PLEASE REMOVE THE INSTRUCTIONS BEFORE SUBMITTING FORM.
WHO SHOULD USE THIS FORM?
Cloud Service Providers (CSPs) with systems that have an existing FedRAMP authorization, who intend to implement a
significant change within the systems’ authorization boundary.
ABOUT THIS FORM
CSPs are required to submit this completed form to FedRAMP and receive FedRAMP approval prior to implementing a
significant change to a system with an existing FedRAMP authorization.
For more information about significant changes, see the FedRAMP Continuous Monitoring Strategy Guide, Section 3.2,
Change Control.
FORM AND ATTACHMENT INSTRUCTIONS
1. Complete the form and attach additional pages if necessary.
a. The 3PAO must sign page 2 as an indication that they have reviewed this form, including the controls, and
agree it is accurate to the best of their knowledge.
b. If changing the system’s FIPS-199 categorization level from Moderate to High, please also complete all of
Attachment A and include it with your submission.
2. Upload either a digitally signed copy or a physically signed and scanned copy to OMB MAX.
3. Send a notification message to [email protected] - include the OMB MAX location of the document.
NOTE: FedRAMP must also review your 3PAO’s security assessment plan (SAP) prior to implementing the change. Please
include this plan with the form if it is available at the time of submission.
FedRAMP ACRONYMS
The FedRAMP Master Acronyms & Glossary contains definitions for all FedRAMP publications, and is available on the
FedRAMP website Documents
page under FedRAMP Program Documents.
(https://www.fedramp.gov/documents/)
Please send suggestions about corrections, additions, or deletions to info@fedramp.gov.
HOW TO CONTACT US
Questions about FedRAMP or this form should be directed to info@fedramp.gov.
For more information about FedRAMP, visit the website at https://www.fedramp.gov.
Version 2.1 - August 28, 2018
FedRAMP Si
gnificant Change Request Form
Instructio
ns:
1. Complete t
he form and attach additional pages if necessary.
2.
Upload either a digitally signed copy or a physically signed and scanned copy to OMB MAX.
3.
CSP Contac
t Information
Company Name
System Name
System Owne
r
Name Title
P
ri
m
a
ry
P
O
C
Name Title
Phone Email
System Inf
ormation
Type of System (Please choose from the drop down menu.) Choose an item.
System Description
List of current and
pending Federal
customers
3PAO Compa
ny Name
3PAO Prima
ry
POC
Name Title
Phone Email
Currently on co
ntract for significant change proposed?
☐ Yes ☐ No
Security As
sessment Plan attached?
☐ Yes ☐ No
Nature of Cha
nge
Change Deta
ils
3PAO Information
(Required)
(Please provide background
and brief description. Attach
additional pages if necessary.)
Version 2.1 - August 28, 2018
FormPage1of3
Click on arrow to choose an item
FormPage2of3
FedRAMPSignifican t Change RequestForm
TypeofCh
ange
(Checkallthatapply.)
☐Authenticationoraccesscontrol
☐Storage
☐Newcoderelease
☐Repl
acementofCOTSproduct
☐Changeinservicesoffered
☐ChangeinFIPS199CategorizationLevel
(ModeratetoHighrequiresAttachmentA)
☐Backupmechanismorprocess
☐SaaSorPaaSchangingunderlying
provider
☐Changingalt
ernateorcompensating
control
☐Removalofsecuritycontrol(s)
☐Changeinsystemscope
☐Other(PleaseSpecify):
SystemComponent(s
)
Im
pacte
d
(Listall.)
Sec
urityControl(s)
Impacted
(Listall.)
Hasthe3PAOvalidatedabovecontro lli
st?
☐Yes ☐No
StatusofChange
Isthereadatebywhich
thischange mus
tbe
operationa l?
☐ Yes
☐ No
If yes
y
e
s
y
e
s
, what is the date?
If yes, why?
Validation
Please describe how
the impacted
controls
will
be validated.
(Attach additional
pages
if necessary.)
Signature
Version 2.1 - August 28, 2018
FormPage3of3
FedRAMPSignifican t Change RequestForm
Dem
and/Justification
Whichcustomersaredrivingthis
change?
(Required
for
changes
to
service,
scope,
or
FIPS
199
Level)
Justifi
cationfor Change
(Attach
additional
pages
if
necessary.)
Isthechange requiredbeca usea
previousversionisrea
chingendof
lifeorendofsupport?
☐Yes ☐No
If yes, what is the end of life date?
Isthischangeinte
ndedtoenhanceConMonperformance?
☐ Yes
☐ No
CS
PSignature(Must
be
signed
by
an
individual
with
the
authority
to
represent
the
CSP
to
FedRAMP)
Name
(Printed) Title
______________________
________
Date
________________________________________________
Signature
Wa
sthelast assessment completed?
☐ Yes
☐ No
Wh
enisthenext annual assessment due?
☐ Yes
☐ No
If yes, why?
IsCSPcurrent
lyoverdueonits annual
a
ssessment?
ConMonPerf
ormance
WasCSPonacorrectiveactionplaninthepa
stsixmo nths?
☐Yes ☐No
FedRAM
PStanding
(To be completed by FedRAMP)
A
nnualAssessment
Version 2.1 - August 28, 2018
ATTACH ONLY IF CHANGING FROM MODERATE TO HIGH Attachment A Page 1 of 8
Attachm
ent A
I
ns
t
r
uc
t
io
ns:
Table A-1
Instructio
ns:
FedRAMP Significant Change Request Form:
Attachment A – Part 1
This attachment is only required if changing the system’s FIPS 199 categorization level from Moderate to High. If
this is the case, please complete all subsequent pages. Otherwise, remove these pages before submission.
Table A-1, below, lists all additional controls that do not exist in the Moderate baseline, but must be addressed as
part of the High baseline.
Please provide the status of each control in the table below.
Table A-1
– New controls required when changing from Moderate to High
Control
Applicab
ility
Implement
ation Status Notes
(If “Pendin
g Implementation,” provide implementation date.
If “Not Applicable
,”
explain why ).
Implemen
ted
Pending
Implemen
tation
Not Applica
ble
AC-
2 (11)
☐ ☐ ☐
AC-
2 (13)
☐ ☐ ☐
A
C-
4 (8)
☐ ☐ ☐
AC-
6 (3)
☐ ☐ ☐
AC-
6 (7)
☐ ☐ ☐
AC-
6 (8)
☐ ☐ ☐
AC-
7 (2)
☐ ☐ ☐
AC-
12 (1)
☐ ☐ ☐
AC-
18 (3)
☐ ☐ ☐
A
C-
18 (4)
☐ ☐ ☐
AC-
18 (5)
☐ ☐ ☐
AT-
3 (3)
☐ ☐ ☐
AT-3 (4)
☐ ☐ ☐
AU-
3 (2)
☐ ☐ ☐
AU-
5 (1)
☐ ☐ ☐
(Check one per row.)
Version 2.1 - August 28, 2018
ATTACH ONLY IF CHANGING FROM MODERATE TO HIGH Attachment A Page 2 of 8
Control
Applicab
ility
Implement
ation Status Notes
(If “Pendin
g Implementation,” provide implementation date.
If “Not Applicable
,”
explain why ).
Implemen
ted
Pending
Implemen
tation
Not Applica
ble
AU-
5 (2)
☐ ☐ ☐
AU-
6 (4)
☐ ☐ ☐
AU-
6 (5)
☐ ☐ ☐
AU-
6 (6)
☐ ☐ ☐
AU-
6 (7)
☐ ☐ ☐
AU-6 (10)
☐ ☐ ☐
AU-
9 (3)
☐ ☐ ☐
AU-10
☐ ☐ ☐
A
U-
12 (1)
☐ ☐ ☐
AU-
12 (3)
☐ ☐ ☐
CA-7 (3)
☐ ☐ ☐
CM-3 (1)
☐ ☐ ☐
CM-3 (2)
☐ ☐ ☐
CM-3 (4)
☐ ☐ ☐
CM-3 (6)
☐ ☐ ☐
CM-4 (1)
☐ ☐ ☐
CM-5 (2)
☐ ☐ ☐
CM-6 (2)
☐ ☐ ☐
CM-8 (2)
☐ ☐ ☐
CM-8 (4)
☐ ☐ ☐
CM-11
(1)
☐ ☐ ☐
CP-2 (4)
☐ ☐ ☐
(Check one per row.)
Version 2.1 - August 28, 2018
ATTACH ONLY IF CHANGING FROM MODERATE TO HIGH Attachment A Page 3 of 8
Control
Applicab
ility
Implement
ation Status Notes
(If "Pending Im
plementation,” provide implementation date.
If “Not Applicable
,” e
xplain why )
.
Implemente
d
Pending
Implementa
tion
Not Applicable
CP-2 (5)
☐ ☐ ☐
CP-3 (1)
☐ ☐ ☐
CP-4 (2)
☐ ☐ ☐
CP-6 (2)
☐ ☐ ☐
CP-7 (4)
☐ ☐ ☐
CP-8 (3)
☐ ☐ ☐
CP-8 (4)
☐ ☐ ☐
CP-
9 (2)
☐ ☐ ☐
CP-9 (5)
☐ ☐ ☐
CP-10
(4)
☐ ☐ ☐
IA-2 (4)
☐ ☐ ☐
IA-2 (9)
☐ ☐ ☐
IA-5 (8)
☐ ☐ ☐
IA-
5 (13)
☐ ☐ ☐
IR-2 (1)
☐ ☐ ☐
IR-2 (2)
☐ ☐ ☐
IR-4 (2)
☐ ☐ ☐
IR-4 (3)
☐ ☐ ☐
IR-4 (4)
☐ ☐ ☐
IR-4 (6)
☐ ☐ ☐
IR-4 (8)
☐ ☐ ☐
IR-5 (1)
☐ ☐ ☐
(Check one per row.)
Version 2.1 - August 28, 2018
ATTACH ONLY IF CHANGING FROM MODERATE TO HIGH Attachment A Page 4 of 8
Control
Applicab
ility
Implementation Status Notes
(If “Pending Implementation,” provide implementation date.
If “Not Applicable
,” e
xplain why ).
Implemen
ted
Pending
Implemen
tation
Not Applica
ble
MA-
2 (2)
☐ ☐ ☐
MA-
4 (3)
☐ ☐ ☐
MA-
4 (6)
☐ ☐ ☐
MP-
6 (1)
☐ ☐ ☐
MP-
6 (3)
☐ ☐ ☐
PE-3 (1)
☐ ☐ ☐
PE-6 (4)
☐ ☐ ☐
PE-8 (1)
☐ ☐ ☐
PE-11
(1)
☐ ☐ ☐
PE-13
(1)
☐ ☐ ☐
PE-15
(1)
☐ ☐ ☐
PE-18
☐ ☐ ☐
PS-4 (2)
☐ ☐ ☐
RA-5 (4)
☐ ☐ ☐
RA-5 (10)
☐ ☐ ☐
SA-12
☐ ☐ ☐
SA-15
☐ ☐ ☐
SA-16
☐ ☐ ☐
SA-17
☐ ☐ ☐
SC-3
☐ ☐ ☐
SC-7 (10)
☐ ☐ ☐
SC-
7 (20)
☐ ☐ ☐
(Check one per row.)
Version 2.1 - August 28, 2018
ATTACH ONLY IF CHANGING FROM MODERATE TO HIGH Attachment A Page 5 of 8
Control
Applica
bility
Implementation Status Notes
(If “Pending Implementation,” provide implementation date.
If “Not Applicable,
”
explain why ).
Impleme
nted
Pending
Impleme
ntation
Not Applic
able
SC-7 (21)
☐ ☐ ☐
SC-1
2 (1)
☐ ☐ ☐
SC-2
3 (1)
☐ ☐ ☐
SC-24
☐ ☐ ☐
SI-2 (1)
☐ ☐ ☐
SI-4 (11)
☐ ☐ ☐
SI-4 (18)
☐ ☐ ☐
SI-4 (19)
☐ ☐ ☐
SI-4 (20)
☐ ☐ ☐
SI-4 (22)
☐ ☐ ☐
SI-4 (24)
☐ ☐ ☐
SI-5 (1)
☐ ☐ ☐
SI-7 (2)
☐ ☐ ☐
SI-7 (5)
☐ ☐ ☐
SI-7 (14)
☐ ☐ ☐
(Check one per row.)
Version 2.1 - August 28, 2018
FedRAMP S
ignificant Change Request Form:
Attachme
nt A – Part 2
Attachm
ent A
Instructio
ns:
This at
tachment is only required if changing the system’s FIPS-199 categorization level from Moderate to High.
If this is the case, please complete all subsequent pages. Otherwise, remove these pages before submission.
Table A-2
Instructio
ns:
The con
trols listed in Table A-2, below, exist in both the Moderate and High baselines; however, the FedRAMP
prescribed parameter is different in the High baseline.
When transitioning from Moderate to High, the CSP must update these parameters appropriately in their System
Security Plan (SSP). The revised parameter changes the control requirement. The CSP must also revise the control
implementation within the system, and the control description within the SSP to align with the new parameter.
P
lease provide the status of each in the table below.
Table A-2
– Controls with different FedRAMP parameters when changing from Moderate to High
Control
Applicab
ility
Implement
ation Status Notes
(If
“Paramet
er Pending,”
provide
implementation date.
If “Not Applicable
,”
explain why ).
Parameter
&
Control
Updated
Paramete
r &
Control
Update Pending
N
o
t
A
p
p
licable
AC-
1
☐ ☐ ☐
AC-
2
☐ ☐ ☐
AC-
2 (2)
☐ ☐ ☐
AC-
2 (3)
☐ ☐ ☐
AC-7
☐ ☐ ☐
AC-
8
☐ ☐ ☐
AC-
17 (9)
☐ ☐ ☐
A
T-1
☐ ☐ ☐
A
T-4
☐ ☐ ☐
AU-1
☐
☐
☐
AU-2
☐
☐
☐
AU-3 (1)
☐
☐
☐
AU-11
☐
☐
☐
CA-1
☐
☐
☐
ATTACH ONLY IF CHANGING FROM MODERATE TO HIGH Attachment A Page 6 of 8
(Check one per row.)
Version 2.1 - August 28, 2018
ATTACH ONLY IF CHANGING FROM MODERATE TO HIGH Attachment A Page 7 of 8
Control
Applica
bility
Implemen
tation Status Notes
(If
“Param
eter Pending
,” provid
e implementation date.
If “Not Applicable
,”
explain why ).
Paramete
r &
Control
Updated
Paramet
er &
Control
Update Pendin
g
Not Ap
plicable
CA
-2 (3)
☐ ☐ ☐
CA-6
☐ ☐ ☐
CM-1
☐ ☐ ☐
CM-7 (5)
☐ ☐ ☐
CM-8 (3)
☐ ☐ ☐
CP
-1
☐ ☐ ☐
CP
-9 (1)
☐ ☐ ☐
IA-1
☐ ☐ ☐
IA-4
☐ ☐ ☐
IA-4 (4)
☐ ☐ ☐
IA-5 (1)
☐ ☐ ☐
IR-1
☐ ☐ ☐
IR-3
☐ ☐ ☐
MA-1
☐ ☐ ☐
MP-1
☐ ☐ ☐
MP-4
☐ ☐ ☐
MP-5
☐ ☐ ☐
MP-6 (2)
☐ ☐ ☐
PE-1
☐ ☐ ☐
PE-2
☐ ☐ ☐
PL-1
☐ ☐ ☐
(Check one per row.)
Version 2.1 - August 28, 2018
ATTACH ONLY IF CHANGING FROM MODERATE TO HIGH Attachment A Page 8 of 8
Control
Applicabi
lity
Implementa
tion Status Notes
(If
“Parameter
Pending
,” provide
implementation date.
If “Not Applicable
,”
explain why ).
Parameter &
Control
Updated
Parameter
&
Control
Update Pending
Not Applic
able
PL-4
☐ ☐ ☐
PS-1
☐ ☐ ☐
PS-2
☐ ☐ ☐
PS-4
☐ ☐ ☐
PS-5
☐ ☐ ☐
PS-6
☐ ☐ ☐
PS-7
☐ ☐ ☐
RA-1
☐ ☐ ☐
RA-3
☐ ☐ ☐
RA-5
☐ ☐ ☐
SA-1
☐ ☐ ☐
SA-4 (2)
☐ ☐ ☐
SC-1
☐ ☐ ☐
SC-7 (4)
☐ ☐ ☐
SC-10
☐ ☐ ☐
SI-1
☐ ☐ ☐
SI-2
☐ ☐ ☐
SI-3
☐ ☐ ☐
d.orremediate
thesignificantchangeSARaremitigatedtoalowerlevelighvulnerability
findingsinhechangeuntilallHnotapprovet
tegorizationlevelfromModeratetoHigh,FedRAMPwillncreasetheFIPS‐199systemcaicantchangeistoiIfthesignif
tionalGuidanceAddi
(Check one per row.)
Version 2.1 - August 28, 2018
