Assessment tool covering all 156 NIST SP 800-53 Rev 5 controls required for FedRAMP Low authorization. Built for cloud service providers preparing for 3PAO assessment. No signup, no install, no data leaves your browser.
Need More?
The free tool covers the Low baseline. The Pro tool covers all three baselines with evidence tracking, POA&M management, control origination, and executive reporting.
| Feature | Free Tool | Professional |
|---|---|---|
| FedRAMP Low baseline (156 controls) | ✓ | ✓ |
| FedRAMP parameters & guidance | ✓ | ✓ |
| Gap analysis & executive summary | ✓ | ✓ |
| Save progress & export to CSV | ✓ | ✓ |
| FedRAMP Moderate baseline (323 controls) | — | ✓ |
| FedRAMP High baseline (410 controls) | — | ✓ |
| Evidence tracker with control ownership | — | ✓ |
| POA&M management with milestones | — | ✓ |
| Control origination tracking | — | ✓ |
| SSP mapping references | — | ✓ |
| Executive dashboard with charts | — | ✓ |
What's Included
- Complete coverage of the FedRAMP Low baseline from NIST SP 800-53 Rev 5 across all 18 security control families.
- Per-family implementation rates with status breakdowns, overall maturity scoring, and visual progress indicators.
- Prioritized list of unimplemented controls filtered by family, with severity indicators and remediation notes.
- Ready-to-present overview with overall readiness score, family-by-family breakdown, and key findings.
- Official FedRAMP-specific parameter values and implementation guidance embedded directly in each control.
- Save progress as JSON to continue later. Export to CSV for SSP documentation and 3PAO evidence packages.
Control Families
The FedRAMP Low baseline draws from NIST SP 800-53 Rev 5 and covers 156 controls across 18 families. Each control includes FedRAMP-specific parameters and implementation guidance where applicable.
| Family | Controls | Focus Area |
|---|---|---|
| AC — Access Control | 11 | Account management, access enforcement, remote access |
| AT — Awareness & Training | 5 | Security training, role-based awareness |
| AU — Audit & Accountability | 10 | Audit events, log review, timestamps |
| CA — Assessment & Authorization | 10 | Security assessments, continuous monitoring |
| CM — Configuration Management | 9 | Baseline configs, change control, least functionality |
| CP — Contingency Planning | 6 | Backup, recovery, contingency testing |
| IA — Identification & Authentication | 16 | MFA, authenticator management, identity proofing |
| IR — Incident Response | 7 | Incident handling, reporting, monitoring |
| MA — Maintenance | 4 | System maintenance, nonlocal maintenance |
| MP — Media Protection | 4 | Media access, sanitization, transport |
| PE — Physical & Environmental | 10 | Physical access, environmental controls |
| PL — Planning | 7 | System security plans, rules of behavior |
| PS — Personnel Security | 9 | Screening, termination, access agreements |
| RA — Risk Assessment | 8 | Risk assessment, vulnerability scanning |
| SA — System Acquisition | 9 | Development lifecycle, supply chain risk |
| SC — System & Communications | 14 | Boundary protection, cryptography, TLS |
| SI — System & Information Integrity | 6 | Flaw remediation, monitoring, alerting |
| SR — Supply Chain Risk | 11 | Acquisition controls, provenance, testing |
Implementation Status
Each of the 156 controls is assigned one of five implementation statuses. The dashboard tracks implementation rates across all families and generates an overall readiness score.
| Status | Meaning | Counts Toward |
|---|---|---|
| Implemented | Control is fully operational | Implementation rate |
| Partially Implemented | Control exists but has gaps | Gap analysis |
| Planned | Control is scheduled but not yet in place | Gap analysis |
| Not Implemented | Control has not been addressed | Gap analysis |
| Not Applicable | Control does not apply to this system | Excluded from scoring |
Getting Started
1. Click "Launch Tool" above. Everything runs in your browser — no data is transmitted anywhere.
2. Add your organization name, system name, assessor, and date in the sidebar metadata fields.
3. Choose any of the 18 NIST SP 800-53 families from the sidebar navigation.
4. Expand controls to see FedRAMP parameters and guidance, then set implementation status and add notes.
5. The dashboard shows per-family implementation rates. The gap analysis tab lists all unimplemented controls.
6. Use the Summary tab for a presentation-ready overview of your FedRAMP readiness posture.
7. Save as JSON to continue later, or export to CSV for SSP documentation and 3PAO evidence packages.