The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. There are five (5) categories of FedRAMP Tailored Low Impact-Software as a Service (LI-SaaS) Baseline controls, based on the FedRAMP Low Impact Baseline, that are required to be addressed by the Cloud Service Provider (CSP). The following list gives the tailoring symbols with a short description of the tailoring criteria.

Tailoring Criteria:

* FED: The control is typically the responsibility of the Federal Government, not the CSP.
* NSO: FedRAMP has determined the control does not impact the security of the Cloud SaaS.
* Document and Assess: The control must be documented in Appendix B and independently assessed. This does not mean that a vendor will necessarily have each control fully implemented or implemented as stated. A vendor must address how they meet (or don't meet) the intent of the control so that it can be independently assessed, and detail any risks associated with the implementation.
* Document and Assess (Conditional): If the condition exists, the control must be documented in Appendix B and independently assessed as above. If the condition does not exist, the CSP must attest to this in Appendix E.
* Attest: The control must exist; however, the CSP may attest to its existence in Appendix E. (No documentation or independent assessment is required.)

FedRAMP utilizes a "do once, use many times" approach designed to reduce the cost of compliance versus requesting assessments each time an agency initiates a CSP acquisition. FedRAMP is compliant with the Federal Information Security Management Act (FISMA) of 2002 and leverages the National Institute of Standards and Technology (NIST) baseline controls and framework for risk management.
FedRAMP risk management encompasses four processes in the security assessment framework (SAF):

* Document
  * Categorize the system - The CSP determines its risk impact (Low, Moderate, or High) based upon the FIPS 199 template. Note: Currently, FedRAMP does not apply to high-risk impact systems. However, guidance is available for high-risk impact systems.
  * Select and implement security controls - The CSP will select NIST baseline security controls based on its system categorization. For any control not achieved, the CSP must justify its position for not implementing the control.
  * Create a System Security Plan (SSP) - The CSP documents the details of the above steps in an SSP for review. The SSP describes the security authorization boundary, how the implementation addresses each required control, roles and responsibilities, and the expected behavior of individuals with system access. Every security package must include an SSP for review.
  * Supplemental documents for submission - Supplemental documents include Security Policies, Privacy Analysis, e-Authentication Worksheet, User Guide, Rules of Behavior, IT Contingency Plan, Configuration Management Plan, Control Information Summary (CIS), Incident Response Plan, and Privacy Impact Assessment (if applicable).
* Assess
  * Security assessment plan (SAP) - CSPs must use an independent assessor to test the controls as documented in the SSP. This assessment starts with documenting the SAP developed by an independent assessor. Authorizing officials must approve the SAP.
  * Perform security testing - The independent assessor performs testing in accordance with the SAP. Testing includes completion of FedRAMP control test cases, penetration testing, configuration scans, and authenticated vulnerability scans of the CSP system.
* Authorize
  * Security assessment report (SAR) - The independent assessor prepares a report using FedRAMP templates. The SAR contains information about vulnerabilities, threats, and risks discovered during the testing process. The SAR also contains guidance for CSPs in mitigating the security weaknesses found. Authorizing officials review the SAR.
  * Plan of action and milestones (POA&M) - The CSP must address vulnerabilities noted in the SAR and demonstrate a plan for correcting weaknesses. The POA&M serves as a tracking system for the CSP.
  * Package submission - The CSP submits all documents noted above, including the SAR and POA&M. Authorizing officials review the entire package and make a risk-based decision on authorization.
  * Authorization letter - The formalized decision is documented through an authority to operate (ATO) letter from authorizing officials to the CSP and the FedRAMP project management office. The CSP is then added to the list of authorized CSPs at www.fedramp.gov.
* Monitor
  * Operational visibility - This includes periodic submission of control artifacts and an annual re-assessment. The re-assessment is completed by an independent assessor.
  * Change control - The CSP must notify authorizing officials of changes that might impact the ability to meet FedRAMP requirements.
  * Incident response - As documented in the SSP, the CSP must have incident response plans in place for all compliant FedRAMP systems. Severe incidents may initiate a review of the CSP's authorization. Failure to report incidents may also trigger a review.