Skip to main content

Note: CSV files are currently only provided to permit easy online viewing, without requring a download of the controls. Presently the FedRAMP PMO is only able to accept routine submissions via the more formal Excel/Word templates. However, future activities will seek to enable more flexible/automatable submission formats, and ideas are encouraged!

APPENDIX A - FedRAMP Tailored Security Controls Baseline

Download as an Excel Spreadsheet

Key to LISaaS Baseline

There are six (6) categories of FedRAMP Tailored Low Impact-Software as a Service (LI-SaaS) Baseline controls, based on the FedRAMP Low Impact Baseline, that are required to be addressed by the Cloud Service Provider (CSP). The following table provides a list of the tailoring symbols with a short description of the tailoring criteria.

Tailoring Symbol Tailoring Criteria
FED Controls that are uniquely Federal, which are primarily the responsibility of the Federal Government
NSO Controls FedRAMP determined. Does not impact the security of the Cloud SaaS
Required Controls FedRAMP determined. Not required for Low Impact Cloud SaaS, and are independently assessed
Conditional Controls FedRAMP determined to be conditionally required for Low Impact Cloud SaaS
Inherited Controls FedRAMP determined to be inherited from the underlying infrastructure provider (i.e., FedRAMP authorized IaaS/PaaS) for Low Impact Cloud SaaS
Attestation Controls for which FedRAMP determined that the CSP is required to attest to being in place for Low Impact Cloud SaaS

There are two (2) worksheets that provide the listing of the FedRAMP Tailored LI-SaaS Baseline controls and associated tailoring criteria:

1. FedRAMP Tailored - CSP Response - Provides a list of all controls that require the CSP to provide detailed descriptions of their implementation, or provide a self-attestation that their implementation meets the intent of the security requirements. All required and conditional controls must be tested by an approved assessor. * View

2. FedRAMP Tailored - Details - Provides details of the FedRAMP tailoring criteria for all FedRAMP Low Impact Baseline controls * View

APPENDIX B - FedRAMP Tailored Mandatory Templates

Download as a Word Document

APPENDIX C - FedRAMP Tailored ATO Letter Template

Download as a Word Document

Insert your information here

ATO Letter Template

Federal Agency/Office logo

Date

Cloud System Owner Name

Cloud Service Name Cloud System Owner

Address

Mr./Mrs. CSP System Owner Name:

Federal Agency/Office has completed the security review of the Cloud Service Provider (CSP) Name (CSP Acronym) System Name (System Acronym), which leverages the CSP Name (CSP Acronym) System Name (System Acronym) Select IaaS or PaaS. Based on the Federal Information Processing Standard (FIPS) security impact categorization of Low (Confidentiality = Low, Integrity = Low, Availability = Low) and specifically the FedRAMP Tailored Low Impact Software-as-a-Service (LISaaS) Security Requirements,1Federal Agency/Office has determined that System Acronym meets the information security requirements and is granted Federal Agency/Office FedRAMP Authorization to Operate (ATO).

The FedRAMP Tailored LISaaS Baseline established by the FedRAMP Joint Authorization Board (JAB) defines the minimum security requirements for SaaS systems and applications that meet specific criteria for use by agencies.

Insert information regarding the appropriate use, purposes and restrictions for use of this SaaS

The Federal Agency/Office has determined this CSP system Name ATO is applicable for use by Federal Agency/Office users for the following purposes, and with the following restrictions:

Based on the assessment conducted by Assessment Organization Name, and review by Federal Agency/Office's Authorization Organization the CSP and/or CSP System Name has been implemented and is maintained at an acceptable level of risk.

Edit as appropriate, if known risks or security controls are not implemented and have been accepted by the Authorization Organization specifically for this ATO

The following is a list of known vulnerabilities and risks of the CSP Name/System Name that have been determined as acceptable for the specific use and with the specified restrictions:

The security authorization of the information system will remain in effect for a length of time in alignment with Office of Management and Budget Circular A-130 as long as:

  1. CSP Acronym satisfies the requirement of implementing continuous monitoring activities in accordance with FedRAMP Tailored LISaaS continuous monitoring requirements and/or as agreed between Federal Agency/Office andSystem Acronym.
  2. CSP Acronym mitigates open vulnerabilities in accordance with FedRAMP requirements and as agreed between Federal Agency/Office and System Acronym.
  3. Significant changes or critical vulnerabilities are identified and managed in accordance with applicable Federal law, guidelines, policies, and best practices.

System Acronym is delivered using a Deployment Model cloud computing deployment model. It is available to Insert scope of customers as stated in the documentation (for example, Public, Federal Only, Hybrid community).

Brief system description provided by CSP

Federal Agencies are encouraged to leverage this Agency FedRAMP ATO as a key element of their own ATO as applicable. The package associated with System Acronym ATO must be considered with this System AcronymATO. Federal Agency/Office believes the System Acronym and System AcronymFedRAMP Security Authorization Packages accurately document and clearly define the aggregate outstanding risk considerations, when viewed in concert. Agency customers must consider the aggregate risk for the LISaaS and underlying systems when granting an ATO.

Copies of authorization packages are available for agency review in the FedRAMP Secure Repository. If you have any questions or comments regarding this ATO, please contact Agency ATO contact information.

APPROVED: _______________X

Agency AO Name

Agency AO Title

Agency Name

APPENDIX D - FedRAMP Tailored Continuous Monitoring Requirements

Download as a Word Document

APPENDIX E - FedRAMP Tailored Self-Attestation Requirements

Download as a Word Document

FedRAMP Tailored Self-Attestation Requirements

FedRAMP Tailored [System Name] Attestation Statement

I, [System Owner Name] am the system owner for [Cloud Service Provider (CSP) Name and System Name]. I attest to the accuracy of the statements in this document. I understand any willful misrepresentation of the information presented here will result in immediate revocation of this system authorization to operate. System Owner Signature: X__________ Date: ______- <System Owner Name><CSP Name><System Name>

Attestation of Policies and Procedures

The following policies and procedures exist and address the basic elements listed for this system. The policies are reviewed and updated at least every three years. The procedures are reviewed and updated annually. Exceptions are identified in the Modifications column.

Where policies or procedures are fully inherited, simply state, “This is inherited.” in the Modification Statement column. For a fully virtual SaaS this is likely true for PE-1, Physical and Environment Protection Policy and Procedures, and may be true for others.

Do not delete rows or modify the Basic Elements column in the tables below. State any exceptions in the Modifications Statement column.

TABLE E-1

Attestation of Capabilities

The following capabilities exist and satisfy the associated requirement at least to the degree described in the associated attestation statement.

Do not delete rows or modify the Attestation Statement column in the table below. State any exceptions in the Modifications column.

Where the satisfaction of a control is partially or fully inherited, please check the appropriate box in the Modification Statement column. If there is no inheritance, leave both boxes unchecked. For example, if the PE controls are fully inherited from an underlying service provider with a separate authorization, check the “Inherited” box for each.

Please note, you are still attesting the statements for inherited controls are true to the best of your knowledge. If you have reason to believe otherwise, you must still state the difference in the Modification Statement column.

TABLE E-2

  1. [FedRAMP Tailored Low Impact Software-as-a Service (LISaaS) Requirements and FedRAMP Tailored Low Impact Software-as-a-Service__Template] will be available at www.fedramp.gov.