Note: CSV files are currently only provided to permit easy online viewing, without requiring a download of the controls. Presently the FedRAMP PMO is only able to accept routine submissions via the more formal Excel/Word templates. However, future activities will seek to enable more flexible/automatable submission formats, and ideas are encouraged!
APPENDIX A - FedRAMP Tailored Security Controls Baseline
Key to LISaaS Baseline
There are six (6) categories of FedRAMP Tailored Low Impact-Software as a Service (LI-SaaS) Baseline controls, based on the FedRAMP Low Impact Baseline, that are required to be addressed by the Cloud Service Provider (CSP). The following table provides a list of the tailoring symbols with a short description of the tailoring criteria.
|Tailoring Symbol|Tailoring Criteria|
|---|---|
|FED|Controls that are uniquely Federal, which are primarily the responsibility of the Federal Government|
|NSO|Controls FedRAMP determined do not impact the security of the Cloud SaaS|
|Required|Controls FedRAMP determined. Not required for Low Impact Cloud SaaS, and are independently assessed|
|Conditional|Controls FedRAMP determined to be conditionally required for Low Impact Cloud SaaS|
|Inherited|Controls FedRAMP determined to be inherited from the underlying infrastructure provider (i.e., FedRAMP authorized IaaS/PaaS) for Low Impact Cloud SaaS|
|Attestation|Controls for which FedRAMP determined that the CSP is required to attest to being in place for Low Impact Cloud SaaS|
There are two (2) worksheets that provide the listing of the FedRAMP Tailored LI-SaaS Baseline controls and associated tailoring criteria:
1. FedRAMP Tailored - CSP Response - Provides a list of all controls that require the CSP to provide detailed descriptions of their implementation, or to provide a self-attestation that their implementation meets the intent of the security requirements. All required and conditional controls must be tested by an approved assessor.
2. FedRAMP Tailored - Details - Provides details of the FedRAMP tailoring criteria for all FedRAMP Low Impact Baseline controls.
APPENDIX B - FedRAMP Tailored Mandatory Templates
APPENDIX C - FedRAMP Tailored ATO Letter Template
Insert your information in the bracketed fields.
ATO Letter Template
[Federal Agency/Office logo]
[Cloud System Owner Name]
[Cloud Service Name] Cloud System Owner
CSP System Owner Name:
[Federal Agency/Office] has completed the security review of the [Cloud Service Provider (CSP) Name] [System Name] ([System Acronym]), which leverages the [CSP Name] [System Name] [Select IaaS or PaaS]. Based on the Federal Information Processing Standard (FIPS) security impact categorization of Low (Confidentiality = Low, Integrity = Low, Availability = Low) and specifically the FedRAMP Tailored Low Impact Software-as-a-Service (LISaaS) Security Requirements,1 [Federal Agency/Office] has determined that [System Acronym] meets the information security requirements and is granted [Federal Agency/Office] FedRAMP Authorization to Operate (ATO).
The FedRAMP Tailored LISaaS Baseline established by the FedRAMP Joint Authorization Board (JAB) defines the minimum security requirements for SaaS systems and applications that meet specific criteria for use by agencies.
Insert information regarding the appropriate use, purposes and restrictions for use of this SaaS.
[Federal Agency/Office] has determined this [CSP System Name] ATO is applicable for use by [Federal Agency/Office] users for the following purposes, and with the following restrictions:
- Purpose Example: This application is authorized for use by [Federal Agency/Office] users and contractors for Federal business collaboration and management purposes only.
- Restriction Example: No Personally Identifiable Information (PII) data may be stored, processed, or transmitted with this application.
Based on the assessment conducted by [Assessment Organization Name], and review by [Federal Agency/Office]'s Authorization Organization, the [CSP and/or CSP System Name] has been implemented and is maintained at an acceptable level of risk.
Edit as appropriate, if known risks or security controls are not implemented and have been accepted by the Authorization Organization specifically for this ATO.
The following is a list of known vulnerabilities and risks of the [CSP Name/System Name] that have been determined as acceptable for the specific use and with the specified restrictions:
- Example risk accepted: Support for acceptance of PIV/CAC credentials for Federal privileged users has not been implemented or is planned for implementation by
- Example risk accepted: Implementation of continuous monitoring is based on [enter continuous monitoring process information here].
The security authorization of the information system will remain in effect for a length of time in alignment with Office of Management and Budget Circular A-130 as long as:
- [CSP Acronym] satisfies the requirement of implementing continuous monitoring activities in accordance with FedRAMP Tailored LISaaS continuous monitoring requirements and/or as agreed between
- [CSP Acronym] mitigates open vulnerabilities in accordance with FedRAMP requirements and as agreed between
- Significant changes or critical vulnerabilities are identified and managed in accordance with applicable Federal law, guidelines, policies, and best practices.
[System Acronym] is delivered using a [Deployment Model] cloud computing deployment model. It is available to [Insert scope of customers as stated in the documentation (for example, Public, Federal Only, Hybrid community)].
[Brief system description provided by CSP]
Federal Agencies are encouraged to leverage this Agency FedRAMP ATO as a key element of their own ATO as applicable. The package associated with [System Acronym] ATO must be considered with this
[Federal Agency/Office] believes the [System Acronym] and [System Acronym] FedRAMP Security Authorization Packages accurately document and clearly define the aggregate outstanding risk considerations, when viewed in concert. Agency customers must consider the aggregate risk for the LISaaS and underlying systems when granting an ATO.
Copies of authorization packages are available for agency review in the FedRAMP Secure Repository. If you have any questions or comments regarding this ATO, please contact [Agency ATO contact information].
[Agency AO Name]
[Agency AO Title]
APPENDIX D - FedRAMP Tailored Continuous Monitoring Requirements
APPENDIX E - FedRAMP Tailored Self-Attestation Requirements
FedRAMP Tailored Self-Attestation Requirements
FedRAMP Tailored [System Name] Attestation Statement
I, [System Owner Name], am the system owner for [Cloud Service Provider (CSP) Name and System Name]. I attest to the accuracy of the statements in this document. I understand any willful misrepresentation of the information presented here will result in immediate revocation of this system authorization to operate. System Owner Signature: X__________ Date: __________
<System Owner Name>
<CSP Name> –
Attestation of Policies and Procedures
The following policies and procedures exist and address the basic elements listed for this system. The policies are reviewed and updated at least every three years. The procedures are reviewed and updated annually. Exceptions are identified in the Modifications column.
Where policies or procedures are fully inherited, simply state “This is inherited.” in the Modification Statement column. For a fully virtual SaaS this is likely true for PE-1, Physical and Environmental Protection Policy and Procedures, and may be true for others.
Do not delete rows or modify the Basic Elements column in the tables below. State any exceptions in the Modifications Statement column.
Attestation of Capabilities
The following capabilities exist and satisfy the associated requirement at least to the degree described in the associated attestation statement.
Do not delete rows or modify the Attestation Statement column in the table below. State any exceptions in the Modifications column.
Where the satisfaction of a control is partially or fully inherited, please check the appropriate box in the Modification Statement column. If there is no inheritance, leave both boxes unchecked. For example, if the PE controls are fully inherited from an underlying service provider with a separate authorization, check the “Inherited” box for each.
Please note, you are still attesting that the statements for inherited controls are true to the best of your knowledge. If you have reason to believe otherwise, you must still state the difference in the Modification Statement column.