This week, FedRAMP published one Tip for Cloud Service Providers (CSPs) and one Q&A for Third Party Assessment Organizations (3PAOs):
Cloud Service Providers (CSPs)
TIP: Be sure that monthly Continuous Monitoring (ConMon) scans are submitted in the same format each month.
Failure to submit in a consistent, approved format can lead to a Detailed Finding Review or Corrective Action Plan (CAP).
Third Party Assessment Organizations (3PAOs)
Q: Does a 3PAO need to list, in the SAP, the previously approved deviations (such as Operational Requirements) that will be evaluated during an annual assessment?
A: During Annual Assessments, previously approved deviations, such as Operational Requirements, are assessed to determine whether their status is still justified. While the 3PAO does not need to explicitly list the specific deviations to be re-evaluated during the assessment, the 3PAO should at least include a statement in the Security Assessment Plan (SAP) that such a re-evaluation will occur as part of the assessment.
Read more about this week's FedRAMP Tips & Cues here.