Blog
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Before onboarding new services to your authorized cloud service, make sure that all applicable controls are within the previously authorized controls. Any service that introduces new controls to the environment or changes existing controls is considered a significant change and...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Agencies and CSPs are encouraged to adjust password complexity implementation for memorized secrets to align with NIST 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. FedRAMP Moderate and High controls IA-5 (g) and IA-5 (1) (a,d) are known to be more restrictive...
This week, FedRAMP published two Tips, one for Agencies and one for Third Party Assessment Organizations (3PAOs): Agencies TIP: During Continuous Monitoring, the Agency Authorizing Official (AO) is responsible for ensuring that the security posture of the cloud service their Agency is using continues to be acceptable. The responsibility for the AO (or his/her designated...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Effective July 1, 2018, CSPs must complete implementation of TLS version 1.1 for their Federal Agency customers. CSPs must ensure that federal customers are fully authenticated and compliant with TLS version 1.1 or higher (turning off TLS 1.0 and below). Cloud...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: Can we start the annual assessment early? A: Yes, you can start your annual assessment early as long as you submit your package before the anniversary date of your Provisional Authority to Operate (P-ATO). However, you should work with your Authorizing Official to...
This week, FedRAMP published one Q&A for Agencies and one Tip for Cloud Service Providers(CSPs): Agencies Q: What happens during an Agency Authorization kick-off meeting with the FedRAMP PMO? A: As described in the Agency Authorization Playbook, the FedRAMP PMO considers a kick-off meeting to be an integral step of the authorization process. Kick-off meetings provide the...
This week, FedRAMP published two Q&A’s; one for Agencies and one for Cloud Service Providers(CSPs): Agencies Q: How can my Agency support Cloud Service Providers (CSPs) that need to demonstrate federal demand as part of FedRAMP Connect? A: FedRAMP Connect was developed to ensure that CSPs that are prioritized to pursue a Joint Authorization Board...
This week, FedRAMP published two Q&A’s; one for Agencies and one for Cloud Service Providers(CSPs): Agencies Q: My Agency is pursuing an authorization for a Software-as-a-Service (SaaS) solution. Does the underlying layer of the system stack also need to be authorized? A: The “system stack” generally refers to the layers of services in the data...
This week, FedRAMP published two Q&A’s; one for for Cloud Service Providers(CSPs) and one for Agencies: Cloud Service Providers (CSPs) Q: Do the tools used for the penetration test need to be listed anywhere else besides in the Penetration Test Plan document? A: Yes, the tools used for the penetration test must also be listed in...
This week, FedRAMP published one tip and one Q&A for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Avoid adding time to your authorization process by successfully completing the System Security Plan (SSP) review the first time! Here are some tips from the FedRAMP PMO on how to create a strong SSP. Submit a complete and...