Blog
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: In the updated Continuous Monitoring Strategy Guide, I noticed there is now a defined “due date” for low vulnerabilities. Does my service offering have to implement that immediately? A: The FedRAMP Continuous Monitoring Strategy Guide now requires low vulnerabilities to be remediated/mitigated...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: Would a cloud service require a FedRAMP authorization if it already has a FISMA ATO? If so, can you reference the specific language in the requirement? A: While FISMA and FedRAMP authorizations are similar, FedRAMP authorizations involve extra requirements...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: Do the FedRAMP security controls restrict data to reside only within the United States? A: There are no FedRAMP requirements restricting data to within the United States. There are multiple security controls that detail where data is stored, what...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: The effort and/or costs are too great to remediate a vulnerability within the required time period. Is it acceptable to submit a risk adjustment in this situation? A: Generally, level of effort and/or cost of implementing a remediation...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: What is the relationship between continuous monitoring and continuous diagnostics & mitigation (CDM) and ongoing authorization? A: The FedRAMP and CDM monitoring requirements are both based on NIST Special Publication 800-137 guidance for implementing an Information Security Continuous Monitoring...
This week, FedRAMP published two question and answers for Cloud Service Providers ( CSPs): Cloud Service Providers (CSPs) Q: What is the purpose of an Information System Contingency Plan (ISCP)? A: Each CSP must develop and maintain contingency plans to address operational disruptions. The contingency plan (and test results) provides management with an evaluation of the...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assessment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: How should a CSP address platform scope within the System Security Plan (SSP)? A: There are multiple platforms/platform groups in a system as identified by the inventory. A platform has...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: I referenced a document in my System Security Plan (SSP), but did not provide the referenced document because it contains proprietary or sensitive information. How will this affect my...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: What are the roles and responsibilities of the third party assessment organization (3PAO) and the cloud service provider (CSP) during the assessment? A: While FedRAMP certifies 3PAOs to perform security...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: How do policies and procedures differ from the System Security Plan (SSP)? A: Policies and procedures are a critical supplement to the SSP and are required by the first control...