On March 28th, the FedRAMP PMO announced that the CSP-Supplied option will evolve as part of an effort to focus on agency and JAB provisional authorizations. After numerous interviews with CSPs, agencies, and 3PAOs, we concluded that CSP-Supplied had the lowest demand and was too risky, costly, and resource intensive for both industry and the FedRAMP PMO.
Since FedRAMP launched, CSP-Supplied has been the least utilized of the three options for FedRAMP compliance. Many of the CSP-Supplied packages submitted to the PMO did not pass the compliance review, and fewer than five ultimately obtained compliant status.
As an alternative, CSPs will have the option to pursue the redesigned FedRAMP Ready process. CSPs can work with a 3PAO to prove their cloud system’s security capabilities through successful completion of a FedRAMP Readiness Assessment in a matter of weeks. We estimate this new process will take 10-15% of the time and cost to complete a CSP-Supplied package. It also brings the added benefit of quicker visibility in the FedRAMP Marketplace, where federal agencies can view FedRAMP Ready systems.
While CSP-Supplied is going away, we believe the redesigned FedRAMP Ready will better prepare CSPs for a JAB provisional authorization or help identify an agency sponsor for an authorization, and will do so faster, cheaper, and with more certainty.
Reminder: All CSPs who intend to submit a CSP-Supplied package must submit their documentation to FedRAMP by COB April 29, 2016. FedRAMP will not accept any CSP-Supplied packages after April 29th. To focus on the new FedRAMP Ready process, FedRAMP will review each submitted package only once, for a pass/fail determination.