From: Coalfire
Recently, the FedRAMP Program Management Office (PMO) released new guidance to all Cloud Service Providers (CSP) regarding the actions FedRAMP will take when a CSP fails to maintain an adequate risk management program. The document, FedRAMP P-ATO Management and Revocation Guide (PDF), describes the escalation process and actions that FedRAMP will dictate when a CSP fails to adhere to the requirements of their Provisional Authority to Operate (P-ATO). Some key takeaways we wanted to highlight include:
- The FedRAMP PMO is improving the focus on risk in the areas of Operational Visibility, Significant Changes, and Incident Response.
- CSPs must adhere to the Continuous Monitoring (ConMon) requirements outlined within the FedRAMP Continuous Monitoring Strategy Guide.
- In cases where the CSP cannot meet the ConMon requirements, FedRAMP will initiate escalation procedures with the CSP, the FedRAMP PMO, and the FedRAMP Joint Authorization Board (JAB) that may include the following actions:
- Internal Corrective Action Plan – Action for the CSP
- Formal Corrective Action Plan – Action for the CSP , FedRAMP PMO/Director
- Suspension – Action for the CSP, FedRAMP PMO/Director, JAB
- Revocation – Action for the CSP, FedRAMP PMO/Director, JAB
While many CSPs are aware of the high bar that FedRAMP has set with the assessment and authorization program, many are just now realizing that the level of effort doesn’t diminish once the P-ATO is granted and the CSP transitions into ConMon. Coalfire can help you develop and implement a cost efficient continuous monitoring program that is FedRAMP compliant. Please reply to this message or contact us via our website.
1 comment
Samuel says:
January 2, 2020 at 3:33 pm (UTC -4)
Has this happened to a CSP before and if so, who?