This week, FedRAMP published one Tip for Federal Agencies and one Tip for Cloud Service Providers (CSPs):
TIP: For a Cloud Service Offering (CSO) that is a combination of one authorization leveraging another (e.g., a SaaS leveraging an IaaS), Agency customers should assess the combined risk of the two systems.
Authorizing Officials should make decisions based on the complete risk posture of the offering, not just the top layer of the stack (e.g. SaaS). Authorizing Officials should be reviewing the appropriate FedRAMP packages to ensure they have a complete understanding of the risk before issuing an ATO to a service offering.
Cloud Service Providers (CSPs)
TIP: The Plan of Action and Milestones (POA&M) is for reporting and tracking security vulnerabilities and weaknesses.
Vulnerabilities are found through monthly scanning and annual 3PAO assessment and reported in the POA&M. Any security vulnerability found, regardless of its source, should be reported in the POA&M in accordance with FedRAMP guidelines. Even vulnerabilities found by the CSP itself or sources other than a 3PAO should be reported in the POA&M in accordance with FedRAMP guidelines. For vulnerabilities detected by scanners, FedRAMP only requires them to be reported in the POA&M if the remediation is delayed beyond FedRAMP-required timeframes.