This week, FedRAMP published two Q&As for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: Is the CSP responsible for ensuring the quality of the work performed by the Third Party Assessment Organization (3PAO)?
A: While accredited 3PAOs perform security assessments of FedRAMP cloud services, the CSP is responsible for all 3PAO activities and deliverables related to the assessment of their cloud offering. The CSP manages and oversees these activities accordingly.
Exceptions are delivery of the Security Assessment Plan (SAP), Security Assessment Report (SAR), and the SAR results. In order to maintain the integrity and independence of these documents, they must be provided to the PMO directly from the 3PAO. While the 3PAO makes the final determination on the security results in the SAR, the CSP should ensure the quality of the SAR and all 3PAO deliverables provided to FedRAMP.
Cloud Service Providers (CSPs)
Q: I already have a Provisional Authorization to Operate (P-ATO) with the Joint Authorization Board (JAB). Is non-compliance on a particular control or on business issues allowed?
A: Once a CSP achieves a P-ATO, it is incumbent on them to maintain their authorization to the best of their ability. Any non-compliance must be addressed expediently and to the satisfaction of the JAB. This includes ensuring consistent, successful monthly continuous monitoring with remediations and annual assessments. Corrective Action Plans (CAPs) will be instituted if deemed necessary. This level of fidelity is necessary to ensure the security of government data and systems.
Read more about this week's FedRAMP Tips and Cues here.