This week, FedRAMP published two questions and answers, one for Cloud Service Providers (CSPs) and one for Third Party Assessment Organizations (3PAOs):
Cloud Service Providers (CSPs)
Q: Why is it important to maintain consistency between the security control implementation statements and the technical diagrams in the System Security Plan (SSP)?
A: The security control implementation statements provide a detailed explanation as to how compliance with NIST SP 800-53 and FedRAMP requirements is met. Generally, compliance is met with the implementation of technical components, policy/procedure, and other mechanisms. The Boundary, Network, and Data Flow diagrams provide a visual depiction of these components within the secure environment, so it’s very useful to reviewers to map control implementations to the specific components. Further, many controls are often satisfied with the implementation of the same components and are subject to security testing and Continuous Monitoring to assure effectiveness. It’s important, therefore, that the implementation statements and the diagrams are consistent and accurate.
Third Party Assessment Organizations (3PAOs)
Q: Should a Security Assessment Plan (SAP) be submitted if the inventory differs from the System Security Plan (SSP)?
A: At the time the SAP is submitted by the 3PAO, the SSP and SAP should reflect the same inventory. Post testing, if there are devices that are discovered and not disclosed within the SSP and/or SAP, the Security Assessment Report (SAR) must reflect a deviation from the SAP, and the SSP must be updated prior to authorization with the accurate inventory listing.
Read more about this week’s FedRAMP Tips and Cues here.