Blog
This week, FedRAMP published two tips about security controls and incident response plans: TIP: AC-2 and IA-2 are closely related. Every group, account, or role defined in AC-2 must be explicitly addressed in IA-2. AC-2 is used to define the groups, accounts, and roles, who may be assigned to one, and how they are managed...
This week, FedRAMP published questions and answers that discuss System Security Plans, and continuous monitoring: Q: A service previously documented in the System Security Plan (SSP) was renamed. How do we reflect the name change when we submit a Deviation Request (DR) for a vulnerability that affects the renamed service? A: Please provide a brief...
This week, FedRAMP published questions and answers that discuss FedRAMP documents, and points of contact: Q: What information does the FedRAMP PMO require for Contingency Plans and Incident Response Plans, and for testing them? A: You must use the Contingency Plan template from the Templates section of the FedRAMP website, at https://www.fedramp.gov/resources/templates-2016/. In Section 6,...
This week, FedRAMP published QA and a tip that discusses 3PAO templates and POA&Ms: Q: When does a 3PAO have to use a new FedRAMP template and why? A: The FedRAMP PMO office does not like to cause extra effort, but we do prefer that the latest templates be used where it makes sense and is feasible,...
This week, FedRAMP published QA and a tip that discusses POA&Ms and inventory: Q: What constitutes a unique finding for Plan of Actions & Milestones (POA&M) reporting and how should CSPs group related findings on the POA&M? A: The weakness identifier, asset identifier, and original detection date are elements that constitutes a new finding. If vulnerabilities are...
The process to obtain an Azure FedRAMP ATO is time consuming, manual, and paper-intensive. Until now! Introducing ATO as a Service™, an exclusive Software as a Service that automates FedRAMP processes, and shortens FedRAMP ATO timeframes for information systems hosted in the Azure Government Cloud. cFocus Software has partnered with Microsoft Corporation to develop the offering,...
This week, FedRAMP published a weekly tip that discusses the use of non-US persons support and updating SSP officials: TIP: A CSP using non-US persons to support their system is FedRAMP compliant, but will find their market limited among Federal agencies. Using non-US persons to support a FedRAMP system is a business decision the CSP must...
This week, FedRAMP published two tips that discuss Cloud Service Offering Assessments and the requirements for a security assessment report and readiness assessment report: TIP: What does a typical Third Party Assessment Organization (3PAO) Team performing a Cloud Service Offering (CSO) assessment look like according to FedRAMP? FedRAMP requires that all assessments must be staffed by an...
This week, FedRAMP published a weekly tip that discusses requirements for vulnerability scanning: Q: What are the FedRAMP requirements for vulnerability scanning? A: Vulnerability scanning must occur for Operating System (OS)/ infrastructure, databases, and web application components in the Cloud Service offering authorization boundary. The scanning parameters for the components must be defined in the Security...
This week, FedRAMP published a weekly tip that discusses email notifications and background checks on staff members. TIP: When submitting a RAR or an authorization package, be sure to send an email notification to info@fedramp.gov. Cloud Service Providers (CSPs), Partnering Agencies, and/or Third Party Assessment Organizations (3PAOs) must send an email notification to info@fedramp.gov to let...