OVERVIEW

This page details all the artifacts required by the various defined FedRAMP Control Families.

ARTIFACT CATALOG

| Code | Artifact | Audit | Reference |
|---|---|---|---|
| MR001 | Quarterly Management Review | Quarterly | Management Review |
| MR002 | Annual Management Review | Annual | Management Review |
| MR003 | Monthly Management Review | Monthly | Management Review |
| RA001 | Risk Assessment Report | Annual or On Demand | Risk Assessment Policy and Procedure |
| RA002 | Vulnerability Scan Report | Quarterly or On Demand | Risk Assessment Policy and Procedure |
| SA001 | Information Systems Inventory | Quarterly | System and Service Acquisition Policy |
| SA002 | System Risk Assessment | On Demand | System and Service Acquisition Policy |
| SI001 | Information System Integrity Audit Report | Quarterly | System and Information Integrity Policy |
| AT001 | Employee Roster | On Demand | Awareness and Training Policy |
| AT002 | Security Awareness Training Certificate | On Demand or Annually | Awareness and Training Policy |
| AT003 | Roles Based Security Training Certificate | On Demand or Annually | Awareness and Training Policy |
| PE001 | Hosting Partner Review | Annual | Physical and Environmental Protection Policy |
| PL001 | Security Plan | Annual | Planning Policy |
| PL002 | Information Security Team Roster | Quarterly | Planning Policy |
| PL003 | Acceptable Use Agreement | On Demand | Planning Policy |
| PS001 | Background Check | On Demand | Personnel Security Policy |
| PS002 | Onboarding/Offboard/Transfer Checklist | On Demand | Personnel Security Policy |
| PL003 | Confidentiality Agreement | On Demand | Personnel Security Policy |
| PL004 | Employee Sanction | On Demand | Personnel Security Policy |
| IR001 | Incident Response Training Certification | On Demand | Incident Response Policy |
| AC001 | Employee Access Checklist | On Demand | Access Control Policy |
| AC002 | Access Control Audit | Quarterly | Access Control Policy |
| CM001 | Configuration Management Plan | Annual | Configuration Management Policy |
| CM002 | Information System Components | On Demand | Configuration Management Policy |
| CM003 | Software Inventory | Quarterly | Configuration Management Policy |
| CP001 | Information Systems Contingency Plan (ISCP) | Annually | Contingency Planning Policy |
| CA001 | Security Assessment Plan | Annually | Security Assessment and Authorization Policy |
| CA002 | Security Assessment Report | Annually | Security Assessment and Authorization Policy |
| CA003 | Plan of Action & Milestones (POAM) | Annually | Security Assessment and Authorization Policy |