This week, FedRAMP published a Q&A and a tip that discuss 3PAO templates and POA&Ms:
Q: When does a 3PAO have to use a new FedRAMP template and why?
A: The FedRAMP PMO office does not like to cause extra effort, but we do prefer that the latest templates be used where it makes sense and is feasible, because the updates include additional information and changes that are based on FedRAMP changes in policy or direction.
That being said, if you have already updated your template and this would cause a lot of extra effort to move over to the latest template, please continue to use the existing template. However, next time we ask that you check the website before you start to ensure that you use the current version at that time. Please note what template version you are using in your document history log at the front of the template, so the Reviewers will keep that in mind for reviews.
If possible, we would request using the latest versions of templates for the SSP attachments and other package documents (at least those where templates are provided), since several were updated recently.
TIP: When providing a screenshot as evidence, be sure to also include a description of what the Joint Authorization Board (JAB) Reviewer is to review and how this provides the information necessary to either close the Plan of Action & Milestones (POA&M) or provide evidence of a False Positive.
Providing only a screenshot is insufficient, but providing a screenshot with a detailed description or a step-by-step characterization will lead to more approvals than rejections. This is important because the context of the screenshot might not be enough for a JAB Reviewer to make a decision on whether to approve or reject a Deviation Request (DR) or to accept as sufficient Plan of Action & Milestones evidence. These screenshots are separate from the POA&M Excel file, and are typically copied and pasted into a Word document.