sub Frameworks. If you don't see the CIS and CRM Sub Frameworks after toggling, please contact your Service Delivery Lead for assistance.


Control Implementation Summary (CIS)

The data shown within the CIS sub framework is pulled in from Control Statuses and Control Origination responses from Requirements. Depending on the Control Origination response, additional fields will display. If "Provided by Customer" is selected, a "Customer Responsibility" field will display and a description needs to be provided. If "Inherited from pre-existing provisional system" is selected, "Authorization Description" and "Date of Authorization" fields will display. This table can be exported to Excel if needed and this output could be copy/pasted into the FedRAMP provided template for submission to FedRAMP PMO. 


An example of the edit properties screen in Requirements is shown below. You will notice the "Control origination type" drop-down field. The options in this drop-down are detailed below and the table is meant to help you make the appropriate selection(s) depending on the status of the control and associated statements. Like the Status field, more than one origination type can be selected, if needed.


Control Origination
Definition
Example
Additional Field(s)
Service Provider Corporate
A control that originates from the CSP's corporate network.
Domain Name System (DNS) from the corporate network provides address resolution services for the information system and the service offering.
None
Service Provider System Specific
A control specific to a particular CSP system and the control is not part of the service provider corporate controls.
A unique host-based intrusion detection system (HIDS) is available on the service offering platform that is separate from the corporate network and dedicated to the service offering.
None
Service Provider Hybrid (Corporate and System Specific)
A control that makes use of both corporate controls and additional controls specific to a particular CSP system.
Corporate may provide scanning of the CSP's service offering utilizing the corporate network infrastructure, databases, or web-based applications.
None
Configured by Customer (Customer System Specific)
A control where the customer needs to apply a configuration to meet the control requirement.
User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable http or https, etc.), entering an IP range specific to their organization that are configurable by the customer.
None
Provided by Customer (Customer System Specific)
A control where the customer needs to provide additional hardware or software to meet the control requirement.
The customer provides a Security Assertion Markup Language (SAML) Single Sign On (SSO) solution to implement two-factor authentication.
Customer Responsibility
Shared (Service Provider and Customer Responsibility)
A control that is managed and implemented partially by the CSP and partially by the customer.
Security awareness training must be conducted by both the CSP and customer.
None
Inherited from Pre-Existing Authorization
A control that is inherited (by the CSP service offering) from another CSP system that has already received a FedRAMP Authorization.
A Platform as a Service (PaaS) or Software as a Service (SaaS) provider inherits Physical and Environmental Protection (PE) controls from an Infrastructure as a Service (IaaS) provider.
Authorization Description and Date of Authorization (date auto-populates)


The results of your selection(s) when evaluating the Control and sub-statements will look something like the sample shown below.



Customer Responsibilities Matrix (CRM)

The data shown within the CRM sub framework is also pulled from Requirements based on control responses, and "Yes," "No," or "Partial" will display in the "Can Be Inherited from CSP" column. If "Provided by Customer" was the Control Origination selection, the "Customer Responsibility" field content will display in the "Specific Inheritance and Customer Agency/CSP Responsibilities" column. This table can be exported to Excel if needed and this output could be copied/pasted into the FedRAMP provided template for submission to FedRAMP PMO. 

  • For Control IDs identified in the CIS Worksheet as Service Provider Corporate, Service Provider System Specific, or Service Provider Hybrid (Corporate and System Specific), the Platform will enter "Yes" in the "Can Be Inherited from CSP" column below, and leave the "Specific Inheritance and Customer Agency/CSP Responsibilities" column blank. See the table above for more Control ID information.
  • For Control IDs identified in the CIS Worksheet as Shared (Service Provider and Customer Responsibility), the Platform will enter "Partial" in the "Can Be Inherited from CSP" column (below). See the table above for more Control ID information. In the "Specific Inheritance and Customer Agency/CSP Responsibilities" column, you will need to describe which elements are inherited from the CSP and describe the customer responsibilities once you copy/paste the Platform's output into the template.
  • For Control IDs identified in the CIS Worksheet as Configured by Customer (Customer System Specific) or Provided by Customer (Customer System Specific), the Platform will enter "No" in the "Can Be Inherited from CSP" column (below). See the table above for more Control ID information. In the "Specific Inheritance and Customer Agency/CSP Responsibilities" column, the output will include what you entered in the Customer Responsibilities field, and you will need to explain why the Control ID cannot be inherited once you copy/paste the Platform's output into the template.

The results of your selection(s) when evaluating the Control and sub-statements will look something like the sample shown below.


Within the Platform, you can upload your completed workbook file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.


Appendix K Federal Information Processing Standard (FIPS) 199 Categorization 

The primary data elements for this section are Table K.1 which is pulled in from Options | Categorize data that has been entered. The Platform uses the NIST SP 800-60 (current revision) Volume II Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories to identify information types with the security impacts. 


The Platform allows you to start keying the Information Type Id or the Information Type name. Once an Id or Type are selected, data will populate based on the selection. By default the Confidentiality, Integrity, and Availability (CIA) will be set according to the NIST SP 800-60 Volume II Appendices referenced above; however, they can be change to High, Moderate, or Low accordingly, and we provide a place to enter a justification. 



In Appendix K in the internal SSP menu, the data entered in Categorize will display but in the FedRAMP SSP template format. Columns 2-4 display the default recommended levels for the specific Information Type, columns 5-7 display the CSP selected levels which may be the same as NIST but could have been modified in the Categorize feature. Justification statements will be displayed as well. Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. 


Appendix L Specific Laws and Regulations 

The Appendix L data is in the Platform and provides a simple table to capture the appendix information. Onscreen instructions are provided for this Appendix. 


Enter data in the provided table, complete the first row and use +Add Row to add more entries. Once completed, click the Mark as complete button to update the status of the section.

Appendix M Integrated Inventory Workbook (IIW)

FedRAMP developed a template for the IIW, which can be downloaded by clicking on the Download Template link and following the instructions in the footnoteClick on the Instructions link to access the full Instructions from the FedRAMP template for this section. Within the Platform, we leverage our CMBD to capture Assets within the Asset Module. Please talk to your Service Delivery lead for assistance to complete the file.


Within the Platform, you can upload your completed IIW file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.


Appendix N Continuous Monitoring Plan

The FedRAMP Continuous Monitoring Strategy Guide provides guidance and instructions on how to implement a continuous monitoring program, and the guidance may be used to help formulate a continuous monitoring plan (CMP). Click on the Instructions link to access the full Instructions from the FedRAMP template for this section. 


Within the Platform, you can upload your completed CMP file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.



Appendix O POA&M

FedRAMP developed a template for the POA&M, which can be downloaded by clicking on the Download Template link and following the instructions in the footnoteOnscreen instructions are provided for this Appendix. The ability to create POA&Ms is available within the Platform. Please talk to your Service Delivery lead for assistance with how to use the Platform POA&M data to complete the FedRAMP template.


Within the Platform, you can upload your completed POA&M file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.


Appendix P Supply Chain Risk Management Plan (SCRMP)

The Appendix P data is currently not within the Platform. Please review the onscreen instructions provided for this Appendix. 


Within the Platform, you can upload your completed SCRMP file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.


Appendix Q Cryptographic Modules Table

FedRAMP developed a template for Appendix Q, which can be downloaded by clicking on the Download Template link and following the instructions in the footnoteOnscreen instructions are provided for this Appendix. Please talk to your Service Delivery lead for assistance to complete the file.


Within the Platform, you can upload your completed file by clicking the CHOOSE FILE button and browsing for the file on your local or network drive. If you need to replace the file, click the X to the right of the file name, then click the CHOOSE FILE button to browse and upload. Once completed, click the Mark as complete button to update the status of the section.