This week, FedRAMP published two tips that discuss Cloud Service Offering Assessments and the requirements for a security assessment report and readiness assessment report:
TIP: What does a typical Third Party Assessment Organization (3PAO) Team performing a Cloud Service Offering (CSO) assessment look like according to FedRAMP?
FedRAMP requires that all assessments be staffed by an appropriate number of 3PAO team members based on the complexity of the CSO being assessed. This 3PAO staffing includes, but is not limited to, individuals responsible for scanning, interviews, the examination of artifacts, and report writing. The 3PAO team must consist of at least three people from the 3PAO who participate in and support the assessment: one of whom is considered the senior representative of the 3PAO, one of whom is a penetration tester, and one of whom is dedicated to quality management of the 3PAO process.
The senior representative is responsible for ensuring that the assessment activities and evidence are completed fully and meet the FedRAMP requirements and standards.
The penetration tester is responsible for ensuring the penetration testing is fully compliant with FedRAMP Penetration Test Guidance.
The individual dedicated to quality management is responsible for ensuring that all deliverables from the 3PAO meet the quality standards set forth by FedRAMP.
Any 3PAO who wishes to complete an assessment with fewer than three people must seek approval from the FedRAMP PMO. The senior representative must have the authority to sign off on the work of the other individuals who work on the project. During the onsite assessment by A2LA, the 3PAO must demonstrate the ability to meet the team staffing requirements.
TIP: What are the basic FedRAMP requirements for 3PAOs delivering a security assessment report or a readiness assessment report?
All deliverables should be signed off by the 3PAO quality management lead before being delivered to a CSP or government authorizing official team. The quality review process for the 3PAO shall include checking all deliverables to ensure the following:
- There are no spelling or punctuation errors.
- All sections of each document delivered are complete, clear, concise, and consistent with each other.
- All team members of the assessment have reviewed the deliverables.
- Documents are prepared using the most recent standard templates, without alterations or deletions, and any insertions must be agreed upon.
All SARs written by the 3PAO shall include an authorization recommendation on whether the system can appropriately safeguard government data in accordance with the security classification of the system. The recommendation shall include a summary statement and justification statement.
All SARs written by the 3PAO shall include all scan results in a readable format such that someone without a scanner license can read the results.
All RARs written by the 3PAO must adhere to the guidance within the FedRAMP High Readiness Assessment Report (RAR) template and the FedRAMP Moderate Readiness Assessment Report (RAR) template.
All RARs written by the 3PAO shall include analysis of results from activities including, but not limited to, discovery scans, in-person interviews, and physical examinations where appropriate. In the event that scan results are requested by the PMO, they should be retained in a readable format such that someone without a scanner license can read the results.
Read more about this week’s FedRAMP Tips and Cues here.