This week, FedRAMP published questions and answers that discuss System Security Plans, and continuous monitoring:
Q: A service previously documented in the System Security Plan (SSP) was renamed. How do we reflect the name change when we submit a Deviation Request (DR) for a vulnerability that affects the renamed service?
A: Please provide a brief contextual description of the renamed service and reference its documented name in the SSP. This enables the reviewer to look up the service by its original name in the SSP.
Q: Are CSPs expected to maintain Continuous Monitoring activities while undergoing an annual assessment?
Yes. CSPs are expected to maintain Continuous Monitoring activities while undergoing an annual assessment, including timely remediation of POA&Ms and submission of monthly deliverables. FedRAMP does not allow exceptions for this.
More Information
Read more about this week’s FedRAMP’s Tip and cues here.