This week, FedRAMP published two questions and answers: one for Cloud Service Providers (CSPs) and one for Third Party Assessment Organizations (3PAOs):
Cloud Service Providers (CSPs)
Q: All of the controls listed in the System Security Plan (SSP) Template do not apply to my system, so I only completed those that are applicable and left the others blank. Is it permissible to leave a control blank if it has not been implemented?
A: Every section within the SSP is required to have an answer – including each control. So simply leaving it blank is not permissible. You must list the control as “n/a” and give any appropriate rationale as to why that control does not apply to your system. Very few controls are ever considered “not applicable.” The average FedRAMP CSP system has no more than a handful of controls that are truly not applicable; these typically include controls involving “Wifi” and “Mobile,” where these components are simply not used. However, there should be very limited or no controls listed as “not applicable” for technical controls such as AC, AU, IA, SC, etc.
CSPs must think of the system as a whole when determining applicability. If the control applies to the system in any way from the provider to the consumer, it is applicable. A provider must describe any portion of the control that the provider is responsible for, as well as any responsibilities of consumers. For example, IA-2 (12) requires multi-factor authentication for end users via PIV or CAC cards, which might not sound applicable for a CSP. Controls like this are tricky because a CSP usually doesn’t work with end users at agencies to issue PIV or CAC cards. However, CSPs are required to have the capabilities in place for end users to authenticate via PIV or CAC cards. In this case, instead of this control being not applicable, a CSP might describe how they accept SAML authentication mechanisms for the end user, and also the customer responsibilities related to PIV/CAC and SAML interactions with the CSP.
Third Party Assessment Organizations (3PAOs)
Q: How does a 3PAO ensure repeatable and consistent results when reporting the results of an assessment method?
A: When reporting the results of an assessment method (document examinations, personal interviews, and system tests), ensure there is enough detail so that the assessment method and result can be repeated by someone else. This generally refers to Appendix B of the Security Assessment Report (SAR), spreadsheet tab: “Procedure and Evidence.” For each control, there should be sufficient detail to describe the assessment method that includes the procedure, evidence, and results. This should have a consistent look and feel from control to control, for repeatability and consistency.
Read more about this week’s FedRAMP Tips and Cues here.