This week, FedRAMP published two Q&A's for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: When completing the Security Assessment Report (SAR), is it appropriate to assign the same values to tables F-1 and F-2 for the initial assessment? What about assigning the same values to ES-1, F-1, and F-2 for the annual assessment if there were POA&Ms at the start of the annual assessment?
A: For the initial assessment, it is appropriate to assign the same values to tables F-1 and F-2. For the annual assessment, SAR tables ES-1, F-1, and F-2 should have the same values as well. All three tables account for all system risks. Because FedRAMP guidance requires that the 3PAO assess all POA&Ms for the annual assessment, the POA&M risks are also included in those tables for the annual assessment. In summary, the tables account for all system risks reported in:
- POA&Ms (if any exist at the start of the annual assessment)
- Vulnerability scans
- NIST 800-53 controls assessment
- Penetration testing
- Other assessment activities performed for either the initial or annual assessment
Cloud Service Providers (CSPs)
Q: Is the CSP responsible for ensuring the quality of the work performed by the Third Party Assessment Organization (3PAO)?
A: While accredited 3PAOs perform security assessments of FedRAMP cloud services, the CSP is responsible for all 3PAO activities and deliverables related to the assessment of their cloud offering. The CSP manages and oversees these activities accordingly.
Exceptions are delivery of the Security Assessment Plan (SAP), Security Assessment Report (SAR), and the SAR results. In order to maintain the integrity and independence of these documents, they must be provided to the PMO directly from the 3PAO. While the 3PAO makes the final determination on the security results in the SAR, the CSP should ensure the quality of the SAR and all 3PAO deliverables provided to FedRAMP.
More Information
Read more about this week's FedRAMP Tips and Cues here.