Appendix B

FedRAMP Assessment Process and Templates

The Federal Risk Assessment and Management Program (FedRAMP) is the joint NIST-GSA program that oversees US government deployments of cloud-based systems.

The FedRAMP program has produced templates and guidelines for each area of cloud system deployment for federal agencies that require an ATO and periodic testing under FISMA requirements; all of these efforts conform to the SP 800-53 and SP 800-37 criteria.

I have included the testing guide for the controls here from the FedRAMP site, but there are many other documents of relevance there also, including SAP and SAR templates, guides for Third-Party Assessment Organizations (3PAOs) who do the actual assessments ...
