Remote Testing of Datacenters
Cloud Service Providers (CSPs) hire Third Party Assessment Organizations (3PAOs) to perform security assessments for their initial and annual assessment authorizations. These assessments are usually performed onsite, including the physical and environmental controls provided by datacenters housing CSPs’ information technology resources. Due to the current safety guidelines from the Centers for Disease Control and Prevention (CDC) for COVID-19, however, 3PAOs may be permitted to perform the testing of certain datacenters remotely.
When making the decision to perform either local or remote testing, the 3PAO should reference the state or territorial and local health department for up-to-date information regarding travel, testing requirements, stay-at-home orders, and quarantine requirements upon arrival. However, in all instances prior to performing remote testing, the 3PAO must outline their request and ask for permission from the Authorizing Official (AO) or a delegated party.
All remote testing must be explicitly detailed in the Security Assessment Plan (SAP) as well as any test cases used and any modifications to the test cases that were made to facilitate the remote testing.
FedRAMP will revisit this guidance periodically and provide updates when the guidance is modified. Contact us at firstname.lastname@example.org with any questions.