Blog
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: Is the CSP responsible for ensuring the quality of the work performed by the Third Party Assessment Organization (3PAO)? A: While accredited 3PAOs perform security assessments of FedRAMP cloud services, the CSP is responsible for all 3PAO activities and deliverables related...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: Do single-tenant cloud offerings have to comply with FedRAMP, or can an agency issue a FISMA authorization? A: This should be vetted with the sponsoring government agency. For private (single tenant) clouds, agencies have the final say on authorization; however, FedRAMP...
This week, FedRAMP published one Tip for Federal Agencies and one Q&A for Cloud Service Providers(CSPs): Federal Agencies TIP: During Continuous Monitoring, the Agency Authorizing Official (AO) is responsible for ensuring that the security posture of the cloud service their Agency is using continues to be acceptable. The responsibility for the AO (or his/her designated...
This week, FedRAMP published one Q&A and one Tip for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Question: Does a CSP need to submit an Significant Change Request (SCR) for a system name change? Answer: CSPs are not required to submit an SCR for a system name change. However, CSPs are required to notify the FedRAMP...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Submitting an Operational Requirement Deviation Request (DR) is typically acceptable when updating the host would break FIPS compliance. However, it is critical that CSPs continuously re-evaluate FIPS certification to determine when updates become FIPS compliant. Consequently, the Operational Requirements would no...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: A CSP is required to submit a Significant Change Request (SCR) when they intend to change their vulnerability scan tool. While the requirement for notification is a minimum of 30 days before implementing a significant change, in order to allow enough time...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: When possible, upload embedded documents as System Security Plan (SSP) attachments as an additional method for document retrieval. This is helpful for when embedded links are broken. For example, if a document is converted to PDF, embedded documents will no...
This week, FedRAMP published one Tip for Federal Agencies and one Tip for Cloud Service Providers(CSPs): Federal Agencies TIP: For a Cloud Service Offering (CSO) that is a combination of one authorization leveraging another (e.g. a SaaS leveraging a IaaS), Agency customers should assess the combined risk of the two systems Authorizing Officials should make...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Tip: Boundaries for FedRAMP Cloud Service Offerings (CSOs) must have established demarcation points. This means that entry and exit points must be limited, centralized, and well controlled and applies even for a Platform as a Service (PaaS). Cloud Service Providers (CSPs)...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: When is the distinction between an Operational Requirement (OR) and a Vendor Dependency (VD)? A: An OR is a weakness that has a fix available but the fix cannot be applied without impacting the full operation of the system. A VD...