This week, FedRAMP published two Tips for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: Per the FedRAMP Significant Change Policies and Procedures, every new code release is not automatically considered a significant change.
The CSP must perform a security impact analysis (SIA) in compliance with FedRAMP control CM-4 on every new code release. This includes the analysis required by the FedRAMP SA-11 controls (the base control and enhancements). Therefore, if an SIA shows that the new code release will adversely affect the system’s security posture, the new code release must be treated as a significant change.
Cloud Service Providers (CSPs)
TIP: Please remember when submitting a Significant Change Request to include the minimum control set that is required if your change type is a new technology, new interconnection, new data center, or a moderate to high FIPS-199 Categorization change.
This is outlined in the FedRAMP Significant Change Policies and Procedures document. You can find the control set in Appendix B of this document.
More Information
Read more about this week’s FedRAMP Tips and Cues here.