This week, FedRAMP published two Q&As for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: Do the FedRAMP security controls restrict data to reside only within the United States?
A: There are no FedRAMP requirements restricting data to within the United States. There are multiple security controls that detail where data is stored, what the boundary of the system is, and where and how data in transit is protected. We have some providers that are authorized through FedRAMP that are located globally, although a majority of service providers do restrict their data to the United States. It is up to each individual Agency and Authorizing Official to place restrictions, if needed, on data location. Cloud service providers should work with current and potential customers to determine data location requirements.
Cloud Service Providers (CSPs)
Q: How can an Agency ensure it maintains reasonable investigation capabilities, auditability, and traceability of data within the cloud?
A: Agencies can ensure they maintain reasonable investigation capabilities, auditability, and traceability of data by logging and monitoring the following application events:
- Management of network connections
- Addition or removal of users
- Management of changes to privileges
- Assignment of users to tokens
- Addition or removal of tokens
- Management of system administrative privileges access
- Actions by users with administrative privileges
- Use of data encrypting keys
- Management of key changes
- Creation and removal of system level objects
- Import and export of data, including screen based reports
- Submission of user-generated content, especially file uploads
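The list above says which application events to log, but the practical check an Agency or CSP needs is whether the log stream actually covers every category and whether each record carries enough fields (who, what, when, outcome) to support an investigation. The following is an added example, not FedRAMP material or any CSP's code: it maps a hypothetical set of event_type values onto the categories from the answer, parses a constructed batch of JSON-lines audit records, skips malformed or incomplete records, and reports which categories have no evidence. The event_type names, field names and sample records are all assumptions made for this example.

```python
import json
from collections import Counter

# Each FedRAMP event category from the answer above, keyed to the event_type
# values our hypothetical audit pipeline emits. These type names are
# assumptions for this example, not a FedRAMP or vendor schema.
REQUIRED_CATEGORIES = {
    "network_connection_management": {"net.conn.open", "net.conn.close", "net.rule.change"},
    "user_add_remove": {"user.create", "user.delete"},
    "privilege_change": {"user.role.grant", "user.role.revoke"},
    "token_assignment": {"token.assign"},
    "token_add_remove": {"token.issue", "token.revoke"},
    "admin_privilege_management": {"admin.grant", "admin.revoke"},
    "admin_actions": {"admin.action"},
    "encryption_key_use": {"key.use"},
    "key_change_management": {"key.create", "key.rotate", "key.destroy"},
    "system_object_lifecycle": {"sysobj.create", "sysobj.delete"},
    "data_import_export": {"data.import", "data.export", "report.render"},
    "user_content_submission": {"content.submit", "file.upload"},
}

# Fields a record must carry to be traceable: when, who, what, and the result.
# A record missing any of these cannot support an investigation, so it is
# flagged and does not count as coverage. Field names are assumptions.
REQUIRED_FIELDS = ("ts", "actor", "event_type", "outcome")

# Reverse index: event_type -> category, built once from REQUIRED_CATEGORIES.
EVENT_TO_CATEGORY = {
    etype: cat for cat, etypes in REQUIRED_CATEGORIES.items() for etype in etypes
}

# Constructed sample audit log (JSON lines). It deliberately contains one
# malformed line, one record without an actor, and one event type that no
# category claims, so the report has something to flag.
SAMPLE_LOG = """
{"ts":"2024-01-15T10:00:00Z","actor":"alice","event_type":"user.create","target":"bob","outcome":"success"}
{"ts":"2024-01-15T10:01:00Z","actor":"alice","event_type":"user.role.grant","target":"bob","outcome":"success"}
{"ts":"2024-01-15T10:02:00Z","actor":"bob","event_type":"file.upload","target":"report.xlsx","outcome":"success"}
{"ts":"2024-01-15T10:03:00Z","actor":"svc-kms","event_type":"key.use","target":"key-42","outcome":"success"}
{"ts":"2024-01-15T10:04:00Z","actor":"alice","event_type":"admin.action","target":"config","outcome":"success"}
{"ts":"2024-01-15T10:05:00Z","actor":"bob","event_type":"data.export","target":"customers.csv","outcome":"success"}
{"ts":"2024-01-15T10:06:00Z","actor":"alice","event_type":"net.rule.change","target":"sg-1","outcome":"success"}
{"ts":"2024-01-15T10:07:00Z","actor":"alice","event_type":"login","target":"-","outcome":"success"}
{"ts":"2024-01-15T10:08:00Z","actor":"bob","event_type":"key.rotate","outcome":"success"}
this line is not JSON and should be counted as malformed
{"ts":"2024-01-15T10:09:00Z","event_type":"token.issue","target":"bob","outcome":"success"}
"""


def audit_coverage(log_text):
    """Parse JSON-lines audit records and report coverage of the required categories.

    Returns a dict with per-category counts, the categories that have no
    evidence, event types that map to no category, and the number of
    malformed and incomplete (untraceable) records.
    """
    counts = Counter()
    unmapped = Counter()
    malformed = 0
    incomplete = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        # A record that cannot answer who/what/when/result is not usable evidence.
        if not isinstance(event, dict) or any(not event.get(f) for f in REQUIRED_FIELDS):
            incomplete += 1
            continue
        category = EVENT_TO_CATEGORY.get(event["event_type"])
        if category is None:
            unmapped[event["event_type"]] += 1
            continue
        counts[category] += 1
    missing = sorted(c for c in REQUIRED_CATEGORIES if counts[c] == 0)
    return {
        "counts": dict(counts),
        "missing": missing,
        "unmapped": dict(unmapped),
        "malformed": malformed,
        "incomplete": incomplete,
    }


if __name__ == "__main__":
    report = audit_coverage(SAMPLE_LOG)
    print("Categories with no evidence:", report["missing"])
    print("Event types mapped to no category:", report["unmapped"])
    print("Malformed records:", report["malformed"], "Incomplete records:", report["incomplete"])
```

Run against the constructed sample, the report shows four categories with no evidence (the token lifecycle, administrative-privilege management and system-object categories), one event type nobody has classified, and one record that was dropped because it names no actor. In practice the same check is worth running per tenant and per time window, so that a category that silently stops producing events is noticed before an investigation needs it.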
Read more about this week's FedRAMP Tips and Cues here.