On March 28, 2016 the FedRAMP Program Management Office (PMO) posted a draft of the FedRAMP Readiness Assessment Report and FedRAMP Readiness Assessment Guidance for CSPs and 3PAOs for public comment, and has heard from many of you.
The goal of the FedRAMP Readiness Assessment Report is to allow vendors to demonstrate their capabilities faster through an assessment by a Third Party Assessment Organization (3PAO) than through documentation reviews by the FedRAMP PMO. This will in turn enable Cloud Service Providers (CSPs) and Agencies to achieve FedRAMP authorizations faster without negatively impacting risk and quality of security packages.
In addition to the comments we’ve been receiving, we’ve collected feedback internally from the 3PAOs and CSPs that are testing the FedRAMP JAB authorization process.
So far, we’ve heard a lot of great feedback, some of which is listed below:
Define Readiness Assessment Report Evidence: The PMO’s expectation is that 3PAOs will perform physical examinations (including an on-site visit), observations, evidence reviews, assessments of the trustworthiness of evidence, and personnel interviews in order to complete the FedRAMP Readiness Assessment Report. We heard that we need to clarify this in the FedRAMP Readiness Assessment Guidance for CSPs and 3PAOs. The Readiness Assessment Report should not be based on documentation created by the CSP.
Clarify Capability Level Criteria: FedRAMP needs to provide additional guidance in the FedRAMP Readiness Assessment Guidance for CSPs and 3PAOs on the Capability Levels. We need to identify which capabilities have a minimum acceptable threshold and which capabilities require a 3PAO’s judgment given each individual system’s requirements. We should also provide guidance on how to interpret the capability levels, as some are not intuitive given the FedRAMP requirements. In addition, we should clarify if and/or how the Personnel Security/Credentialing and Physical and Environmental descriptions should be taken into account for the overall system rating.
Rationale for 3PAO Decisions: We’re looking for 3PAOs to provide the rationale behind their decisions, and we heard that we need to provide additional guidance explaining that.
Conflict of Interest: The PMO should clarify conflict of interest concerns, such as whether a 3PAO can perform both a readiness assessment and a full security assessment.
Overall Grade: The guidance document does not specify whether 3PAOs should use a mathematical formula or simply best judgment when selecting the Level I-V value for the overall system. We will clarify further.
The FedRAMP PMO is looking forward to receiving your comments to continue improving this new process. Please submit your feedback on both the FedRAMP Readiness Assessment Report and the FedRAMP Readiness Assessment Guidance for CSPs and 3PAOs. The period for public comment ends on April 28, 2016.
For additional information and instructions on submitting your comments, please visit: https://www.fedramp.gov/provide-public-comment/draft-readiness-capabilities