Blog
This week, FedRAMP published two tips that discuss Cloud Service Offering Assessments and the requirements for a security assessment report and readiness assessment report: TIP: What does a typical Third Party Assessment Organization (3PAO) Team performing a Cloud Service Offering (CSO) assessment look like according to FedRAMP? FedRAMP requires that all assessments must be staffed by an...
This week, FedRAMP published a weekly tip that discusses requirements for vulnerability scanning: Q: What are the FedRAMP requirements for vulnerability scanning? A: Vulnerability scanning must occur for Operating System (OS)/ infrastructure, databases, and web application components in the Cloud Service offering authorization boundary. The scanning parameters for the components must be defined in the Security...
This week, FedRAMP published a weekly tip that discusses email notifications and background checks on staff members. TIP: When submitting a RAR or an authorization package, be sure to send an email notification to info@fedramp.gov. Cloud Service Providers (CSPs), Partnering Agencies, and/or Third Party Assessment Organizations (3PAOs) must send an email notification to info@fedramp.gov to let...
This week, FedRAMP published a weekly tip that discusses POA&Ms and testing evidence timeliness. Q: What purpose does the Plan of Action & Milestones (POA&M) document serve? A: The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP’s risk mitigation strategy. The POA&Ms include...
This week, FedRAMP published a weekly tip that discusses CSP transfers of ownership and ISSO assignments for a JAB P-ATO: Q: Is there an established process for what is supposed to occur when ownership of an authorized service transfers from one Cloud Service Provider (CSP) to another? A: If there were NO changes to the...
This week, FedRAMP published a weekly tip that addresses Incident Response Plans and Security Assessment Reports: Q: Does FedRAMP provide a template for an Incident Response Plan? A: Security Control IR-8 requires CSPs to develop an Incident Response Plan (IRP). The IRP is a required document within security authorization packages. FedRAMP does not provide a...
This week, FedRAMP published a weekly tip that addresses applying for an Agency High Baseline Authorization and an RAR Federal Mandate that is often overlooked: Q: What are some frequently asked questions for CSPs who currently hold an Agency Authorization to Operate (ATO) at the Moderate level, but wish to apply for an Agency High...
How Does a FedRAMP P-ATO Reduce The Lead Time For A Cloud Migration? Federal government agencies want to move to the cloud, but they don’t know where to begin. There are many questions around that need to be answered: “Which cloud service provider should I choose?” “How do I meet all of the cybersecurity requirements and...