FedRAMP® Package Access Request Form
For Review of a FedRAMP Security Package
Version 7.0
INSTRUCTIONS:
1. Please complete this form, then digitally sign.
2. Distribute to your FedRAMP approver for review and signature.
3. Please email your signed request form to
You must have a .gov or .mil email address to access a FedRAMP Security Package
NOTE: By signing this form, you agree to the rules of behavior described in the below sections.
User Information
Date of Request:
Agency or Department:
First Name:
Bureau:
Last Name:
Office:
E-Mail Address:
Phone:
Select one: Federal Employee
Federal Contractor – If yes, what company? __________________________________________
If you are a federal contractor, please also review Attachment A: Federal Contractor Non Disclosure
Agreement for FedRAMP, sign, and attach to this request.
Info@FedRAMP.gov
FedRAMP.gov
FedRAMP Package Access Request Form
Version 7.0
Requested Package
If you plan on requesting access to more than one FedRAMP security package at the time of submission,
please include all requested packages in one consolidated form.
Name of Package Requested: ______________________________________________________________________
Package ID (the Package ID is located on the cloud service offering’s (CSO’s) FedRAMP Marketplace page
and is generally in the format of “FR12345678”):
_________________________________________________________________________________________________
If you are not a current customer and an Authority to Operate (ATO) letter has not been provided to the
FedRAMP PMO, access is granted for 60 days in order to properly ensure a high level of access control
and maintain proper security over the security authorization packages. Permanent access is only granted
to CSO customers who have provided the FedRAMP PMO with an ATO letter for the CSO in use.
Access Authorization
All reviewers are required to use multi-factor authentication via PIV (Personal Identity Verification) card to
obtain access to the FedRAMP secure repository on Connect.gov. Please go to community.connect.gov to
register.
In order to gain access to the FedRAMP secure repository, the FedRAMP PMO requires approval from an
authorized FedRAMP approver. This is your agency CIO, CISO, or someone the FedRAMP approver has
designated.
Authorized FedRAMP Approver:
First Name:
Title:
Last Name:
Agency or Department:
Phone:
Bureau:
E-Mail Address:
Office:
Agreement for Package Reviewers
Instructions: Please initial each box
By completing and submitting this form you have confirmed and agree to the following:
I agree to abide by all security and record management policies, standards, and procedures
of my respective agency. I also agree to abide by the General Rules of Behavior outlined in
this Agreement. If my agency’s security and record management policies conflict with these
General Rules of Behavior, I will consult with the FedRAMP PMO prior to accessing any of the
documents provided by the FedRAMP PMO.
I understand that GSA may monitor and audit my usage of my account and that using the
system constitutes consent to such monitoring.
I agree to use FedRAMP packages only for authorized federal purposes such as granting a
security authorization for the cloud service provider referenced in this request.
I have a .gov or .mil email account that is registered on community.connect.gov.
I will not disclose information in FedRAMP security packages to parties outside of my
organization, or to parties inside my organization, without a valid need to know.
I will not save, print, email, post, publish, or reproduce any FedRAMP security package
documents in any form including all electronic methods, except to the extent necessary for
internal evaluation of the FedRAMP security package as part of the agency authorization
and agency-related continuous monitoring activities.
Once I no longer require access to the FedRAMP security package documentation,
for authorization and continuous monitoring purposes, I agree to destroy and delete
all copies of the documentation provided under this Agreement.
I agree to store FedRAMP security package documentation only on:
Government furnished equipment and devices and subject to the same
standards as my agency and the FedRAMP PMO General Rules of Behavior, OR
Third-party systems authorized by my agency to hold data at the same or
greater impact level as the CSO
The undersigned prospective package reviewer certifies that the information listed above is
current and accurate.
I’m requesting access for authorized federal purposes, such as granting a security
authorization for the cloud service referenced in this request, as well as for ongoing
monitoring of the cloud service provider’s security implementation.
I understand and acknowledge that violation of this agreement is subject to the federal
criminal prohibitions on theft of proprietary information and trade secrets by government
employees, 18 U.S.C. § 1905, and theft of trade secrets for commercial advantage, 18 U.S.C.
§ 1832, which makes it a crime to take or use without authorization such information and to
attempt or conspire to engage in such misconduct. The company that submitted the security
package is a cloud service provider to GSA under FedRAMP. I acknowledge that (i) any
FedRAMP security package documents and any other confidential information disclosed to
Recipient under this Agreement are the proprietary technical or commercial information or
trade secret information of the submitting company and (ii) the submitting company is an
intended third-party beneficiary of this Agreement and may enforce its terms with respect to
such information directly through an action in any court of competent jurisdiction.
User’s Signature: ___________________________________________________ Date: _________________
Agreement for Authorized FedRAMP Approver
If the user whom I am certifying leaves my agency for any reason, or transfers to a different department,
I agree to notify [email protected] of their departure from my supervision immediately.
Instructions: Please initial each box
I am a federal employee.
I have the authority to grant FISMA authorizations for my agency, or have been delegated
by such authority to approve FedRAMP Package Access Request Forms on behalf of my
agency.
The person requesting access to the security package is requesting access for official
government purposes.
I agree to ensure that the package reviewer acts in accordance with the rules of behavior
cited and agreed to.
When the package reviewer no longer needs access, I will notify the FedRAMP PMO.
The undersigned authorized FedRAMP approver certifies that the information listed above is current and
accurate.
Authorized FedRAMP Approver (please print): _________________________________________
Authorized FedRAMP Approver’s Signature: _______________________________ Date: _________________
Federal Contractor Non Disclosure Agreement for FedRAMP
Version 7.0
Attachment A: Federal Contractor Non
Disclosure Agreement for FedRAMP
THIS NONDISCLOSURE AGREEMENT is entered into as of the date signed below by GSA, which is the party
disclosing confidential information, and _________________________, who is the party receiving confidential
information ("Recipient"), in order to protect the confidential information which is disclosed to Recipient by GSA.
NOW THEREFORE, in consideration of the mutual covenants contained herein, the parties hereto agree as follows:
1. This Non-Disclosure Agreement (“Agreement”) is supplemental to the FedRAMP Package Access Request Form
For Review of FedRAMP security package (“Access Request Form”) to which Recipient has agreed. In the event
of a conflict between this Agreement and the Access Request Form, the Access Request Form shall control.
2. The Confidential Information disclosed by GSA under this Agreement is: confidential and proprietary security
authorization materials for the Federal Risk and Authorization Management Program (FedRAMP).
3. The Recipient shall keep the confidential information confidential and shall use the Confidential Information only
for evaluation of a cloud service offering’s security risk level in granting federal agency specific security
authorizations and for ongoing monitoring of the cloud service offering’s security implementation.
4. The Recipient shall not save, print, email, post, publish, or reproduce any FedRAMP security package documents,
in any form, including all electronic methods, except to the extent necessary for internal evaluation of the
FedRAMP security package as part of an agency authorization and agency-related continuous monitoring
activities. Any copied security package documentation should be stored consistently with the requirements for
marking and storage of Controlled Unclassified Information (“CUI”).
5. Recipient shall safeguard all Confidential Information (whether disclosed orally or otherwise) with at least the
same degree of care (but no less than reasonable care) as it uses to safeguard its own Confidential Information
of like kind. Recipient shall limit distribution of Confidential Information that it receives pursuant to this
Agreement to its employees who have a need to know the information for the purposes set forth in Paragraph 3
and who have previously agreed to be bound by confidentiality obligations no less stringent than those in this
Agreement and the online Agreement for Package Reviewers to which Recipient has agreed.
6. This agreement controls only confidential information which is disclosed to Recipient between the effective date
(the date of last signature) and the end of the cloud service offering’s authority to operate as defined in the ATO
letter.
7. Recipient's duties, under Paragraphs 3, 4 and 5 of this Agreement, shall expire twenty (20) years after the
expiration of the cloud service offering’s authority to operate as defined in the ATO letter. Upon written request
by GSA on or before the expiration of the confidentiality period as set forth herein, Recipient shall certify that it
has no Confidential Information in its possession and that it has destroyed or deleted all Confidential Information
that has been disclosed to it in electronic format.
8. This Agreement imposes no obligation upon the Recipient with respect to confidential information which (a) was
in the Recipient's possession before receipt from FedRAMP; (b) is or becomes a matter of public knowledge
through no fault of the Recipient; (c) is received by the Recipient from a third party without a duty of
confidentiality; (d) is independently disclosed by the Recipient with GSA's prior written approval, or (e) is
developed by the Recipient without reference to information disclosed hereunder.
9. FedRAMP warrants that it has the right to make the disclosures under this Agreement.
10. Neither party acquires any intellectual property rights under this Agreement.
11. I am aware that an unauthorized disclosure of any proprietary or confidential information or CUI may subject me
to breach of contract claims as well as criminal, civil, and/or administrative penalties.
12. Appropriations Act restriction: These restrictions are consistent with and do not supersede, conflict with, or
otherwise alter the employee obligations, rights, or liabilities created by Executive Order No. 12958; section 7211
of title 5, United States Code (governing disclosures to Congress); section 1034 of title 10, United States Code, as
amended by the Military Whistleblower Protection Act (governing disclosure to Congress by members of the
military); section 2302(b)(8) of title 5, United States Code, as amended by the Whistleblower Protection Act
(governing disclosures of illegality, waste, fraud, abuse or public health or safety threats); the Intelligence
Identities Protection Act of 1982 (50 U.S.C. 421 et seq.) (governing disclosures that could expose confidential
federal government definitions, requirements, obligations, rights, sanctions, and liabilities created by said
Executive order and listed statutes are incorporated into this agreement and are controlling.
13. The parties do not intend that any agency or partnership relationship be created between them by this
Agreement. With respect to any confidential information disclosed to Recipient under this Agreement that is the
proprietary technical or commercial information or trade secret information of a cloud service provider to GSA
under FedRAMP, such cloud service provider is an intended third-party beneficiary of this Agreement and may
enforce its terms with respect to such information directly through an action in any court of competent jurisdiction.
14. All additions or modifications to this Agreement must be in writing and signed by both parties.
15. This Agreement is made under and shall be governed by the laws of the United States.
16. This Agreement may be terminated immediately by either party upon delivery of written notice of termination to
the other party. Such termination shall not affect Recipient's duties with respect to confidential information
disclosed prior to termination including without limitation those under Section 7, above.
SIGNED
IN WITNESS WHEREOF, the parties have executed this Agreement as of the date of the last signature below
Federal Contractor Name (please print): _________________________________________
Federal Contractor Signature: _________________________________________ Date: _________________