This week, FedRAMP published one Q&A for Agencies and one Tip for Cloud Service Providers (CSPs):
Q: What happens during an Agency Authorization kick-off meeting with the FedRAMP PMO?
A: As described in the Agency Authorization Playbook, the FedRAMP PMO considers a kick-off meeting to be an integral step of the authorization process. Kick-off meetings provide the Agency, Cloud Service Provider (CSP), Third Party Assessment Organization (3PAO), and FedRAMP PMO the opportunity to convene at the outset of an authorization effort. During a kick-off meeting, the following topics should be addressed:
- Roles and responsibilities for the Agency, CSP, and 3PAO
- Applicable project milestones, especially with respect to CSP package documentation for the System Security Plan (SSP), Security Assessment Plan (SAP), and Security Assessment Report (SAR)
- Review of Agency-specific system or control requirements and concerns
- Review of the authorization boundary
Kick-off meetings are designed to enable effective partnership among all stakeholders within an authorization effort, allowing for clear communication of requirements and providing a forum for answering questions.
Cloud Service Providers (CSPs)
TIP: CSPs should remember to consider alerts sent from the system (e.g., via email or text messages) and assess the needed protections of data in the alerts.
Consult NIST 800-60 Volume II for data types and the categorization of the data. The categorization (Low, Moderate, or High) corresponds to the FedRAMP baseline of security controls (Low, Moderate, or High) that must be applied to protect that data. The CSP may determine that changes need to be made to the alerts. For example, they may need to modify the contents of the alerts so that sensitive data stays within the boundary where the full set of security controls is applied.
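As an added illustration (not FedRAMP's guidance or any CSP's code), the sketch below shows one way to restructure an alert so that only fields classified as safe for out-of-boundary channels are sent, while the full record is retained inside the boundary behind an opaque reference token; the field classification, the in-boundary store and the sample alert are all constructed assumptions.

```python
import secrets

# Hypothetical per-field classification from the CSP's own NIST SP 800-60
# data-type analysis. "external" fields may travel over out-of-boundary
# channels (email, SMS); everything else must stay inside the boundary.
FIELD_POLICY = {
    "alert_id": "external",
    "severity": "external",
    "system": "external",
    "timestamp": "external",
    "affected_user": "in_boundary",
    "source_ip": "in_boundary",
    "log_excerpt": "in_boundary",
}

# Constructed stand-in for a datastore that lives inside the boundary.
IN_BOUNDARY_STORE = {}

def split_alert(alert):
    """Return (external_notification, retained_record). Fields absent from
    FIELD_POLICY default to in_boundary, so a new field cannot leak by omission."""
    external = {k: v for k, v in alert.items()
                if FIELD_POLICY.get(k, "in_boundary") == "external"}
    retained = {k: v for k, v in alert.items() if k not in external}
    # Opaque random reference: resolving it requires authenticating into the
    # boundary, so the token itself carries no sensitive content.
    ref = secrets.token_urlsafe(16)
    IN_BOUNDARY_STORE[ref] = dict(alert)
    external["details_ref"] = ref
    return external, retained

def outbound_message(external):
    """Render the out-of-boundary text (e.g. an email body) from the safe subset."""
    return (f"[{external['severity']}] alert {external['alert_id']} on "
            f"{external['system']} at {external['timestamp']}; "
            f"see details ref {external['details_ref']} in the console")

def contains_in_boundary_data(message, retained):
    """Final pre-send check: no retained value may appear verbatim in the message."""
    return any(str(v) in message for v in retained.values())

# Constructed sample alert; the last field is deliberately not in FIELD_POLICY.
SAMPLE_ALERT = {
    "alert_id": "A-1042", "severity": "High", "system": "billing-api",
    "timestamp": "2024-01-01T12:00:00Z", "affected_user": "jdoe@agency.example",
    "source_ip": "203.0.113.7", "log_excerpt": "SSN=123-45-6789 rejected",
    "ticket_notes": "caller reported possible PII exposure",
}
```

The default-deny lookup is the important part: any field the data-type analysis has not explicitly cleared is kept inside the boundary rather than sent.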
Read more about this week’s FedRAMP Tips and Cues here.