diff --git a/_includes/footer.html b/_includes/footer.html index 3b7cb5121..4735d55bb 100755 --- a/_includes/footer.html +++ b/_includes/footer.html @@ -34,7 +34,7 @@

Follow Us

@@ -118,8 +118,8 @@

Keep Up To Date

> + diff --git a/_layouts/agency-authorization.html b/_layouts/agency-authorization.html index 43f4bbe87..f35323fa1 100644 --- a/_layouts/agency-authorization.html +++ b/_layouts/agency-authorization.html @@ -167,7 +167,7 @@

Full Security Assessment

Agency Authorization Process

-

The next step is the Agency Authorization Process. During this step, the agency conducts a security authorization package review, which may include a SAR debrief with the FedRAMP PMO. Depending on the results of the agency’s review, CSP remediation may be required. Additionally, the agency will implement, test, and document customer responsible controls during this phase. Finally, the agency performs a risk analysis, accepts risk, and issues an ATO. This decision is based on the agency’s risk tolerance. Once an agency provides an ATO letter for the use of the CSO, the following actions take place to close out this step:

+

The next step is the Agency Authorization Process. During this step, the agency conducts a security authorization package review, which may include a SAR debrief. Depending on the results of the agency’s review, CSP remediation may be required. During this phase, the agency may implement, document, and test customer responsible controls. Alternatively, the agency may choose to perform these steps after issuing the ATO. Finally, the agency performs a risk analysis, accepts risk, and issues an ATO. This decision is based on the agency’s risk tolerance. Once an agency provides an ATO letter for the use of the CSO, the following actions take place to close out this step:

-
-
- -
-
-

Agency Authorization - Roles and Responsibilities for FedRAMP, CSPs, and Agencies

-

This document provides a summary of the roles and responsibilities of the agency, CSP, and FedRAMP PMO during the Agency Authorization process.

-

Download [PDF - 933KB]

-
-
-
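Review bot: the rewritten paragraph now lets the agency defer implementing, documenting and testing customer-responsible controls until after the ATO is issued ("Alternatively, the agency may choose to perform these steps after issuing the ATO."), but says nothing about how those deferred controls are tracked so that the risk acceptance accounts for them. Add a sentence stating where they are recorded (for example in the agency's own POA&M or risk register) and that the agency remains responsible for completing them. Separately, the "Agency Authorization - Roles and Responsibilities for FedRAMP, CSPs, and Agencies" entry and its "Download [PDF - 933KB]" link are removed outright with no replacement; if any other page still links to that PDF, update it in the same change.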
@@ -272,9 +261,9 @@

FedRAMP Authorization Boundary Guidance

-

FedRAMP Guide for Multi-Agency Continuous Monitoring

+

FedRAMP Colllaborative ConMon Quick Guide

This document provides guidance to agencies and CSPs to assist with a framework for collaboration when managing Agency ATOs.

-

Download [PDF - 413KB]

+

Download [PDF - 413KB]
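Review bot: the new heading "FedRAMP Colllaborative ConMon Quick Guide" misspells the document name (three l's); the FAQ answer further down in this same change calls it the "FedRAMP Collaborative ConMon Quick Guide", so the heading should match that spelling. The "Download [PDF - 413KB]" line is removed and re-added with the same size, so confirm the link target was actually updated to the renamed guide and not only the surrounding markup.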

@@ -283,9 +272,9 @@

FedRAMP Guide for Multi-Agency Continuous Monitoring

-

FedRAMP Tailored Website

-

Provides guidance and templates for FedRAMP Tailored, a simple, condensed approach to the Authorization process for Low-Impact Software-as-a-Service (LI-SaaS) applications.

-

Visit Website

+

FedRAMP Baselines

+

This web page helps stakeholders understand the FedRAMP Baselines and Impact Levels for FedRAMP Authorizations

+

Visit Website
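Review bot: the old title "FedRAMP Guide for Multi-Agency Continuous Monitoring" still appears as unchanged context at the top of this hunk even though the previous hunk renamed that document to the Collaborative ConMon Quick Guide; check whether this is a second occurrence (alt text, title attribute or anchor text) that also needs renaming. The new description "This web page helps stakeholders understand the FedRAMP Baselines and Impact Levels for FedRAMP Authorizations" is also missing its terminal period.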

diff --git a/_layouts/assessor-page.html b/_layouts/assessor-page.html index 0b2d238c8..bcd244eab 100644 --- a/_layouts/assessor-page.html +++ b/_layouts/assessor-page.html @@ -19,7 +19,7 @@

Partnering with FedRAMP®

As independent third parties, they perform initial and periodic assessments of cloud systems based on federal security requirements. The federal government uses 3PAO assessments as the basis for making informed, risk-based authorization decisions for the use of cloud products and services. During FedRAMP assessments, 3PAOs produce a Readiness Assessment Report (RAR), which is required for the Joint Authorization Board (JAB) Authorization process and optional but highly recommended for the Agency Authorization process, and/or a Security Assessment Plan (SAP) and Security Assessment Report (SAR) that is submitted for authorization to a government Authorizing Official (AO).

-

A list of FedRAMP recognized Third Party Assessment Organizations (3PAOs) can be found on the FedRAMP Marketplace. +

A list of FedRAMP recognized Third Party Assessment Organizations (3PAOs) can be found on the FedRAMP Marketplace.

@@ -73,10 +73,10 @@

Resources for Assessors

3PAO Obligations and Performance Standards

-

The 3PAO Obligations and Performance Standards provides guidance for 3PAOs on demonstrating the quality, independence, and FedRAMP knowledge required as they perform security assessments on cloud systems.

+

FedRAMP created a conformity assessment process to recognize third party assessment organizations (3PAOs) through accreditation by the American Association for Laboratory Accreditation (A2LA). This process ensures 3PAOs meet the necessary quality, independence, and FedRAMP knowledge requirements, to perform independent security assessments required by FedRAMP. To maintain recognition, 3PAOs must continue to demonstrate independence, quality, and FedRAMP knowledge as they perform security assessments on cloud systems.

[File Info: PDF - 458KB]
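Review bot: the replacement description explains how 3PAOs are recognized through A2LA accreditation but no longer says what the linked "3PAO Obligations and Performance Standards" document itself contains, which is what a reader scanning a resources list needs; keep one sentence on the document's purpose (the removed text had it: "provides guidance for 3PAOs on demonstrating the quality, independence, and FedRAMP knowledge required") ahead of the accreditation background. Minor: drop the stray comma in "FedRAMP knowledge requirements, to perform independent security assessments".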

@@ -85,8 +85,8 @@

3PAO Obligations and Performance Standa
-

FedRAMP Readiness Assessments: A Guide for 3PAOs

-

The FedRAMP Readiness Assessments: A Guide for 3PAOs provides 3PAOs with guidance on how best to utilize the RAR. It provides a shared understanding of the RAR’s intent, process, and best practices.

+

3PAO Readiness Assessment Report Guide

+

FedRAMP created the Readiness Assessment Report Guide to assist 3PAOs and cloud service providers on how to best utilize the FedRAMP Readiness Assessment Report (RAR) templates to confirm the full implementation of the CSO’s technical capabilities, which is required for a FedRAMP Readiness Assessment to be successful. This also helps 3PAOs and CSPs understand the rigor that FedRAMP requires for assessments.

[File Info: PDF - 342KB]
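Review bot: the entry is retitled "3PAO Readiness Assessment Report Guide" and given a new description, but "[File Info: PDF - 342KB]" is unchanged context; if the linked PDF is a different document its size will differ, so verify the href and the file-size line were updated along with the title and blurb. In the new description, "assist 3PAOs and cloud service providers on how to best utilize" should read "assist 3PAOs and cloud service providers in using".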

Download diff --git a/_layouts/baselines.html b/_layouts/baselines.html index 99857506e..d567953df 100644 --- a/_layouts/baselines.html +++ b/_layouts/baselines.html @@ -184,7 +184,7 @@

High Impact Level

-

CSPs should use the FedRAMP FIPS 199 Categorization Template (Attachment 10) in the SSP along with the guidance of NIST Special Publication 800-60 volume 2 Revision 1 to correctly categorize their system based on the types of information processed, stored, and transmitted on their systems. Customer agencies are expected to perform a separate FIPS 199 analysis for their own data hosted in the CSP’s cloud environment.

+

CSPs should use the FedRAMP FIPS 199 Categorization Template (Appendix K) in the SSP along with the guidance of NIST Special Publication 800-60 volume 2 Revision 1 to correctly categorize their system based on the types of information processed, stored, and transmitted on their systems. Customer agencies are expected to perform a separate FIPS 199 analysis for their own data hosted in the CSP’s cloud environment.

CSPs can achieve a FedRAMP Authorized designation via the Agency Path for any of the baselines (LI-SaaS, Low, Moderate, High). CSPs can only pursue a FedRAMP Authorized designation via the JAB Path for the Moderate and High baselines.

diff --git a/_layouts/cloud-service-page.html b/_layouts/cloud-service-page.html index deaf026c0..7eab57803 100644 --- a/_layouts/cloud-service-page.html +++ b/_layouts/cloud-service-page.html @@ -68,7 +68,7 @@

CSP Authorization Playbook

The CSP Authorization Playbook: Getting Started with FedRAMP provides CSPs with an overview of how to develop an authorization strategy, the types of authorizations, and important considerations for their CSOs when working with FedRAMP.

[File Info: PDF - 959KB]

diff --git a/_layouts/faqs.html b/_layouts/faqs.html index cc4f2ff7e..2134ec33d 100644 --- a/_layouts/faqs.html +++ b/_layouts/faqs.html @@ -101,7 +101,7 @@

aria-controls="gen-fedramps-value"> What is FedRAMP’s value to the federal government?

-

FedRAMP eliminates duplicative efforts by providing a common security framework. Agencies review their security requirements against a standardized baseline. A Cloud Service Provider (CSP) goes through the authorization process once, and after achieving an authorization for their Cloud Service Offering (CSO), the security package can be reused by any federal agency.

+

FedRAMP eliminates duplicative efforts by providing a common security framework. Agencies review their security requirements against a standardized baseline. A cloud service provider (CSP) goes through the authorization process once, and after achieving an authorization for their cloud service offering (CSO), the security package can be reused by any federal agency.

FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale.
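Review bot: this hunk lower-cases "cloud service provider (CSP)" and "cloud service offering (CSO)" as common nouns, but other added lines in the same commit keep title case ("Cloud Service Offering (CSO)" in the Initial Agency Partner answer, "Cloud Service Providers (CSPs)" in the package-quality answer, "Third Party Assessment Organization (3PAO)" in the lost-ATO answer); pick one convention and apply it across the FAQ in this change rather than answer by answer.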

@@ -118,7 +118,7 @@

aria-controls="gen-fedramp-guidance"> Where are FedRAMP guidance documents and templates maintained? How is the FedRAMP community notified of new documents posted for public comment?

-

All official FedRAMP documentation is maintained on FedRAMP.gov. Opportunities for large-scale public comment periods will be messaged via a number of channels and methods, including the FedRAMP.gov website, "Focus on FedRAMP" blog, or by subscribing to FedRAMP email updates.

+

All official FedRAMP documentation is maintained on FedRAMP.gov. Opportunities for large-scale public comment periods will be messaged via a number of channels and methods. To ensure you are notified of these opportunities, subscribe to the FedRAMP distribution list for updates. Be sure to follow us on X (formerly Twitter) @FedRAMP to get notifications on other program updates.

-

FedRAMP is FISMA for the cloud. Per FISMA, the National Institute of Standards and Technology (NIST) is responsible for establishing “policies which shall set the framework for information technology standards for the Federal Government.” Based on this law, NIST developed the Risk Management Framework .

+

FedRAMP is FISMA for the cloud. Per FISMA, the National Institute of Standards and Technology (NIST) is responsible for establishing “policies which shall set the framework for information technology standards for the Federal Government”. Based on this law, NIST developed the Risk Management Framework .

Both FedRAMP and FISMA use the NIST SP 800-53 security controls. The FedRAMP security controls are based on NIST SP 800-53 baselines and contain controls, parameters and guidance above the NIST baseline that address the unique elements of cloud computing.
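Review bot: the only change to the FISMA answer moves the period outside the closing quotation mark ("Federal Government”."), which is the opposite of the style used elsewhere on this page ("Agency Sponsor.”"); keep the period inside. The space before the period in "Risk Management Framework ." survives in both versions and is most likely trailing whitespace inside a link element; trim it. The notifications answer also drops the "Focus on FedRAMP" blog as a channel; if that removal is deliberate, fine, otherwise restore it alongside the distribution list and X account.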

@@ -143,8 +143,7 @@

aria-controls="gen-security-controls"> Who is responsible for the cloud security controls?

-

There is a shared security responsibility model when using cloud products. Cloud Service Providers (CSPs) and agencies (customers) both assume important security roles and responsibilities to ensure data is protected within cloud environments. CSPs are required to submit a Control Implementation Summary (CIS) workbook as an attachment to the System Secruity Plan (SSP). The CIS workbook identifies security controls that the CSP is responsible for implementing, security controls that the agency (customer) is responsible for implementing, security controls where there is a shared CSP/agency responsibility, and security controls that are inherited from an underlying FedRAMP Authorized Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS). The CIS workbook also includes a Customer Responsibility Matrix (CRM) worksheet tab. CSPs must use the CRM to describe the specific elements of each control where the responsibility lies with the customer. Further details are also provided within the CSP’s SSP.

-

FedRAMP provides two CIS Workbook templates: one for Low and Moderate systems and one for High systems. Both are available on FedRAMP.gov’s Documents & Templates page.

+

There is a shared security responsibility model when using cloud products. Cloud service providers (CSPs) and customers (agencies or leveraging CSPs) both assume important security roles and responsibilities to ensure data is protected within cloud environments. CSPs are required to submit a Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) workbook as Appendix J to the System Security Plan (SSP). The CIS/CRM workbook identifies security controls that the CSP is responsible for implementing, security controls that the customer is responsible for implementing, security controls where there is a shared CSP/customer responsibility, and security controls that are inherited from an underlying FedRAMP Authorized Infrastructure-as-a-Service (IaaS) or Platform-as-a-Service (PaaS). CSPs use the CRM to describe the specific elements of each control where the responsibility lies with the customer.
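Review bot: the rewrite drops the sentence saying where the workbook template is published (the removed text pointed to "FedRAMP.gov’s Documents & Templates page" and noted separate templates for Low/Moderate and High systems); a CSP reading the new answer knows the CIS/CRM workbook is "Appendix J to the System Security Plan (SSP)" but not where to obtain it or whether there is still one template per baseline. Add that pointer back, and if Rev 5 consolidated the templates, say so explicitly.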

@@ -153,10 +152,10 @@

Federal Agencies

+ aria-controls="fa-approvers"> Who can sign a FedRAMP Package Access Request Form for an agency?

-

The FedRAMP approver that can sign a Package Access Request Form [PDF - 278KB] is either the agency’s Chief Information Security Officer (CISO), Authorizing Official (AO), Authorizing Official Designated Representative (AODR) or Designated Approving Authority (DAA). If the form is signed by a DAA, that person must be at a level that has the authority to grant an Authority to Operate (ATO) for an information system.

+

The FedRAMP approver that can sign a Package Access Request Form is either the agency’s Chief Information Security Officer (CISO), Authorizing Official (AO), Authorizing Official Designated Representative (AODR) or Designated Approving Authority (DAA). If the form is signed by a DAA, that person must be at a level that has the authority to grant an Authority to Operate (ATO) for an information system.

-

If a Cloud Service Offering (CSO) is listed as FedRAMP Authorized on the FedRAMP Marketplace, it has successfully completed the FedRAMP Authorization process with the Joint Authorization Board (JAB) or a federal agency. The FedRAMP Authorized designation indicates FedRAMP requirements are being met and a CSO’s security package is available for agency reuse. This means that any agency can request access to the security package for a FedRAMP Authorized CSO, review the security package, and issue their own Authority to Operate (ATO) for the product.

-

When reusing FedRAMP security packages, agencies should complete and sign the FedRAMP Package Access Request Form [PDF - 278KB] and if the requestor is not a federal employee they must also complete the associated Non-Disclosure Agreement for the FedRAMP Authorized CSO, conduct a package review and risk analysis, understand and implement customer responsibilities, issue an ATO and send ATO letters to info@fedramp.gov, and perform continuous monitoring responsibilities. More guidance can be found in the Reusing Authorizations for Cloud Products Quick Guide [PDF - 72KB].

+

If a Cloud Service Offering (CSO) is listed as FedRAMP Authorized on the FedRAMP Marketplace, it has successfully completed the FedRAMP authorization process with the Joint Authorization Board (JAB) or a federal agency. The FedRAMP Authorized designation indicates FedRAMP requirements are being met and a CSO’s security package is available for agency reuse. This means that any agency can request access to the security package for a FedRAMP Authorized CSO, review the security package, and issue their own Authority to Operate (ATO) for the product.More information on how to reuse an existing security package can be found in the FedRAMP Reusing Authorizations for Cloud Products Quick Guide.

+ aria-controls="fa-secure-repo-folders"> How can I ensure I am notified when changes are made to specific folders in the FedRAMP Secure Repository?

-
-

As a registered OMB MAX user, you have the ability to “watch” a page. To watch a page, click the icon labeled “watchers” in the upper-right corner of the screen. When a page is being watched, you will be notified via email of changes made to that page. This can be particularly helpful for Cloud Service Providers (CSPs), agencies, or Third Party Assessment Organizations (3PAOs) as they anticipate the uploading of key documents, like a System Security Plan (SSP) or Security Assessment Report (SAR). To stop watching a page, simply click again on the icon in the upper-right corner of the screen.

+
+

As a registered OMB MAX/USDA Connect user, you have the ability to “Watch” a page. To watch a page, navigate to a folder within a package and click the icon labeled “Watchers” in the upper-right corner of the screen. Oncea drop-down opens, click “Watch This Page”. When a page is being watched, you will be notified via email of changes made to that page. This can be particularly helpful for cloud service providers (CSPs), agencies, or third party assessment organizations (3PAOs) as they anticipate the uploading of key documents, like a system security plan (SSP) or security assessment report (SAR). To stop watching a page, simply click again on the icon in the upper-right corner of the screen to open a dropdown and click “Stop Watching This Page”.

+ aria-controls="fa-60-day-access"> How do you request an extension beyond the 60-day access window for Connect.gov or obtain additional package permissions?

-

Simply email info@fedramp.gov to request access extensions. Agencies can work directly with Cloud Service Providers (CSP) to obtain a copy of the package and request permissions to save, print, email, post, publish, or reproduce. If your agency has already issued an Authority to Operate (ATO) you can submit the ATO to info@fedramp.gov and receive permanent access to the package as long as an ATO is on file with the FedRAMP Program Management Office (PMO).

+

Simply email info@fedramp.gov to request access extensions. If your agency has issued an Authority to Operate (ATO) for the cloud service offering (CSO), you can submit the ATO to ato-letter@fedramp.gov and receive permanent access to the package as long as an ATO is on file with the FedRAMP Program Management Office (PMO).

-

An Initial Agency Partner or initial authorizing agency refers to the first agency to grant an Authority to Operate (ATO) using FedRAMP standards and baselines for the Cloud Service Offering (CSO). Some stakeholders use the term "Agency Sponsor.” FedRAMP does not recognize the concept of an agency sponsor because the ATO granted by the initial authorizing agency is not a government-wide risk acceptance. As described in FedRAMP's Reuse Quick Guide, OMB Circular A-130 requires agencies to individually authorize operation of an information system and to explicitly accept the risk. Each agency that wishes to use the CSO will conduct its own risk review of the authorization package and grant its own ATO.

+

An Initial Agency Partner or initial authorizing agency refers to the first agency to grant an Authority to Operate (ATO) using FedRAMP standards and baselines for the Cloud Service Offering (CSO). Some stakeholders use the term "Agency Sponsor.” FedRAMP does not recognize the concept of an agency sponsor because the ATO granted by the initial authorizing agency is not a government-wide risk acceptance. As described in FedRAMP's Reuse Quick Guide, OMB Circular A-130 requires agencies to individually authorize operation of an information system and to explicitly accept the risk. Each agency that wishes to use the CSO will conduct its own risk review of the authorization package and grant its own ATO.

It depends on the quality of the authorization package. Because the initial authorizing agency is the first agency to review the authorization package, the process for getting to an informed risk-based decision may take longer and require more effort if there are aspects of the authorization package that are unclear, incomplete, inaccurate, or inconsistent.

-

The FedRAMP Program Management Office (PMO) provides guidance to Cloud Service Providers (CSPs) and Third Party Assessors (3PAOs) on how to deliver a high quality authorization package, but if the agency team is unable to determine the actual security posture of the Cloud Service Offering (CSO) due to poor quality, the agency will provide feedback. The feedback may result in modifications to the package deliverables and/or additional testing, and additional review cycles. +

The FedRAMP Program Management Office (PMO) provides guidance to Cloud Service Providers (CSPs) and third party Assessment Organizations (3PAOs) on how to deliver a high quality authorization package, but if the agency team is unable to determine the actual security posture of the cloud service offering (CSO) due to poor quality, the agency will provide feedback. The feedback may result in modifications to the package deliverables and/or additional testing, and additional review cycles.

+ aria-controls="fa-performing-conmon"> As the initial authorizing agency, are we responsible for performing continuous monitoring (ConMon) oversight on behalf of other leveraging agencies?

-

No. It is not the initial authorizing agency’s responsibility to conduct ConMon oversight on behalf of all other agencies. OMB Circular A-130 requires federal agencies to implement the Risk Management Framework (RMF) described in NIST SP 800-37. The RMF process includes a Monitor step. The purpose of this step is to maintain ongoing situational awareness about the security posture of the system in support of risk management decisions. Each agency that issues an ATO or ATU for a cloud offering must review the Cloud Service Provider’s (CSP’s) ConMon activities to ensure the security posture remains sufficient for its own use and supports an ongoing authorization. This includes reviewing the monthly Plan of Action and Milestones (POA&M), approving deviation requests and significant change requests, and reviewing the results of the annual assessment. The FedRAMP Program Management Office (PMO) encourages CSPs who have more than one customer agency to streamline the ConMon process and potentially minimize duplicative efforts in a way that helps each agency still perform their due diligence related to ConMon. The PMO developed a recommended Collaborative ConMon approach. This approach is described in the Collaborative ConMon Quick Guide. Collaborative ConMon benefits agencies by allowing them to share responsibility for ConMon oversight, and it benefits the CSP by creating a central forum for addressing questions and achieving consensus related to deviation requests, significant change requests and the annual assessment - versus having to coordinate with each agency separately. -

+

No. It is not the initial authorizing agency’s responsibility to conduct ConMon oversight on behalf of all other agencies. OMB Circular A-130 requires federal agencies to implement the Risk Management Framework (RMF) described in NIST SP 800-37 . The RMF process includes a Monitor step. The purpose of this step is to maintain ongoing situational awareness about the security posture of the system in support of risk management decisions. Each agency that issues an ATO or ATU for a cloud offering must review the cloud service provider’s (CSP’s) ConMon activities to ensure the security posture remains sufficient for its own use and supports an ongoing authorization. This includes reviewing the monthly Plan of Action and Milestones (POA&M), approving deviation requests and significant change requests, and reviewing the results of the annual assessment. With the release of the FedRAMP Rev 5 baselines, security control CA-7 requires CSPs with more than one customer agency to implement collaborative ConMon. This approach is intended to streamline the ConMon process and potentially minimize duplicative efforts in a way that helps each agency still perform their due diligence related to ConMon. The PMO developed a recommended Collaborative ConMon approach, which is described in the FedRAMP Collaborative ConMon Quick Guide. Collaborative ConMon benefits agencies by allowing them to share responsibility for ConMon oversight, and it benefits the CSP by creating a central forum for addressing questions and achieving consensus related to deviation requests, significant change requests and the annual assessment - versus having to coordinate with each agency separately.

-

NIST SP 800-37 describes the ATO and ATU as very similar in that they both are the mechanisms for documenting and accepting risk of information systems, and approving the use of the system by the agency. ATUs are intended to be used for shared systems, but still document accepting risk and approving use (based on an external security assessment). Though FedRAMP accepts both ATOs and ATUs, there must be at least one ATO on file for the Cloud Service Offering (CSO) in order for FedRAMP to accept an ATU.

+

NIST SP 800-37 describes the ATO and ATU as very similar in that they both are the mechanisms for documenting and accepting risk of information systems, and approving the use of the system by the agency. ATUs are intended to be used for shared systems, but still document accepting risk and approving use (based on an external security assessment). Though FedRAMP accepts both ATOs and ATUs, there must be at least one ATO on file for the cloud service offering (CSO) in order for FedRAMP to accept an ATU.

+ aria-controls="fa-stop-cso"> What happens if my agency decides to stop using the cloud service offering (CSO)?

-

Agencies should first notify the Cloud Service Provider (CSP) that they plan to rescind their Authorization to Operate (ATO) as they no longer are using the service. After they have notified the CSP, the agency should send an email to info@fedramp.gov, CCing their CSP, which notifies the FedRAMP Program Management Office (PMO) that the service is no longer in use at the agency, and indicates the agency will rescind the ATO letter by a specific date. +

Agencies should first notify the cloud service provider (CSP) that they plan to rescind their Authorization to Operate (ATO) as they no longer are using the service. After they have notified the CSP, the agency should send an email to info@fedramp.gov, CCing their CSP, which notifies the FedRAMP Program Management Office (PMO) that the service is no longer in use at the agency, and indicates the agency will rescind the ATO letter by a specific date.

+ aria-controls="fa-lose-agency-customer"> What happens if a cloud service offering (CSO) loses its agency customers?

A CSO must have at least one active Authorization to Operate (ATO) from a federal agency on file with the FedRAMP Program Management Office (PMO) to maintain an Authorized designation on the FedRAMP Marketplace. Having an ATO on file with FedRAMP ensures at least one agency is conducting oversight of the Cloud Service Provider’s (CSPs) Continuous Monitoring (ConMon) activities.

-

If a CSP's service offering loses its only ATO on file with FedRAMP, the service offering may remain listed on the FedRAMP Marketplace as FedRAMP Ready for a maximum of 12 months while the CSP works to obtain a new ATO from a federal agency. If a new ATO is obtained during this period, the CSO will regain its FedRAMP Authorized designation. If an ATO is not achieved within 12 months, the CSP may pursue a Readiness Assessment Report to maintain its FedRAMP Ready designation, or transition to In Process by fulfilling the requirements described in FedRAMP’s Marketplace guidance. This provision does not apply to service offerings that lose their only ATO due to lack of maintaining an acceptable security posture.

-

Please review page 8 of FedRAMP’s Marketplace Designations for Cloud Service Providers for a full explanation of the provision for CSPs that lose their only ATO on file.

+

If a CSP's service offering loses its only ATO on file with FedRAMP, the service offering may remain listed on the FedRAMP Marketplace as FedRAMP Ready for a maximum of 12 months while the CSP works to obtain a new ATO from a federal agency. If a new ATO is obtained during this period, the CSO will regain its FedRAMP Authorized designation. If an ATO is not achieved within 12 months, the CSP may maintain its FedRAMP Ready designation by working with a FedRAMP-recognized Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering.to. Alternatively, the CSP may transition to In Process by fulfilling the requirements described in FedRAMP’s Marketplace guidance. This provision does not apply to service offerings that lose their only ATO due to lack of maintaining an acceptable security posture.

+

Please review the About FedRAMP Marketplace page for a full explanation of the provision for CSPs that lose their only ATO on file.

+ aria-controls="csp-listed-marketplace"> How does a cloud service provider (CSP) get listed on FedRAMP’s Marketplace?

There are three listing designations available on the FedRAMP Marketplace: FedRAMP Ready, In Process, or Authorized.

    -
  • FedRAMP Ready indicates that a Third Party Assessment Organization (3PAO) attests to a CSP’s readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP Program Management Office (PMO). The RAR documents the CSP’s capability to meet FedRAMP security requirements.
  • -
  • In Process is a designation provided to CSPs that are actively working toward a FedRAMP Authorization with either the Joint Authorization Board (JAB) or a federal agency.
  • -
  • The Authorized designation is provided to CSPs that have successfully completed the FedRAMP Authorization process with the JAB or a federal agency. This designation indicates the CSPs security package is available for agency review and reuse. Private cloud offerings are not listed on the FedRAMP Marketplace as they do not meet the intent of “do once, use many times” and thus the security packages are not considered reusable.
  • +
  • FedRAMP Ready indicates that a third party assessment organization (3PAO) attests to a CSP’s readiness for the authorization process, and that a FedRAMP Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP Program Management Office (PMO). The RAR documents the CSP’s capability to meet FedRAMP security requirements.
  • +
  • FedRAMP In Process is a designation provided to CSPs that are actively working toward a FedRAMP authorization with either the Joint Authorization Board (JAB) or a federal agency.
  • +
  • The FedRAMP Authorized designation is provided to CSPs that have successfully completed the FedRAMP authorization process with the JAB or a federal agency. This designation indicates the CSPs security package is available for agency review and reuse. Private cloud offerings are not listed on the FedRAMP Marketplace as they do not meet the intent of “do once, use many times” and thus the security packages are not considered reusable.

More detail about these designations and how to be listed on the Marketplace can be found on the About FedRAMP Marketplace page.

+ aria-controls="csp-get-started"> My company is looking to obtain FedRAMP authorization for one of our existing cloud products. I have executive support and an agency partner. How do I get started?

-

As a first step, please complete the FedRAMP Program Management Office’s (PMO’s) Cloud Service Provider (CSP) Information Form to notify our team of your intent to pursue FedRAMP Authorization with a federal agency and to initiate scheduling of an intake call with the PMO. During this call, the PMO will walk you through the Agency Authorization process. Additionally, please review the Get Authorized: Agency page and the FedRAMP Agency Authorization Playbook [PDF - 1.24MB]. This document provides an overview of every aspect of the Agency Authorization process, including roles and responsibilities for the CSP and agency at each step. If you have any questions after reviewing guidance materials, please forward them to info@fedramp.gov.

+

As a first step, please complete the FedRAMP Cloud Service Provider (CSP) Information Form to notify the FedRAMP team of your intent to pursue a FedRAMP authorization with a federal agency. Submission of the form will generate a FedRAMP Package ID for your cloud offering. In addition, you will receive an email that describes the next steps in the authorization process, along with links to a number of helpful resources.

+ aria-controls="csp-fedramp-logo"> What are the requirements to use the FedRAMP logo on a cloud service providers (CSPs) marketing materials?

+ aria-controls="csp-MFA-tool"> Does a cloud service provider (CSP) need to implement a FIPS-validated multi-factor authentication (MFA) tool prior to a cloud service offering (CSO) achieving FedRAMP Ready or can it be added to the Plan of Action and Milestones (POA&M) and addressed later?

To achieve a FedRAMP Ready designation, a CSO’s MFA solution must comply with NIST Special Publication (SP) 800-63B, which requires the use of FIPS 140 validated encryption for MFA tools. While agencies may accept risk by allowing a CSP to work through POA&M actions to achieve compliance with NIST SP 800-63B requirements, a Readiness Assessment Report (RAR) has no authorizing official to accept and approve risk for open POA&Ms. A FedRAMP Ready designation indicates to agencies that a cloud service can be authorized without significant risk or delay due to noncompliance. The use of FIPS 140 validated cryptographic modules, where encryption is required, is a federal mandate, as indicated in the RAR template. This applies to MFA tools as well.

The FedRAMP PMO has provided additional resources below that apply to all MFA tools, where required (authenticators and verifiers).

MFA resources: -

  • 1. The NSA published a paper last year,Selecting Secure Multi-factor Authentication Solutions, addressing popular MFA offerings and their status on meeting NIST requirements; CSPs may find this helpful to assist in identifying FIPS 140 validated MFA solutions. As indicated, this is not a FedRAMP developed document and FedRAMP does not control the currency of the information.
  • -
  • 2. There are two notable exceptions to the FIPS 140 requirement for authenticators in SP 800-63. These are:
  • +
  • 1. There are two notable exceptions to the FIPS 140 requirement for authenticators in SP 800-63. These are:
    • On low baseline systems, FIPS 140 validated crypto modules are only required for MFA verifiers, not authenticators.
    • On Moderate baseline systems, user-provided (“bring-your-own”) authenticators are exempt from having to meet FIPS 140 requirements, particularly in the government-to-public use case. Note: This exemption does not apply to CSP personnel. The FIPS 140 requirement still applies to CSP employee and contractor authenticators.
    -
  • 3. NIST SP 800-63 is a complex set of documents that should be reviewed by any organization implementing MFA for a government system. In addition to the base standards document, NIST provides a FAQ and implementation resources.
  • +
  • 2. NIST SP 800-63 is a complex set of documents that should be reviewed by any organization implementing MFA for a government system. In addition to the base standards document, NIST provides additional resources that may be helpful..
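Review bot: the renumbered item ending "NIST provides additional resources that may be helpful.." has a doubled period; make it "may be helpful." Separately, deleting the NSA "Selecting Secure Multi-factor Authentication Solutions" bullet removes the only pointer CSPs had for identifying FIPS 140 validated MFA products, while the answer above still tells them a RAR cannot carry this gap as an open POA&M; consider replacing the bullet with a pointer to the NIST CMVP validated-module listing rather than dropping it outright.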
  • @@ -305,35 +306,35 @@

    Third Party Assessors

    + aria-controls="tpa-what-is"> What is a third party assessment organization (3PAO)?

    -

    3PAOs play a critical role in the authorization process by assessing the security of a Cloud Service Offering (CSO). As independent third parties, they perform initial and periodic assessments of cloud systems to ensure they meet FedRAMP requirements. The federal government uses 3PAO assessments as the basis for making informed, risk-based authorization decisions for the use of cloud products and services. 3PAOs are accredited by the American Association for Laboratory Accreditation (A2LA). A list of FedRAMP recognized 3PAOs can be found on the FedRAMP Marketplace under the “Assessors” tab.

    -

    In addition to the critical role that 3PAOs play in assessing cloud services, some Cloud Service Providers (CSPs) use 3PAOs as consultants to help prepare security documentation or provide security advisory services. When CSPs use 3PAO advisors, they must select a different 3PAO to conduct an assessment of their cloud service to ensure that the assessor maintains impartiality.

    +

    3PAOs play a critical role in the authorization process by assessing the security of a cloud service offering (CSO). As independent third parties, they perform initial and periodic assessments of cloud systems to ensure they meet FedRAMP requirements. The federal government uses 3PAO assessments as the basis for making informed, risk-based authorization decisions for the use of cloud products and services. 3PAOs are accredited by the American Association for Laboratory Accreditation (A2LA). A list of FedRAMP recognized 3PAOs can be found on the FedRAMP Marketplace under the “Assessors” tab.

    +

    In addition to the critical role that 3PAOs play in assessing cloud services, some cloud service providers (CSPs) use 3PAOs as consultants to help prepare security documentation or provide security advisory services. When CSPs use 3PAO advisors, they must select a different 3PAO to conduct an assessment of their cloud service to ensure that the assessor maintains impartiality.

    + aria-controls="tpa-validated"> How does a company become a FedRAMP recognized third party assessment organization (3PAO)? How is the independence and quality of a 3PAO validated?

    -

    In order to become a FedRAMP recognized 3PAO, the American Association for Laboratory Accreditation (A2LA) must perform an initial assessment of the 3PAO and provide an initial assessment recommendation to FedRAMP for approval. For a 3PAO to maintain its FedRAMP recognition, A2LA must perform a favorable annual review and a full on-site reassessment every two years. A2LA assessments ensure 3PAOs meet the requirements of ISO/IEC 17020 (as revised) and FedRAMP-specific knowledge requirements. More information on becoming an accredited 3PAO may be found on the A2LA website .

    +

    In order to become a FedRAMP recognized 3PAO, the American Association for Laboratory Accreditation (A2LA) must perform an initial assessment of the 3PAO and provide an initial assessment recommendation to FedRAMP for approval. For a 3PAO to maintain its FedRAMP recognition, A2LA must perform a favorable annual review and a full on-site reassessment every two years. A2LA assessments ensure 3PAOs meet the requirements of ISO/IEC 17020 (as revised) and FedRAMP-specific knowledge requirements. More information on becoming an accredited 3PAO may be found on the A2LA website .

    + aria-controls="tpa-csps-recognized"> Are cloud service providers (CSPs) required to use a FedRAMP recognized third party assessment organization (3PAO)?

    -

    For the JAB Authorization process, the assessment organization must be a FedRAMP recognized 3PAO. For the Agency Authorization process, a 3PAO is recommended, but not required. A CSP’s agency partner may choose to use their own Independent Verification and Validation (IV&V) organization to assess the system. If an agency chooses to use their own IV&V team, they must submit an attestation regarding the team’s independence, and the IV&V team must use FedRAMP templates for the assessment and follow all FedRAMP requirements.

    +

    For the JAB Authorization process, the assessment organization must be a FedRAMP recognized 3PAO.For the Agency Authorization process, a 3PAO is recommended, but not required. A CSP’s agency partner may choose to use their own independent assessment organization to assess the system. If an agency chooses to use their own independent assessment organization, the Agency Authorizing Official must submit an attestation regarding the organization’s impartiality and independence. The independent assessment organization must use the most current FedRAMP templates for the assessment and follow all FedRAMP requirements.

    + aria-controls="tpa-continuous-monitoring"> What is the role of the third party assessment organization (3PAO) in continuous monitoring?

    -

    For the JAB Authorization process, Cloud Service Providers (CSPs) must use a FedRAMP recognized 3PAO for annual assessments of its cloud system and to evaluate the impact of some changes a CSP makes to its cloud system. For the Agency Authorization process, a 3PAO is recommended, but not required. Additionally, some CSPs may acquire 3PAO services for monthly Continuous Monitoring.

    +

    For the FedRAMP JAB Authorization process, cloud service providers (CSPs) must use a FedRAMP recognized 3PAO for annual assessments of its cloud offering and to evaluate the impact of those changes. For the FedRAMP Agency Authorization process, a FedRAMP recognized 3PAO is recommended, but is not required. Additionally, some CSPs may acquire 3PAO services for monthly continuous monitoring.
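Review bot: two wording defects in the added lines. In the "required to use a 3PAO" answer, "a FedRAMP recognized 3PAO.For the Agency Authorization process" is missing the space after the period. In the continuous monitoring answer, "to evaluate the impact of those changes" has lost its antecedent: the removed line said "some changes a CSP makes to its cloud system", so either restore that phrase or write "the impact of significant changes to that offering". Also, both versions of the accreditation answer end with "A2LA website ." (stray space before the period), which the rewrite could fix while it touches the paragraph.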

    @@ -345,9 +346,9 @@

    aria-controls="auth-ato-pato"> What is an Authority to Operate (ATO) and Provisional Authority to Operate (P-ATO) and how are they issued?

    -

    Cloud Service Offerings (CSOs) can obtain an ATO or P-ATO one of two ways:

    -

    P-ATO through the Joint Authorization Board (JAB): a JAB P-ATO is an initial approval of the Cloud Service Provider (CSP) authorization package by the JAB that any federal agency can leverage to grant an ATO for the use of the cloud service within their agency. The JAB consists of the Chief Information Officers (CIOs) from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA), supported by designated technical representatives (TRs) from their respective member organizations. The JAB P-ATO is called a provisional ATO because there is no risk accepted by JAB CIOs. The JAB P-ATO signifies all three JAB agencies reviewed the security package and deemed it acceptable for the federal community. In turn, agencies review the JAB P-ATO and the associated security package and clear it for their agency’s use. In doing so, the agency issues their own authorization to use the product. Additionally, the JAB will conduct continuous monitoring for systems that have earned a P-ATO.

    -

    Agency ATO through the Agency Authorization process: a CSP works directly with the agency partner who reviews the cloud service’s security package. After completing a security assessment, the agency Authorizing Official (or their designee) can issue an ATO.

    +

    Cloud service offerings (CSOs) can obtain an ATO or P-ATO one of two ways:

    +

    P-ATO through the Joint Authorization Board (JAB): A JAB P-ATO is an initial approval of the cloud service provider (CSP) authorization package by the JAB that any federal agency can leverage to grant an ATO for the use of the cloud service within their agency. The JAB consists of the Chief Information Officers (CIOs) from the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA), supported by designated technical representatives (TRs) from their respective member organizations. The JAB P-ATO is called a provisional ATO because there is no risk accepted by JAB CIOs. The JAB P-ATO signifies all three JAB agencies reviewed the security package and deemed it acceptable for the federal community. In turn, agencies review the JAB P-ATO and the associated security package and clear it for their agency’s use. In doing so, the agency issues their own authorization to use the product. Additionally, the JAB will conduct continuous monitoring for systems that have earned a P-ATO.

    +

    Agency ATO through the Agency Authorization process: A CSP works directly with the agency partner who reviews the cloud service’s security package. After completing a security assessment, the agency authorizing official (or their designee) can issue an ATO.

    For more information about these two authorization paths, please visit our Agency Authorization and JAB Authorization pages.
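Review bot: the only change in this hunk is capitalization, so take the chance to fix the grammar of the lead sentence, which reads "can obtain an ATO or P-ATO one of two ways" in both the old and new versions; it needs "in one of two ways".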

    @@ -361,10 +362,10 @@

    + aria-controls="auth-penetration-test"> Is a penetration test required for FedRAMP authorization?

    -

    Yes, a FedRAMP-accredited Third Party Assessment Organization (3PAO) must perform an announced penetration test as part of the assessment/testing process for Moderate and High systems. For more information, please refer to the FedRAMP Penetration Test Guidance [PDF - 984KB].

    +

    Yes, a FedRAMP recognized third party assessment organization (3PAO) must perform an announced penetration test as part of the assessment/testing process for Moderate and High systems. For more information, please refer to the FedRAMP Penetration Test Guidance.
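Review bot: the answer still scopes the penetration test requirement to "Moderate and High systems" without saying what applies at Low; because the question is a plain yes/no, readers will infer that Low systems are exempt, so state that explicitly one way or the other rather than leaving it implied. The change from "FedRAMP-accredited" to "FedRAMP recognized" matches the wording used in the 3PAO section and is fine.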

    @@ -375,30 +376,30 @@

    aria-expanded="false" - aria-controls="conmon-requirements"> What are FedRAMP’s Continuous Monitoring requirements? + aria-controls="conmon-requirements"> What are FedRAMP’s continuous monitoring requirements?

    -

    Continuous Monitoring ensures a service offering maintains an appropriate security posture for the life of the system at an agency. Cloud Service Providers (CSPs) maintain and validate the security posture of their service offering through vulnerability management, including monthly operating system, database, and web application scanning reports. They also conduct an Annual Assessment and report incidents. Please refer to the FedRAMP Continuous Monitoring Strategy Guide [PDF - 1.11MB] for a list of all continuous monitoring deliverable requirements and to the FedRAMP Continuous Monitoring Performance Management Guide [PDF - 800KB] for guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements.

    +

    Continuous monitoring ensures a service offering maintains an appropriate security posture for the life of the system. Cloud service providers (CSPs) maintain and validate the security posture of their service offering through vulnerability management, including monthly operating system, database, web application, and container scanning reports. CSPs also conduct an annual assessment and report incidents. Please refer to the FedRAMP Continuous Monitoring Strategy Guide for a list of all continuous monitoring deliverable requirements and to the FedRAMP Continuous Monitoring Performance Management Guide for guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements.

    + aria-controls="conmon-assessment"> What is the process for handling false positives found during an initial or annual assessment when the security assessment report (SAR) is closed but has not yet been approved by the partnering agency?

    -

    All of the false positives found during the Annual Assessment should be added to the Plan of Action and Milestones (POA&M). If they are approved before the SAR is closed/signed, they are moved to the “Closed POA&M Items” tab. If they have not been approved, they should remain in the “Open POA&M Items” tab until approved. Then, at least annually during assessment, the false positives should be evaluated for continued false positive status. For more information on handling the Annual Assessment and scan findings review the FedRAMP Continuous Monitoring Strategy Guide [PDF - 1.11MB].

    +

    All of the false positives, found during the annual assessment, should be added to the plan of action and milestones (POA&M). If they are approved before the SAR is closed/signed, they are moved to the “Closed POA&M Items” tab. If they have not been approved, they should remain in the “Open POA&M Items” tab until approved. Then, at least annually during assessment, the false positives should be evaluated for continued false positive status. For more information on handling the annual assessment and scan findings review the FedRAMP Continuous Monitoring Strategy Guide.

    + aria-controls="conmon-changes-infrastructure"> For cloud services that are authorized, what happens if the cloud service provider (CSP) changes the infrastructure of the system?

    -

    A change in infrastructure would be considered a significant change that would need to be evaluated for the scope of the change, impact on the risk posture, and could possibly result in the need for re-authorization. See the FedRAMP Program Management Office’s (PMO’s) Significant Change Policies and Procedures guidance [WORD - 563KB] for more information.

    +

    A change in infrastructure would be considered a significant change that would need to be evaluated for the scope of the change, impact on the risk posture, and could possibly result in the need for re-authorization. See the FedRAMP Significant Change Policies and Procedures guidance for more information.
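Review bot: in the false-positives answer, the added commas in "All of the false positives, found during the annual assessment, should be added" turn a restrictive clause into a parenthetical and change the meaning (it now reads as if all false positives from any source are meant); drop the commas. The question covers an "initial or annual assessment" but the answer only mentions the annual one; say whether the same POA&M handling applies to findings from the initial assessment. Also "For more information on handling the annual assessment and scan findings review the" needs a comma before "review". Adding container scanning to the monthly deliverables is the only substantive change in the hunk.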

    @@ -407,18 +408,10 @@

    Acquisition

    -

    -
    -

    No. Agencies cannot require a JAB P-ATO as a requirement to bid on a federal contract. Federal agencies cannot include a JAB P-ATO as a condition of the contract as no agency can commit the JAB to issuing a P-ATO.

    -
    -

    - + aria-controls="acquisition-preference-P-ATO"> How can an agency show preference for types of FedRAMP authorizations when developing criteria for offeror evaluations?

    -

    Program offices seeking to expedite a FedRAMP Authorization can consider source selection criteria that can be used in evaluating Cloud Service Offerings (CSOs) that may already have a JAB P-ATO. Inclusion of such evaluation criteria should be discussed with the agency acquisition integrated project team (IPT), including appropriate legal representation.

    +

    Program offices seeking to expedite onboarding of a CSP authorization can consider source selection criteria that can be used in evaluating cloud service offerings (CSOs) that may already have an existing type of FedRAMP authorization. Inclusion of such evaluation criteria should be discussed with the agency acquisition integrated project team (IPT), including appropriate legal representation.

    -

    FedRAMP requirements apply to all federal agencies when federal information is collected, maintained, processed, disseminated, or disposed of by Cloud Service Providers (CSPs). Federal agencies are responsible for ensuring the FedRAMP requirements are met. Contractors are held accountable for performance written into a contract. Program and project managers must include FedRAMP requirements in performance criteria, deliverables, and other appropriate performance outcomes to facilitate inclusion in contract awards.

    +

    FedRAMP requirements apply to all federal agencies when federal information is collected, maintained, processed, disseminated, or disposed of by cloud service providers (CSPs). Federal agencies are responsible for ensuring the FedRAMP requirements are met. Contractors are held accountable for performance written into a contract. Program and project managers must include FedRAMP requirements in performance criteria, deliverables, and other appropriate performance outcomes to facilitate inclusion in contract awards.

    -

    No. The FedRAMP process builds on the National Institute of Standards and Technology (NIST) FISMA baseline controls by removing requirements that are not applicable to commercial entities and replacing those with controls more appropriate for ensuring security related to protecting information maintained on behalf of the federal government.

    +

    No. The FedRAMP process builds on FISMA and the National Institute of Standards and Technology (NIST) baseline controls by removing requirements that are not applicable to commercial entities and replacing those with controls more appropriate for ensuring security related to protecting information maintained on behalf of the federal government.

    + aria-controls="acquisition-ready-inidicator"> Is a cloud service provider’s (CSP) FedRAMP Ready designation on the FedRAMP Marketplace an indicator that they will have an easier time getting through the FedRAMP authorization process?

    -

    Perhaps. FedRAMP Ready means a CSP has expressed an interest in becoming a federal provider by sharing information with the federal government that indicates they can meet several of the baseline FedRAMP criteria. FedRAMP Ready does not mean the vendor has achieved FedRAMP Authorization via the Joint Authorization Board (JAB) or an agency.

    +

    Perhaps. FedRAMP Ready means a CSP has expressed an interest in becoming a federal provider by sharing information with the federal government that indicates they can meet several of the baseline FedRAMP criteria. FedRAMP Ready does not mean the vendor has achieved FedRAMP authorization via the Joint Authorization Board (JAB) or an agency.

    + aria-controls="acquisition-condition-award"> Can an agency require a FedRAMP authorization as a condition of the contract award?

    -

    In some cases, but only if there are an adequate number of vendors to allow for effective competition. Inclusion of FedRAMP Authorization as a condition of contract award or use as an evaluation factor should be discussed with the agency acquisition integrated project team (IPT), including appropriate legal representation.

    +

    In some cases, but only if there are an adequate number of vendors to allow for effective competition. Inclusion of FedRAMP authorization as a condition of contract award or use as an evaluation factor should be discussed with the agency acquisition integrated project team (IPT), including appropriate legal representation.

    + aria-controls="acquisition-personnel-screening"> What does FedRAMP require for personnel screening requirements from cloud service providers (CSPs)?

    FedRAMP requires CSPs to describe their organization’s personnel screening requirements. If an agency has requirements for federal background investigations, or additional screening and/or citizenship and physical location (e.g., U.S. citizens in Continental United States [CONUS] offices only), then those requirements would need to be specified in the solicitation language, which may affect bid pricing.
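Review bot: the hunk deletes the answer "No. Agencies cannot require a JAB P-ATO as a requirement to bid on a federal contract... no agency can commit the JAB to issuing a P-ATO" but keeps the later question "Can an agency require a FedRAMP authorization as a condition of the contract award?", whose answer ("In some cases...") no longer carries the JAB-specific caveat. If the P-ATO question is intentionally retired, fold the "no agency can commit the JAB to issuing a P-ATO" sentence into the remaining answer so the distinction between a JAB P-ATO and an agency ATO as a contract condition is not lost. Minor: "expedite onboarding of a CSP authorization" is awkward; "expedite onboarding of an authorized CSO" says what is meant.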

    @@ -486,15 +479,9 @@

    aria-controls="test-security-when-FIPS-NSA-cryptography-required">When is Federal Information Processing Standards (FIPS)-validated or National Security Agency (NSA) approved cryptography required?

    -

    Security Control-13 (SC-13) requires that FIPS 140-validated or NSA-approved cryptographic modules (CMs) are used where cryptography is required. For example, encryption is required for federal data at-rest [SC-28], data in-transit [SC-8(1)], and authentication [IA-2(11)] for FedRAMP Moderate and High systems.

    -
    -

    - -

    -
    -

    SC-13 applies to all required cryptographic functions. Cryptography encompasses more than just encryption. It includes digital signatures, encryption, key management, message authentication, random number generation, and secure hashing.

    +

    Security control SC-13 requires that FIPS 140-validated or NSA-approved cryptographic modules (CMs) are used where cryptography is required.

    + +

    For more information on SC-13, please reference the SC-13 Additional FedRAMP requirements and guidance described in the FedRAMP Security Controls Baseline.

    -

    The status of a cryptographic module (CM) submitted for testing and validation can be found at the National Institute of Standards and Technology (NIST) website.

    +

    The status of a cryptographic module submitted for testing and validation can be found at the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) website .
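Review bot: the rewrite drops the sentence "SC-13 applies to all required cryptographic functions. Cryptography encompasses more than just encryption. It includes digital signatures, encryption, key management, message authentication, random number generation, and secure hashing." That sentence is what stops readers from treating SC-13 as an encryption-only control, and the surrounding FIPS guidance still says "where encryption is required", so without it a CSP can reasonably conclude that hashing, signing and RNG modules are out of scope. Keep it, or carry it into the SC-13 guidance the new text points to. Also "(CMVP) website ." has a stray space before the period.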

    @@ -523,7 +510,7 @@

    aria-controls="security-know-if-cryptographic-module-NSA-approved">How do you know if a cryptographic module is NSA-approved?

    -

    National Security Agency (NSA)-tested and approved cryptographic modules (CMs) are also acceptable. The NSA validation status of a CM can be found at the National Information Assurance Partnership (NIAP) website. Since FIPS 140-validated CMs are by far more commonly used in Cloud Service Offerings (CSOs) than NSA-approved CMs, we will refer to FIPS mode from here on.

    +

    National Security Agency (NSA)-tested and approved cryptographic modules (CMs) are also acceptable. The NSA validation status of a CM can be found on the National Information Assurance Partnership (NIAP) website . Since FIPS 140-validated CMs are by far more commonly used in cloud service offerings (CSOs) than NSA-approved CMs, we will refer to FIPS mode from here on.

    + aria-controls="use-of-TLS-1.2-above-statisfy-SC-13-requirements">Does the use of Transport Layer Security (TLS) 1.2 or above satisfy the SC-13 requirement?

    -

    No. The SC-13 requirement applies to cryptographic modules (CMs) used to implement TLS; the use of TLS alone does not satisfy the requirement. While TLS 1.2 and above are required at the protocol level, it is necessary to demonstrate that FIPS 140-validated CMs are used to implement the protocol. It is worth noting that some FIPS 140-2 validated modules may not support cryptographic algorithms to allow for TLS 1.3. In addition to listing ports and protocols, CSPs must also identify the component that performs the encryption function along with the FIPS validation certificate number. For each component and data flow, the SSP Data Flow Diagram(s) and control implementation statements should clearly depict one of the following:

    +

    No. The SC-13 requirement applies to cryptographic modules (CMs) used to implement TLS; the use of TLS alone does not satisfy the requirement. While TLS 1.2 and above are required at the protocol level, it is necessary to demonstrate that FIPS 140-validated CMs are used to implement the protocol. It is worth noting that some FIPS 140 validated modules may not support cryptographic algorithms to allow for TLS 1.3. In addition to listing ports and protocols, CSPs must also identify the component that performs the encryption function along with the FIPS validation certificate number. For each component and data flow, the SSP Data Flow Diagram(s) and control implementation statements should clearly depict one of the following:

    • FIPS-validated CM is implemented [with certificate number in SC-13 control description]
    • Encryption is implemented, but not FIPS-validated
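Review bot: the TLS answer now mixes "FIPS 140-validated CMs" and "FIPS 140 validated modules" in one paragraph; pick one form (the rest of the page hyphenates "FIPS 140-validated"). The NSA-approved answer has the same "website ." stray space as the CMVP line in the previous hunk. Replacing "FIPS 140-2 validated" with "FIPS 140 validated" is a sensible generalization, but the TLS 1.3 algorithm caveat it qualifies was written about 140-2 modules, so re-check that the sentence still says what is intended for modules validated under later revisions.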
    • @@ -554,26 +541,26 @@

        -
      • For Cloud Service Offerings (CSOs) pursuing FedRAMP Ready (required for a FedRAMP JAB authorization), all federal mandates must be met. This means FIPS 140-validated modules must be implemented where encryption is required. Gaps cannot be addressed within a Plan of Action and Milestones (POA&M).
      • -
      • For CSOs pursuing a FedRAMP authorization via the Agency path, Agency Authorizing Officials (AOs) may risk-accept FIPS 140 gaps under some circumstances. The first step is for the 3PAO to fully document and validate the FIPS status and document gaps in the POA&M to inform the AO’s risk-based authorization decision.
      • +
      • For Cloud service offerings (CSOs) pursuing FedRAMP Ready (required for a FedRAMP JAB authorization), all federal mandates must be met. This means FIPS 140-validated modules must be implemented where encryption is required. Gaps cannot be addressed within a plan of action and milestones (POA&M).
      • +
      • For CSOs pursuing a FedRAMP authorization via the FedRAMP Agency Authorization path, agency authorizing officials (AOs) may risk-accept FIPS 140 gaps under some circumstances. The first step is for the 3PAO to fully document and validate the FIPS status and document gaps in the POA&M to inform an AO’s risk-based authorization decision.

      + aria-controls="security-how-CSP-document-FIPS-140-status-gaps">How should a cloud service provider (CSP) document FIPS 140 status and any gaps?

      • CSP should take the approach that FIPS-validated CMs need to be implemented everywhere cryptography is required, and not look for exceptions.
      • FedRAMP documentation should clearly show encryption and FIPS validation status for every data store, every data flow and authentication method.
      • -
      • Plan of Action and Milestones (POA&M) should be established where gaps exist. The POA&M should include the reason for using non-compliant modules, for example:
      • +
      • Plan of action and milestones (POA&M) should be established where gaps exist. The POA&M should include the reason for using non-compliant modules, for example:
        • Migrated to a new version of the product; CM is undergoing National Institute of Standards and Technology (NIST) FIPS validation
        • FIPS certificate for current version of the product is now “historical”; vendor seeking FIPS validation for new product
        • Product does not support FIPS-validated encryption
        • Component breaks in FIPS-mode, waiting for vendor patch
        -
      • POA&Ms should include a clear remediation plan and timeline to help inform the AO’s decision, for example:
      • +
      • POA&Ms should include a clear remediation plan and timeline to help inform an AO’s decision, for example:
        • Replace component with FIPS-validated module prior to authorization
        • Patch when compliant version available from vendor
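Review bot: "For Cloud service offerings (CSOs)" has a stray capital on "Cloud" while the rest of the patch lowercases the term; make it "For cloud service offerings (CSOs)". The substitution of "an AO's" for "the AO's" in both POA&M bullets is fine. Since the "how should a CSP document FIPS 140 status" list tells CSPs not to look for exceptions while the gap bullet says agency AOs may risk-accept FIPS 140 gaps, consider cross-referencing the two so the list of POA&M reasons is read as what an AO needs to see, not as a menu of acceptable exceptions.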
        • @@ -586,12 +573,13 @@

          + aria-controls="expectation-3PAO-CSP-tracking-compliance-cm-6">What is the expectation for third party assessment organization (3PAO) and cloud service provider (CSP) tracking of compliance checks related to CM-6?

          -

          Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 control for Configuration Settings is CM-6; however, compliance check findings often map directly to specific 800-53 controls.

          -

          Cloud Service Providers (CSPs) and Third Party Assessment Organizations (3PAOs) typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, of where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding Security Assessment Reports (SAR) Risk Exposure Table (RET), which are then documented in the CSP’s Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

          -

          During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.

          +

          Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 control for configuration settings is CM-6; however, compliance check findings often map directly to specific 800-53 controls.

          +

          For initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, of where risks exist. Therefore, 3PAOs must analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding Security Assessment Reports (SAR) Risk Exposure Table (RET), which are then documented in the CSP’s plan of action and milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable.

          +

          For monthly continuous monitoring, cloud service providers (CSPs) and third party assessment organizations (3PAOs) are now asked to track these findings on a new tab of the POA&M document called “Configuration Findings”. There are no continuous monitoring triggers associated with these findings and they will not count as an “open” POA&M item. This new tab will only facilitate the tracking of and ability to see the deviation from the baseline that was set during the last assessment.

          +

          While findings assessed during the annual assessment or the initial assessment require the application of the specific control, any net new item found during monthly continuous monitoring can be labeled as “CM-6” until the next assessment when the specific control should then be applied and forever, thereafter, remain with the finding.
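Review bot: the added "Configuration Findings" tab paragraph ("For monthly continuous monitoring, cloud service providers (CSPs) ...") says these findings carry no continuous monitoring triggers and do not count as open POA&M items, while the retained closing paragraph says a net new monthly item "can be labeled as "CM-6" until the next assessment"; it is not clear whether such an item is a POA&M entry subject to the normal remediation timelines or only a row on the new tab, and without a stated expectation that drift from the assessed baseline is re-evaluated (or remediated) by the next assessment, configuration drift could accumulate without anyone being obliged to act on it. Suggest one sentence stating how tab entries are dispositioned at the next assessment so the two paragraphs agree. Also, "3PAOs" and "CSP's" are used in the paragraph beginning "For initial assessments, annual assessments, and significant change requests ..." before the expansions "cloud service providers (CSPs)" and "third party assessment organizations (3PAOs)" appear in the following paragraph; move the expansions to first use.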

          @@ -600,68 +588,59 @@

          Rev. 5

          + aria-controls="proceed-with-assessment-against-rev-4">We are actively engaged with an initial agency partner and are under contract with a 3PAO to perform an assessment; however, our agency partner has not submitted a formal In Process Request. Can I proceed with the assessment against the Rev. 4 baseline?

          -

          The PMO recognizes that the timeline for issuing “In Process” requests differs from agency to agency. Cloud Service Providers (CSPs) can proceed with the assessment against the Rev. 4 baseline under the following conditions:

          +

          The FedRAMP PMO recognizes that the timeline for issuing “In Process” requests differs from agency to agency. Cloud Service Providers (CSPs) can proceed with the assessment against the Rev. 4 baseline under the following conditions:

          • The CSP provides evidence they are under contract with a 3PAO (with a defined assessment start date) or are actively undergoing an assessment
          • -
          • The CSP has received approval from the Agency partner to proceed with the assessment against the Rev. 4 baseline. This approval should be noted in the In Process request when is it submitted by the Agency
          • +
          • The CSP has received approval from their agency partner to proceed with the assessment against the Rev. 4 baseline. This approval should be noted in the In Process request when is it submitted by an agency
          -

          -

          -
          -

          No, if your annual assessment is scheduled to occur between July 3, 2023 and December 15, 2023 you can proceed with your 2023 annual assessment using the Rev. 4 baseline. You must implement the Rev. 5 baseline prior to your 2024 annual assessment, during which your Rev. 5 implementation will be tested.

          -
          -

          - + aria-controls="scr-controls">Please provide confirmation that significant change requests (SCR) being submitted will be based on the current revision level of the system. If an SCR is submitted, prior to the system undergoing a transition assessment to Rev. 5, the SCR would leverage Rev. 4 controls, correct?

          -

          Cloud Service Providers (CSPs) will be implementing Rev. 5 controls based on the plans created from their Rev. 4 to Rev. 5 gap analysis. SCRs will be based on Rev. 4 or Rev. 5 determined by those CSP-specific implementation plans, and as coordinated with your Authorizing Official (AO).

          +

          Cloud service providers (CSPs) will be implementing Rev. 5 controls based on the plans created from their Rev. 4 to Rev. 5 gap analysis. SCRs will be based on Rev. 4 or Rev. 5 determined by those CSP-specific implementation plans, and as coordinated with your agency authorizing official (AO).

          + aria-controls="rev-5-transition-timeline">What are the Rev. 5 transition timeline requirements?

          -
          -

          Please refer to the "FedRAMP Baseline Rev. 5 Transition Schedule" section of the FedRAMP Baseline Revision 5 Transition Plan to determine your place in the transition schedule and what guidance you should follow in coordination with guidance from your Authorizing Official (AO).

          +
          +

          Please refer to the "FedRAMP Baseline Rev. 5 Transition Schedule" section of the FedRAMP Baseline Revision 5 Transition Plan to determine your place in the transition schedule and what guidance you should follow in coordination with guidance from your agency authorizing official (AO).

          + aria-controls="conflicts-control-requirements-stig">How should we handle conflicts between the FedRAMP control requirements and Security Technical Implementation Guides (STIGs)? For example, IA-5 (1) states that no rotation is necessary for passwords (per NIST 800-63)); however, STIGs require a 60 day maximum rotation. How should we proceed?

          -

          If a Security Technical Implementation Guide (STIG) configuration parameter is more restrictive than the associated FedRAMP Rev. 5 baseline requirement, the Cloud Service Provider is under no obligation to implement the STIG parameter unless it is covered under an Executive Order or DHS Emergency Directive.

          +

          If a Security Technical Implementation Guide (STIG) configuration parameter is more restrictive than the associated FedRAMP Rev. 5 baseline requirement, the cloud service provider is under no obligation to implement the STIG parameter unless it is covered under an Executive Order or DHS Emergency Directive.

          + aria-controls="ca-7-service-configuration-scans">CA-7 has a new “Additional FedRAMP Requirement” to perform monthly “Service Configuration Scans.” To confirm, this means all CM-6 (Defense Information Systems Agency Security Technical Implementation Guide, etc.) benchmark scans must be performed monthly and uploaded to the FedRAMP document repository monthly now? In addition, please confirm whether the 3PAO also needs to perform/submit all of these compliance scans annually as part of the security assessment report (SAR)?

          -

          Yes, Cloud Service Providers in Continuous Monitoring (ConMon) are required to utilize automated scanning tools to perform service configuration scans monthly and provide the scan results to the FedRAMP documentation repository as part of the monthly ConMon deliverable. 3PAOs will ensure that service configuration scans are performed during annual assessments and provide those scans as part of the SAR.

          +

          Yes, Cloud service providers, in the continuous monitoring (ConMon) phase, are required to utilize automated scanning tools to perform service configuration scans monthly and provide the scan results to the FedRAMP documentation repository as part of the monthly ConMon deliverable. 3PAOs will ensure that service configuration scans are performed during annual assessments and provide those scans as part of the SAR.

          + aria-controls="work-breakdown-structure">Will the Rev. 5 transition plan be solely documented in the plan of action and milestones (POA&M) and system security plan (SSP), or is there an expectation of a work breakdown structure (WBS)?

          -

          While a WBS is not required, it may be requested by your Authorizing Official (AO). Please confirm your AO's expectations. However, the POA&M should have sufficent detail so that the AO can track the activities and progress made.

          +

          While a WBS is not required, it may be requested by your agency authorizing official (AO). Please confirm your AO's expectations; however, the POA&M should have sufficient detail so that an AO can track the activities and progress made.

          + aria-controls="rev-5-control-unique-poa&m">Is it required that each individual Rev. 5 control be tracked as a unique plan of action and milestones (POA&M), or is a high level transition finding acceptable?

          Each control should be tracked separately as a unique POA&M so that they can be managed separately.
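Review bot: the rewritten In Process bullet keeps the word-order error "when is it submitted by an agency" (should be "when it is submitted"), and the added STIG question has an unbalanced parenthesis in "(per NIST 800-63))"; both are worth fixing since this hunk already touches those lines. The CA-7 answer now reads "Yes, Cloud service providers, in the continuous monitoring (ConMon) phase, are required ...", which mixes the capitalized form this commit is otherwise lowercasing and adds commas that turn the subject into a parenthetical; "Yes, cloud service providers in the continuous monitoring (ConMon) phase are required ..." reads cleaner. On substance, the STIG answer only covers the case where the STIG parameter is more restrictive than the Rev. 5 requirement; the reader is left to infer what applies when a STIG is less restrictive, and one sentence stating which requirement governs in that case would close the gap.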

          @@ -669,28 +648,26 @@

          + aria-controls="csp-plan-of-actions-milestones">Is the expectation that cloud service providers will carry plan of action and milestones items for Rev. 5 controls until their transition assessment?

          -

          Cloud Service Providers must manage their Plan of Actions and Milestones (POA&Ms) the same way they manage POA&Ms during continuous monitoring.

          +

          Cloud service providers must manage their plan of action and milestones (POA&Ms) the same way they manage POA&Ms during continuous monitoring.

          + aria-controls="annual-assessment-scope">When transitioning to Rev. 5 as part of an annual assessment, how should the assessment scope be defined?

          -
          -

          As a companion document to the Rev. 5 transition plan, the Control Selection Guide is scheduled for release in the coming weeks. Cloud Service Providers, 3PAOs, and Agencies will use the guide to determine which controls need to be assessed during that annual assessment.

          +
          +

          The FedRAMP Rev. 4 to Rev. 5 Assessment Controls Selection Template was developed to help. cloud service providers, 3PAOs, and agencies determine which controls need to be assessed during an annual assessment.

          + aria-controls="spike-in-poa&m-managed">Documenting a CSP’s Rev. 4 vs Rev. 5 delta as plan of action and milestones (POA&Ms) may cause a large spike in a CSPs POA&M count if they carry those POA&Ms from September 1st 2023 until the CSP’s next annual assessment. It may also cause many overdue POA&Ms. How will this be managed? Finally, who will determine the severity of these POA&Ms created by September 1st 2023?

          -

          POA&Ms created to document Rev. 5 control gaps can be captured as Low severity "manual findings." Once the Rev. 5 control is fully implemented, the CSP will identify the evidence that supports POA&M closure in column Y "Supporting Documents" of the POA&M. For CSPs in Continuous Monitoring, we recognize this may result in a spike of past due POA&Ms during the transition. Please work with your AO determine the appropriate course of action.

          +

          POA&Ms created, to document Rev. 5 control gaps, can be captured as Low severity "manual findings". Once the Rev. 5 control is fully implemented, a CSP should identify the evidence that supports POA&M closure in column Y "Supporting Documents" of the POA&M. For CSPs in the continuous monitoring phase, FedRAMP recognizes this may result in a spike of past due POA&Ms during the transition. Please work with your agency AO to determine the appropriate course of action.

          -

          CSPs with a FedRAMP Authorization must utilize the Rev. 5 SSP template to identify the gaps between their Rev. 4 control implementations and the Rev. 5 requirements. CSPs should have already documented Rev. 4 to Rev. 5 gaps within the POA&M and the Rev. 5 CIS/CRM template. This provides stakeholders visibility into the Rev. 4 controls that have changed and what the CSP will do to implement the Rev. 5 requirements while also documenting the entire Rev. 5 gap.

          -

          Each control that the CSP is documenting a gap for should be a separate POA&M entry. CSPs should not group individual controls together so that the AO and leveraging systems have the necessary fidelity to understand each Rev. 5 control status.

          +

          CSPs with a FedRAMP authorization must utilize the Rev. 5 SSP template to identify the gaps between their Rev. 4 control implementations and the Rev. 5 requirements. CSPs should have already documented Rev. 4 to Rev. 5 gaps within the POA&M and the Rev. 5 CIS/CRM template. This provides stakeholders visibility into the Rev. 4 controls that have changed and what the CSP will do to implement the Rev. 5 requirements while also documenting the entire Rev. 5 gap.

          -

          For CSPs pursuing an initial FedRAMP authorization, deviations from the FedRAMP Baseline Revision 5 Transition Plan must approved by the AO. For CSPs in Continuous Monitoring, deviations must be documented in the CSP's transition plan (due on 9/1/2023) AND approved by the AO.

          +

          For CSPs pursuing an initial FedRAMP authorization, deviations from the FedRAMP Baseline Revision 5 Transition Plan must be approved by an agency AO. For CSPs in the continuous monitoring phase, deviations must be documented in the CSP's transition plan (due on 9/1/23) AND approved by an agency AO.

          -

          FedRAMP is not providing a SCRM template at this time; however, NIST SP 800-161 includes sample SCRM templates in Appendix D.

          +

          FedRAMP is not providing a SCRM template at this time; however, NIST SP 800-161 includes sample SCRM templates in Appendix D.

          -

          CSPs are required to perform (or acquire 3PAOs to perform) Red Team exercises in accordance with CA-8(2) and must provide evidence in the form of a Red Team Test Plan that documents the scope, methodology and approach of the exercise. CSPs must also provide the results of the exercise in the form of a Red Team Test Report. 3PAOs are required to validate and attest to the Red Team Test Plan and Report during the initial SAR testing and during annual assessment testing.

          +

          CSPs are required to perform (or acquire 3PAOs to perform) Red Team exercises in accordance with CA-8(2) and must provide evidence in the form of a Red Team test plan that documents the scope, methodology, and approach of the exercise. CSPs must also provide the results of the exercise in the form of a Red Team test report. 3PAOs are required to validate and attest to the Red Team test plan and report during the initial SAR testing and during annual assessment testing.

          + aria-controls="running-list-cso-implemented-rev5">Is there (or will there be) a running list or spreadsheet of the cloud service offerings that have implemented Rev. 5?

          -

          Not at this time. However, we will continue to have discussions to determine whether this is a capability to include in the future.

          +

          Not at this time; however, FedRAMP will continue to have discussions to determine whether this is a capability to include in the future.

          -

          CSPs will document all operational requirements and false positives from configuration checks the same way that they do vulnerabilities identified from automated scanning tools. Please consult the POA&M Template Completion Guide for further guidance. Not applicable and alternative implementations for configuration settings should be discussed with your AO to determine the appropriate course of action.

          +

          CSPs will document all operational requirements and false positives from configuration checks the same way that they do vulnerabilities identified from automated scanning tools. Please consult the FedRAMP POA&M Template Completion Guide for further guidance. Not applicable and alternative implementations for configuration settings should be discussed with your agency AO to determine the appropriate course of action.

          -

          There are some privacy-related controls in the FedRAMP baselines; however, like with Rev 4, FedRAMP did not include the privacy overlay (Privacy Control Baseline) that NIST has defined in SP 800-53B or any PT controls as part of the FedRAMP baselines. It is the responsibility of each agency to determine their own privacy-related requirements and work with the CSP to make sure those controls are implemented. Privacy controls can flucuate greatly depending on the data types, which is why these are not included as part of the FedRAMP baselines.CSPs should work with their AO to determine if the Agency has privacy requirements above and beyond what is specificed in the Rev. 5 FedRAMP baselines. There are no current plans to provide a Rev. 5 PTA/PIA template for CSPs to complete. Agencies should execute a PTA/PIA to ensure that they are meeting their privacy requirements.

          +

          There are some privacy-related controls in the FedRAMP baselines; however, like with Rev. 4, FedRAMP did not include the privacy overlay (Privacy Control Baseline) that NIST has defined in SP 800-53B or any PT controls as part of the FedRAMP baselines. It is the responsibility of each agency to determine their own privacy-related requirements and work with the CSP to make sure those controls are implemented. Privacy controls can fluctuate greatly depending on the data types, which is why these are not included as part of the FedRAMP baselines. CSPs should work with their agency AO to determine if the agency has privacy requirements above and beyond what is specified in the Rev. 5 FedRAMP baselines. There are no current plans to provide a Rev. 5 PTA/PIA template for CSPs to complete. Agencies should execute a PTA/PIA to ensure that they are meeting their privacy requirements.

          + aria-controls="sr-components-focused-on-paid-vendor-large-components">For supply chain controls: CSPs can define what systems, components, and services fall under the SCRM (SR-2), but is it the intent of the FedRAMP PMO that this only be focused on the paid-vendor or large components? Things like Solarwinds seem obvious to include, but what is the expectation from the FedRAMP PMO in regards to things like pypi sourced packages used to administer the cloud system? Or modules sourced from github used in the product offering of the CSP or in their Infrastructure-as-Code? There are plenty of news articles about those 3rd party modules/components being exploited, but the scope of managing and accounting for those types of components is large, costly, and would make audits take longer.

          -

          FedRAMP will leverage NIST SP 800-161 as the requirements for supply chain considerations for all commercial, proprietary, and open source sources in Cloud Service Offerings (CSO)s. If the technology is being used or leveraged by the CSO, the supply chain controls apply. The Supply Chain Risk Management Plan should enumerate all the products and the plan for managing any risks including open source. According to the supply chain controls, CSPs need to document the scope, methodology and the depth of documenting, managing and testing for the source of products or code being used. The supply chain controls are in scope for audits for FedRAMP but the supplier management is the responsibility of the CSP. 3PAOs will be examining the records and documents, not the individual suppliers.

          +

          FedRAMP will leverage NIST SP 800-161 as the requirements for supply chain considerations for all commercial, proprietary, and open source sources in cloud service offerings (CSO)s. If the technology is being used, or leveraged by the CSO, the supply chain controls apply. The supply chain risk management plan should enumerate all the products and the plan for managing any risks including open source. According to the supply chain controls, CSPs need to document the scope, methodology and the depth of documenting, managing and testing for the source of products or code being used. The supply chain controls are in scope for audits for FedRAMP but the supplier management is the responsibility of the CSP. 3PAOs will be examining the records and documents, not the individual suppliers.

          -

          While the supplemental guidance states that security awareness and security literacy training are two separate training activities, there is no requirement for giving separate trainings, only that the training covers both the topic categories. There is no requirement to provide distinct basic and advanced training. However, organizations may decide to separate basic and advance concepts or combine them. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework).

          +

          While the supplemental guidance states that security awareness and security literacy training are two separate training activities, there is no requirement for giving separate trainings, only that the training covers both the topic categories. There is no requirement to provide distinct basic and advanced training. However, organizations may decide to separate basic and advanced concepts or combine them. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework).

          -

          Control plane traffic in the context of external telecommunications systems are the exchanges with the telecommunication providers that allow for the use of data and voice services and include, for example, management protocols, Domain Name Services (DNS) and Border Gateway Protocol (BGP). The term management plane is not a NIST term and not mentioned in this control but in this context it would be the plane where device management and monitoring takes place inside the authorization boundary. While there would not be a prescribed implementation detecting changes the protocols that defined network level changes do have safeguards built. How the CSP chooses to monitor for changes will be dependent on the implementation.

          +

          Control plane traffic in the context of external telecommunications systems are the exchanges with the telecommunication providers that allow for the use of data and voice services and include (e.g., management protocols, Domain Name Services (DNS) and Border Gateway Protocol (BGP)). The term management plane is not a NIST term and not mentioned in this control but in this context it would be the plane where device management and monitoring takes place inside the authorization boundary. While there would not be a prescribed implementation detecting changes the protocols that defined network level changes do have safeguards built. How the CSP chooses to monitor for changes will be dependent on the implementation.

          -

          CSPs can assess the Baseline Risk Factors defined in NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, Appendix E Table E-1. CSPs will need to work with their vendors to gain access to the necessary documentation that the CSP can review to determine whether the vendor is in alignment with NIST 800-171 or equivalent framework. That may be an internal assessment performed by the supplier, a third-party, or in support of a framework such as PCI or ISO/IEC 27001 and others.

          +

          CSPs can assess the baseline risk factors defined in NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, Appendix E Table E-1. CSPs will need to work with their vendors to gain access to the necessary documentation that the CSP can review to determine whether the vendor is in alignment with NIST 800-171 or equivalent framework. That may be an internal assessment performed by the supplier, a third-party, or in support of a framework such as PCI or ISO/IEC 27001 and others.

          -

          Network connections are represented in several areas of an SSP. The reference number assigned in the Data in Transit (DIT) table of Appendix Q should be used to align these entries to the Ports, Protocols, Service (PPS) table, and DIT lines on the Data Flow Diagram (DFD).

          +

          Network connections are represented in several areas of an SSP. The reference number assigned in the “Data in Transit (DIT)” table of Appendix Q should be used to align these entries to the “Ports, Protocols, Service (PPS)” table, and DIT lines on the data flow diagram (DFD).

          All DIT connections should be included in all three places and are consistently aligned.The Rev. 5 templates address this by:

          • Ensuring all DIT is represented in all three locations
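Review bot: the paragraph "Each control that the CSP is documenting a gap for should be a separate POA&M entry ..." appears to be removed in this hunk with no replacement in the rewritten SSP-template paragraph; the same rule survives in the unique-POA&M answer above ("Each control should be tracked separately as a unique POA&M"), so if the removal is deduplication that is fine, but the rationale about giving the AO and leveraging systems per-control fidelity is lost, and one cross-reference from the SSP-gap answer to that rule would be worth keeping. Smaller points in the added lines: "was developed to help. cloud service providers" has a stray period; "POA&Ms created, to document Rev. 5 control gaps, can be captured" introduces misplaced commas (the removed "POA&Ms created to document Rev. 5 control gaps can be captured" was correct); "(CSO)s" should be "(CSOs)"; "include (e.g., management protocols, Domain Name Services (DNS) and Border Gateway Protocol (BGP))" replaces a correct "include, for example, ..." with an awkward nested parenthetical; and "While there would not be a prescribed implementation detecting changes the protocols that defined network level changes do have safeguards built." is garbled in both the old and new line (a comma after "changes" and a word after "built", e.g. "built in", are missing), so fix it while the line is being edited. The date "9/1/23" in the deviations answer now differs in format from "9/1/2023" in the removed line and "September 1st 2023" in the question it sits under.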
          • diff --git a/_layouts/rev5-transition.html b/_layouts/rev5-transition.html index c38c4028c..7c2369d28 100644 --- a/_layouts/rev5-transition.html +++ b/_layouts/rev5-transition.html @@ -145,7 +145,7 @@

            Documents

            SAR Appendix A - FedRAMP Risk Exposure Table Template - SAR Appendix A: FedRAMP Risk Exposure Table (RET) Template (updated 8/30/2023) + SAR Appendix A: FedRAMP Risk Exposure Table (RET) Template (updated 3/29/2024) FedRAMP Security Assessment Plan (SAP) Template @@ -183,7 +183,7 @@

            Documents

            FedRAMP Laws, Regulations, Standards and Guidance Reference FedRAMP Plan of Action and Milestones (POA&M) Template - FedRAMP Plan of Action and Milestones (POA&M) Template + FedRAMP Plan of Action and Milestones (POA&M) Template (updated 3/29/2024) FedRAMP Guide for Multi-Agency Continuous Monitoring diff --git a/_layouts/training.html b/_layouts/training.html index fa9f645a5..3ba798887 100644 --- a/_layouts/training.html +++ b/_layouts/training.html @@ -261,7 +261,7 @@

            300-0: 3PAO Obligations and Performance Guide

            The 300-0 level training provides an overview of the 3PAO responsibilities, obligations, and performance standards and intends to achieve the following learning objectives:

            • Define the scope of a 3PAO’s roles and responsibilities relating to the FedRAMP assessment process
            • -
            • Describe the importance of FedRAMP’s 3PAO obligations and performance standards as outlined in the 3PAO Obligations and Performance Standards document
            • +
            • Describe the importance of FedRAMP’s 3PAO obligations and performance standards as outlined in the 3PAO Obligations and Performance Standards document
            • Recall the process required for an Independent Assessment Organization (IAO) to become a FedRAMP recognized 3PAO
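Review bot: the removed and added bullets "Describe the importance of FedRAMP's 3PAO obligations and performance standards as outlined in the 3PAO Obligations and Performance Standards document" are textually identical in this view, so the change is presumably to the link target (likely the renamed PDF from the _policy change in this same commit); that cannot be verified from the text alone, so please confirm the new href resolves, and consider mentioning the link retarget in the commit message so the intent is recorded.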
            diff --git a/_policy/2023-04-06-3PAO_Obligations_and_Performance_Guide.md b/_policy/2023-04-06-3PAO_Obligations_and_Performance_Guide.md index f8e6356a1..9c1ac1b2a 100644 --- a/_policy/2023-04-06-3PAO_Obligations_and_Performance_Guide.md +++ b/_policy/2023-04-06-3PAO_Obligations_and_Performance_Guide.md @@ -3,7 +3,7 @@ layout: policy title: 3PAO Obligations and Performance Guide category: Key Assessor Documents weblink: -filename: documents/3PAO_Obligations_and_Performance_Guide.pdf +filename: documents/3PAO_Obligations_and_Performance_Standards.pdf filetype: pdf fileinfo: PDF - 208KB condition: update diff --git a/_policy/2024-03-04-FedRAMP-Continuous-Monitoring-Deliverables-Template.md b/_policy/2024-03-04-FedRAMP-Continuous-Monitoring-Deliverables-Template.md index e6d164338..d4c6c6baa 100644 --- a/_policy/2024-03-04-FedRAMP-Continuous-Monitoring-Deliverables-Template.md +++ b/_policy/2024-03-04-FedRAMP-Continuous-Monitoring-Deliverables-Template.md @@ -12,7 +12,7 @@ doctype: - Template tags: - FedRAMP Security Package - - AB Authorization + - JAB Authorization - Agency Authorization - Continuous Monitoring diff --git a/_policy/2023-08-30-FedRAMP_POAM_Template.md b/_policy/2024-03-29-FedRAMP_POAM_Template.md similarity index 100% rename from _policy/2023-08-30-FedRAMP_POAM_Template.md rename to _policy/2024-03-29-FedRAMP_POAM_Template.md diff --git a/_policy/2023-08-30-SAR-Appendix-A-FedRAMP-Risk-Exposure-Table-Template.md b/_policy/2024-03-29-SAR-Appendix-A-FedRAMP-Risk-Exposure-Table-Template.md similarity index 100% rename from _policy/2023-08-30-SAR-Appendix-A-FedRAMP-Risk-Exposure-Table-Template.md rename to _policy/2024-03-29-SAR-Appendix-A-FedRAMP-Risk-Exposure-Table-Template.md diff --git a/_posts/2020-07-23-fedramp-announces-document-and-template-updates.md b/_posts/2020-07-23-fedramp-announces-document-and-template-updates.md index bca761ada..e06a23463 100644 --- a/_posts/2020-07-23-fedramp-announces-document-and-template-updates.md 
+++ b/_posts/2020-07-23-fedramp-announces-document-and-template-updates.md @@ -7,11 +7,11 @@ author: FedRAMP layout: blog-page --- -FedRAMP released updates to the System Security Plan (SSP) Attachment 12 template, the FedRAMP Master Acronym and Glossary document, and the FedRAMP Initial Authorization Package Checklist template. +FedRAMP released updates to the System Security Plan (SSP) Attachment 12 template, the FedRAMP Master Acronym and Glossary document, and the FedRAMP Initial Authorization Package Checklist template. The SSP Attachment 12 - FedRAMP Laws and Regulations template was updated to include the latest publications, policies information, and relevant links. This is a required attachment to the SSP template and should be used, or updated, by CSPs undergoing the initial authorization process and submitted as part of their SSP package. -The FedRAMP Master Acronym and Glossary document was updated to include a more comprehensive listing of acronyms / terms found in FedRAMP documentation. +The FedRAMP Master Acronym and Glossary document was updated to include a more comprehensive listing of acronyms / terms found in FedRAMP documentation. The FedRAMP Initial Authorization Package Checklist template was updated to remove attachments that are now embedded in the SSP template and to clarify instructions. CSPs are required to complete and submit the checklist when uploading the authorization package to the FedRAMP Repository. diff --git a/_posts/2020-09-01-updated-3PAO-obligations-and-performance-standards-document.md b/_posts/2020-09-01-updated-3PAO-obligations-and-performance-standards-document.md index bb8efc404..a36ec0b92 100644 --- a/_posts/2020-09-01-updated-3PAO-obligations-and-performance-standards-document.md +++ b/_posts/2020-09-01-updated-3PAO-obligations-and-performance-standards-document.md 
@@ -7,7 +7,7 @@ author: FedRAMP layout: blog-page --- -FedRAMP recently updated the 3PAO Obligations and Performance Standards document to provide additional clarity and guidance to 3PAOs. This document shares comprehensive information about the 3PAO program, the accreditation standards, and the performance standards a FedRAMP 3PAO must follow to maintain good standing. +FedRAMP recently updated the 3PAO Obligations and Performance Standards document to provide additional clarity and guidance to 3PAOs. This document shares comprehensive information about the 3PAO program, the accreditation standards, and the performance standards a FedRAMP 3PAO must follow to maintain good standing. In addition, the PMO has developed a brief video that covers an overview of the changes to this document. diff --git a/_posts/2023-04-06-updated-3PAO-obligations-and-performance-standards-document.md b/_posts/2023-04-06-updated-3PAO-obligations-and-performance-standards-document.md index 728e26afc..c91135993 100644 --- a/_posts/2023-04-06-updated-3PAO-obligations-and-performance-standards-document.md +++ b/_posts/2023-04-06-updated-3PAO-obligations-and-performance-standards-document.md 
@@ -6,7 +6,7 @@ image: /assets/img/blog-images/-general-blog-banners/general-banner-3PAO.png author: FedRAMP layout: blog-page --- -The FedRAMP PMO, in coordination with the American Association for Laboratory Accreditation (A2LA), has made several revisions to the FedRAMP Third Party Assessment Organization (3PAO) Obligations and Performance Standards document that focus on further defining the program’s 3PAO performance and compliance expectations. +The FedRAMP PMO, in coordination with the American Association for Laboratory Accreditation (A2LA), has made several revisions to the FedRAMP Third Party Assessment Organization (3PAO) Obligations and Performance Standards document that focus on further defining the program’s 3PAO performance and compliance expectations. The updates include: - Ensuring 3PAO compliance with the requirements set forth in the FedRAMP Authorization Act, including Section 3612. Declaration of foreign interests diff --git a/_posts/2023-07-20-3pao-assessment-teams-must-be-qualified.md b/_posts/2023-07-20-3pao-assessment-teams-must-be-qualified.md index 0acbdaa22..1e6c58574 100644 --- a/_posts/2023-07-20-3pao-assessment-teams-must-be-qualified.md +++ b/_posts/2023-07-20-3pao-assessment-teams-must-be-qualified.md 
@@ -10,7 +10,7 @@ FedRAMP requires FedRAMP recognized third party assessment organization (3PAO) p Beginning on October 1, 2023, FedRAMP, in coordination with A2LA, will be actively reviewing cloud service offering (CSO) initial authorization / annual assessment submissions and 3PAO-provided Readiness Assessment Report (RAR) submissions to ensure the documented 3PAO assessment teams are staffed with qualified personnel. -In accordance with the FedRAMP Obligations and Performance Standards document, *"any 3PAO assessment deliverables containing work performed, prepared, or submitted by 3PAO personnel who do not meet the requirements for their role will be determined to be invalid, will be rejected, and will need to be redone by personnel who meet the required qualifications. FedRAMP will pursue corrective actions and possible removal of FedRAMP recognition if 3PAO deliverables and personnel do not meet these performance standards.”* +In accordance with the FedRAMP Obligations and Performance Standards document, *"any 3PAO assessment deliverables containing work performed, prepared, or submitted by 3PAO personnel who do not meet the requirements for their role will be determined to be invalid, will be rejected, and will need to be redone by personnel who meet the required qualifications. FedRAMP will pursue corrective actions and possible removal of FedRAMP recognition if 3PAO deliverables and personnel do not meet these performance standards.”* Failure of a 3PAO to perform according to these standards affects the federal government’s ability to authorize cloud systems based on a 3PAO’s independent assessment, as outlined in “Appendix B: Detailed 3PAO Performance Standards” of the aforementioned document. It is obligatory for 3PAOs to ensure each assessment team is staffed appropriately to avoid delays in FedRAMP’s ability to review authorization packages, annual assessments, and RARs. 
diff --git a/_posts/2023-08-01-new-3pao-training-obligations-and-performance-standards.md b/_posts/2023-08-01-new-3pao-training-obligations-and-performance-standards.md index afece9187..06ad3fbb3 100644 --- a/_posts/2023-08-01-new-3pao-training-obligations-and-performance-standards.md +++ b/_posts/2023-08-01-new-3pao-training-obligations-and-performance-standards.md @@ -6,7 +6,7 @@ image: /assets/img/blog-images/2023-08-01-new-3pao-training-obligations-and-perf author: FedRAMP layout: blog-page --- -FedRAMP recognized Third Party Assessment Organizations (3PAOs) now have a 300-0 Obligations and Performance Standards training course that complements the FedRAMP 3PAO Obligations and Performance Standards document and also serves as an introduction to the new 3PAO training curriculum. +FedRAMP recognized Third Party Assessment Organizations (3PAOs) now have a 300-0 Obligations and Performance Standards training course that complements the FedRAMP 3PAO Obligations and Performance Standards document and also serves as an introduction to the new 3PAO training curriculum. The training and accompanying FedRAMP 3PAO Obligations and Performance Standards document outlines the: - Scope of a 3PAO’s roles and responsibilities related to the FedRAMP assessment processes diff --git a/_team/brian_conrad.md b/_team/brian_conrad.md deleted file mode 100644 index bd59bf220..000000000 --- a/_team/brian_conrad.md +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -layout: teammate -name: Brian Conrad -image: /assets/img/team/profile_BrianConrad.jpg -title: Acting FedRAMP Director and Program Manager for Cybersecurity -body-class: page-team-single -date: 2022-01-04 -order: 100 - ---- -Brian Conrad joined the Federal Risk and Authorization Management Program (FedRAMP) team within the U.S. General Services Administration (GSA) in December 2018, bringing with him a wealth of technical knowledge and leadership experience. - -Brian acquired his foundational leadership, technical, and project management skills while serving in the United States Marine Corps. Upon his transition from active duty, Brian joined Booz Allen Hamilton where he spent over seven years leveraging and growing his IT, cybersecurity, and project management skills supporting various clients across the Department of Defense (DOD), including the U.S. Marine Corps, United States Navy, and the Chief Information Officer for the DOD. During this time, Brian became recognized as a cloud computing/cybersecurity Subject Matter Expert within the federal government. - -At GSA, Brian continues his service as the Acting FedRAMP Director since January 2021. In addition to his role as Acting Director, he leads multiple efforts associated with Joint Authorization Board (JAB) assessment and authorization activities that facilitate the authorization and adoption of commercial cloud services across the federal government. - -Brian’s education includes a Senior Executive Fellowship at the Harvard John F. Kennedy School of Government, an M.S. in Information Technology Management from the U.S. Naval Postgraduate School, and a B.A. in History with a minor in Economics from the University of Memphis. diff --git a/_team/david_waltermire.md b/_team/david_waltermire.md new file mode 100644 index 000000000..2a9595dda --- /dev/null +++ b/_team/david_waltermire.md 
@@ -0,0 +1,18 @@ +--- +layout: teammate +name: David Waltermire +image: /assets/img/team/profile_DavidWaltermire.png +title: Lead for Data Strategy and Standards +body-class: page-team-single +date: 2024-03-27 +order: 700 + +--- + +David Waltermire joined the Federal Risk and Authorization Management Program (FedRAMP) team in April 2023, bringing over two decades of technical knowledge and leadership experience to the forefront of GSA's cybersecurity endeavors. His prior work at the National Institute of Standards and Technology (NIST) solidified his reputation as a trusted authority in data-centric approaches to security automation, cybersecurity research, standards development, and leadership. His technical and strategic abilities have positioned him as a trusted authority in the field. + +At NIST, David has been instrumental in the development and advancement of various cybersecurity standards, frameworks, and initiatives, including the Security Content Automation Protocol, the Risk Management Framework (RMF), and the National Vulnerability Database. Notably, he has been a driving force behind the establishment and adoption of the Open Security Controls Assessment Language (OSCAL), a standardized format for expressing security controls, assessments, and related information. David's contributions to OSCAL have played a significant role in enhancing the efficiency, interoperability, and automation of security assessment processes. + +At GSA, David continues to be an advocate for innovation and collaboration in cybersecurity as the Lead for Data Strategy and Standards. He continues to be actively engaged with stakeholders from government, industry, academia, and international organizations to promote the adoption and integration of OSCAL into cybersecurity practices. 
David's collaborative approach and diplomatic leadership style will continue to foster consensus-building and driven progress in addressing complex cybersecurity challenges, paving the way for enhanced security posture and resilience in organizations worldwide. + +A cornerstone of David's approach at GSA is the integration and promotion of OSCAL into FedRAMPs processes. His advocacy for OSCAL underscores his dedication to streamlining security assessment processes and fostering interoperability and automation in cybersecurity practices. Through strategic collaborations and partnerships, David is working to position GSA at the forefront of cybersecurity innovation and resilience, ensuring that it remains a leader in safeguarding federal cloud services and information. diff --git a/assets/img/FedRAMP_X.svg b/assets/img/FedRAMP_X.svg new file mode 100644 index 000000000..f01306fb5 --- /dev/null +++ b/assets/img/FedRAMP_X.svg @@ -0,0 +1,12 @@ + + + + + + + diff --git a/assets/img/team/profile_DavidWaltermire.png b/assets/img/team/profile_DavidWaltermire.png new file mode 100644 index 000000000..a529bc35f Binary files /dev/null and b/assets/img/team/profile_DavidWaltermire.png differ diff --git a/assets/resources/documents/3PAO_Obligations_and_Performance_Guide.pdf b/assets/resources/documents/3PAO_Obligations_and_Performance_Standards.pdf similarity index 98% rename from assets/resources/documents/3PAO_Obligations_and_Performance_Guide.pdf rename to assets/resources/documents/3PAO_Obligations_and_Performance_Standards.pdf index 473578271..28b7bbeef 100644 Binary files a/assets/resources/documents/3PAO_Obligations_and_Performance_Guide.pdf and b/assets/resources/documents/3PAO_Obligations_and_Performance_Standards.pdf differ 
diff --git a/assets/resources/templates/FedRAMP-POAM-Template.xlsx b/assets/resources/templates/FedRAMP-POAM-Template.xlsx new file mode 100644 index 000000000..b2677ec8a Binary files /dev/null and b/assets/resources/templates/FedRAMP-POAM-Template.xlsx differ diff --git a/assets/resources/templates/SAR-Appendix-A-FedRAMP-Risk-Exposure-Table-(RET)-Template.xlsx b/assets/resources/templates/SAR-Appendix-A-FedRAMP-Risk-Exposure-Table-(RET)-Template.xlsx index dbf02e1d4..6b4e4c1c7 100644 Binary files a/assets/resources/templates/SAR-Appendix-A-FedRAMP-Risk-Exposure-Table-(RET)-Template.xlsx and b/assets/resources/templates/SAR-Appendix-A-FedRAMP-Risk-Exposure-Table-(RET)-Template.xlsx differ
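Review bot: in the first hunk (the 3PAO Obligations and Performance Standards blog post) the added sentence "In addition, the PMO has developed a brief video that covers an overview of the changes to this document." refers to a video but the hunk adds no link or embed for it, so readers have no way to reach it; add the video URL (or the embed markup) in the same change, or hold the sentence until the video is published.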
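Review bot: in the 2023-07-20 post hunk the quoted passage opens with a straight quote and closes with a curly one (`*"any 3PAO assessment deliverables ... these performance standards.”*`); since the line is already being rewritten, normalize the quote marks. The same line calls the document "the FedRAMP Obligations and Performance Standards document" while the other posts in this change use "FedRAMP 3PAO Obligations and Performance Standards"; use the full title so "the aforementioned document" in the new sentence is unambiguous, and "It is obligatory for 3PAOs to ensure" reads better as "3PAOs must ensure".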
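Review bot: in the 2023-08-01 post hunk the new lead-in "The training and accompanying FedRAMP 3PAO Obligations and Performance Standards document outlines the:" has a compound subject, so the verb should be "outline"; suggest "The training and the accompanying FedRAMP 3PAO Obligations and Performance Standards document outline the:". In the same region, deleting `_team/brian_conrad.md` leaves `assets/img/team/profile_BrianConrad.jpg` (referenced by the removed file) in the repo as an orphaned asset; remove it too, and check for any remaining links to the deleted team page.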
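Review bot: the new `_team/david_waltermire.md` has several wording problems: "FedRAMPs processes" needs the possessive ("FedRAMP's processes"); "consensus-building and driven progress" should be "consensus-building and drive progress"; "At NIST, David has been instrumental" is in the present perfect although the previous paragraph says he joined FedRAMP in April 2023, so "was instrumental" fits; "trusted authority" appears twice in the first paragraph and "continues to be" opens two consecutive sentences in the third, so one of each can go.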
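Review bot: renaming `assets/resources/documents/3PAO_Obligations_and_Performance_Guide.pdf` to `3PAO_Obligations_and_Performance_Standards.pdf` changes a public download URL, and no hunk in this change updates a link to it or adds a redirect, so existing links (including from the three blog posts touched here, which all cite the document) and external bookmarks to the old path will 404; either keep a redirect from the old filename or update every reference in the same change, and state the rename in the PR description.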
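Review bot: the new `FedRAMP-POAM-Template.xlsx` and the modified `SAR-Appendix-A-FedRAMP-Risk-Exposure-Table-(RET)-Template.xlsx` are binary changes with no accompanying description, and no hunk in this change links the new POA&M template from a templates page or explains what changed in the RET template; add a short note (version, date, what changed) to the PR description or the templates page so reviewers and downstream users can tell the revisions apart, and before publishing confirm the workbooks carry no leftover author metadata or hidden sheets.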