This week, FedRAMP published one Tip and one Q&A for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: All FedRAMP Baselines require the CSP information system to accept and electronically verify Personal Identity Verification (PIV) and Common Access Card (CAC) credentials, in accordance with control IA-2(12).
Many CSPs assign the responsibility for PIV/CAC implementation to the Federal Agency customer for on-premises authentication, and then rely on federation methods described in the Digital Identity Guidelines, such as SAML/ADFS, to authenticate users into the CSP environment. While this is an acceptable method, the CSP must still demonstrate that the Cloud Service Offering itself is capable of accepting and verifying PIV/CAC credentials. Because CSP personnel may not have been issued PIV/CAC credentials, NIST has developed a set of test PIV cards that can be purchased to exercise the PIV/CAC capability; they are available here.
The 3PAO is expected to assess the CSP's PIV/CAC implementation even when the responsibility is ultimately assigned to the Federal Agency customer. The 3PAO also assesses whether federated authentication is properly implemented.
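To make "electronically verify PIV/CAC credentials" concrete, the following script walks through the checks a relying party performs on a PIV Authentication certificate before trusting it: a signature check against the trust anchor (not just an issuer-name match), the validity window, the id-fpki-common-authentication certificate policy, a client-authentication EKU, and the FASC-N and UPN identifiers in the Subject Alternative Name that the federation layer maps to an account. This is an added illustration, not FedRAMP, NIST or any CSP's code. It assumes the Python `cryptography` package; the issuing CA, key material, names and FASC-N bytes are generated or invented in-process so it runs offline (a real deployment would validate against the Federal PKI and also check revocation, which is omitted here).

```python
"""Relying-party checks on a PIV Authentication certificate (added illustration).

Not FedRAMP, NIST or any CSP's code. Certificates are generated in-process from a
made-up issuing CA so the script runs offline; the OIDs are the real PIV ones
(FIPS 201 / Federal PKI Common Policy), the names and identifiers are invented.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

ID_FPKI_COMMON_AUTH = ObjectIdentifier("2.16.840.1.101.3.2.1.3.13")  # id-fpki-common-authentication
ID_MS_SMARTCARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")     # Smart Card Logon EKU
ID_MS_UPN = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")                 # UPN otherName in the SAN
ID_PIV_FASC_N = ObjectIdentifier("2.16.840.1.101.3.6.6")               # FASC-N otherName in the SAN
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Agency Issuing CA")])  # invented


def _der_utf8(s: str) -> bytes:
    """DER-encode a short UTF8String (tag 0x0C, one-byte length) for an otherName value."""
    b = s.encode()
    return b"\x0c" + bytes([len(b)]) + b


def _window(cert):
    """Validity bounds as naive UTC datetimes, across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def make_ca(now):
    """Return (ca_cert, ca_key) for a hypothetical issuing CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key


def make_piv_cert(ca_cert, ca_key, now, with_policy=True, with_upn=True):
    """Issue a PIV Authentication style certificate for an invented cardholder."""
    # Constructed 25-byte FASC-N carried as a DER OCTET STRING (tag 0x04, length 25).
    san = [x509.OtherName(ID_PIV_FASC_N, b"\x04\x19" + bytes(25))]
    if with_upn:
        san.append(x509.OtherName(ID_MS_UPN, _der_utf8("1234567890@mil")))  # made-up UPN
    key = ec.generate_private_key(ec.SECP256R1())
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "DOE.JANE.1234567890")]))
         .issuer_name(ca_cert.subject).public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=365))
         .add_extension(x509.SubjectAlternativeName(san), critical=False)
         .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, ID_MS_SMARTCARD_LOGON]),
                        critical=False))
    if with_policy:
        b = b.add_extension(x509.CertificatePolicies([x509.PolicyInformation(ID_FPKI_COMMON_AUTH, None)]),
                            critical=False)
    return b.sign(ca_key, hashes.SHA256())


def verify_piv_auth_cert(cert, trust_anchor, now, require_upn=True):
    """Return the list of failed checks; an empty list means the credential is acceptable.
    Revocation (CRL/OCSP) and the card's proof of private-key possession are out of scope here."""
    failures = []
    # 1. Issuer name must match AND the signature must verify: a name match alone proves nothing.
    if cert.issuer != trust_anchor.subject:
        failures.append("issuer is not the trust anchor")
    else:
        try:
            trust_anchor.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                             ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            failures.append("signature does not verify under trust anchor")
    # 2. Validity window.
    nb, na = _window(cert)
    if not (nb <= now <= na):
        failures.append("outside validity period")
    # 3. The certificate must assert the PIV Authentication policy, not merely some FPKI policy.
    try:
        policies = {p.policy_identifier for p in cert.extensions.get_extension_for_class(x509.CertificatePolicies).value}
    except x509.ExtensionNotFound:
        policies = set()
    if ID_FPKI_COMMON_AUTH not in policies:
        failures.append("missing id-fpki-common-authentication policy")
    # 4. EKU must permit client authentication.
    try:
        eku = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = set()
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        failures.append("EKU does not allow client authentication")
    # 5. SAN must carry a FASC-N (and a UPN when this relying party maps identities by UPN).
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        oids = {o.type_id for o in san.get_values_for_type(x509.OtherName)}
    except x509.ExtensionNotFound:
        oids = set()
    if ID_PIV_FASC_N not in oids:
        failures.append("SAN has no FASC-N")
    if require_upn and ID_MS_UPN not in oids:
        failures.append("SAN has no UPN to map to a federated identity")
    return failures


def run_demo():
    """Exercise the verifier against a good card and three defective ones."""
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None, microsecond=0)
    ca, ca_key = make_ca(now)
    rogue_ca, rogue_key = make_ca(now)  # same CA name, different key
    good = make_piv_cert(ca, ca_key, now)
    return {
        "good": verify_piv_auth_cert(good, ca, now),
        "no_policy": verify_piv_auth_cert(make_piv_cert(ca, ca_key, now, with_policy=False), ca, now),
        "rogue_issuer": verify_piv_auth_cert(make_piv_cert(rogue_ca, rogue_key, now), ca, now),
        "expired": verify_piv_auth_cert(good, ca, now + dt.timedelta(days=400)),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {'OK' if not result else result}")
```

The "rogue_issuer" case is the one worth dwelling on during a 3PAO test: the forged certificate names the correct issuer and carries every required extension, and only the signature check against the pinned trust anchor rejects it. A federation layer that maps the UPN to an account without that check has not verified the PIV credential at all.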
Cloud Service Providers (CSPs)
Q: Can a CSP close out Operational Requirements (ORs) in the Plan of Action and Milestones (POA&M)?
A: Operational Requirements (ORs) occur when a vulnerability is found within the Information System, but the remediation (i.e., a patch, parameter setting, etc.) cannot be implemented without adverse impact on the system. ORs are accepted by the Joint Authorization Board (JAB) or Sponsoring Agency when strong mitigations are implemented to reduce the risk as far as possible. ORs remain in the Open tab of the POA&M spreadsheet until the vulnerability is eliminated. Each OR is reviewed at least yearly during the Annual Assessment to confirm that it is still needed, with a view toward closing out the vulnerability.
More Information
Read more about this week's FedRAMP Tips and Cues here.