Blog
This week, FedRAMP published two tips for Cloud Service Providers ( CSPs): Cloud Service Providers (CSPs) TIP: CSPs must address every vulnerability they submit as part of their continuous monitoring data. There are a few different options for managing those vulnerabilities. 1. Remediate the finding within the required timeframe. This should be the default approach...
This week, FedRAMP published two question and answers for Cloud Service Providers ( CSPs): Cloud Service Providers (CSPs) Q: What is the purpose of an Information System Contingency Plan (ISCP)? A: Each CSP must develop and maintain contingency plans to address operational disruptions. The contingency plan (and test results) provides management with an evaluation of the...
This week, FedRAMP published one tip for Cloud Service Providers ( CSPs) and one question and answer for Third Party Assessment Organizations (3PAOs). : Cloud Service Providers (CSPs) TIP: When submitting the monthly Plan of Actions and Milestones (POA&M) spreadsheet, the findings on the spreadsheet must be reconciled each month with the scan results to...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assessment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: How should a CSP address platform scope within the System Security Plan (SSP)? A: There are multiple platforms/platform groups in a system as identified by the inventory. A platform has...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: I referenced a document in my System Security Plan (SSP), but did not provide the referenced document because it contains proprietary or sensitive information. How will this affect my...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: What are the roles and responsibilities of the third party assessment organization (3PAO) and the cloud service provider (CSP) during the assessment? A: While FedRAMP certifies 3PAOs to perform security...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: How do policies and procedures differ from the System Security Plan (SSP)? A: Policies and procedures are a critical supplement to the SSP and are required by the first control...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: All of the controls listed in the System Security Plan (SSP) Template do not apply to my system, so I only completed those that are applicable and left the...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs): Cloud Service Providers (CSPs) Q: Why is it important to maintain consistency between the security control implementation statements and the technical diagrams in the System Security Plan (SSP)? A: The security control implementation statements...
This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs) Cloud Service Providers (CSPs) Q: The Agency I’m working with requires that their data be cryptographically protected. What requirements must I follow? A: Any system that handles Government data may be the target of...