This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: In the updated Continuous Monitoring Strategy Guide, I noticed there is now a defined “due date” for low vulnerabilities. Does my service offering have to implement that immediately?
A: The FedRAMP Continuous Monitoring Strategy Guide now requires low vulnerabilities to be remediated/mitigated within 180 days. That requirement took effect on January 31, 2018 when the document was published. All newly identified “low” vulnerabilities should have a resolution date (as specified in the POA&M) no later than 180 days after the date of discovery. “Low” vulnerabilities that were identified and placed on the POA&M prior to January 31, 2018 may keep the previously assigned resolution date.
Cloud Service Providers (CSPs)
Q: Can a Federal Agency require CSPs to be FedRAMP authorized in a request for proposal (RFP)?
A: Federal Agencies cannot require CSPs to be FedRAMP authorized as part of their RFP, but they can state that a CSP needs to be FedRAMP authorized once federal data is placed in the system. For more information on contract clauses, please review the FedRAMP Standard Contractual Clauses.
More Information
Read more about this week's FedRAMP Tips and Cues here.