FedRAMP Weekly Tips – September 20, 2017

This week, FedRAMP published one tip for Cloud Service Providers (CSPs):

TIP: When submitting the Annual Assessment (AA) package, the final Security Assessment Plan (SAP), Security Assessment Review (SAR), System Security Plan (SSP) and Plan of Action & Milestones (POA&M) documents must be submitted no later than the P-ATO anniversary date.

CSPs should plan carefully to ensure all documents are completed and submitted for the Annual Assessment no later than the P-ATO anniversary date. FedRAMP often receives partial packages (e.g., with only the SAP and SAR and not the SSP and POA&M). If FedRAMP does not receive a complete package (with documents in final draft form) by the P-ATO anniversary date, the package is considered late and the CSP will be placed on a corrective action plan (CAP) in accordance with the FedRAMP P-ATO Management and Revocation Guide.

The POA&M provided must be updated to include the findings from the SAR. For the SSP provided, the NIST SP 800-53 controls in that SSP must be updated to match the status reflected in the SAR. CSPs and their 3PAOs should allow time for these POA&M and SSP update tasks in the annual assessment schedule.

Cloud Service Providers (CSPs)

Q: What is the first step to move from a moderate system to a high system?

A: Please visit the FedRAMP Templates page and find the “FedRAMP FIPS-199 Categorization Change Form Template” under the “Continuous Monitoring” section. Once the form is completed, send it, along with the letter from an agency demonstrating demand, to info@fedramp.gov. Your JAB reviewer will then contact you regarding the request (with a request for clarification, an approval, or a denial).

More Information

Read more about this week’s tip on the FedRAMP website.