
fedramp-compliance

npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/fedramp-compliance --openclaw

FedRAMP Compliance

Implement FedRAMP requirements for federal cloud services.

Impact Levels

levels:
  low:
    controls: ~125
    use_case: Public data
    
  moderate:
    controls: ~325
    use_case: CUI, most federal systems
    
  high:
    controls: ~425
    use_case: Law enforcement, emergency services

NIST 800-53 Families

control_families:
  AC: Access Control
  AU: Audit and Accountability
  AT: Awareness and Training
  CM: Configuration Management
  CP: Contingency Planning
  IA: Identification and Authentication
  IR: Incident Response
  MA: Maintenance
  MP: Media Protection
  PE: Physical Protection
  PL: Planning
  PS: Personnel Security
  RA: Risk Assessment
  CA: Assessment and Authorization
  SC: System and Communications Protection
  SI: System and Information Integrity
  SA: System and Services Acquisition
  PM: Program Management

Continuous Monitoring

conmon:
  vulnerability_scans: Monthly
  penetration_tests: Annual
  poa_m_updates: Monthly
  security_assessment: Annual

Best Practices

  • 3PAO assessment
  • SSP documentation
  • POA&M tracking
  • Continuous monitoring
  • Annual authorization

Source

git clone https://github.com/BagelHole/DevOps-Security-Agent-Skills

Skill file in the repository: compliance/frameworks/fedramp-compliance/SKILL.md (View on GitHub: https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/frameworks/fedramp-compliance/SKILL.md)

Overview

This skill guides you through implementing FedRAMP requirements for federal cloud services, including mapping NIST 800-53 controls and setting up continuous monitoring. It covers impact levels (low, moderate, high) and the artifacts needed for authorization and ongoing assessment.

How This Skill Works

Identify the applicable FedRAMP impact level (low, moderate, high) and map the corresponding NIST 800-53 control families. Then implement continuous monitoring using the conmon configuration (vulnerability_scans, penetration_tests, poa_m_updates, security_assessment) to keep SSPs, POA&Ms, and authorization artifacts up to date for annual assessments.

When to Use It

  • When providing cloud services to US federal agencies
  • When starting a FedRAMP authorization project for a new cloud service
  • When preparing for a 3PAO assessment
  • When maintaining authorization through continuous monitoring
  • When performing annual reauthorization or reassessment

Quick Start

  1. Identify the applicable impact level (low/moderate/high) and the corresponding controls (~125/~325/~425).
  2. Configure continuous monitoring (conmon) with vulnerability_scans: Monthly, penetration_tests: Annual, poa_m_updates: Monthly, security_assessment: Annual.
  3. Prepare SSP/POA&M artifacts and coordinate with a 3PAO for the initial assessment; establish an annual authorization workflow.
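The conmon cadence from step 2 can be turned into a simple overdue check that flags which continuous-monitoring activities are late or have no completion evidence at all. This is an added example, not code from the skill or the DevOps-Security-Agent-Skills project; the activity names and cadences are taken from the conmon block above, and the completion dates are constructed sample data.

```python
from datetime import date, timedelta

# Continuous-monitoring cadence, copied from the skill's conmon block.
CONMON = {
    "vulnerability_scans": "Monthly",
    "penetration_tests": "Annual",
    "poa_m_updates": "Monthly",
    "security_assessment": "Annual",
}

# Constructed sample evidence: last completion date per activity.
# security_assessment is deliberately absent to show the "no evidence" case.
SAMPLE_LAST_COMPLETED = {
    "vulnerability_scans": date(2024, 1, 15),
    "penetration_tests": date(2023, 3, 1),
    "poa_m_updates": date(2024, 2, 28),
}

def add_months(d, n):
    """Shift d forward by n months, clamping the day to the target month's length."""
    month_index = d.month - 1 + n
    year, month = d.year + month_index // 12, month_index % 12 + 1
    first_of_following = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_following - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))

def next_due(last_done, cadence):
    """Next due date for an activity given its conmon cadence."""
    if cadence == "Monthly":
        return add_months(last_done, 1)
    if cadence == "Annual":
        return add_months(last_done, 12)
    raise ValueError(f"unknown cadence: {cadence}")

def conmon_status(last_completed, today, cadence=CONMON):
    """Map each activity to (next_due, days_overdue); (None, None) means never completed."""
    report = {}
    for activity, freq in cadence.items():
        done = last_completed.get(activity)
        if done is None:
            report[activity] = (None, None)
            continue
        due = next_due(done, freq)
        report[activity] = (due, (today - due).days)
    return report

def overdue_activities(last_completed, today, cadence=CONMON):
    """Sorted activities that are past due or have no completion evidence."""
    status = conmon_status(last_completed, today, cadence)
    return sorted(a for a, (due, over) in status.items() if due is None or over > 0)

if __name__ == "__main__":
    print(overdue_activities(SAMPLE_LAST_COMPLETED, date(2024, 3, 10)))
```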

Best Practices

  • 3PAO assessment conducted by an accredited third party
  • Maintain up-to-date SSP documentation
  • POA&M tracking and timely remediation
  • Establish and enforce continuous monitoring
  • Plan for and execute annual authorization/recertification

Example Use Cases

  • Deploying a FedRAMP Moderate SaaS solution for a government agency
  • Auditing a High impact cloud service for emergency services
  • Operating a Low impact public data cloud with FedRAMP Low requirements
  • Maintaining an existing FedRAMP system with annual authorization
  • Migrating from non-FedRAMP to FedRAMP-compliant continuous monitoring
