Many of our Cloud Service Providers (CSPs), Federal Agencies, and Third Party Assessment Organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we provide weekly tips and address frequently asked questions and concerns. Below you will find our most recent month of Tips & Cues. To receive our weekly email, sign up here for our listserv.
You can also review and search all of our past Tips & Cues by downloading our compilation document here.
October 2018 Tips & Cues
Q: Do single-tenant cloud offerings have to comply with FedRAMP, or can an agency issue a FISMA authorization?
A: This should be vetted with the sponsoring government agency. For private (single tenant) clouds, agencies have the final say on authorization; however, FedRAMP strongly suggests use of the FedRAMP baselines. The difference between a private cloud and a community or public offering is that the authorizations aren't shared on the FedRAMP marketplace for private clouds since they cannot be reused. (October 3, 2018)
Q: FedRAMP released updates to the System Security Plan (SSP) template. If we have already submitted our SSP to our Third Party Assessment Organization (3PAO) for our annual assessment, do we need to update the SSP to align to the new FedRAMP requirements and re-submit to the 3PAO?
A: No, you do not need to update and resubmit the SSP to your 3PAO immediately. These changes must be incorporated before the CSP’s next annual assessment (for annual assessments after Oct 31, 2018). Therefore, the changes to the SSP should be made, but they do not need to be submitted to the 3PAO unless the assessment is after the deadline date. Please see our Blog Post titled FedRAMP Documentation Release for additional details regarding new and updated documentation. (October 3, 2018)
TIP: The CSP must prove to the Third Party Assessment Organization (3PAO) that Plan of Action and Milestones (POA&M) items are remediated as per the FedRAMP timeframe (Section 4.2.6 Configuration and Risk Management Item #10).
High vulnerabilities are required to be remediated within 30 days, Moderate vulnerabilities within 90 days, and Low vulnerabilities within 180 days. (October 16, 2018)
Q: If the CSO does not have any federal customers (and therefore no ATOs), how does the 3PAO handle configuration and risk management requirements?
A: The CSP should be completing Continuous Monitoring and a POA&M each month as soon as they begin the FedRAMP process, rather than waiting until they are FedRAMP authorized. Even without Federal customers, the environment must be scanned and vulnerabilities must be remediated. (October 16, 2018)
Q: How can the CSP access the redline version of the New FedRAMP SSP template?
A: Please email firstname.lastname@example.org to request the redlined version of the New SSP templates. We will send you a zip file with all of the SSPs (including the LI-SaaS Appendix B). There are many formatting changes and other minor corrections, but the major changes are as follows:
1) Alignment with NIST 800-63-3 Digital Identity Requirements (Section 2.3, IA-5, Attachment 3)
2) Updated reference to boundary guidance document (Section 9.2)
3) Updated vulnerability remediation requirements (RA-5) (October 24, 2018)
Q: Is a CSP required to submit a Significant Change Request for combining or consolidating an already approved Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)?
A: A significant change request is required to consolidate systems, even if both are already authorized. Please complete our Significant Change Request (SCR) form found on the FedRAMP Templates Page. (October 24, 2018)
TIP: Per the FedRAMP Significant Change Policies and Procedures, not every new code release is automatically considered a significant change.
The CSP must perform a security impact analysis (SIA), in compliance with FedRAMP control CM-4, on every new code release, including the analysis required by the FedRAMP SA-11 controls (the base control and enhancements). Therefore, if an SIA shows that the new code release will adversely affect the system's security posture, the new code release must be treated as a significant change. (October 31, 2018)
TIP: Please remember when submitting a Significant Change Request to include the minimum control set that is required if your change type is a new technology, new interconnection, new data center, or a moderate to high FIPS-199 Categorization change.
This is outlined in the FedRAMP Significant Change Policies and Procedures document. You can find the control set in Appendix B of this document. (October 31, 2018)