Blog
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: All of the controls listed in the System Security Plan (SSP) Template do not apply to my system, so I only completed those that are applicable and left the...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: Why is it important to maintain consistency between the security control implementation statements and the technical diagrams in the System Security Plan (SSP)? A: The security control implementation statements...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs) Cloud Service Providers (CSPs) Q: The Agency I’m working with requires that their data be cryptographically protected. What requirements must I follow? A: Any system that handles Government data may be the target of...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs) and Important Stakeholder Information: Cloud Service Providers (CSPs) Q: Can a CSP mark a control as both “Implemented” and “Alternative Implemented” in the System Security Plan (SSP)? A: Usually not. If a control is fully implemented, then only the “Implemented” box is checked....
This week, FedRAMP published questions and answers, one for Cloud Service Providers (CSPs) and one for Thrid Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: If I am uploading an Agency-authorized cloud service package for review/approval by FedRAMP, how do I ensure I am uploading all the required documents? A: The FedRAMP Documentation Checklist (found on FedRAMP.gov...
This week, FedRAMP published two tips for Cloud Service Providers (CSPs): TIP: Deviation Requests (DR) should be written as stand-alone documents, telling the entire story of the need for the DR and how the DR is implemented. The Deviation Request is the mechanism used by the CSP to document and justify a deviation from full...
This week, FedRAMP published two tips for Cloud Service Providers (CSPs): TIP: In the “Description of Risk to the System” section of the Deviation Request, do NOT copy and paste the vulnerability description from the source. It is necessary to explain the vulnerability within the context of the system and the potential risk should a...
This week, FedRAMP published one tip for Cloud Service Providers (CSPs): TIP: When submitting the Annual Assessment (AA) package, the final Security Assessment Plan (SAP), Security Assessment Review (SAR), System Security Plan (SSP) and Plan of Action & Milestones (POA&M) documents must be submitted no later than the P-ATO anniversary date. CSP’s should plan carefully...
This week, FedRAMP published two tips about significant change requests and POA&M items: TIP: When submitting a Significant Change Request (SCR), always discuss the change with your reviewer prior to submitting the form. A CSP is often inclined to err on the side of caution and evaluate a change as significant when it may not...
Microsoft is a leader in FedRAMP certified services–as of September 2017, Microsoft offers 12 services in Azure (the commercial version) that are FedRAMP-certified at the Moderate Impact Level, and 32 services in Azure Government that are FedRAMP-certified at the High Impact Level. Additionally, Azure and Azure Government have both earned P-ATOs from the FedRAMP Joint...