This week, FedRAMP published two Tips for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: The rationale for Risk Adjustment (RA) and Operational Requirement (OR) provided in deviation requests should be based exclusively on risk (e.g., description of the likelihood and/or impact if the vulnerability was exploited and why), not availability or priority of resources.
For the purposes of the RA and OR deviation requests, the discussion should be based on security risk. Make every effort to detail the original risk score and the adjusted risk score, with a clear description of the mitigations that contribute to the downgrade, so that the remaining risk is understood.
Cloud Service Providers (CSPs)
TIP: FedRAMP will perform a completeness check of the Security Assessment Report (SAR).
This includes checking that all controls were assessed, all vulnerabilities are accounted for in the SAR, and all inventory items were scanned or assessed via alternate means. In order to prevent delays, ensure that:
- All scan vulnerability IDs are included in all SAR tables where they are reported. This typically includes tables 4-1, 5-1, 5-2, 5-3, and F-6.
- All control related findings have the control ID referenced in all SAR tables where they are reported. This typically includes tables 4-1, 5-1, 5-2, 5-3, and F-6.
- There is a result in the controls assessment workbook for every control that was selected for assessment in the previously approved Security Assessment Plan (SAP).
- Every control that hasn’t been satisfied in the controls assessment workbook is included in Table 4-1 with the control ID referenced.
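The four checklist items above are set-membership checks that a CSP or 3PAO can run over its own SAR data before submission. The following is an added example, not FedRAMP's tooling or template: it models the SAP control selection, the controls assessment workbook and the SAR finding tables as plain Python structures and reports each kind of gap. Table names follow the page; the row layout, the result wording ("Satisfied" / "Other Than Satisfied") and every sample value are constructed for illustration.

```python
"""SAR completeness pre-check over constructed sample data.

Added example (not FedRAMP's own tooling). It mirrors the four checklist
items from the FedRAMP tip: identifiers on every finding row, a workbook
result for every SAP control, and every unsatisfied control in Table 4-1.
Row layout and result wording are assumptions; sample values are constructed.
"""
from __future__ import annotations

# Constructed sample: controls selected for assessment in the approved SAP.
SAP_CONTROLS = {"AC-2", "AC-17", "CM-6", "SC-7", "SI-2"}

# Constructed sample: controls assessment workbook, control ID -> result.
# SC-7 is deliberately absent so the missing-result check fires.
WORKBOOK = {
    "AC-2": "Satisfied",
    "AC-17": "Other Than Satisfied",
    "CM-6": "Other Than Satisfied",
    "SI-2": "Satisfied",
}

# Constructed sample: SAR finding tables, table name -> finding rows.
# A scan finding must carry "vuln_id" (the scanner's finding ID); a
# control-related finding must carry "control_id". Gaps are planted:
# the CM-6 row has no control ID, and the 5-1 scan row has no vuln ID.
SAR_TABLES = {
    "4-1": [
        {"finding": "Unsupported OpenSSL build", "source": "scan", "vuln_id": "SCAN-1001"},
        {"finding": "Remote sessions not logged", "source": "control", "control_id": "AC-17"},
        {"finding": "Baseline drift on web tier", "source": "control", "control_id": ""},
    ],
    "5-1": [
        {"finding": "Unsupported OpenSSL build", "source": "scan", "vuln_id": ""},
    ],
    "F-6": [
        {"finding": "Unsupported OpenSSL build", "source": "scan", "vuln_id": "SCAN-1001"},
    ],
}


def findings_missing_ids(tables: dict[str, list[dict]]) -> list[tuple[str, str, str]]:
    """Items 1 and 2: every row names its vulnerability ID or control ID.

    Returns (table, finding, missing field) for each row lacking the ID
    appropriate to its source.
    """
    gaps = []
    for table, rows in tables.items():
        for row in rows:
            key = "vuln_id" if row["source"] == "scan" else "control_id"
            if not row.get(key, "").strip():
                gaps.append((table, row["finding"], key))
    return gaps


def controls_without_result(sap_controls: set[str], workbook: dict[str, str]) -> list[str]:
    """Item 3: every control selected in the SAP has a workbook result."""
    return sorted(c for c in sap_controls if c not in workbook)


def unsatisfied_controls_missing_from_4_1(workbook: dict[str, str],
                                          tables: dict[str, list[dict]]) -> list[str]:
    """Item 4: every control not satisfied in the workbook is in Table 4-1.

    A 4-1 row with a blank control ID does not count as referencing the
    control, so an item-2 gap surfaces here as well.
    """
    referenced = {row.get("control_id", "").strip()
                  for row in tables.get("4-1", []) if row["source"] == "control"}
    return sorted(c for c, result in workbook.items()
                  if result != "Satisfied" and c not in referenced)


def run_completeness_check(sap_controls: set[str], workbook: dict[str, str],
                           tables: dict[str, list[dict]]) -> dict:
    """Run all checks; an empty list for every key means no gaps found."""
    return {
        "rows_missing_ids": findings_missing_ids(tables),
        "controls_without_result": controls_without_result(sap_controls, workbook),
        "unsatisfied_not_in_4_1": unsatisfied_controls_missing_from_4_1(workbook, tables),
    }


if __name__ == "__main__":
    for check, gaps in run_completeness_check(SAP_CONTROLS, WORKBOOK, SAR_TABLES).items():
        status = "OK" if not gaps else f"{len(gaps)} gap(s)"
        print(f"{check:28s} {status}")
        for gap in gaps:
            print(f"    {gap}")
```

Run against the constructed sample, the report flags the blank vulnerability ID in Table 5-1, the blank control ID on the CM-6 row in Table 4-1, SC-7 as selected in the SAP but missing from the workbook, and CM-6 as an unsatisfied control with no control ID referenced in Table 4-1. Pointing the same functions at exported SAR tables and the workbook is a matter of loading them into the same row shape.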
More Information
Read more about this week's FedRAMP Tips and Cues here