This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: Would a cloud service require a FedRAMP authorization if it already has a FISMA ATO? If so, can you reference the specific language in the requirement?
A: While FISMA and FedRAMP authorizations are similar, FedRAMP authorizations involve extra requirements and parameters specified in the FedRAMP templates and baseline requirements documentation available on fedramp.gov. Agencies that are using a cloud system or service must follow FedRAMP requirements and go through the FedRAMP Authorization process. The driving policy for FedRAMP is a policy memo released by OMB.
The initial cloud system/service authorization package (including the ATO for Agency-authorized systems) must be reviewed and approved by the FedRAMP PMO to receive a FedRAMP Authorization.
Cloud Service Providers (CSPs)
Q: If a CSP wants to complete a FedRAMP Readiness Review, but is then going to pursue an Agency-sponsored FedRAMP authorization, can the CSP use the same 3PAO for both assessments?
A: A CSP can use the same 3PAO for completing their Readiness Assessment Report (RAR) and their full security assessment when working with an Agency or the JAB. The same 3PAO, however, cannot consult between assessments – this is outlined in the ISO 17020 requirements and FedRAMP-A2LA 3PAO accreditation requirements.
Additionally, to help ensure successful completion of the RAR, the FedRAMP PMO has created a FedRAMP RAR Guide for 3PAOs that includes useful tips and lessons learned.
More Information
Read more about this week’s FedRAMP Tips and Cues here.