FedRAMP Weekly Tips – July 6 2017

This week, FedRAMP published a weekly tip that discusses email notifications and background checks on staff members.

TIP: When submitting a RAR or an authorization package, be sure to send an email notification to info@fedramp.gov.

Cloud Service Providers (CSPs), Partnering Agencies, and/or Third Party Assessment Organizations (3PAOs) must send an email notification to info@fedramp.gov to let the FedRAMP PMO know exactly when an Agency FedRAMP Package or a Readiness Assessment Report (RAR) is posted to OMB MAX. Because both the RAR and the CSP package culminate in the Security Assessment Report (SAR) and the 3PAO recommendation to the Authorizing Official (AO) concerning the risk posture and/or authorization of the system, it is ideal if the 3PAO uploads the documentation. This email notification starts the process of getting the Cloud Service Offering (CSO) Package into the FedRAMP process, or at the least getting the AO Memo posted to the website. The OMB MAX facilitator will set up the CSO package skeleton on MAX into which the package is uploaded. Other encryption policies apply if the CSO is a High Baseline package.

Please be advised that OMB MAX submissions do not generate an automatic notification to the FedRAMP PMO at this time. If a RAR or authorization package is submitted but the PMO is not made aware of the submission, the review will be delayed.

Q: Are CSPs required to perform background checks on staff members?

A: Yes. Personnel Security (PS) control PS-3, Personnel Screening, is required for all FedRAMP-defined baselines (High, Moderate, Low, and FedRAMP Tailored). Specifically, the control requirement is that the organization:

(a) Screens individuals prior to authorizing access to the information system; and

(b) Rescreens individuals for national security clearances – a reinvestigation is required during the 5th year for top secret security clearance; the 10th year for secret security clearance; and the 15th year for confidential security clearance. Additionally, for moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.

The objective/intent of part (a) of this PS-3 control is to ensure that the CSP elaborates upon what type of personnel screening is accomplished before the personnel are allowed system access. The CSP must be aware that, when contracting with the Federal Government, it is at the discretion of the partnering Agency to determine what level of personnel screening must be accomplished. Since the CSP is contracting and acting on behalf of the Agency, the CSP is required to follow the Agency requirements for suitability to perform services on behalf of the Agency.

Further, for FedRAMP Moderate and High baseline systems, under PS-3(3) Personnel Screening | Information With Special Protection Measures, the control requirement is that the organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:

(a) Have valid access authorizations that are demonstrated by assigned official government duties; and

(b) Satisfy personnel screening criteria – as required by specific information.

NIST Supplemental Guidance:

Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements.

