
FedRAMP Authorization Package


    Overview

    Draft and validate FedRAMP authorization packages for cloud service providers: System Security Plan (SSP) with all required attachments, Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M). Supports Low, Moderate, and High baselines.

    Getting Started

    Add your source materials to the project workspace, then activate the FedRAMP Authorization Package skill. The agent will guide you through the process step by step.

    Example Conversation

    You: We’re a SaaS company pursuing FedRAMP Moderate authorization for our case management platform. I’ve uploaded our existing AWS architecture diagram, our ISO 27001 policies, and a draft boundary description. Can you start the SSP?

    Agent: I’ll build the SSP for a Moderate baseline. Before I start the control implementations, I need: (1) Confirm the FIPS 199 categorization — is Moderate the highest impact across confidentiality, integrity, and availability? (2) Which services are inside the authorization boundary vs. inherited from AWS GovCloud? (3) Do any controls leverage a FedRAMP-authorized leveraged system we can reference for inheritance?

    You: Moderate is correct. Boundary is our application tier, database, and CI/CD pipeline — all in AWS GovCloud (East). We’ll inherit from AWS GovCloud’s existing P-ATO for relevant infrastructure controls.

    Agent: I’ve created ssp-draft.md with your system description, FIPS 199 categorization, and authorization boundary narrative based on your diagram. I’ve mapped 87 controls as Inherited from AWS GovCloud (P-ATO package FR-2849) and flagged 238 controls requiring CSP implementation. Starting with the AC family — I’ve drafted AC-2 (Account Management): “User accounts are managed through Okta. Provisioning requires a manager-approved ticket in ServiceNow. Accounts are reviewed quarterly; role assignments are reviewed semi-annually. AWS IAM roles mapped to Okta groups enforce least-privilege separation between application, database, and CI/CD environments.” Want me to continue through the AC family and flag controls with partial implementations?

    Sample Output Excerpt

    Below is a representative excerpt from a FedRAMP Moderate System Security Plan.


    Control AC-17 — Remote Access

    Status: Implemented
    Origination: SP System

    Implementation narrative:

    Remote access to all system components is restricted to VPN connections using Cisco AnyConnect with certificate-based mutual TLS authentication. Multi-factor authentication (Okta Verify TOTP) is enforced as a condition of VPN session establishment for all users, including privileged administrators. Remote sessions terminate automatically after 30 minutes of inactivity (parameter: AC-17(2) — 30 minutes, per FedRAMP Moderate baseline).

    All remote access sessions are logged to the SIEM (Splunk Cloud) via AWS VPC Flow Logs and Okta System Log integration. Alerts are configured for: (1) remote access from anomalous geographic locations; (2) failed MFA attempts exceeding three within a 15-minute window; (3) privileged session activity outside business hours.

    The VPN gateway is hosted on dedicated EC2 instances in a hardened security group that permits only TLS 1.2+ on port 443. No split tunneling is permitted; all traffic is routed through the VPN tunnel while connected.

    Related policies: Remote Access Policy v2.1 (approved 10 Jan 2025), MFA Enforcement Standard v1.4

    Parameter values: Session timeout: 30 minutes (FedRAMP required). MFA lockout: 3 failed attempts (FedRAMP required).


    SSP Attachment — Rules of Behavior (RoB) Excerpt

    All users must acknowledge these Rules of Behavior before being granted access to the system.

    2.3 Prohibited Activities

    Users must not:

    • Store, process, or transmit federal agency data outside the authorized system boundary
    • Attempt to access systems, data, or functions beyond their assigned role
    • Use personal devices to access federal data unless enrolled in the approved MDM solution
    • Share credentials, session tokens, or MFA codes with any other person
    • Connect to the system via public Wi-Fi without VPN active

    Violations may result in immediate account suspension, disciplinary action, and referral to the relevant federal agency’s ISSO.

    Built-in Scripts and Validation

    The skill includes a validation tool the agent runs against SSP files and POA&M updates throughout the authorization lifecycle.

    Validation tools

    Tool: fedramp_package_completeness_check

    Purpose: Accepts the path to an SSP file or package directory plus the impact level (Low, Moderate, or High). Validates:

    (1) all NIST 800-53 Rev 5 control families in the selected baseline are represented with at least one control entry;
    (2) implementation status keywords are present (Implemented, Partially Implemented, Planned, Not Applicable, or Alternative Implementation);
    (3) the seven required SSP attachments are detectable: Rules of Behavior, Contingency Plan, Incident Response Plan, Configuration Management Plan, Digital Identity Worksheet, Control Implementation Summary, and Customer Responsibility Matrix;
    (4) a Privacy Impact Assessment is present if the word “PII” or “personally identifiable information” appears in the SSP;
    (5) the authorization boundary diagram and data flow diagrams are referenced;
    (6) a POA&M exists in the package directory if any outstanding findings are referenced.

    Issues are flagged as must-fix; attachment gaps are flagged as warnings. Returns PASS or FAIL with a detailed item list.
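    As an added illustration (not the skill's own validation tool, whose code is not shown on this page), the following Python sketch applies the six checks above to a constructed SSP excerpt and a list of package file names; the family list, the keyword and file-name matching heuristics, and the uniform family set across impact levels are assumptions.

```python
import re

# Assumption (not the skill's own table): the 18 NIST SP 800-53 Rev 5 families
# that check (1) expects, used here for Low, Moderate and High alike.
FAMILIES = ["AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
            "PE", "PL", "PS", "RA", "SA", "SC", "SI", "SR"]
STATUSES = ["Implemented", "Partially Implemented", "Planned",
            "Not Applicable", "Alternative Implementation"]
ATTACHMENTS = ["Rules of Behavior", "Contingency Plan", "Incident Response Plan",
               "Configuration Management Plan", "Digital Identity Worksheet",
               "Control Implementation Summary", "Customer Responsibility Matrix"]

def check_package(ssp_text, package_files, impact_level):
    """Run the six completeness checks over SSP text plus the file names in the
    package directory. Returns (verdict, must_fix, warnings)."""
    if impact_level not in ("Low", "Moderate", "High"):
        raise ValueError(f"unknown impact level: {impact_level}")
    must_fix, warnings = [], []
    low = ssp_text.lower()
    # (1) every family in the baseline has at least one "Control XX-n" entry
    present = set(re.findall(r"\bControl ([A-Z]{2})-\d+", ssp_text))
    must_fix += [f"family {f} has no control entry" for f in FAMILIES if f not in present]
    # (2) at least one recognised implementation-status keyword
    if not any(re.search(rf"Status:\s*{s}\b", ssp_text) for s in STATUSES):
        must_fix.append("no implementation status keyword found")
    # (3) the seven required attachments; gaps are warnings, not failures
    warnings += [f"attachment not detected: {a}" for a in ATTACHMENTS if a.lower() not in low]
    # (4) a PIA is required as soon as the SSP mentions PII
    if re.search(r"\bpii\b|personally identifiable information", low) \
            and "privacy impact assessment" not in low:
        must_fix.append("PII referenced but no Privacy Impact Assessment")
    # (5) boundary and data flow diagrams must be referenced
    must_fix += [f"{d} not referenced" for d in
                 ("authorization boundary diagram", "data flow diagram") if d not in low]
    # (6) a POA&M file must exist if the SSP references outstanding findings
    has_poam = any("poa&m" in f.lower() or "poam" in f.lower() for f in package_files)
    if re.search(r"\bfindings?\b", low) and not has_poam:
        must_fix.append("findings referenced but no POA&M in package directory")
    return ("FAIL" if must_fix else "PASS"), must_fix, warnings

# Constructed sample: the AC-17 entry from this page plus a stub for every other family.
SAMPLE_SSP = ("Control AC-17 - Remote Access\nStatus: Implemented\n"
              "See the authorization boundary diagram and data flow diagram.\n"
              "Attachments: " + ", ".join(ATTACHMENTS) + "\n"
              + "".join(f"Control {f}-1\nStatus: Planned\n" for f in FAMILIES[1:]))

if __name__ == "__main__":
    print(check_package(SAMPLE_SSP, ["ssp-draft.md"], "Moderate"))
```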
