This week, FedRAMP published two tips for Cloud Service Providers (CSPs):
TIP: Deviation Requests (DR) should be written as stand-alone documents, telling the entire story of the need for the DR and how the DR is implemented.
The Deviation Request is the mechanism a CSP uses to document and justify, to the Joint Authorization Board (JAB), a deviation from full remediation of a vulnerability under FedRAMP standards. A DR typically addresses one of a handful of circumstances for a vulnerability found in Continuous Monitoring: a Risk Adjustment of the vulnerability, a determination that the finding is a False Positive, an Operational Requirement, or a Vendor Dependency. Prepare a separate DR for each vulnerability, explaining the circumstance and supplying all the background information requested on the form, including the boundary context of the affected components, the justification for the request, supporting evidence, and time frames for resolution where appropriate. Each DR should be clear and complete, giving the JAB reviewer everything needed to reach a decision recommendation without further clarification or extensive research.
TIP: When submitting an email message (from Microsoft Outlook, Gmail, or any other messaging system) as evidence, capture it in a common format such as a Microsoft Word file or an Adobe PDF.
This avoids problems that arise when the reviewer's email system differs from the CSP's. The preferred approach is to avoid email altogether and use secure methods for transmitting and storing evidence.
Read more about this week’s tip on the FedRAMP website.