This week, FedRAMP published two tips for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: In Table 4-1 of the SAR, please ensure that the columns “Risk Statement” and “Mitigating Controls/Factors” contain the following information:
Risk Statement: Provide a risk statement that describes the risk to the business. Indicate whether the affected host(s) is/are internally or externally facing.
Mitigating Controls/Factors: Describe any applicable mitigating controls/factors that could downgrade the likelihood or risk exposure. Also indicate whether the affected host(s) is/are internally or externally facing. Include a full description of any mitigating factors and/or compensating controls if the risk is an operational requirement.
Cloud Service Providers (CSPs)
TIP: Due to “chain of custody” control, the JAB Technical Reviewers cannot move Continuous Monitoring (ConMon) documents if the CSP or 3PAO uploaded them to incorrect folders in OMB MAX.
Please ensure that you upload ConMon documents to their correct respective folders!
More Information
Read more about this week’s FedRAMP Tips and Cues here