As FedRAMP continues to evolve and mature, the program and its stakeholders must balance the need for rigorous security with the constant need for growth and change from Cloud Service Providers (CSPs). To help keep up with the pace of changes to the environments we’ve authorized, we’ve created a New Services Onboarding Request Template, a document that allows CSPs with an existing JAB Provisional Authorization to onboard new cloud services for authorization consideration.
In partnership with the Third Party Assessment Organization (3PAO), a CSP and the FedRAMP PMO can now jointly make a decision to onboard new cloud services into an already JAB-authorized system up to two times faster and in a more transparent way than with the previous significant change process.
A key part of the new template is a 3PAO attestation that a CSP’s organizational processes and the security capabilities of its system were ascertained through the 3PAO’s evaluation of the new service or feature, using observations, evidence reviews, personnel interviews and demonstrated capabilities of security implementations. By attesting in this fashion, the 3PAO validates to the JAB that the feature or service being onboarded is truly FedRAMP compliant.
The template defines some parameters for what constitutes a feature or service that qualifies for onboarding:
Does not replace an existing service/feature previously included in the original system assessment;
Is not an outsourced service belonging to a different CSP;
Does not change the categorization of the Cloud Service Offering;
Does not introduce vulnerabilities affecting the current security posture of the system;
Does not affect the existing security controls implementation details of any controls as captured in the System Security Plan; and/or
Does not add a unique or alternative implementation of any of the security controls as captured in the System Security Plan.
We’ve created this new template and process in response to feedback from our stakeholders. The template is located on the FedRAMP website, on the FedRAMP Templates page, under the Monitor Phase.
Should you have any feedback on the document or process outlined above, please let us know by reaching out to us at firstname.lastname@example.org.