Office 365 FedRAMP Compliance Articles

FedRAMP Weekly Tips – August 31 2017

This week, FedRAMP published two tips about security controls and incident response plans: TIP: AC-2 and IA-2 are closely related. Every group, account, or role defined in AC-2 must be explicitly addressed in IA-2. AC-2 is used to define the groups, accounts, and roles, who may be assigned to one, and how they are managed...

FedRAMP Weekly Tips – August 24 2017

This week, FedRAMP published questions and answers that discuss System Security Plans, and continuous monitoring: Q: A service previously documented in the System Security Plan (SSP) was renamed. How do we reflect the name change when we submit a Deviation Request (DR) for a vulnerability that affects the renamed service? A: Please provide a brief...

FedRAMP Weekly Tips – August 17 2017

This week, FedRAMP published questions and answers that discuss FedRAMP documents, and points of contact: Q: What information does the FedRAMP PMO require for Contingency Plans and Incident Response Plans, and for testing them? A: You must use the Contingency Plan template from the Templates section of the FedRAMP website, at https://www.fedramp.gov/resources/templates-2016/. In Section 6,...

What is ATO as a Service™ for Office 365?

The process to obtain a Office 365 FedRAMP ATO is time consuming, manual, and paper-intensive. Until now! Introducing ATO as a Service™, an exclusive Software as a Service that automates FedRAMP processes, and shortens FedRAMP ATO timeframes for Office 365 government subscriptions. cFocus Software has partnered with Microsoft Corporation to develop ATO as a Service™, allowing...

FedRAMP Weekly Tips – August 3 2017

This week, FedRAMP published QA and a tip that discusses POA&Ms and inventory: Q: What constitutes a unique finding for Plan of Actions & Milestones (POA&M) reporting and how should CSPs group related findings on the POA&M? A: The weakness identifier, asset identifier, and original detection date are elements that constitutes a new finding. If vulnerabilities are...

FedRAMP Weekly Tips – July 27 2017

This week, FedRAMP published a weekly tip that discusses the use of non-US persons support and updating SSP officials: TIP: A CSP using non-US persons to support their system is FedRAMP compliant, but will find their market limited among Federal agencies. Using non-US persons to support a FedRAMP system is a business decision the CSP must...

FedRAMP Weekly Tips – July 20 2017

This week, FedRAMP published two tips that discuss Cloud Service Offering Assessments and the requirements for a security assessment report and readiness assessment report: TIP: What does a typical Third Party Assessment Organization (3PAO) Team performing a Cloud Service Offering (CSO) assessment look like according to FedRAMP? FedRAMP requires that all assessments must be staffed by an...

FedRAMP Weekly Tips – July 13 2017

This week, FedRAMP published a weekly tip that discusses requirements for vulnerability scanning: Q: What are the FedRAMP requirements for vulnerability scanning? A: Vulnerability scanning must occur for Operating System (OS)/ infrastructure, databases, and web application components in the Cloud Service offering authorization boundary. The scanning parameters for the components must be defined in the Security...

FedRAMP Weekly Tips – July 6 2017

This week, FedRAMP published a weekly tip that discusses email notifications and background checks on staff members. TIP: When submitting a RAR or an authorization package, be sure to send an email notification to info@fedramp.gov. Cloud Service Providers (CSPs), Partnering Agencies, and/or Third Party Assessment Organizations (3PAOs) must send an email notification to info@fedramp.gov to let...