This week, FedRAMP published two Tips for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: Submitting an Operational Requirement Deviation Request (DR) is typically acceptable when updating the host would break FIPS compliance (for example, when the patched version of a cryptographic module has not yet received its own FIPS 140 validation).
However, the deviation is a temporary condition, not a permanent exemption: CSPs must continuously re-evaluate the FIPS certification status of the update to determine when it becomes FIPS compliant. At that point the Operational Requirement is no longer relevant and the update should be applied.
Cloud Service Providers (CSPs)
TIP: Do not automatically assume that an N/A assertion from an IaaS/PaaS can be inherited by a SaaS, even if the SaaS does not implement the relevant features.
The SaaS may also assert the control as N/A, but it needs to provide its own rationale rather than rely on the underlying IaaS/PaaS assertion. AC-19 (Access Control for Mobile Devices) is a good example: it may be N/A for the IaaS, whose infrastructure is never accessed from mobile devices, but in scope for the SaaS if its users can reach the service from phones or tablets. In that case the SaaS must address the control itself.
More Information
Read more about this week's FedRAMP Tips and Cues here