This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: I received a request from a Federal Agency to review my system’s Provisional Authorization to Operate (P-ATO) letter, and I am concerned that sharing the letter will violate sensitivity policies. Is it appropriate to share an authorization letter with Agencies?
A: Yes! The Authorization Letter is intended to serve as evidence that the CSP has obtained their FedRAMP P-ATO. The CSP may show or even provide a copy to a requesting Agency. Indeed, the Agency may need a copy for their own ATO package as evidence they selected a CSP with a valid FedRAMP P-ATO.
Cloud Service Providers (CSPs)
Q: Could you explain the purpose and process behind requiring a CSP to complete an incident response test and contingency plan test before their 3PAO assessment?
A: If a CSP does not complete an incident response test and contingency plan test before the 3PAO assessment, the Joint Authorization Board (JAB) will not issue the cloud offering a Provisional Authorization to Operate (P-ATO). These tests must be conducted in accordance with NIST SP 800-53, and the results should be made available to the 3PAO for evaluation. Once a P-ATO is granted, the tests should continue to be completed prior to the annual assessment so that the 3PAO can evaluate the results as part of that assessment.
More Information
Read more about this week's FedRAMP Tips and Cues here.