Submitting a complete authorization package helps to speed up processing time and the time to initiate a package review. But the PMO has noticed a trend of Cloud Service Providers (CSPs) neglecting to include the fifteen required documents for an Initial Review. A list of the required documents can be found in the Initial Review Standard Operating Procedure.
The PMO has put together a list of the top five most commonly missed required documents to help CSPs assemble a complete Authorization Package the first time around.
- User Guide
  Close to sixty percent of CSPs neglected to include a User Guide in their Authorization Package. A User Guide explains the use of the system from the point of view of the system's end users.
- Information System Security Policies & Procedures
  Sixty-five percent of recently submitted Packages were missing this document. The Information System Security Policies and Procedures document must meet all the Policies and Procedures control requirements specified in all 17 of the “dash one” requirements, that is, AC-1, AT-1, AU-1, etc.
- Configuration Management (CM) Plan
  Nearly two-thirds (65%) of recently submitted Packages did not have a CM Plan. The CM Plan describes the process for establishing and maintaining consistency of a product’s performance, functional and physical attributes with its requirements, design and operational information throughout its life. Requirements for the Configuration Management (CM) Plan are documented in Control Requirement CM-9. The CM Plan must encompass all the other CM-family security requirements.
- Control Implementation Summary (CIS)
  The Control Implementation Summary was missing from 65% of Authorization Packages. The PMO template for this document provides a sample format for preparing the Control Implementation Summary (CIS) Report for the CSP information system.
- Incident Response Plan
  Sixty-five percent of recently submitted Packages did not include an Incident Response Plan. The Incident Response Plan outlines the measures that allow all parties to communicate effectively during a security incident affecting a FedRAMP authorized cloud service provider.
The FedRAMP PMO provides templates for the CIS and the Incident Response Plan. The remaining three commonly missed documents, however, are standard system security documentation, and the PMO does not provide templates for them.