This week, FedRAMP published one tip for Cloud Service Providers (CSPs):
TIP: When submitting the Annual Assessment (AA) package, the final Security Assessment Plan (SAP), Security Assessment Review (SAR), System Security Plan (SSP) and Plan of Action & Milestones (POA&M) documents must be submitted no later than the P-ATO anniversary date.
CSP’s should plan carefully to ensure all documents are completed and submitted for the Annual Assessment no later than the P-ATO anniversary date. FedRAMP often receives partial packages (e.g. with only the SAP and SAR and not the SSP and POA&M). If FedRAMP does not receive a complete package (with documents in a final draft form) by the P-ATO anniversary date, the package is considered late and the CSP will be placed on a corrective action plan (CAP) in accordance with the FedRAMP P-ATO Management and Revocation Guide.
The POA&M provided must be updated to include the findings from the SAR. For the SSP provided, the NIST SP 800-53 controls in that SSP must be updated to match the status reflected in the SAR. The CSPs and 3PAO should allow for these POA&M and SSP update tasks in the annual assessment schedule.
Cloud Service Providers (CSPs)
Q: What is the first step to move from a moderate system to a high system?
A: Please visit the FedRAMP Templates page and find the “FedRAMP FIPS-199 Categorization Change Form Template” under the “Continuous Monitoring” section. Once the form is completed, send the form, along with the letter from an agency demonstrating demand, to firstname.lastname@example.org. Your JAB reviewer will then contact you regarding the request (with request for clarification, approval, or denial).
Read more about this week’s tip on the FedRAMP website.