This week, FedRAMP published one tip and one Q&A for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: Avoid adding time to your authorization process by successfully completing the System Security Plan (SSP) review the first time! Here are some tips from the FedRAMP PMO on how to create a strong SSP.
- Submit a complete and well structured SSP.
- Dedicate enough resources – often one writer is not enough to complete the SSP, and you may have to allot additional resources and subject matter experts to complete it.
- Employ the four C’s of writing: Clear – straightforward, avoiding convoluted or overly long phrases; Concise – pack the most meaning into your words; Concrete – concrete writing is precise and detail-oriented; and Correct – correct grammar, mechanics, and format are baseline expectations for writing.
- Ensure the writer(s) have knowledge of the system, or can obtain the information from others, and are able to communicate it.
- Perform a quality review on the SSP.
Doing these things cannot guarantee a successful SSP review, but it will greatly enhance your chances.
Cloud Service Providers (CSPs)
Q: What is a security architecture diagram and what should it include?
A: A security architecture diagram is a component of the System Security Plan (SSP) that illustrates how technical security controls are implemented in the environment. It also articulates the overall security program strategy in alignment with the position and selection of security control implementations. A security architecture diagram MUST be a stand-alone document and address the requirements outlined in the control supplemental guidance in PL-8. It is not sufficient to reference other sections of the SSP or outside product guides.
Architectural and network diagrams must include all possible communication links between the CSP and Federal Agencies, as well as paths into the system boundary. If customers are not yet connecting directly, a CSP can identify all planned connection points in the SSP. The diagrams should be completed prior to writing implementation statements.
More Information
Read more about this week’s FedRAMP Tips and Cues here.