New template outlines FedRAMP readiness assessment

The General Services Administration's Federal Risk and Authorization Management Program dropped Tuesday the final version of its Readiness Assessment Report template, an avenue for cloud providers to show they are ready to start the certification process.


The General Services Administration’s Federal Risk and Authorization Management Program dropped Tuesday the final version of its Readiness Assessment Report template, an avenue for cloud providers to show they are ready to start the certification process.

FedRAMP-accredited third-party assessment organizations will fill out the report when they are conducting what is basically a pre-audit to deem cloud service providers “FedRAMP Ready.” The FedRAMP Program Management Office must then approve the report.

The new template is part of recent efforts to speed the process to get certified called FedRAMP Accelerated.


[Read more: Exclusive: FedRAMP embraces the need for speed]

The report template published Tuesday lays out minimum requirements for the providers while giving guidance to the third-party assessors, according to the GSA blog post.

Being FedRAMP Ready signals the provider is likely to get a provisional authorization to operate, or P-ATO, via the Joint Authorization Board or an authorization to operate by an agency, the blog post says.

This process allows the government to assess the providers’ capabilities before they go through a lengthy documentation process to get certified.

Focusing on capabilities enables the third party “to assess a CSP’s [cloud service provider’s] system in a shorter amount of time,” and gives “the government a clearer understanding of a provider’s technical capabilities up-front in the assessment process,” according to the blog post.


Conducting the readiness assessment should be a two-to-four week effort for mid-size, straightforward systems, according to the template. The first half of the assessment would focus on information gathering, and the second on analysis and developing the report, according to the template.

“The RAR focuses on key capabilities rather than documentation,” the blog post says.

The public commented on a draft version of the template, and the final version reflects industry feedback, according to the post.

Cloud service providers can use the template immediately, the post says.

Samantha Ehlinger

Written by Samantha Ehlinger

Samantha Ehlinger is a technology reporter for FedScoop. Her work has appeared in the Houston Chronicle, Fort Worth Star-Telegram, and several McClatchy papers, including Miami Herald and The State. She was a part of a McClatchy investigative team for the “Irradiated” project on nuclear worker conditions, which won a McClatchy President’s Award. She is a graduate of Texas Christian University. Contact Samantha via email at, or follow her on Twitter at @samehlinger. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here:

Latest Podcasts