This week, FedRAMP published two Tips for Cloud Service Providers(CSPs):
Cloud Service Providers (CSPs)
TIP: Effective July 1, 2018, CSPs must complete implementation of TLS version 1.1 for their Federal Agency customers.
CSPs must ensure that federal customers are fully authenticated and compliant with TLS version 1.1 or higher (turning off TLS 1.0 and below).
Cloud Service Providers (CSPs)
TIP: When updating the Plan of Action and Milestones (POA&M) to account for findings in the Security Assessment Report (SAR), consider the following:
- The POA&M items should be easily traceable to the same finding in the SAR, with matching unique IDs.
- The details of POA&M items should map to the same details of the same findings in the SAR (one for one).
- For findings in the SAR that are already in the POA&M, the original discovery date should remain unchanged.
- For new findings that are not already in the POA&M, the discovery date should be no later than the last day of the assessment noted in the paragraph above SAR Table ES-1.
- Unless the findings are operationally required, completion dates should be in line with FedRAMP required timeframes for remediation. From the date of discovery, high risks should be remediated within 30 days, moderate risks within 90 days, and low risks within 180 days.
- Deviations should be appropriately reflected in the POA&M to match those in the SAR. All pre-existing deviations, prior to the start of the assessment, must be accounted for correctly and consistently across the SAR and POA&M documents.
- The CSP should monitor changes to the SAR to ensure any changes are carried over to the POA&M.
More Information
Read more about this week’s FedRAMP’s Tip and cues here
