This week, FedRAMP published one Tip and one Q&A for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: A CSP must demonstrate to its Third Party Assessment Organization (3PAO) that Plan of Action and Milestones (POA&M) items are remediated within the FedRAMP timeframes (Section 4.2.6 Configuration and Risk Management, Item #10).
High vulnerabilities must be remediated within 30 days, Moderate vulnerabilities within 90 days, and Low vulnerabilities within 180 days.
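As an added illustration (not FedRAMP guidance or tooling), the check below applies the three timeframes above to a small, constructed POA&M export and reports which items were closed on time, closed late, still open, or overdue as of a review date. The CSV column names and the item IDs are assumptions for the example; real POA&M templates use different headers.

```python
import csv
from datetime import date, timedelta
from io import StringIO

# FedRAMP remediation timeframes by severity, in days, as stated in the tip above.
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}

# Constructed sample POA&M export (not real data). Column names are assumptions.
SAMPLE_POAM_CSV = """id,severity,detected,closed
V-001,High,2020-01-01,2020-01-20
V-002,High,2020-01-01,2020-02-15
V-003,Moderate,2020-03-01,
V-004,Low,2019-09-01,
"""


def parse_poam(csv_text):
    """Parse a POA&M CSV into dicts with real date objects (closed may be None)."""
    items = []
    for row in csv.DictReader(StringIO(csv_text)):
        items.append({
            "id": row["id"].strip(),
            "severity": row["severity"].strip().capitalize(),
            "detected": date.fromisoformat(row["detected"].strip()),
            "closed": date.fromisoformat(row["closed"].strip()) if row["closed"].strip() else None,
        })
    return items


def due_date(detected, severity):
    """Remediation deadline for a finding; unknown severities are rejected, not guessed."""
    if severity not in REMEDIATION_DAYS:
        raise ValueError(f"no FedRAMP timeframe defined for severity {severity!r}")
    return detected + timedelta(days=REMEDIATION_DAYS[severity])


def assess_item(item, as_of):
    """Classify one POA&M item relative to its deadline and the review date."""
    due = due_date(item["detected"], item["severity"])
    if item["closed"] is not None:
        state = "closed_on_time" if item["closed"] <= due else "closed_late"
        days_past_due = max((item["closed"] - due).days, 0)
    else:
        state = "overdue" if as_of > due else "open"
        days_past_due = max((as_of - due).days, 0)
    return {
        "id": item["id"],
        "severity": item["severity"],
        "due": due,
        "state": state,
        "days_past_due": days_past_due,
    }


def review_poam(csv_text, as_of):
    """Return {item_id: assessment} for every row in the export."""
    return {r["id"]: r for r in (assess_item(i, as_of) for i in parse_poam(csv_text))}


def overdue_ids(csv_text, as_of):
    """IDs of open items that have exceeded their remediation timeframe."""
    report = review_poam(csv_text, as_of)
    return sorted(i for i, r in report.items() if r["state"] == "overdue")


if __name__ == "__main__":
    review_date = date(2020, 4, 15)
    for r in review_poam(SAMPLE_POAM_CSV, review_date).values():
        print(f"{r['id']}: {r['severity']:<8} due {r['due']}  {r['state']}  "
              f"({r['days_past_due']} days past due)")
```

The deadline is counted from the detection date recorded in the POA&M, which is the date a 3PAO will compare against; an item closed after its due date is still flagged as late even though it is no longer open, since the tip is about proving the timeframe was met, not only that the finding is gone.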
Cloud Service Providers (CSPs)
Q: If the CSO does not have any federal customers (and therefore no ATOs), how does the 3PAO handle configuration and risk management requirements?
A: The CSP should be performing Continuous Monitoring and producing a POA&M each month from the moment it begins the FedRAMP process, rather than waiting until it is FedRAMP authorized. Even without Federal customers, the environment must be scanned and vulnerabilities must be remediated.
More Information
Read more about this week's FedRAMP Tips and Cues here.