From fedramp
Expert guidance for FedRAMP certification and compliance under CR26 (FedRAMP Consolidated Rules for 2026). Use this skill whenever a user asks about FedRAMP authorization, ATO (Authority to Operate), cloud security for federal government, NIST SP 800-53 controls, CSP compliance, or any of the core FedRAMP document types: SSP, SAP, SAR, POA&M, CIS/CRM workbooks. Also trigger for questions about FedRAMP Certification Classes (A, B, C, D — new baseline labels: A = pilot/transitional, B = LI-SaaS/Low, C = Moderate, D = High, per NTC-0004), FedRAMP 20x (now the primary authorization pathway), OSCAL mandate (September 2026), 3PAO assessments, continuous monitoring (ConMon), gap assessments, system boundary definition, or architecture reviews for federal cloud. FedRAMP Ready retires July 28, 2026. When in doubt, use this skill — it covers the full FedRAMP lifecycle from readiness through continuous monitoring.
How this skill is triggered — by the user, by Claude, or both
Slash command
/fedramp:fedrampThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **Last verified:** 2026-07-03
Last verified: 2026-07-03
A comprehensive guide for helping users navigate FedRAMP authorization — from initial readiness through ATO and ongoing continuous monitoring.
Identify the user's goal and jump to the appropriate section:
| User Goal | Go To |
|---|---|
| "Are we ready for FedRAMP?" / gap assessment | → Readiness & Gap Assessment |
| Writing SSP, POA&M, SAR, SAP, or other docs | → ATO Documentation |
| "Which controls apply to us?" / control mapping | → NIST 800-53 Control Mapping |
| Cloud architecture / AWS/Azure/GCP config | → Architecture Guidance |
| Already authorized, ongoing compliance | → Continuous Monitoring |
⚠️ CR26 (FedRAMP Consolidated Rules for 2026): FedRAMP has restructured its authorization framework. FIPS 199-based baseline labels (Low/Moderate/High/LI-SaaS) are replaced with Certification Classes A–D (per notice NTC-0004; CR26 rules valid through December 31, 2028). Class labels change the names of the baselines, not their requirements. CSPs already authorized under the old labels retain their authorization through a transition period in which old and new labels are linked.
references/readiness-checklist.mdFedRAMP Ready is retiring July 28, 2026. If a CSP is currently pursuing FedRAMP Ready, advise them to pivot immediately to FedRAMP 20x or begin a full authorization package.
The core FedRAMP authorization package consists of:
Authorization Package
├── System Security Plan (SSP) + Appendices A–Q
├── Security Assessment Plan (SAP) + Appendices A–D [3PAO-prepared]
├── Security Assessment Report (SAR) + Appendices A–F [3PAO-prepared]
└── Plan of Action & Milestones (POA&M) [SSP Appendix O]
Important: CSPs must use official FedRAMP PMO templates. OSCAL-format submissions are mandatory by September 30, 2026. Templates: https://www.fedramp.gov/documents-templates/
For detailed guidance on each document type, read the appropriate reference file:
references/ssp-guide.mdreferences/poam-guide.mdreferences/sap-sar-guide.mdreferences/appendices-guide.md| ID | Family | Notes |
|---|---|---|
| AC | Access Control | IAM, RBAC, least privilege, remote access |
| AT | Awareness & Training | Security + privacy training (new in Rev 5) |
| AU | Audit & Accountability | Log retention, SIEM, audit review |
| CA | Assessment, Authorization & Monitoring | ConMon, 3PAO, ATO |
| CM | Configuration Management | Baselines, change control, CMDB |
| CP | Contingency Planning | BCP/DR, tested annually |
| IA | Identification & Authentication | MFA, PIV, FIPS 140-2/3 crypto |
| IR | Incident Response | IRP, tested annually, reporting SLAs |
| MA | Maintenance | Remote maintenance controls |
| MP | Media Protection | Data at rest, media sanitization |
| PE | Physical & Environmental | Datacenters; often inherited from IaaS |
| PL | Planning | SSP, rules of behavior |
| PM | Program Management | Enterprise-level security program |
| PS | Personnel Security | Screening, termination procedures |
| PT | PII Processing & Transparency | New family in Rev 5 — privacy controls |
| RA | Risk Assessment | Vulnerability scanning, MITRE ATT&CK scoring |
| SA | System & Services Acquisition | SDLC, supply chain |
| SC | System & Communications Protection | Encryption in transit, network segmentation |
| SI | System & Information Integrity | Patching, malware, integrity monitoring |
| SR | Supply Chain Risk Management | New family in Rev 5 — SCRM |
Under CR26, the FedRAMP PMO is aligning control baselines to Certification Classes. When users describe their system, map to a class:
Legacy references: Many existing FedRAMP documents still reference Low/Moderate/High/LI-SaaS. These map to LI-SaaS/Low → Class B, Moderate → Class C, High → Class D (Class A is new — it has no legacy equivalent). During the CR26 transition, old and new labels are linked. Advise CSPs to check fedramp.gov for the latest.
The boundary defines what is IN scope for FedRAMP. This is one of the most common sources of findings and delays.
Key principles:
AWS GovCloud (US)
Azure Government
Google Cloud (FedRAMP-authorized regions)
Once authorized, CSPs must maintain compliance through ConMon activities:
Match output format to request type:
| Request Type | Preferred Format |
|---|---|
| Gap assessment | Table + prose summary |
| SSP control narrative | Prose paragraphs (one per control/enhancement) |
| POA&M entry | Structured table row with all required fields |
| Architecture review | Bullet findings + recommended remediations |
| Control mapping question | Table: Control ID | Requirement | How to Implement |
| Readiness overview | Executive summary prose + priority action list |
When generating document content, always note: "Use official FedRAMP templates from fedramp.gov — this content should be inserted into the appropriate template section."
Load these when more depth is needed:
references/readiness-checklist.md — Full readiness checklist (75+ items)references/ssp-guide.md — SSP section-by-section writing guidereferences/poam-guide.md — POA&M structure, field definitions, SLA tablereferences/sap-sar-guide.md — SAP/SAR overview and review tips for CSPsreferences/appendices-guide.md — Guide to all SSP appendices (A–Q)references/control-families.md — Deep-dive on each of the 20 control familiesThis skill provides general compliance information, not legal advice. Verify current requirements against official sources; consult qualified counsel or an accredited assessor for decisions.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Manages knowledge base ingestion, sync, and retrieval across local files, MCP memory, vector stores, and Git repos. Use for saving, organizing, deduplicating, or searching knowledge.
2plugins reuse this skill
First indexed Jul 12, 2026
npx claudepluginhub tadthies/claude-skills-governance-risk-and-compliance --plugin fedramp