Blog
This week, FedRAMP published two Q&A’s, one for Federal Agencies and one for Cloud Service Providers(CSPs): Federal Agencies Q: If a FedRAMP Authorized service offers several multi-factor authentication (MFA) methods to remotely access that service, may I use any of those forms of multifactor authentication to access the service? A:Cryptographic functions are used in many...
This week, FedRAMP published one Q&A and one Tip for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: Could you explain the purpose and process behind requiring a CSP to complete an incident response test and contingency plan test before their 3PAO assessment? A: It is important that the incident response test and the contingency plan...
This week, FedRAMP published two Q&A’s for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) Q: Do the FedRAMP security controls restrict data to reside only within the United States? A:There are no FedRAMP requirements restricting data to within the United States. There are multiple security controls that detail where data is stored, what the boundary...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Using a graphic to depict a security authorization boundary is crucial for an assessor to fully understand the security enclave that is being addressed by the CSP. The Boundary Diagram is essential in that it provides a depiction and understanding...
This week, FedRAMP published two Tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: Per the FedRAMP Significant Change Policies and Procedures, every new code release is not automatically considered a significant change. The CSP must perform a security impact analysis (SIA) in compliance with FedRAMP control CM-4 on every new code release. This includes...
This week, FedRAMP published two tips for Cloud Service Providers(CSPs): Cloud Service Providers (CSPs) TIP: To access the document that lists all of the cryptographic modules that have been submitted for evaluation and are currently in process, please visit: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html The title of the document is “Cryptographic Module Validation Program FIPS 140-2 Modules In Process List“...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: Would a cloud service require a FedRAMP authorization if it already has a FISMA ATO? If so, can you reference the specific language in the requirement? A: While FISMA and FedRAMP authorizations are similar, FedRAMP authorizations involve extra requirements...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: Do the FedRAMP security controls restrict data to reside only within the United States? A: There are no FedRAMP requirements restricting data to within the United States. There are multiple security controls that detail where data is stored, what...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: The effort and/or costs are too great to remediate a vulnerability within the required time period. Is it acceptable to submit a risk adjustment in this situation? A: Generally, level of effort and/or cost of implementing a remediation...
This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs): Cloud Service Providers (CSPs) Q: What is the relationship between continuous monitoring and continuous diagnostics & mitigation (CDM) and ongoing authorization? A: The FedRAMP and CDM monitoring requirements are both based on NIST Special Publication 800-137 guidance for implementing an Information Security Continuous Monitoring...