This week, FedRAMP published a weekly tip that discusses the use of non-US persons support and updating SSP officials:
TIP: A CSP using non-US persons to support their system is FedRAMP compliant, but will find their market limited among Federal agencies.
Using non-US persons to support a FedRAMP system is a business decision the CSP must make. There is no Federal requirement about citizenship. Some agencies have no issue with the use of non-US persons supporting the system; however, many agencies have their own citizenship requirements. For some agencies, the requirement is blanket. For others, it may depend on the sensitivity of the system.
TIP: If a CSP’s or Authorizing Official’s information has changed, be sure to make these changes in the role section of the System Security Plan (SSP) immediately after the change.
There have been a lot of personnel changes in CSPs and agencies. It’s critical that CSPs update their SSPs to reflect these changes, as this is something that is vital, but often overlooked.
Read more about this week’s FedRAMP’s Tip and cues here.