FedRAMP Weekly Tips & Cues – September 5, 2018

This week, FedRAMP published two Tips for Cloud Service Providers(CSPs):

Cloud Service Providers (CSPs)

TIP: Submitting an Operational Requirement Deviation Request (DR) is typically acceptable when updating the host would break FIPS compliance.

However, it is critical that CSPs continuously re-evaluate FIPS certification to determine when updates become FIPS compliant. Consequently, the Operational Requirements would no longer be relevant.

Cloud Service Providers (CSPs)

TIP: Do not automatically assume that an N/A assertion from an IaaS/Paas can be inherited by a SaaS, even if the SaaS does not implement the relevant features.

The SaaS may also assert the control as N/A, but they need to provide their own rationale, not rely on the underlying IaaS/PaaS assertion. AC-19 Access Control for Mobile Devices comes to mind. This may be N/A for the IaaS, but in-scope for the SaaS. Thus, it would need to be addressed for the SaaS.

More Information

Read more about this week’s FedRAMP’s Tip and cues here

Free Chatbot Call-To-Action