This week, FedRAMP published two Tips for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: Before onboarding new services to your authorized cloud service, make sure that all applicable controls are within the previously authorized controls.
Any service that introduces new controls to the environment or changes existing controls is considered a significant change and may require additional steps to be onboarded. Work with your Authorizing Official to determine the appropriate steps to add new services to your authorization boundary.
Cloud Service Providers (CSPs)
TIP: A deviation request (DR) should assume a reviewer has sufficient general knowledge of the technologies involved, but no specific knowledge of the CSP’s system. Ensure the DR contains sufficient system detail to give the reviewer appropriate context.
DRs should tell the full story of the risk to the system and mitigations in place to address the risk. When preparing deviation requests for operationally required and/or risk adjustment items, address the following:
- What components are impacted by the vulnerability, and what is their function in the environment?
- What would be required to exploit the vulnerability?
- What exists or what has been put in place to reduce the risk (reduce the likelihood of exploitation and/or reduce the impact of exploitation)?
Note that the CSP always has the option of putting in place additional security controls to further mitigate a risk to an acceptable level. An example could be setting up additional monitoring to detect specific conditions related to the vulnerability.
More Information
Read more about this week’s FedRAMP Tips and Cues here.