PLEASE REMOVE THE INSTRUCTIONS BEFORE SUBMITTING FORM.
WHO SHOULD USE THIS FORM?
Cloud Service Providers (CSPs) with systems that have an existing FedRAMP authorization, who intend to implement a
significant change within the systems’ authorization boundary.
CSPs are required to submit this completed form to FedRAMP and receive FedRAMP approval prior to implementing a
significant change to a system with an existing FedRAMP authorization.
For more information about significant changes, see the FedRAMP Continuous Monitoring Strategy Guide, Section 3.2,
Change Control.
FORM AND ATTACHMENT INSTRUCTIONS
1. Complete the form and attach additional pages if necessary.
a. The 3PAO must sign page 2 as an indication that they have reviewed this form, including the controls, and
agree it is accurate to the best of their knowledge.
b. If changing the system’s FIPS-199 categorization level from Moderate to High, please also complete all of
Attachment A and include it with your submission.
2. Upload either a digitally signed copy or a physically signed and scanned copy to OMB MAX.
3.
Send a notification message to [email protected] - include the OMB MAX location of the document.NOTE: FedRAMP must also review your 3PAO’s security assessment plan (SAP) prior to implementing the change. Please
include this plan with the form if it is available at the time of submission.
The FedRAMP Master Acronyms & Glossary contains definitions for all FedRAMP publications, and is available on the
FedRAMP website Documents
page under FedRAMP Program Documents.
(https://www.fedramp.gov/documents/)
Please send suggestions about corrections, additions, or deletions to info@fedramp.gov.
Questions about FedRAMP or this form should be directed to info@fedramp.gov.
For more information about FedRAMP, visit the website at https://www.fedramp.gov.
Version 2.1 - August 28, 2018