Office 365 FedRAMP Compliance Articles

FedRAMP Weekly Tips – August 3 2017

This week, FedRAMP published a Q&A and a tip that discuss POA&Ms and inventory: Q: What constitutes a unique finding for Plan of Actions & Milestones (POA&M) reporting and how should CSPs group related findings on the POA&M? A: The weakness identifier, asset identifier, and original detection date are the elements that constitute a new finding. If vulnerabilities are...

FedRAMP Weekly Tips – July 27 2017

This week, FedRAMP published a weekly tip that discusses the use of non-US persons for system support and updating SSP officials: TIP: A CSP using non-US persons to support their system is FedRAMP compliant, but will find their market limited among Federal agencies. Using non-US persons to support a FedRAMP system is a business decision the CSP must...

FedRAMP Weekly Tips – July 20 2017

This week, FedRAMP published two tips that discuss Cloud Service Offering Assessments and the requirements for a security assessment report and readiness assessment report: TIP: What does a typical Third Party Assessment Organization (3PAO) Team performing a Cloud Service Offering (CSO) assessment look like according to FedRAMP? FedRAMP requires that all assessments must be staffed by an...

FedRAMP Weekly Tips – July 13 2017

This week, FedRAMP published a weekly tip that discusses requirements for vulnerability scanning: Q: What are the FedRAMP requirements for vulnerability scanning? A: Vulnerability scanning must occur for Operating System (OS)/infrastructure, database, and web application components in the Cloud Service Offering authorization boundary. The scanning parameters for the components must be defined in the Security...

FedRAMP Weekly Tips – July 6 2017

This week, FedRAMP published a weekly tip that discusses email notifications and background checks on staff members: TIP: When submitting a RAR or an authorization package, be sure to send an email notification to info@fedramp.gov. Cloud Service Providers (CSPs), Partnering Agencies, and/or Third Party Assessment Organizations (3PAOs) must send an email notification to info@fedramp.gov to let...

FedRAMP Weekly Tips – June 29 2017

This week, FedRAMP published a weekly tip that discusses POA&Ms and the timeliness of testing evidence: Q: What purpose does the Plan of Action & Milestones (POA&M) document serve? A: The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP's risk mitigation strategy. The POA&Ms include...

FedRAMP Weekly Tips – June 22 2017

This week, FedRAMP published a weekly tip that discusses CSP transfers of ownership and ISSO assignments for a JAB P-ATO: Q: Is there an established process for what is supposed to occur when ownership of an authorized service transfers from one Cloud Service Provider (CSP) to another? A: If there were NO changes to the...

FedRAMP Weekly Tips – June 15 2017

This week, FedRAMP published a weekly tip that addresses Incident Response Plans and Security Assessment Reports: Q: Does FedRAMP provide a template for an Incident Response Plan? A: Security Control IR-8 requires CSPs to develop an Incident Response Plan (IRP). The IRP is a required document within security authorization packages. FedRAMP does not provide a...