This week, FedRAMP published two Tips for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: TLS version 1.1, or higher, must be fully implemented for both public-facing and internal interfaces by July 1, 2018, in accordance with the FedRAMP Transport Layer Security (TLS) Requirements.
Control documentation should contain sufficient detail to describe TLS implementation for both public-facing and internal interfaces (if applicable).
Cloud Service Providers (CSPs)
TIP: If an incident requires notification to US-CERT, it almost always requires notification to Federal customers whose data could have been impacted or exposed.
Regardless of whether or not notification is fully required, it is a best practice for customer relationship management. Inspectors General (IGs) for all agencies have access to all US-CERT incidents, as they use this for their annual audits of agency incidents. Therefore, if an IG has access to an incident notification for a system an agency uses, the agency customer should be informed as well.
More Information
Read more about this week’s FedRAMP Tips and Cues here