This week, FedRAMP published two Q&As for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: Do single-tenant cloud offerings have to comply with FedRAMP, or can an agency issue a FISMA authorization?
A: This should be vetted with the sponsoring government agency. For private (single tenant) clouds, agencies have the final say on authorization; however, FedRAMP strongly suggests use of the FedRAMP baselines. The difference between a private cloud and a community or public offering is that the authorizations aren’t shared on the FedRAMP marketplace for private clouds since they cannot be reused.
Q: FedRAMP released updates to the System Security Plan (SSP) template. If we have already submitted our SSP to our Third Party Assessment Organization (3PAO) for our annual assessment, do we need to update the SSP to align to the new FedRAMP requirements and re-submit to the 3PAO?
A: No, you do not need to update and resubmit the SSP to your 3PAO immediately. These changes must be incorporated before the CSP’s next annual assessment (for annual assessments after Oct 31, 2018). Therefore, the changes to the SSP should be made, but the SSP does not need to be submitted to the 3PAO unless the assessment is after the deadline date. Please see our Blog Post titled FedRAMP Documentation Release for additional details regarding new and updated documentation.