Blog
This week, FedRAMP published a weekly tip that discusses POA&Ms and testing evidence timeliness. Q: What purpose does the Plan of Action & Milestones (POA&M) document serve? A: The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP’s risk mitigation strategy. The POA&Ms include...
This week, FedRAMP published a weekly tip that discusses CSP transfers of ownership and ISSO assignments for a JAB P-ATO: Q: Is there an established process for what is supposed to occur when ownership of an authorized service transfers from one Cloud Service Provider (CSP) to another? A: If there were NO changes to the...
This week, FedRAMP published a weekly tip that addresses Incident Response Plans and Security Assessment Reports: Q: Does FedRAMP provide a template for an Incident Response Plan? A: Security Control IR-8 requires CSPs to develop an Incident Response Plan (IRP). The IRP is a required document within security authorization packages. FedRAMP does not provide a...
Let’s face it—FedRAMP is a tough nut to crack! There is so much to the process and so much at stake when it comes to managing the risk of your information systems in the cloud. So let’s start with the basics–this Azure FedRAMP compliance FAQ gives you a plain-English primer on FedRAMP, Azure Commercial, Azure...