Blog
This week, FedRAMP published one Tip and one Q&A for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: CSP must prove to the Third Party Assessment Organization (3PAO) that Plan of Action and Milestones (POA&M) items are remediated as per the FedRAMP timeframe (Section 4.2.6 Configuration and Risk Management Item #10) High vulnerabilities are required to...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: Is the CSP responsible for ensuring the quality of the work performed by the Third Party Assessment Organization (3PAO)? A: While accredited 3PAOs perform security assessments of FedRAMP cloud services, the CSP is responsible for all 3PAO activities and deliverables related...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: A CSP is required to submit a Significant Change Request (SCR) when they intend to change their vulnerability scan tool. While the requirement for notification is a minimum of 30 days before implementing a significant change, in order to allow enough time...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: When possible, upload embedded documents as System Security Plan (SSP) attachments as an additional method for document retrieval. This is helpful for when embedded links are broken. For example, if a document is converted to PDF, embedded documents will no...
This week, FedRAMP published one Tip for Federal Agencies and one Tip for Cloud Service Providers(CSPs): Federal Agencies TIP: For a Cloud Service Offering (CSO) that is a combination of one authorization leveraging another (e.g. a SaaS leveraging a IaaS), Agency customers should assess the combined risk of the two systems Authorizing Officials should make...
This week, FedRAMP published two Q&A’s; one for for Cloud Service Providers(CSPs) and one for Agencies: Cloud Service Providers (CSPs) Q: Do the tools used for the penetration test need to be listed anywhere else besides in the Penetration Test Plan document? A: Yes, the tools used for the penetration test must also be listed in...
This week, FedRAMP published one tip and one Q&A for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Avoid adding time to your authorization process by successfully completing the System Security Plan (SSP) review the first time! Here are some tips from the FedRAMP PMO on how to create a strong SSP. Submit a complete and...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: When completing the Security Assessment Report (SAR), is it appropriate to assign the same values to tables F-1 and F-2 for the initial assessment? What about assigning the same values to ES-1, F-1, and F-2 for the annual assessment if there...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: Are there any alternative formats available to help facilitate reviews? Sometimes scan files are in a format that does not allow reviewers to do their analysis with common tools. A: For the Security Assessment Report (SAR), always provide scan...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: I received a request from a Federal Agency to review my system’s Provisional Authorization to Operate (P-ATO) letter, and I am concerned that sharing the letter will violate sensitivity policies. Is it appropriate to share an authorization letter...