FedRAMP Weekly Tips & Cues – July 11, 2018

This week, FedRAMP published two Q&As for Cloud Service Providers (CSPs):

Cloud Service Providers (CSPs)

Q: For my JAB P-ATO package, who should I list as the FedRAMP POC in my SSP and other package documents?

A: For the SSP main document (excluding operational documents), the FedRAMP POC should be info@fedramp.gov. For procedural docs that include interaction around security procedures (IR and CP), the primary JAB Reviewer/POC should be listed.

For agency ATO packages, work with your agency to determine the appropriate POCs.

Cloud Service Providers (CSPs)

Q: I’m no longer required to include vulnerabilities on my POA&M that are not “late” according to FedRAMP requirements. Can I still report on-schedule scan items in my POA&M?

A: Yes. Excluding non-late scan items is optional and will not impact FedRAMP’s processing.

More Information

Read more about this week’s FedRAMP Tips & Cues here.
