Seeking Public Comments on the Draft Customer Implementation Summary (CIS) and Customer Responsibility Matrix (CRM) Templates
In response to Agency and CSP feedback, FedRAMP updated the Customer Implementation Summary/Customer Responsibility Matrix (CIS/CRM) templates to provide clearer directions, sample responses, and a more streamlined structure. Prior to making permanent changes to the templates, the program is seeking public comments on the draft templates from the FedRAMP community.
The Control Implementation Summary and Customer Responsibility Matrix (CIS/CRM) is a security artifact that delineates the security responsibilities of cloud service providers (CSPs) and customers (Federal Agencies). The CIS summarizes the implemetation status of each control and the party responsible for maintaining that control, whether the customer is fully responsible for the control, partially inherits the control (there are some customer responsibilities), or the control is fully implemented by the CSP (no responsibilities for the customer). The CRM provides details for a customer of what their responsibilities are for a given control, including responsibilities for optional services (applicable depending on which services the customer acquires). This new CRM version is intended to help clarify roles and responsibilities to promote consumption and re-use of the FedRAMP security package.
The worksheet now includes the following upgrades:
- Individually Listed Controls and Control Parts: The controls in the CRM are now listed individually instead of being grouped together, making the content easier to consume and present and easier to pull from the System Security Plan (SSP).
- Detailed Inheritance Fields: The CRM now includes fields for CSPs to indicate if a control may be inherited, partially inherited, or may not be inherited. It also includes fields where the CSP describes specifics around how a control may be inherited by customers.
- Detailed Examples: Examples were added to provide further guidance on how to populate the CRM with controls that have partial or no inheritance.