Blog
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: Do the FedRAMP security controls restrict data to reside only within the United States? A:There are no FedRAMP requirements restricting data to within the United States. There are multiple security controls that detail where data is stored, what the boundary...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Using a graphic to depict a security authorization boundary is crucial for an assessor to fully understand the security enclave that is being addressed by the CSP. The Boundary Diagram is essential in that it provides a depiction and understanding...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: How can the CSP access the redline version of the New FedRAMP SSP template? A: Please email info@fedramp.gov to request the redlined version of the New SSP templates. We will send you zip file with all of the SSPs (including the LI-SaaS...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: Do single-tenant cloud offerings have to comply with FedRAMP, or can an agency issue a FISMA authorization? A: This should be vetted with the sponsoring government agency. For private (single tenant) clouds, agencies have the final say on authorization; however, FedRAMP...
This week, FedRAMP published one Tip for Federal Agencies and one Q&A for Cloud Service Providers(CSPs): Federal Agencies TIP: During Continuous Monitoring, the Agency Authorizing Official (AO) is responsible for ensuring that the security posture of the cloud service their Agency is using continues to be acceptable. The responsibility for the AO (or his/her designated...
This week, FedRAMP published one Q&A and one Tip for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Question: Does a CSP need to submit an Significant Change Request (SCR) for a system name change? Answer: CSPs are not required to submit an SCR for a system name change. However, CSPs are required to notify the FedRAMP...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Submitting an Operational Requirement Deviation Request (DR) is typically acceptable when updating the host would break FIPS compliance. However, it is critical that CSPs continuously re-evaluate FIPS certification to determine when updates become FIPS compliant. Consequently, the Operational Requirements would no...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Tip: Boundaries for FedRAMP Cloud Service Offerings (CSOs) must have established demarcation points. This means that entry and exit points must be limited, centralized, and well controlled and applies even for a Platform as a Service (PaaS). Cloud Service Providers (CSPs)...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: When is the distinction between an Operational Requirement (OR) and a Vendor Dependency (VD)? A: An OR is a weakness that has a fix available but the fix cannot be applied without impacting the full operation of the system. A VD...
This week, FedRAMP published two tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: To access the document that lists all of the cryptographic modules that have been submitted for evaluation and are currently in process, please visit: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html The title of the document is “Cryptographic Module Validation Program FIPS 140-2 Modules In Process List“...