Blog
This week, FedRAMP published one Tip for Federal Agencies and one Q&A for Cloud Service Providers(CSPs): Federal Agencies TIP: During Continuous Monitoring, the Agency Authorizing Official (AO) is responsible for ensuring that the security posture of the cloud service their Agency is using continues to be acceptable. The responsibility for the AO (or his/her designated...
This week, FedRAMP published one Q&A and one Tip for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Question: Does a CSP need to submit an Significant Change Request (SCR) for a system name change? Answer: CSPs are not required to submit an SCR for a system name change. However, CSPs are required to notify the FedRAMP...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Submitting an Operational Requirement Deviation Request (DR) is typically acceptable when updating the host would break FIPS compliance. However, it is critical that CSPs continuously re-evaluate FIPS certification to determine when updates become FIPS compliant. Consequently, the Operational Requirements would no...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: A CSP is required to submit a Significant Change Request (SCR) when they intend to change their vulnerability scan tool. While the requirement for notification is a minimum of 30 days before implementing a significant change, in order to allow enough time...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: When possible, upload embedded documents as System Security Plan (SSP) attachments as an additional method for document retrieval. This is helpful for when embedded links are broken. For example, if a document is converted to PDF, embedded documents will no...
This week, FedRAMP published one Tip for Federal Agencies and one Tip for Cloud Service Providers(CSPs): Federal Agencies TIP: For a Cloud Service Offering (CSO) that is a combination of one authorization leveraging another (e.g. a SaaS leveraging a IaaS), Agency customers should assess the combined risk of the two systems Authorizing Officials should make...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Tip: Boundaries for FedRAMP Cloud Service Offerings (CSOs) must have established demarcation points. This means that entry and exit points must be limited, centralized, and well controlled and applies even for a Platform as a Service (PaaS). Cloud Service Providers (CSPs)...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: When is the distinction between an Operational Requirement (OR) and a Vendor Dependency (VD)? A: An OR is a weakness that has a fix available but the fix cannot be applied without impacting the full operation of the system. A VD...
This week, FedRAMP published two tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: To access the document that lists all of the cryptographic modules that have been submitted for evaluation and are currently in process, please visit: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html The title of the document is “Cryptographic Module Validation Program FIPS 140-2 Modules In Process List“...
This week, FedRAMP published two tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: In Table 4-1 of the SAR, please ensure that the columns, “Risk Statement” and “Mitigating Controls/Factors” contain the following information: Risk Statement: Provide a risk statement that describes the risk to the business. Indicate whether the affected host(s) is/are internally or...