This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs):
Cloud Service Providers (CSPs)
Q: How do policies and procedures differ from the System Security Plan (SSP)?
A: Policies and procedures are a critical supplement to the SSP and are required by the first control (known as the “dash ones,” i.e. AC-1) for each control family. These documents are submitted with the SSP and provide the guidelines under which the procedures are developed and by which the SSP controls are implemented. Policies address what the policy is and its classification, who is responsible for the execution and enforcement of the policy, and why the policy is required. Procedures define the specific instructions necessary to perform a task. Procedures detail who performs the procedure, what steps are performed, when the steps are performed, and how the procedure is performed.
Third Party Assessment Organizations (3PAOs)
Q: What is the third party assessment organization’s (3PAO) responsibility if it is not conducting the vulnerability scanning for specific controls in an assessment?
A: Generally, an assessment by the 3PAO includes several methodologies: personal interviews, document and evidence reviews, vulnerability scanning, and penetration testing. The Security Assessment Plan (SAP) should address the assessment methodology in detail so that it can be reviewed and approved prior to assessment testing. For vulnerability scanning, 3PAO responsibilities include:
- Reviewing scanning tools to ensure the tools are appropriately configured before the scans are executed (i.e., describing the appropriate/expected configurations that will then be verified)
- Ensuring scans comply with the FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide
- Overseeing and monitoring scans from initiation to completion
- Describing and executing the procedures to ensure 3PAO chain-of-custody of the scan and results
Read more about this week’s FedRAMP’s Tip and cues here.