This week, FedRAMP published two Q&As: one for Agencies and one for Cloud Service Providers (CSPs):
Q: How can my Agency support Cloud Service Providers (CSPs) that need to demonstrate federal demand as part of FedRAMP Connect?
A: FedRAMP Connect was developed to ensure that CSPs that are prioritized to pursue a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) have demand from Federal Agencies for their cloud offering and that they are well prepared to begin the authorization process. FedRAMP’s Prioritization Criteria outlines the criteria that are used to evaluate and select CSPs to partner with the JAB on a semi-annual basis.
Any CSP looking to pursue a JAB P-ATO must prove federal demand for their cloud offering. Agencies partnered with CSPs pursuing a JAB P-ATO can assist those CSPs by providing them with the following types of documentation that can be included in the CSPs’ applications to FedRAMP Connect:
- ATO(s) demonstrating current use of the cloud service offering (CSO) in a FISMA on-premise environment
- ATO(s) demonstrating current use of the CSO in a FedRAMP cloud environment
- ATO(s) demonstrating current use of the CSO
- RFI/RFQ/RFP demonstrating demand for the individual CSO
- Attestation from the Agency OCIO/OCISO, or other representative IT leadership, indicating demand and prospective utilization of the CSO
- Attestation or identification of shared demand with partner Agencies’ OCIO/OCISO, or other representative IT leadership
Cloud Service Providers (CSPs)
Q: Can I use the FedRAMP Significant Change Request (SCR) form for multiple significant changes?
A: Yes, you can include multiple significant changes as long as all changes will be implemented for assessment at the same time. We often see SCRs for multiple changes where the CSP is on-boarding multiple new services, performing a tech refresh of multiple component types, and others. The assumption is that testing for all of the new services and components will be performed under a single Security Assessment Plan (SAP) and the results will be reflected in a single Security Assessment Report (SAR).