Claude-Skills-Governance-Risk-and-Compliance fedramp

install

source · Clone the upstream repo

git clone https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/Sushegaad/Claude-Skills-Governance-Risk-and-Compliance "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/fedramp/skills/fedramp" ~/.claude/skills/sushegaad-claude-skills-governance-risk-and-compliance-fedramp && rm -rf "$T"

manifest: plugins/fedramp/skills/fedramp/SKILL.md

FedRAMP Certification Skill

A comprehensive guide for helping users navigate FedRAMP authorization — from initial readiness through ATO and ongoing continuous monitoring.

Quick Reference: What Does the User Need?

Identify the user's goal and jump to the appropriate section:

User Goal	Go To
"Are we ready for FedRAMP?" / gap assessment	→ Readiness & Gap Assessment
Writing SSP, POA&M, SAR, SAP, or other docs	→ ATO Documentation
"Which controls apply to us?" / control mapping	→ NIST 800-53 Control Mapping
Cloud architecture / AWS/Azure/GCP config	→ Architecture Guidance
Already authorized, ongoing compliance	→ Continuous Monitoring

Current FedRAMP State (as of 2025–2026)

Baseline: NIST SP 800-53 Rev 5 (approved May 2023, fully in effect)
Control counts (Rev 5): Low = ~156, Moderate = 323, High = 421
OSCAL mandate: RFC-0024 requires all CSPs to transition to machine-readable OSCAL packages by September 2026
Security Inbox: As of January 5, 2026, all authorized CSPs must maintain a dedicated Security Inbox for urgent vulnerability directives (no CAPTCHAs or barriers)
FedRAMP 20x: A modernization initiative in progress; introduces continuous authorization and modular/API-driven submissions. Traditional SSP/SAP/SAR templates remain required for non-20x paths.
Key templates updated: SSP, SAR, SAP, POA&M, CIS/CRM, IIW, ISCP — all updated to align with Rev 5 (Dec 2024 releases)

1. Readiness & Gap Assessment

Approach

Clarify scope — Ask the user: What is the CSO (Cloud Service Offering)? IaaS/PaaS/SaaS? Target impact level?
Identify authorization path — Agency Authorization (sponsor needed) vs. JAB P-ATO (Joint Authorization Board — effectively suspended since 2024; verify current status with FedRAMP PMO) vs. FedRAMP 20x pilot
Run through the readiness checklist — See
```
references/readiness-checklist.md
```
Surface gaps — Map current state to required controls; flag missing documentation, unimplemented controls, and architectural deficiencies
Prioritize — Group gaps by: (a) blockers for readiness review, (b) items addressable before 3PAO assessment, (c) POA&M candidates

Key Readiness Questions to Ask the User

What cloud platform (AWS GovCloud, Azure Government, GCP, on-prem hybrid)?
Are you leveraging any existing FedRAMP-authorized IaaS/PaaS (e.g., AWS GovCloud FedRAMP High)?
Do you have FIPS 140-2/3 validated encryption in place?
Is your authorization boundary defined and documented?
Do you have a vulnerability scanning program (OS, DB, web app, container)?
Are security policies and procedures documented?
Do you have an Incident Response Plan (IRP) and Contingency Plan (CP) that have been tested?

Output Format

Produce a gap table: Control Family | Current State | Gap | Priority | Owner
Summarize top 5–10 high-priority gaps as prose
Recommend whether to pursue Readiness Assessment Report (RAR) first

2. ATO Documentation

The core FedRAMP authorization package consists of:

Authorization Package
├── System Security Plan (SSP) + Appendices A–Q
├── Security Assessment Plan (SAP) + Appendices A–D  [3PAO-prepared]
├── Security Assessment Report (SAR) + Appendices A–F  [3PAO-prepared]
└── Plan of Action & Milestones (POA&M)  [SSP Appendix O]

Important: CSPs must use official FedRAMP PMO templates. Reviewers are trained on standardized formats; non-standard submissions risk rejection or delays. Templates: https://www.fedramp.gov/rev5/documents-templates/

Document Guidance

For detailed guidance on each document type, read the appropriate reference file:

SSP →
```
references/ssp-guide.md
```
POA&M →
```
references/poam-guide.md
```
SAP / SAR →
```
references/sap-sar-guide.md
```
Supporting appendices →
```
references/appendices-guide.md
```

General Writing Principles for All ATO Docs

Describe only what is implemented — Do not document planned or aspirational controls; these trigger findings and must go in POA&M instead
Be specific — Reference exact tools, filenames, section numbers, policy names; vague language causes findings
Mind the verbs — Each control requirement uses specific verbs (track, document, enforce, test). Address each verb explicitly
Shared responsibility — For any customer-configurable or shared control, create a clear "Customer Responsibility" section
Keep it consistent — Architecture diagrams, data flows, inventory, and control statements must all be internally consistent

3. NIST 800-53 Control Mapping

Control Families (Rev 5)

ID	Family	Notes
AC	Access Control	IAM, RBAC, least privilege, remote access
AT	Awareness & Training	Security + privacy training (new in Rev 5)
AU	Audit & Accountability	Log retention, SIEM, audit review
CA	Assessment, Authorization & Monitoring	ConMon, 3PAO, ATO
CM	Configuration Management	Baselines, change control, CMDB
CP	Contingency Planning	BCP/DR, tested annually
IA	Identification & Authentication	MFA, PIV, FIPS 140-2/3 crypto
IR	Incident Response	IRP, tested annually, reporting SLAs
MA	Maintenance	Remote maintenance controls
MP	Media Protection	Data at rest, media sanitization
PE	Physical & Environmental	Datacenters; often inherited from IaaS
PL	Planning	SSP, rules of behavior
PM	Program Management	Enterprise-level security program
PS	Personnel Security	Screening, termination procedures
PT	PII Processing & Transparency	New family in Rev 5 — privacy controls
RA	Risk Assessment	Vulnerability scanning, MITRE ATT&CK scoring
SA	System & Services Acquisition	SDLC, supply chain
SC	System & Communications Protection	Encryption in transit, network segmentation
SI	System & Information Integrity	Patching, malware, integrity monitoring
SR	Supply Chain Risk Management	New family in Rev 5 — SCRM

Impact Level Mapping

When the user describes their system, recommend the impact level:

LI-SaaS (Low-Impact SaaS): No PII, no sensitive federal data, limited scope — uses a simplified template combining SSP + assessment
Low: Federal information where loss of CIA has limited adverse effect
Moderate: Most common — federal information where loss has serious adverse effect; covers the majority of CSPs handling non-classified government data
High: Federal information where loss has severe or catastrophic effect (e.g., law enforcement, financial, health data)

Mapping Workflow

Ask: What types of federal data will the system process/store/transmit?
Run FIPS 199 categorization (Confidentiality / Integrity / Availability × Impact)
Select baseline (Low/Moderate/High) based on high-water mark
Cross-reference with FedRAMP parameter requirements (FedRAMP often sets stricter parameters than base NIST)
For inherited controls, identify which are fully/partially inherited from leveraged FedRAMP IaaS/PaaS and document in CIS/CRM workbook

Rev 4 → Rev 5 Key Changes to Highlight

New control families: PT (Privacy), SR (Supply Chain)
Password controls revised: No more forced rotation schedules; now requires compromised-password lists and password strength meters (NIST 800-63b alignment)
Privacy integrated: AT-3 now mandates privacy training; many families have privacy-specific enhancements
Threat-based methodology: MITRE ATT&CK framework now informs control prioritization
Moved/merged controls: Some Rev 4 controls were merged — don't assume 1:1 mapping

4. Architecture Guidance

Authorization Boundary

The boundary defines what is IN scope for FedRAMP. This is one of the most common sources of findings and delays.

Key principles:

Everything that processes, stores, or transmits federal data must be inside the boundary
External services connected to in-scope systems must be FedRAMP-authorized OR documented with compensating controls
Boundary must be depicted in a clear network/data flow diagram (required in SSP)

Cloud Platform Considerations

AWS GovCloud (US)

AWS GovCloud is FedRAMP High authorized — most PE and some SC controls are fully inherited
Use AWS Config, CloudTrail, GuardDuty, Security Hub to satisfy AU, RA, SI controls
Ensure use of GovCloud region endpoints (not standard commercial) to stay in boundary
FIPS endpoints available for IA controls

Azure Government

Azure Government is FedRAMP High authorized
Azure Policy + Defender for Cloud maps well to CM, RA, SI
Use Azure Blueprints / Policy Initiatives aligned to FedRAMP Moderate/High

Google Cloud (FedRAMP-authorized regions)

Assured Workloads for FedRAMP compliance
Chronicle SIEM for AU controls

Architecture Patterns That Support FedRAMP

Zero Trust — aligns directly with AC, IA, SC control families
Immutable infrastructure — simplifies CM (configuration drift is a common finding)
Centralized logging — SIEM/log aggregation addresses AU family comprehensively
Automated vulnerability scanning — Required; must cover OS, DB, web app, and containers (if used)
Container security — FedRAMP has specific container scanning guidance; image signing and runtime protection are expected

Common Architecture Findings

Undocumented external connections leaving the boundary
FIPS-non-compliant encryption algorithms in transit or at rest
Overly broad IAM roles / lack of least privilege
Missing MFA on privileged accounts
Vulnerability scans not covering all boundary components
Logging gaps (not all components sending logs to centralized SIEM)

5. Continuous Monitoring

Once authorized, CSPs must maintain compliance through ConMon activities:

Monthly Requirements

Vulnerability scan results submitted to agency AOs
POA&M updates (open findings, remediation progress)
Inventory updates (new/removed assets)
ConMon Monthly Executive Summary (template updated Nov 2024)

Annual Requirements

Full security assessment by 3PAO using Annual Assessment Controls Selection Worksheet
Updated SSP and appendices
Tested IRP and CP
SAR and updated POA&M

POA&M Management

All open findings must have: risk level, owner, milestone dates, remediation plan
Vendor Dependencies (VDs): when a finding depends on a third-party fix — document and track
Deviation Requests (DRs): false positives and risk adjustments require AO approval
SLA for remediation: Critical = 30 days, High = 90 days, Moderate = 180 days, Low = 365 days (FedRAMP standard)

Output Formatting Guide

Match output format to request type:

Request Type	Preferred Format
Gap assessment	Table + prose summary
SSP control narrative	Prose paragraphs (one per control/enhancement)
POA&M entry	Structured table row with all required fields
Architecture review	Bullet findings + recommended remediations
Control mapping question	Table: Control ID \| Requirement \| How to Implement
Readiness overview	Executive summary prose + priority action list

When generating document content, always note: "Use official FedRAMP templates from fedramp.gov — this content should be inserted into the appropriate template section."

Reference Files

Load these when more depth is needed:

```
references/readiness-checklist.md
```
— Full readiness checklist (75+ items)
```
references/ssp-guide.md
```
— SSP section-by-section writing guide
```
references/poam-guide.md
```
— POA&M structure, field definitions, SLA table
```
references/sap-sar-guide.md
```
— SAP/SAR overview and review tips for CSPs
```
references/appendices-guide.md
```
— Guide to all SSP appendices (A–Q)
```
references/control-families.md
```
— Deep-dive on each of the 20 control families