Annual Assessment Guidance
The FedRAMP PMO recently encountered a question from a Cloud Service Provider (CSP) as to whether they are required to perform a re-authorization every three years. We wanted to take this opportunity to clarify FedRAMP’s Annual Assessment requirements.
First, FedRAMP does not require CSPs to perform a full reassessment every three years. This is consistent with the July 28, 2016 revision to OMB A-130, which eliminated this requirement. It is important to note that while FedRAMP has eliminated this requirement, some Agency Authorizing Officials (AO) include a re-authorization requirement in the system’s authorization letter. Any re-authorization requirement specified by an AO in a system’s authorization letter must still be satisfied.
FedRAMP’s Continuous Monitoring (ConMon) program includes a requirement for annual assessments. FedRAMP-authorized CSPs (those with an existing P-ATO) must comply with the FedRAMP Annual Assessment Guidance. Not doing so may be considered a failure to maintain an adequate risk management program and result in escalation actions as described in the FedRAMP Continuous Monitoring Performance Management Guide.
These assessments require a subset of the system’s controls each year, as documented in Section 2.3 of our Annual Assessment guidance. The controls selected for each annual assessment include:
- All FedRAMP-identified critical controls
- All controls that have changed since the last assessment
- Approximately one third of the remaining applicable controls
While the CSP and 3PAO may propose the scope of controls for each annual assessment, the AO must approve the control scope for any assessment and may require additional controls. We recommend each control is tested within a three year period. We have also found most leveraging Agencies prefer this as well. Since not all controls have specific periodic requirements for each control, this ensures that no control is ever extremely dated.
Questions about FedRAMP or this post should be directed to email@example.com.