This week, FedRAMP published one Tip and one Q&A for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: When submitting a Security Assessment Report (SAR) package to your 3PAO, a few simple quality checks will help ensure a timely review:
- Ensure the SAR Template text is unchanged, except for the removal of instructional text.
- Run a quick spell-check of the document.
- Check that the math in the Risk tables adds up within each table and is consistent across the various tables of the SAR.
- Ensure all findings are addressed. Table ES-1 must be consistent with Table 4-1 and the tables in Section 5 and with the text in Section 7.
- Make sure all tables are fully populated with meaningful information.
- Check that all attachments are included and can be opened.
- Ensure that scan data is provided in the appropriate machine-readable format.
As a reminder, the SAP and SAR must be submitted to the FedRAMP PMO by the 3PAO, not the CSP.
Cloud Service Providers (CSPs)
Q: Can the FedRAMP PMO share a Cloud Service Provider’s (CSP) System Security Plan (SSP) with me?
A: SSPs are the intellectual property of the CSP. FedRAMP is only authorized to share an SSP with US Federal Agencies or contractors acting on behalf of Federal Agencies in pursuit of an Authority to Operate (ATO). If you meet this requirement, please fill out the FedRAMP Package Access Request Form.
Otherwise, you may send your request directly to the CSP, which may or may not share its SSP with non-Agency customers at its sole discretion. Also, consider that the CSP may have other security documentation to share with non-Agency customers (e.g., ISO 27001 or SOC 2 Type II audit reports).
More Information
Read more about this week’s FedRAMP Tips and Cues here.