This week, FedRAMP published two questions and answers: one for Cloud Service Providers (CSPs) and one for Third Party Assessment Organizations (3PAOs):
Cloud Service Providers (CSPs)
Q: What are the roles and responsibilities of the third party assessment organization (3PAO) and the cloud service provider (CSP) during the assessment?
A: While FedRAMP certifies 3PAOs to perform security assessments of FedRAMP cloud services, the CSP is ultimately responsible for all 3PAO activities and deliverables related to the assessment of their cloud offering. The CSP develops and maintains the System Security Plan (SSP), Plan of Action and Milestones (POA&M), and other supporting documents; in addition, the CSP manages and oversees the assessment activities accordingly. The 3PAO develops and delivers the Security Assessment Plan (SAP), Security Assessment Report (SAR), and SAR evidence/attachments. While the 3PAO makes the final determination on the security results in the SAR, the CSP should ensure the quality of the SAR and all other 3PAO deliverables.
Third Party Assessment Organizations (3PAOs)
Q: When developing a System Assessment Plan (SAP), how should a 3PAO select which controls to assess?
A: Guidance documents for selecting controls to include in the SAP can be found on the FedRAMP website. For Annual Assessments, as an example, the 3PAO should select core security controls, as well as other controls required by the CSP, all controls that haven’t been tested within the three-year cycle, and controls that were Plan of Action and Milestones (POA&M) items, involved with Deviation Requests, etc.
TIP: When developing the SAP, 3PAOs should review the controls listed in the closed POA&Ms as a basis for the selection of controls to assess. Then, instead of full testing of the control, simply assess the remediation actions/documentation associated with the closed POA&M to ensure the specific issue noted in that POA&M was addressed.
Read more about this week’s FedRAMP Tips and Cues here.