This week, FedRAMP published one Q&A for Federal Agencies and one Q&A for Cloud Service Providers (CSPs):
Federal Agencies
Q: Once a Deviation Request (DR) has been submitted for downgrading risk from High to Moderate, should CSP create a new POA&M ID and another separate DR for downgrading risk from Moderate to Low?
A: The POA&M ID for the original detection of the vulnerability should remain separate from the adjusted risk. CSPs should also maintain separate DRs. For tracking purposes, the ConMon team would need another DR submitted by the CSP.
Cloud Service Providers (CSPs)
Q: I keep receiving commentary from the JAB on documents in my authorization package and this has extended my review time. What can I do to lessen the amount of comments my authorization package receives?
A: When preparing documentation for final submission to the JAB Reviewers, one must remember that the document is telling a story about the effort. If there are gaps in the storyline, there will be comments to address the gaps. The more gaps in the storyline, the more comments will be created to try to fill in the gaps, which will in turn slow down your review time. The author should frame each answer in a way that the reader can follow the complete thread from the beginning to the end. The author must never assume that the reader already knows "details" about the story without identifying the detail's location in the document. For instance, when providing the Penetration Testing Report, the 3PAO should provide the full names and versions of the tools used, why these were chosen, and then what the outcome was from the testing. These questions are basic to information gathering and reporting. For each section within the documentation, each of these questions must have a factual, detailed answer for the story to be complete.
Read more about this week's FedRAMP Tips and Cues here.