This week, FedRAMP published two questions and answers: one for Cloud Service Providers (CSPs) and one for Third Party Assessment Organizations (3PAOs):
Cloud Service Providers (CSPs)
Q: I referenced a document in my System Security Plan (SSP), but did not provide the referenced document because it contains proprietary or sensitive information. How will this affect my review?
A: Every attempt should be made to prevent this situation. The assessment package should stand on its own without referencing documents that require complex retrieval, which can be confusing, time consuming, and cause delays in the assessment. In the rare circumstance this can’t be avoided, you might add a statement that says, “The document is available onsite for review upon request or as required for audits and assessments.”
Third Party Assessment Organizations (3PAOs)
Q: Are low risk findings tracked on the Plan of Action and Milestones (POA&M)? If so, what is the time window to correct low risk findings? The FedRAMP guidance only states remediation time frames for high/moderate risk items.
A: Yes, all findings must be documented in the POA&M, including low risk findings. Low risk findings should be remediated within 180 days, and the remediation will be validated during the next annual assessment.
Read more about this week's FedRAMP Tips and Cues here.