Many of our Cloud Service Providers (CSPs), Federal Agencies, and Third Party Assessment Organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we provide weekly tips and address frequently asked questions and concerns. Below you will find our most recent month of Tips & Cues. To receive our weekly email, sign up here for our listserv.
You can also review and search all of our past Tips & Cues by downloading our compilation document here.
February 2018 Tips & Cues
Q: In the updated Continuous Monitoring Strategy Guide, I noticed there is now a defined “due date” for low vulnerabilities. Does my service offering have to implement that immediately?
A: The FedRAMP Continuous Monitoring Strategy Guide now requires low vulnerabilities to be remediated or mitigated within 180 days. That requirement took effect on January 31, 2018, when the updated guide was published. Every newly identified “low” vulnerability must have a resolution date (as specified in the POA&M) no later than 180 days after its date of discovery. “Low” vulnerabilities that were identified and placed on the POA&M before January 31, 2018 may keep their previously assigned resolution dates. (February 28, 2018)
Q: Can a Federal Agency require CSPs to be FedRAMP authorized in a request for proposal (RFP)?
A: Federal Agencies cannot require a CSP to already hold a FedRAMP authorization in order to respond to an RFP, but they can state in the solicitation that the CSP must be FedRAMP authorized before Federal data is placed in the system. For more information on contract clauses, please review the FedRAMP Standard Contractual Clauses. (February 28, 2018)
Q: Would a cloud service require a FedRAMP authorization if it already has a FISMA ATO? If so, can you reference the specific language in the requirement?
A: Yes. While FISMA and FedRAMP authorizations are similar, a FedRAMP authorization involves additional requirements and control parameters specified in the FedRAMP templates and baseline requirements documentation available on fedramp.gov. Agencies that use a cloud system or service must follow FedRAMP requirements and go through the FedRAMP authorization process; a FISMA ATO alone does not satisfy this. The driving policy for FedRAMP is the OMB policy memo “Security Authorization of Information Systems in Cloud Computing Environments” (December 8, 2011).
The initial cloud system/service authorization package (to include the ATO for Agency-authorized systems) must be reviewed and approved by the FedRAMP PMO to receive a FedRAMP authorization. (February 21, 2018)
Q: If a CSP wants to complete a FedRAMP Readiness Review, but is then going to pursue an Agency-sponsored FedRAMP authorization, can the CSP use the same 3PAO for both assessments?
A: Yes. A CSP can use the same 3PAO for its Readiness Assessment Report (RAR) and for its full security assessment, whether it is working with an Agency or the JAB. The same 3PAO, however, cannot provide consulting or advisory services to the CSP between the two assessments, because doing so would compromise the 3PAO’s independence; this is outlined in the ISO/IEC 17020 requirements and the FedRAMP-A2LA 3PAO accreditation requirements.
Additionally, to help ensure successful completion of the RAR, the FedRAMP PMO has created a FedRAMP RAR Guide for 3PAOs that includes useful tips and lessons learned. (February 21, 2018)
Q: Do the FedRAMP security controls restrict data to reside only within the United States?
A: There are no FedRAMP requirements restricting data to within the United States. Multiple security controls do require the CSP to document where data is stored, what the boundary of the system is, and where and how data in transit is protected. Some FedRAMP-authorized providers operate globally, although the majority of service providers do restrict their data to the United States. It is up to each individual Agency and Authorizing Official to place restrictions, if needed, on data location. (February 14, 2018)
Q: Does the “FedRAMP Ready” designation allow CSPs to bid on contracts if their systems don’t have an existing Authority to Operate (ATO)? If not, how will a CSP that does not have a current ATO respond to an RFP? Will the CSP be required to obtain a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO)?
A: CSPs whose systems do not have existing ATOs are allowed to bid on contracts. Agencies can request a CSP to have a timeline for obtaining an ATO, but should not limit the request to CSPs with ATOs. Please contact the FedRAMP PMO if an Agency is making that request.
The “FedRAMP Ready” designation is a market indicator to Agencies that a system has a high likelihood of obtaining a JAB P-ATO or an Agency ATO. Agencies can be confident that a system that meets the FedRAMP Ready requirements actually has the key capabilities needed to fit their security needs. A small cloud service provider can therefore attain FedRAMP Ready and be listed for Agency review in the FedRAMP Marketplace. The Agency can then decide to issue an ATO based on the understanding that the system meets the Readiness Assessment requirements. (February 14, 2018)
Q: How do security controls impact Quality of Service (QoS) of an application or system?
A: Quality of Service (QoS) and security are interrelated. Security controls must be thoughtfully selected and implemented so that they do NOT adversely impact an application’s or system’s QoS. A good security program addresses confidentiality, integrity, AND availability, and QoS is an important component of a well-thought-out security posture. (February 7, 2018)
Q: I’d like to know the criteria that the FedRAMP PMO uses to review Agency authorization packages. Where can I find that information?
A: The FedRAMP PMO reviews Agency authorization packages after an Agency has conducted its own in-depth review of the CSP’s authorization package; has issued an ATO for the service; and the final, complete authorization package has been uploaded to the FedRAMP secure repository.
The FedRAMP Agency Package Review Team focuses its review on key technical security concerns (critical controls) and on the completeness of the authorization package. The results of the Team’s review are captured in the FedRAMP Agency ATO Review Template (available on fedramp.gov). The completed Agency Review Template (report) is made available to the specific CSP, the initial authorizing Agency, and any other Agency interested in using that particular cloud service.
However, Agencies and CSPs are cautioned not to overly focus on the Review Template checks, as FedRAMP PMO reviewers also spot check other areas within the package as part of the FedRAMP authorization determination. (February 7, 2018)