Blog
This week, FedRAMP published two tips for Cloud Service Providers (CSPs): TIP: Deviation Requests (DR) should be written as stand-alone documents, telling the entire story of the need for the DR and how the DR is implemented. The Deviation Request is the mechanism used by the CSP to document and justify a deviation from full...
This week, FedRAMP published two tips for Cloud Service Providers (CSPs): TIP: In the “Description of Risk to the System” section of the Deviation Request, do NOT copy and paste the vulnerability description from the source. It is necessary to explain the vulnerability within the context of the system and the potential risk should a...
This week, FedRAMP published one tip for Cloud Service Providers (CSPs): TIP: When submitting the Annual Assessment (AA) package, the final Security Assessment Plan (SAP), Security Assessment Review (SAR), System Security Plan (SSP) and Plan of Action & Milestones (POA&M) documents must be submitted no later than the P-ATO anniversary date. CSP’s should plan carefully...
This week, FedRAMP published two tips about significant change requests and POA&M items: TIP: When submitting a Significant Change Request (SCR), always discuss the change with your reviewer prior to submitting the form. A CSP is often inclined to err on the side of caution and evaluate a change as significant when it may not...
This week, FedRAMP published two tips about security controls and incident response plans: TIP: AC-2 and IA-2 are closely related. Every group, account, or role defined in AC-2 must be explicitly addressed in IA-2. AC-2 is used to define the groups, accounts, and roles, who may be assigned to one, and how they are managed...
This week, FedRAMP published questions and answers that discuss System Security Plans, and continuous monitoring: Q: A service previously documented in the System Security Plan (SSP) was renamed. How do we reflect the name change when we submit a Deviation Request (DR) for a vulnerability that affects the renamed service? A: Please provide a brief...
This week, FedRAMP published questions and answers that discuss FedRAMP documents, and points of contact: Q: What information does the FedRAMP PMO require for Contingency Plans and Incident Response Plans, and for testing them? A: You must use the Contingency Plan template from the Templates section of the FedRAMP website, at https://www.fedramp.gov/resources/templates-2016/. In Section 6,...
This week, FedRAMP published QA and a tip that discusses 3PAO templates and POA&Ms: Q: When does a 3PAO have to use a new FedRAMP template and why? A: The FedRAMP PMO office does not like to cause extra effort, but we do prefer that the latest templates be used where it makes sense and is feasible,...
This week, FedRAMP published QA and a tip that discusses POA&Ms and inventory: Q: What constitutes a unique finding for Plan of Actions & Milestones (POA&M) reporting and how should CSPs group related findings on the POA&M? A: The weakness identifier, asset identifier, and original detection date are elements that constitutes a new finding. If vulnerabilities are...
This week, FedRAMP published a weekly tip that discusses the use of non-US persons support and updating SSP officials: TIP: A CSP using non-US persons to support their system is FedRAMP compliant, but will find their market limited among Federal agencies. Using non-US persons to support a FedRAMP system is a business decision the CSP must...