This week, FedRAMP published one Q&A and one Tip for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: Could you explain the purpose and process behind requiring a CSP to complete an incident response test and contingency plan test before their 3PAO assessment?
A: It is important that the incident response test and the contingency plan test are done before a 3PAO assessment in order to ensure that the processes are functioning as intended and that lessons learned can be integrated into the plan. If a CSP does not complete an incident response test and a contingency plan test before the 3PAO assessment, the Joint Authorization Board (JAB) will not issue the cloud offering a Provisional Authorization to Operate (P-ATO). These tests must be conducted in accordance with NIST SP 800-53 (the IR-3 incident response testing and CP-4 contingency plan testing controls), and the results should be made available to the 3PAO for evaluation. Once a P-ATO is granted, the tests should continue to be completed prior to each annual assessment so that the 3PAO can evaluate the results as part of that assessment.
Cloud Service Providers (CSPs)
TIP: Your FedRAMP or government liaison is here to help guide you through the FedRAMP process. Communication is imperative to getting through the FedRAMP process! The better your communication, the smoother the process will go.
If you have any questions or concerns, or just want to brainstorm ideas, your FedRAMP liaison can share the potential impacts of any proposal you have. If you're not sure whether a control implementation should be "Not Applicable" or an "Alternative Implementation," your liaison can help! And if you're unclear on how to describe your PIV/CAC implementation, your government liaison can point you in the right direction!
Read more about this week's FedRAMP Tips and Cues here.