Blog
This week, FedRAMP published one Q&A for Agencies and one Tip for Cloud Service Providers(CSPs): Agencies Q: What happens during an Agency Authorization kick-off meeting with the FedRAMP PMO? A: As described in the Agency Authorization Playbook, the FedRAMP PMO considers a kick-off meeting to be an integral step of the authorization process. Kick-off meetings provide the...
This week, FedRAMP published two Q&A’s; one for Agencies and one for Cloud Service Providers(CSPs): Agencies Q: How can my Agency support Cloud Service Providers (CSPs) that need to demonstrate federal demand as part of FedRAMP Connect? A: FedRAMP Connect was developed to ensure that CSPs that are prioritized to pursue a Joint Authorization Board...
This week, FedRAMP published two Q&A’s; one for Agencies and one for Cloud Service Providers(CSPs): Agencies Q: My Agency is pursuing an authorization for a Software-as-a-Service (SaaS) solution. Does the underlying layer of the system stack also need to be authorized? A: The “system stack” generally refers to the layers of services in the data...
This week, FedRAMP published two Q&A’s; one for for Cloud Service Providers(CSPs) and one for Agencies: Cloud Service Providers (CSPs) Q: Do the tools used for the penetration test need to be listed anywhere else besides in the Penetration Test Plan document? A: Yes, the tools used for the penetration test must also be listed in...
This week, FedRAMP published one tip and one Q&A for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Avoid adding time to your authorization process by successfully completing the System Security Plan (SSP) review the first time! Here are some tips from the FedRAMP PMO on how to create a strong SSP. Submit a complete and...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: When completing the Security Assessment Report (SAR), is it appropriate to assign the same values to tables F-1 and F-2 for the initial assessment? What about assigning the same values to ES-1, F-1, and F-2 for the annual assessment if there...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: Are there any alternative formats available to help facilitate reviews? Sometimes scan files are in a format that does not allow reviewers to do their analysis with common tools. A: For the Security Assessment Report (SAR), always provide scan...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: I received a request from a Federal Agency to review my system’s Provisional Authorization to Operate (P-ATO) letter, and I am concerned that sharing the letter will violate sensitivity policies. Is it appropriate to share an authorization letter...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: In the updated Continuous Monitoring Strategy Guide, I noticed there is now a defined “due date” for low vulnerabilities. Does my service offering have to implement that immediately? A: The FedRAMP Continuous Monitoring Strategy Guide now requires low vulnerabilities to be remediated/mitigated...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: Would a cloud service require a FedRAMP authorization if it already has a FISMA ATO? If so, can you reference the specific language in the requirement? A: While FISMA and FedRAMP authorizations are similar, FedRAMP authorizations involve extra requirements...