This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: Do the FedRAMP security controls restrict data to reside only within the United States?
A: There are no FedRAMP requirements restricting data to within the United States. There are multiple security controls that detail where data is stored, what the boundary of the system is, and where and how data in transit is protected. We have some providers that are authorized through FedRAMP that are located globally, although a majority of service providers do restrict their data to the United States. It is up to each individual Agency and authorizing official to place restrictions, if needed, on data location.
Q: Does the “FedRAMP Ready” designation allow CSPs to bid on contracts if their systems don’t have an existing Authority to Operate (ATO)? If not, how will a CSP that does not have a current ATO respond to an RFP? Will the CSP be required to obtain a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO)?
A: CSPs whose systems do not have existing ATOs are allowed to bid on contracts. Agencies can request that a CSP have a timeline for obtaining an ATO, but should not limit the request to CSPs with ATOs. Please contact the FedRAMP PMO if an Agency is making that request.
The “FedRAMP Ready” designation is a market indicator to Agencies that a system has a high likelihood of obtaining a JAB P-ATO or an Agency ATO. Agencies can be confident that systems that meet the FedRAMP Ready requirements actually have the key capabilities needed to fit their security needs. Therefore, a small cloud service provider will have the ability to attain FedRAMP Ready and be available for Agency review in the FedRAMP Marketplace. The Agency can then decide to issue an ATO based on the understanding that the system meets the Readiness Assessment requirements.