This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: Are there any alternative formats available to help facilitate reviews? Sometimes scan files are in a format that does not allow reviewers to do their analysis with common tools.
A: For the Security Assessment Report (SAR), always provide scan file outputs in a “machine-readable” format that permits analysis using common tools. For example, XML files can be formatted into something that is Microsoft Excel compatible in the following way (Applies to: Excel 2016, Excel 2013):
- On the Data tab, click From Other Sources > From XML Import.
- Browse to your XML file, and click Open.
- If the XML file doesn’t refer to a schema, Excel offers to create a schema for you.
- Click OK.
- Choose where you want to import the data.
Additionally, files can be provided in a “.CSV” format that opens directly into Excel.
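For scan tools that only emit XML, the CSV route in the answer above can be scripted. This is an added example, not FedRAMP's or any scanner vendor's code, and the element and attribute names (`scan`, `host`, `finding`, `title`, `output`) are assumptions standing in for a real tool's schema. Because the file opens directly in Excel, it also marks cells that begin with a formula character as text, so scanner-captured strings are not evaluated on the reviewer's machine.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample; the schema is an assumption, not a real scanner's format.
SAMPLE_XML = """<scan>
  <host ip="10.0.0.5">
    <finding id="F-001" severity="High">
      <title>Outdated TLS configuration</title>
      <output>=SUM(1,1) text echoed from a service banner</output>
    </finding>
    <finding id="F-002" severity="Low">
      <title>Verbose server banner</title>
      <output>Server: example/1.0, build "7"</output>
    </finding>
  </host>
</scan>"""

FIELDS = ["host", "finding_id", "severity", "title", "output"]
FORMULA_LEAD = ("=", "+", "-", "@", "\t", "\r")


def safe_cell(value):
    """Prefix an apostrophe so Excel shows formula-like scanner text as plain text."""
    text = value or ""
    return "'" + text if text.startswith(FORMULA_LEAD) else text


def scan_xml_to_csv(xml_text):
    """Flatten each <finding> into one CSV row, carrying the parent host's address."""
    root = ET.fromstring(xml_text)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for host in root.iter("host"):
        for finding in host.iter("finding"):
            writer.writerow({
                "host": safe_cell(host.get("ip")),
                "finding_id": safe_cell(finding.get("id")),
                "severity": safe_cell(finding.get("severity")),
                "title": safe_cell(finding.findtext("title")),
                "output": safe_cell(finding.findtext("output")),
            })
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_xml_to_csv(SAMPLE_XML), end="")
```

Keep the original XML in the package alongside the CSV so reviewers can compare the flattened rows against the tool's raw output.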
Q: Can the Security Assessment Plan (SAP) and/or the Security Assessment Report (SAR) templates be modified?
A: The SAP and/or the SAR template can be modified to add content, but content cannot be removed from the template. So you will be able to add information to help bolster security packages, but you cannot eliminate parts or portions of the templates.