This week, FedRAMP published a weekly tip that discusses CSP transfers of ownership and ISSO assignments for a JAB P-ATO:
Q: Is there an established process for what is supposed to occur when ownership of an authorized service transfers from one Cloud Service Provider (CSP) to another?
A: If there were NO changes to the service, NO change to the security posture, NO change to the risk management strategy of the overall organization, and it was simply a name change, then the process could be as easy as notifying the Authorizing Official(s) of the name change. This could be addressed as an administrative change based upon the AO determination. The CSP should notify FedRAMP also, of the change. The Cloud Service Offering authorization package documentation should be changed as well to reflect the ownership change.
More often than not, when services change owners, organizational policies and procedures change which changes the security posture and the risk management strategy of the system. Changes like this are significant and must be documented appropriately. If that is the case, the CSP should account for and make associated updates to the CSO package as early as possible. The changes must be clearly documented and submitted to the AO for review and approval.
Of course, the CSP and involved Agencies will need to facilitate contractual changes to reflect the change of ownership.
Q: Does FedRAMP still assign Information System Security Officers (ISSOs) to each Cloud Service Provider (CSP) that is engaged in the Joint Authorization Board provisional authorization process?
A: FedRAMP no longer has FedRAMP ISSOs assigned to each CSP. Now, each CSP has a direct relationship with a primary and secondary Joint Authorization Board (JAB) Reviewer. Each CSP should ensure that the SSP documentation, when referring to designated contacts, is changed (for example, changing “FedRAMP ISSO” to “Primary JAB Reviewer” and “Secondary JAB Reviewer”).
Please note that in the recent past, the “JAB Reviewer” was called the “JAB Technical Review-Reviewer.” Since the FedRAMP JAB Provisional Authorization adjustments, and the shifting of the responsibilities, the JAB Technical Review-Reviewer is now called the “JAB Reviewer”.
Read more about this week’s FedRAMP’s Tip and cues here.