Blog
This week, FedRAMP published one Tip for Federal Agencies and one Tip for Cloud Service Providers(CSPs): Federal Agencies TIP: For a Cloud Service Offering (CSO) that is a combination of one authorization leveraging another (e.g. a SaaS leveraging a IaaS), Agency customers should assess the combined risk of the two systems Authorizing Officials should make...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Tip: Boundaries for FedRAMP Cloud Service Offerings (CSOs) must have established demarcation points. This means that entry and exit points must be limited, centralized, and well controlled and applies even for a Platform as a Service (PaaS). Cloud Service Providers (CSPs)...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: When is the distinction between an Operational Requirement (OR) and a Vendor Dependency (VD)? A: An OR is a weakness that has a fix available but the fix cannot be applied without impacting the full operation of the system. A VD...
This week, FedRAMP published two tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: To access the document that lists all of the cryptographic modules that have been submitted for evaluation and are currently in process, please visit: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html The title of the document is “Cryptographic Module Validation Program FIPS 140-2 Modules In Process List“...
This week, FedRAMP published two tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: In Table 4-1 of the SAR, please ensure that the columns, “Risk Statement” and “Mitigating Controls/Factors” contain the following information: Risk Statement: Provide a risk statement that describes the risk to the business. Indicate whether the affected host(s) is/are internally or...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: For my JAB P-ATO package, who should I list as the FedRAMP POC in my SSP and other package documents? A: For the SSP main document (excluding operational documents) the FedRAMP POC should be info@fedramp.gov. For procedural docs that include interaction around...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: TLS version 1.1, or higher, must be fully implemented for both public-facing and internal interfaces by July 1, 2018, in accordance with the FedRAMP Transport Layer Security (TLS) Requirements. Control documentation should contain sufficient detail to describe TLS implementation for both public-facing and...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: If an optional feature in a CSP’s product affects the customer’s security responsibilities, these customer responsibilities need to be notated in the Customer Responsibility Matrix. In addition, the feature must be explicitly identified as being applicable for customers who purchase...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: The rationale for Risk Adjustment (RA) and Operational Requirement (OR) provided in deviation requests should be based exclusively on risk (e.g., description of the likelihood and/or impact if the vulnerability was exploited and why), not availability or priority of resources. For the...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: When submitting final documents, please also provide extracted versions of embedded documents. This will facilitate the preparation of the final package for customer review. Cloud Service Providers (CSPs) TIP: In the System Security Plan (SSP), control CA-3 (3) “CA-3, Control...