This week, FedRAMP published two Q&As for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: For my JAB P-ATO package, who should I list as the FedRAMP POC in my SSP and other package documents?
A: For the SSP main document (excluding operational documents), the FedRAMP POC should be info@fedramp.gov. For procedural docs that include interaction around security procedures (IR and CP), the primary JAB Reviewer/POC should be listed.
For agency ATO packages, work with your agency to determine the appropriate POCs.
Cloud Service Providers (CSPs)
Q: I’m no longer required to include vulnerabilities on my POA&M that are not “late” according to FedRAMP requirements. Can I still report on-schedule scan items in my POA&M?
A: Yes. Excluding non-late scan items is optional and will not impact FedRAMP’s processing.