FCS Security Forms & Templates
The FCS forms and templates listed here cover a series of security and business risk management activities. Please note documents may have limited access and require a copy to be made to complete for use.
FCS Tenant Required Security Templates
Tenants shall use one of these templates to document security risks identified but are not remediable via Plan of Action and Milestones (POA&Ms). Risks in this category are often due to technical limitations, however Tenants must first make honest attempts to address all risks via POA&Ms prior to requesting acceptance of risk via either of these templates.
Tenants shall use one of these templates to document security risks identified but are not remediable via Plan of Action and Milestones (POA&Ms). Risks in this category are often due to technical limitations, however Tenants must first make honest attempts to address all risks via POA&Ms prior to requesting acceptance of risk via either of these templates.
FCS Security Requests
The types of security requests which should be routed to FCS Security Compliance from current or potential tenants include:
- Customer Requirements Matrices for FCS capabilities.
- Read only access to FCS security documentation
- Support in upcoming tenant-managed drill or exercise
- Clarification on security control implementation within FCS
- Review of Information Exchange Agreements between FCS and an entity.
- Review of tenant SSPP documentation for proper inclusion of FCS controls.
Tenants use this template to document business impact and recovery procedures as needed to sustain primary business functions.
Digital Identity Acceptance statements help determine the desired digital authenticator assurance levels to be deployed. Assurance Levels range from AAL 1 to AAL 3.
FIPS Low and Moderate SSPP
Tenants use these templates to document all control implementation details and Overview of a Low and Moderate system operational status.
Request an SSPP template for either Immutable Compute Deployment or Containers (formerly MCaaS).
Tenants use this template to categorize information systems based on NIST SP-800-60 Vol 2 Information Types.
Tenants must document information exchanges occurring with the FCS Data Platform (includes DataBricks) using an IEA. This document supplies links to the appropriate IEA for use by a Tenant.
Interconnection Security Agreement
Tenants shall consult this guidance to identify the type of interconnection security agreement that may be required. The guidance shall contain links to templates to document the characteristics of an interconnection such as type of connection (internal/external), flow of connection (inbound/outbound) etc. Tenants shall also consult their ISSO for guidance.
Privacy Impact and Privacy Threshold Assessment
Tenant ISSOs shall use the GSA Archer platform to submit the PTA and PIA information for GSA Privacy Office review and approval. If the tenant system is contractor-owned and contractor-operated, the ISSO shall work with the ISSM to understand the PIA process.
This Service Level Agreement (SLA) and the Memorandum of Understanding (MOU) specifies the technical and security requirements for the exchange and consumption of services, including but not limited to the transmission of data between systems.
Customer Responsibility Matrix (CRM)
Customer Responsibility Matrices are used to control the documentation and inheritance model of information security controls within the GSA FCS Program.
Documents available via request.