Tips & Cues

Many of our Cloud Service Providers (CSPs), Federal Agencies, and Third Party Assessment Organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we provide weekly tips and address frequently asked questions and concerns. Below you will find our most recent month of Tips & Cues. To receive our weekly email, sign up here for our listserv.

You can also review and search all of our past Tips & Cues by downloading our compilation document here.

February 2019 Tips & Cues

TIP: Be sure that monthly Continuous Monitoring (ConMon) scans are submitted in the same format each month.

Failure to submit in a consistent, approved format can lead to a Detailed Finding Review or Corrective Action Plan (CAP). (February 6, 2019)

Q: Does a 3PAO need to list, in the SAP, previously approved deviations (such as Operational Requirements) that will be evaluated during an annual assessment?

A: During Annual Assessments, previously approved deviations, such as Operational Requirements, are assessed to determine whether that status remains justified. While the 3PAO does not need to explicitly list the specific deviations to be re-evaluated during their assessment, they should at least include a statement in the Security Assessment Plan (SAP) that such a re-evaluation will occur as part of the assessment. (February 6, 2019)

Q: What types of databases are required to be scanned and how should they be tested?

A: The database scanning or manual testing requirements apply to all databases within the security boundary (i.e., those that reside in or are embedded in a host or application, as well as all other databases). Databases that reside in a host (such as an appliance) still need to be tested; the tester may have to work with the relevant vendor to confirm that the security posture of the embedded database is appropriate. If the databases are not accessible to the scanners, alternate methods of database testing (such as manual tests) should be explored. The host on which the databases reside should be scanned as part of the infrastructure scanning. (February 20, 2019)
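As an added illustration of the rule above (this is example code, not FedRAMP tooling), the following reconciles a constructed asset inventory against one month's scan evidence: every database needs scanner or manual-test evidence, every host needs an infrastructure scan, and a database embedded in a host also needs that host scanned. Asset and evidence field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str                       # "host" or "database"
    host_id: Optional[str] = None   # for a database: the host it resides in

# Constructed sample inventory of assets inside the boundary
INVENTORY = [
    Asset("web-01", "host"),
    Asset("appliance-01", "host"),
    Asset("db-host-02", "host"),
    Asset("pg-main", "database", host_id="web-01"),
    Asset("appl-db", "database", host_id="appliance-01"),   # embedded in an appliance
    Asset("redis-cache", "database", host_id="web-01"),
    Asset("mysql-02", "database", host_id="db-host-02"),
]

# Constructed evidence for one ConMon month: (asset_id, evidence type)
EVIDENCE = {
    ("web-01", "infrastructure"),
    ("appliance-01", "infrastructure"),
    ("pg-main", "database"),
    ("appl-db", "manual"),      # vendor-assisted manual test, scanner could not reach it
    ("mysql-02", "database"),
}

def coverage_gaps(inventory, evidence):
    """Return (asset_id, reason) pairs for assets whose testing does not meet the rule."""
    covered = {}
    for asset_id, kind in evidence:
        covered.setdefault(asset_id, set()).add(kind)
    hosts = {a.asset_id for a in inventory if a.kind == "host"}
    gaps = []
    for a in inventory:
        have = covered.get(a.asset_id, set())
        if a.kind == "host":
            if "infrastructure" not in have:
                gaps.append((a.asset_id, "host lacks infrastructure scan"))
        elif a.kind == "database":
            # A database scan or a documented manual test satisfies the database requirement
            if not ({"database", "manual"} & have):
                gaps.append((a.asset_id, "database has neither scanner nor manual test evidence"))
            # The host the database resides on must itself be scanned as infrastructure
            if a.host_id is not None and a.host_id not in hosts:
                gaps.append((a.asset_id, f"resides on host {a.host_id} missing from inventory"))
            elif a.host_id is not None and "infrastructure" not in covered.get(a.host_id, set()):
                gaps.append((a.asset_id, f"resident host {a.host_id} lacks infrastructure scan"))
    return gaps
```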

Q: Does a 3PAO need to list, in the SAP, previously approved deviations (such as Operational Requirements) that will be evaluated during an annual assessment?

A: During Annual Assessments, previously approved deviations, such as Operational Requirements, are assessed to determine whether that status remains justified. While the 3PAO does not need to explicitly list the specific deviations to be re-evaluated during their assessment, they should at least include a statement in the Security Assessment Plan (SAP) that such a re-evaluation will occur as part of the assessment. (February 20, 2019)