This week, FedRAMP published one tip for Cloud Service Providers ( CSPs) and one question and answer for Third Party Assessment Organizations (3PAOs). :
Cloud Service Providers (CSPs)
TIP: When submitting the monthly Plan of Actions and Milestones (POA&M) spreadsheet, the findings on the spreadsheet must be reconciled each month with the scan results to ensure POA&M accuracy. This means that any items that have closed throughout the month should be marked as such and appropriate artifacts should be provided to validate closure.
All findings must be recorded on the open tab of the POA&M. A false positive (FP) vulnerability remains in the open tab until the deviation request (DR) is approved. An operationally required (OR) vulnerability remains on the open tab indefinitely and is only closed if the circumstances creating the OR are resolved, such as migration to a new technology. A vendor dependency also remains on the open tab indefinitely and is only closed once the CSP resolves the issue by applying a vendor approved fix or upgrade.
Third Party Assessment Organizations (3PAOs)
Q: Our CSP client has data centers in multiple locations throughout the United States. As part of the Readiness Assessment Report (RAR), FedRAMP requires in-person interviews. Does visiting one data center satisfy FedRAMP’s requirement, or do we need to visit each location?
A: Visiting data centers is a best practice to enable you to view the security at the facility first-hand as part of your verification and validation efforts. If a CSP has multiple data centers, you are not required to visit each one as part of the RAR effort; however, during the Security Assessment Report (SAR) phase, we expect the 3PAO to visit each data center to perform in-person interviews, review documents as necessary, and validate some of the controls. Most CSPs remotely manage their systems, and the 3PAO needs to validate that the security capabilities are actually in place.
Read more about this week’s FedRAMP’s Tip and cues here