fedramp
Expert guidance for FedRAMP certification and compliance. Use this skill whenever a user asks about FedRAMP authorization, ATO (Authority to Operate), cloud security for federal government, NIST SP 800-53 controls, CSP compliance, or any of the core FedRAMP document types: SSP, SAP, SAR, POA&M, CIS/CRM workbooks. Also trigger for questions about FedRAMP impact levels (Low, Moderate, High, LI-SaaS), FedRAMP 20x, OSCAL, 3PAO assessments, continuous monitoring (ConMon), gap assessments, system boundary definition, FedRAMP readiness, or architecture reviews for federal cloud. When in doubt, use this skill — it covers the full FedRAMP lifecycle from readiness through continuous monitoring.
Quality Score: 91/100
Details
- Author: Sushegaad
- Repository: Sushegaad/Claude-Skills-Governance-Risk-and-Compliance
- Created: 2 months ago
- Last Updated: today
- Language: HTML
- License: MIT
Similar Skills
Semantically similar based on skill content — not just same category
nist-800-53
NIST SP 800-53 Rev 5 compliance advisor — all 20 control families (AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI, SR), Low/Moderate/High baseline selection, FIPS 199/200 system categorization, control tailoring and overlays, privacy controls (PT family), supply chain risk management (SR family), assessment procedures (SP 800-53A), OSCAL, RMF integration (SP 800-37), and mapping to FedRAMP, FISMA, CMMC 2.0, and ISO 27001. Use for any federal system security controls, FISMA compliance, RMF step guidance, control narrative writing, or baseline tailoring question.
cmmc
Expert CMMC 2.0 (Cybersecurity Maturity Model Certification) advisor for US defense contractors and subcontractors in the Defense Industrial Base (DIB). Use this skill whenever a user asks about CMMC 2.0, CMMC Level 1, Level 2, or Level 3, DoD cybersecurity compliance, NIST SP 800-171, CUI (Controlled Unclassified Information) protection, System Security Plan (SSP), Plan of Action & Milestones (POA&M), C3PAO assessments, DIBCAC audits, self-assessment, SPRS score, or any requirement under DFARS 252.204-7012 or 7021. Also trigger for: "CMMC gap analysis", "CMMC readiness", "FCI protection", "CUI scoping", "CMMC practices", "DoD contract cybersecurity", "defense supply chain security", or "prime contractor flow-down requirements".
iso27001
Expert ISO 27001 compliance assistant for security and compliance teams. Use this skill whenever a user asks about ISO 27001 or ISO/IEC 27001, including any of the following: gap analysis, auditing, compliance assessments, control checklists, policy writing, document generation, Statement of Applicability (SoA), risk assessment, risk registers, risk treatment plans, Annex A controls, ISMS implementation, clause requirements, certification readiness, transitioning from 2013 to 2022, control implementation guidance, incident response policies, access control policies, supplier security, or any information security management system (ISMS) topic. Trigger even if the user doesn't say "skill" — any ISO 27001 or ISMS question should use this skill.