This week, FedRAMP published one Tip for Federal Agencies and one Q&A for Cloud Service Providers (CSPs):
Federal Agencies
TIP: During Continuous Monitoring, the Agency Authorizing Official (AO) is responsible for ensuring that the security posture of the cloud service their Agency is using continues to be acceptable.
The AO (or a designated representative) is responsible for reviewing the system security artifacts provided by the Cloud Service Provider (CSP), the Third Party Assessment Organization (3PAO), and the FedRAMP PMO (in the case of services with a JAB P-ATO), both when granting the authorization and throughout continuous monitoring. The AO should have confidence that the security posture of the service is maintained in good standing for ongoing authorization.
Cloud Service Providers (CSPs)
Q: Can I use the FedRAMP Significant Change Request (SCR) form for multiple significant changes?
A: Yes, you can include multiple significant changes as long as all of the changes will be implemented and ready for assessment at the same time. We often see SCRs covering multiple changes where the CSP is on-boarding several new services, performing a tech refresh of multiple component types, or similar cases. The assumption is that testing for all of the new services and components will be performed under a single Security Assessment Plan (SAP) and that the results will be reflected in a single Security Assessment Report (SAR).
Read more about this week's FedRAMP Tips and Cues here