Last week, FedRAMP published one Tip and one Q&A for Cloud Service Providers(CSPs) :
Cloud Service Providers (CSPs)
TIP: Cloud Service Providers (CSPs) pursuing a JAB P-ATO have asked about how to implement new technologies. New technologies have a minimum control set in the significant change policy and procedures. The assumption is that all the controls will be assessed unless the 3PAO provides a rationale for excluding controls or scoping the assessment of the controls as:
- Not Applicable (N/A) – The nature of the component means it inherently does not contain this capability and will not be tested (e.g. controls that apply to collaborative computing devices only apply if that capability exists in the system)
- Not Selected (N/S) – A centralized automated mechanism ensures the implementation of the specific control, and that central automated mechanism has already been assessed to ensure that it is operating as intended and producing the desired result. Therefore, the assessment of the control will be scoped to only verifying/validating that the component is integrated into the centralized automated mechanism. Here are a few examples of centralized and/or automated mechanisms that implement other controls:
- AC-2 (1) – The organization employs automated mechanisms to support the management of information system accounts
- AU-7 – The information system provides an audit reduction and report generation capability
- CM-6 (1) – The organization employs automated mechanisms to centrally manage, apply, and verify the configuration settings for organization-defined information system components
JAB reviewers will review each rationale for excluding controls from assessment or scoping the assessment of the control to determine if they concur.
Question: A CSP asked, “What is the process for handling False Positives found during Initial or Annual Assessment when the Security Assessment Report (SAR) is closed but has not yet been approved by the Sponsoring Agency?”
A: All of the False Positives found during the Annual Assessment should be added to the Plan of Action and Milestones (POA&M) list. If they are approved before the SAR is closed/signed, they are moved to the Closed Tab of the POA&M list. If they have not been approved, they should remain in the Open Tab of the POA&M list until approved. Then, at least Annually during assessment, the False Positives should be evaluated for continued False Positive status.
For more information on handling the Annual Assessment and scan findings check out the CSP Continuous Monitoring Strategy Guide.
Read more about this week’s FedRAMP’s Tip and cues here