Updated Control Implementation Summary (CIS) and Customer Responsibility Matrix (CRM) Templates
In response to Agency and CSP feedback, FedRAMP updated the Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) templates to provide clearer directions, sample responses, and a more streamlined structure. Prior to releasing these updated templates, the program sought public comment on the draft templates from the FedRAMP community and we appreciated all of your input.
The CIS/CRM is a security artifact that delineates the security responsibilities of Cloud Service Providers (CSPs) and customers (Federal Agencies). The CIS summarizes the implementation status of each control and the party responsible for maintaining it: the customer is fully responsible for the control, the customer partially inherits the control (some customer responsibilities remain), or the control is fully implemented by the CSP (no responsibilities for the customer). The CRM details a customer's responsibilities for a given control, including responsibilities for optional services (applicable depending on which services the customer acquires). This new CRM version is intended to clarify roles and responsibilities and thereby promote consumption and re-use of the FedRAMP security package.
- Individually Listed Controls and Control Parts: The controls in the CRM are now listed individually instead of being grouped together, which makes the content easier to consume and present, and easier to pull from the System Security Plan (SSP).
- Detailed Inheritance Fields: The CRM now includes fields for CSPs to indicate if a control may be inherited, partially inherited, or may not be inherited. It also includes fields where the CSP describes specifics around how a control may be inherited by customers.
- Detailed Examples: Examples were added to provide further guidance on how to populate the CRM with controls that have partial or no inheritance.
CSP Transition Requirements:
CSPs are required to acknowledge the requirement to use this updated template within a week, by August 14, 2020, by emailing firstname.lastname@example.org, and are required to transition to the updated CIS/CRM template within 30 days of this release, by September 7, 2020. The CSP's 3PAO should validate the completed template at the next annual assessment. Where full transition is not possible in this timeframe, the CSP must work with their Authorizing Official (AO) on a mitigation plan, which the AO must review and approve. For systems with a JAB P-ATO, the CSP should post the mitigation plan to the FedRAMP repository and send an email notification to email@example.com, or discuss an alternative arrangement with their FedRAMP POC.
If there are any questions or comments, please contact us at firstname.lastname@example.org.