FedRAMP provides standards in cloud security for federal agencies; cloud service providers; and third party assessor organizations (3PAOs). The Federal Risk and Authorization Management Program is a joint project of the Office of Management and Budget; the Department of Defense; the Department of Homeland Security; the General Services Administration; the Chief Information Officer Council; and the National Institute for Standards and Technology.

The FedRAMP documentation web page, has an Excel spreadsheet which lists baseline security controls.

There are 17 ares to focus on:

ACCESS CONTROL AWARENESS AND TRAINING AUDIT AND ACCOUNTABILITY SECURITY ASSESSMENT AND AUTHORIZATION CONFIGURATION MANAGEMENT CONTINGENCY PLANNING IDENTIFICATION AND AUTHENTICATION INCIDENT RESPONSE MAINTENANCE MEDIA PROTECTION PHYSICAL AND ENVIRONMENTAL PROTECTION PLANNING PERSONNEL SECURITY RISK ASSESSMENT SYSTEM AND SERVICES ACQUISITION SYSTEM AND COMMUNICATIONS PROTECTION SYSTEM AND INFORMATION INTEGRITY

Each of the 17 areas or families, contains multiple areas of control . For example the Personnel Security area contains the following areas of control:

PERSONNEL SECURITY POLICY AND PROCEDURES POSITION RISK DESIGNATION PERSONNEL SCREENING PERSONNEL TERMINATION PERSONNEL TRANSFER ACCESS AGREEMENTS THIRD-PARTY PERSONNEL SECURITY PERSONNEL SANCTIONS

There is a specific description for each control. For example, for Position Risk Designation, we see that an organization should implement different screening procedures for people occupying different positions that are assigned different risk designations.