# FedRAMP Authorization Package

> Draft and validate FedRAMP authorization packages for cloud service providers: System Security Plan (SSP) with all required attachments, Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M). Supports Low, Moderate, and High baselines.

Tags: FedRAMP, NIST, Compliance, Government, Cloud Security, ATO

## Example Prompts

- Draft our FedRAMP SSP control implementations for the Moderate baseline
- Write the Privacy Impact Assessment and Rules of Behavior for our FedRAMP package
- Document SAR findings and build the Risk Exposure Table for our 3PAO assessment
- Update our FedRAMP POA&M with remediation owners and target dates

URL: https://rakenne.app/skills/fedramp-authorization-package/index.md

Try this skill: https://rakenne.app/a/?skill=fedramp-authorization-package

## Overview

Draft and validate FedRAMP authorization packages for cloud service providers: System Security Plan (SSP) with all required attachments, Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M). Supports Low, Moderate, and High baselines.

## Getting Started

Add your source materials to the project workspace, then activate the *FedRAMP Authorization Package* skill. The agent will guide you through the process step by step.

## Example Conversation

> **You:** We're a SaaS company pursuing FedRAMP Moderate authorization for our case management platform. I've uploaded our existing AWS architecture diagram, our ISO 27001 policies, and a draft boundary description. Can you start the SSP?
>
> **Agent:** I'll build the SSP for a Moderate baseline. Before I start the control implementations, I need: (1) Confirm the FIPS 199 categorization — is Moderate the highest impact across confidentiality, integrity, and availability? (2) Which services are inside the authorization boundary vs. inherited from AWS GovCloud? (3) Do any controls leverage a FedRAMP-authorized leveraged system we can reference for inheritance?
>
> **You:** Moderate is correct. Boundary is our application tier, database, and CI/CD pipeline — all in AWS GovCloud (East). We'll inherit from AWS GovCloud's existing P-ATO for relevant infrastructure controls.
>
> **Agent:** I've created `ssp-draft.md` with your system description, FIPS 199 categorization, and authorization boundary narrative based on your diagram. I've mapped 87 controls as Inherited from AWS GovCloud (P-ATO package FR-2849) and flagged 238 controls requiring CSP implementation. Starting with the AC family — I've drafted AC-2 (Account Management): *"User accounts are managed through Okta. Provisioning requires a manager-approved ticket in ServiceNow. Accounts are reviewed quarterly; role assignments are reviewed semi-annually. AWS IAM roles mapped to Okta groups enforce least-privilege separation between application, database, and CI/CD environments."* Want me to continue through the AC family and flag controls with partial implementations?

## Sample Output Excerpt

Below is a representative excerpt from a FedRAMP Moderate System Security Plan.

---

### Control AC-17 — Remote Access

**Status:** Implemented
**Origination:** SP System

**Implementation narrative:**

Remote access to all system components is restricted to VPN connections using Cisco AnyConnect with certificate-based mutual TLS authentication. Multi-factor authentication (Okta Verify TOTP) is enforced as a condition of VPN session establishment for all users, including privileged administrators. Remote sessions terminate automatically after 30 minutes of inactivity (parameter: AC-17(2) — 30 minutes, per FedRAMP Moderate baseline).

All remote access sessions are logged to the SIEM (Splunk Cloud) via AWS VPC Flow Logs and Okta System Log integration. Alerts are configured for: (1) remote access from anomalous geographic locations; (2) failed MFA attempts exceeding three within a 15-minute window; (3) privileged session activity outside business hours.

The VPN gateway is hosted on dedicated EC2 instances in a hardened security group that permits only TLS 1.2+ on port 443. No split-tunnelling is permitted; all traffic is routed through the VPN tunnel while connected.

**Related policies:** Remote Access Policy v2.1 (approved 10 Jan 2025), MFA Enforcement Standard v1.4

**Parameter values:** Session timeout: 30 minutes (FedRAMP required). MFA lockout: 3 failed attempts (FedRAMP required).
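The three alert conditions in the narrative above (anomalous geography, failed MFA attempts exceeding three within a 15-minute window, privileged activity outside business hours) are the kind of rules the SIEM would evaluate over the Okta System Log feed. The following Python is an added example and is not part of the SSP excerpt or the skill's tooling: it implements rules (2) and (3) over a constructed, flat event record (an assumption for this example, not Okta's actual System Log schema or Splunk's search language) and assumes a business-hours window of 08:00 to 18:00 UTC, Monday to Friday, which the page does not specify.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The flat record layout is an assumption for this
# example and is not Okta's System Log schema; all timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T09:00:00Z", "user": "alice", "event": "mfa.verify",    "outcome": "FAILURE", "privileged": False},
    {"ts": "2025-03-03T09:04:00Z", "user": "alice", "event": "mfa.verify",    "outcome": "FAILURE", "privileged": False},
    {"ts": "2025-03-03T09:10:00Z", "user": "alice", "event": "mfa.verify",    "outcome": "FAILURE", "privileged": False},
    {"ts": "2025-03-03T09:13:00Z", "user": "alice", "event": "mfa.verify",    "outcome": "FAILURE", "privileged": False},
    {"ts": "2025-03-03T09:00:00Z", "user": "bob",   "event": "mfa.verify",    "outcome": "FAILURE", "privileged": False},
    {"ts": "2025-03-03T09:05:00Z", "user": "bob",   "event": "mfa.verify",    "outcome": "FAILURE", "privileged": False},
    {"ts": "2025-03-03T09:10:00Z", "user": "bob",   "event": "mfa.verify",    "outcome": "FAILURE", "privileged": False},
    {"ts": "2025-03-03T09:40:00Z", "user": "bob",   "event": "mfa.verify",    "outcome": "FAILURE", "privileged": False},
    {"ts": "2025-03-03T09:41:00Z", "user": "bob",   "event": "mfa.verify",    "outcome": "SUCCESS", "privileged": False},
    {"ts": "2025-03-03T10:00:00Z", "user": "dave",  "event": "session.start", "outcome": "SUCCESS", "privileged": True},
    {"ts": "2025-03-03T22:15:00Z", "user": "carol", "event": "session.start", "outcome": "SUCCESS", "privileged": True},
    {"ts": "2025-03-03T22:30:00Z", "user": "erin",  "event": "session.start", "outcome": "SUCCESS", "privileged": False},
]

MFA_WINDOW = timedelta(minutes=15)    # page parameter: 15-minute window
MFA_THRESHOLD = 3                     # page parameter: alert when failures exceed three
BUSINESS_START, BUSINESS_END = 8, 18  # assumption: 08:00-18:00 UTC, Monday-Friday


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def mfa_failure_alerts(events):
    """Rule (2): per user, a sliding window over failed MFA verifications.
    Returns {user: timestamp of the failure that pushed the count past the threshold}."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.verify" and e["outcome"] == "FAILURE":
            failures[e["user"]].append(parse_ts(e["ts"]))
    alerts = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > MFA_WINDOW:  # drop failures that aged out of the window
                start += 1
            if end - start + 1 > MFA_THRESHOLD:   # fourth failure inside 15 minutes fires
                alerts[user] = t
                break
    return alerts


def off_hours_privileged_sessions(events):
    """Rule (3): privileged session starts outside business hours or on a weekend."""
    hits = []
    for e in events:
        if e["event"] != "session.start" or not e["privileged"]:
            continue
        t = parse_ts(e["ts"])
        if t.weekday() >= 5 or not (BUSINESS_START <= t.hour < BUSINESS_END):
            hits.append((e["user"], e["ts"]))
    return hits


if __name__ == "__main__":
    print(mfa_failure_alerts(SAMPLE_EVENTS))            # alice only: 4 failures in 13 minutes
    print(off_hours_privileged_sessions(SAMPLE_EVENTS))  # carol's 22:15 privileged session
```

Note that bob also accumulates four failures, but the fourth falls 30 minutes after the previous one, so the sliding window never holds more than three and no alert fires; a rule that simply counted failures per hour would have flagged him. The threshold is deliberately "more than three" rather than "three or more", matching the narrative's wording.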

---

### SSP Attachment — Rules of Behavior (RoB) Excerpt

*All users must acknowledge these Rules of Behavior before being granted access to the system.*

**2.3 Prohibited Activities**

Users must not:
- Store, process, or transmit federal agency data outside the authorized system boundary
- Attempt to access systems, data, or functions beyond their assigned role
- Use personal devices to access federal data unless enrolled in the approved MDM solution
- Share credentials, session tokens, or MFA codes with any other person
- Connect to the system via public Wi-Fi without VPN active

Violations may result in immediate account suspension, disciplinary action, and referral to the relevant federal agency's ISSO.


## Built-in Scripts and Validation

The skill includes a validation tool the agent runs against SSP files and POA&M updates throughout the authorization lifecycle.

### Validation tools

| Tool | Purpose |
|------|---------|
| **fedramp_package_completeness_check** | Accepts the path to an SSP file or package directory plus the impact level (Low, Moderate, or High). Validates: (1) all NIST 800-53 Rev 5 control families in the selected baseline are represented with at least one control entry; (2) implementation status keywords are present (Implemented, Partially Implemented, Planned, Not Applicable, or Alternative Implementation); (3) the seven required SSP attachments are detectable — Rules of Behavior, Contingency Plan, Incident Response Plan, Configuration Management Plan, Digital Identity Worksheet, Control Implementation Summary, and Customer Responsibility Matrix; (4) a Privacy Impact Assessment is present if the word "PII" or "personally identifiable information" appears in the SSP; (5) the authorization boundary diagram and data flow diagrams are referenced; (6) a POA&M exists in the package directory if any outstanding findings are referenced. Issues are flagged as must-fix; attachment gaps are flagged as warnings. Returns PASS or FAIL with a detailed item list. |
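The six checks in the table read as a small rule set, and it is worth seeing how each one decides PASS or FAIL. The following Python is an added example, not the skill's bundled `fedramp_package_completeness_check` script: it assumes SSP files use the `### Control XX-n` heading and `**Status:**` line shown in the excerpt earlier on this page, applies one simplified family set for all three impact levels (an assumption for this example; the authoritative per-baseline control lists come from the FedRAMP Rev 5 baselines), and runs against a constructed SSP fragment and file list.

```python
import re

# Simplification for this example: one family set for every impact level. The
# authoritative per-baseline control lists come from the FedRAMP Rev 5 baselines.
BASELINE_FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
                     "PE", "PL", "PS", "RA", "SA", "SC", "SI", "SR"}
STATUS_KEYWORDS = {"Implemented", "Partially Implemented", "Planned",
                   "Not Applicable", "Alternative Implementation"}
REQUIRED_ATTACHMENTS = [
    "Rules of Behavior", "Contingency Plan", "Incident Response Plan",
    "Configuration Management Plan", "Digital Identity Worksheet",
    "Control Implementation Summary", "Customer Responsibility Matrix",
]
# Heading and status conventions follow the SSP excerpt on this page.
CONTROL_HEADING = re.compile(r"^#+\s*Control\s+([A-Z]{2})-(\d+)", re.M)
STATUS_LINE = re.compile(r"\*\*Status:\*\*\s*(.+)")


def split_controls(ssp_text):
    """Yield (control id, family, text of that control's section)."""
    matches = list(CONTROL_HEADING.finditer(ssp_text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ssp_text)
        yield f"{m.group(1)}-{m.group(2)}", m.group(1), ssp_text[m.start():end]


def completeness_check(ssp_text, package_files, impact_level):
    if impact_level not in ("Low", "Moderate", "High"):
        raise ValueError(f"unknown impact level: {impact_level}")
    must_fix, warnings = [], []
    controls = list(split_controls(ssp_text))
    lower = ssp_text.lower()
    # file names written with dashes or underscores still match attachment names
    files_lower = " ".join(package_files).lower().replace("-", " ").replace("_", " ")

    # (1) every baseline family has at least one control entry
    for fam in sorted(BASELINE_FAMILIES - {f for _, f, _ in controls}):
        must_fix.append(f"family {fam} has no control entry")
    # (2) each control carries a recognised implementation status keyword
    for cid, _, body in controls:
        m = STATUS_LINE.search(body)
        if not m or m.group(1).strip() not in STATUS_KEYWORDS:
            must_fix.append(f"{cid}: missing or unrecognised implementation status")
    # (3) the seven attachments are detectable in the SSP text or the package files
    for att in REQUIRED_ATTACHMENTS:
        if att.lower() not in lower and att.lower() not in files_lower:
            warnings.append(f"attachment not detected: {att}")
    # (4) a Privacy Impact Assessment is required once the SSP mentions PII
    if re.search(r"\bPII\b|personally identifiable information", ssp_text, re.I) \
            and "privacy impact assessment" not in lower:
        must_fix.append("PII referenced but no Privacy Impact Assessment found")
    # (5) boundary and data flow diagrams are referenced
    for diagram in ("authorization boundary diagram", "data flow diagram"):
        if diagram not in lower:
            must_fix.append(f"{diagram} not referenced")
    # (6) outstanding findings require a POA&M in the package directory
    if re.search(r"\bfindings?\b", lower) \
            and not any(re.search(r"poa&?m", f, re.I) for f in package_files):
        must_fix.append("findings referenced but no POA&M in package")

    return {"result": "FAIL" if must_fix else "PASS",
            "must_fix": must_fix, "warnings": warnings}


# Constructed SSP fragment and package listing for the example; not a real package.
SAMPLE_SSP = """# System Security Plan (constructed sample)
The authorization boundary diagram and data flow diagram are in Appendix A.
The system stores PII for case participants.
Attachments: Rules of Behavior, Contingency Plan, Incident Response Plan.
One outstanding finding from the last assessment is tracked separately.

### Control AC-17 — Remote Access
**Status:** Implemented

### Control IA-2 — Identification and Authentication
**Status:** Partially Implemented

### Control SC-7 — Boundary Protection
**Status:** In Progress
"""
SAMPLE_FILES = ["ssp.md", "poam.xlsx", "configuration-management-plan.pdf"]

if __name__ == "__main__":
    report = completeness_check(SAMPLE_SSP, SAMPLE_FILES, "Moderate")
    print(report["result"])
    for item in report["must_fix"]:
        print("MUST FIX:", item)
    for item in report["warnings"]:
        print("WARNING: ", item)
```

On the constructed sample the result is FAIL: fifteen families have no entry, SC-7 uses a status word outside the allowed set, and PII is mentioned without a Privacy Impact Assessment. The three undetected attachments come back as warnings only, so they would not by themselves turn a PASS into a FAIL, which matches the table's must-fix versus warning split.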


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
