Blog
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: For my JAB P-ATO package, who should I list as the FedRAMP POC in my SSP and other package documents? A: For the SSP main document (excluding operational documents) the FedRAMP POC should be info@fedramp.gov. For procedural docs that include interaction around...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: TLS version 1.1, or higher, must be fully implemented for both public-facing and internal interfaces by July 1, 2018, in accordance with the FedRAMP Transport Layer Security (TLS) Requirements. Control documentation should contain sufficient detail to describe TLS implementation for both public-facing and...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: If an optional feature in a CSP’s product affects the customer’s security responsibilities, these customer responsibilities need to be notated in the Customer Responsibility Matrix. In addition, the feature must be explicitly identified as being applicable for customers who purchase...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: The rationale for Risk Adjustment (RA) and Operational Requirement (OR) provided in deviation requests should be based exclusively on risk (e.g., description of the likelihood and/or impact if the vulnerability was exploited and why), not availability or priority of resources. For the...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: When submitting final documents, please also provide extracted versions of embedded documents. This will facilitate the preparation of the final package for customer review. Cloud Service Providers (CSPs) TIP: In the System Security Plan (SSP), control CA-3 (3) “CA-3, Control...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Before onboarding new services to your authorized cloud service, make sure that all applicable controls are within the previously authorized controls. Any service that introduces new controls to the environment or changes existing controls is considered a significant change and...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Agencies and CSPs are encouraged to adjust password complexity implementation for memorized secrets to align with NIST 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. FedRAMP Moderate and High controls IA-5 (g) and IA-5 (1) (a,d) are known to be more restrictive...
This week, FedRAMP published two Tips, one for Agencies and one for Third Party Assessment Organizations (3PAOs): Agencies TIP: During Continuous Monitoring, the Agency Authorizing Official (AO) is responsible for ensuring that the security posture of the cloud service their Agency is using continues to be acceptable. The responsibility for the AO (or his/her designated...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Effective July 1, 2018, CSPs must complete implementation of TLS version 1.1 for their Federal Agency customers. CSPs must ensure that federal customers are fully authenticated and compliant with TLS version 1.1 or higher (turning off TLS 1.0 and below). Cloud...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: Can we start the annual assessment early? A: Yes, you can start your annual assessment early as long as you submit your package before the anniversary date of your Provisional Authority to Operate (P-ATO). However, you should work with your Authorizing Official to...