Initiating a Request
Agencies and CSPs can both apply to FedRAMP to initiate an assessment of a cloud service. The Initiating a Request step involves the tasks and deliverables below. Please refer to the FedRAMP Concept of Operations document for more detailed information.
- CSP or Federal agency submits a completed FedRAMP Initiation Request Form to the FedRAMP PMO.
- FedRAMP PMO assigns an Information Systems Security Officer to provide guidance on implementing security controls, creating required documentation, and performing security testing.
- Upon FedRAMP PMO approval of the initiation request and the FIPS 199 worksheet, the FedRAMP PMO enters into agreement with the CSP and as required the sponsoring agency to perform an assessment of the CSP's system.
- Upon reaching agreement, the CSP completes the Control Tailoring Workbook (CTW) and the Control Implementation Summary (CIS) and submits the documents to the FedRAMP PMO for completeness and compliance checks.
- Once issues around compliance and completeness have been addressed, the documents are sent onto the Joint Authorization Board (JAB) for review.
- If the JAB accepts the CIS and CTW, the security assessment moves on to the Document Security Controls process step; otherwise, the FedRAMP PMO raises the specific concerns of the JAB with the CSP and they have an opportunity to address them and resubmit the documents.
|FedRAMP Request Form||The FedRAMP request form is used by Federal Agencies and CSPs to request initiation of the FedRAMP security assessment process.|
|FIPS 199 Categorization||The FIPS 199 Security categorization is used to determine the impact level to be supported by the cloud information system/service. The provider categorizes their system based on the data types currently stored and not leveraging agency data.|
|Control Tailoring Workbook||This document is used by the CSP to document their control implementation and define their implementation setting for FedRAMP defined parameters and any compensating controls.|
|Control Implementation Summary||This document summarizes the control ownership and indicates which controls are owned and managed by the CSP and which controls are managed by the leveraging agency.|