FedRAMP Weekly Tips and Cues

From: FedRAMP PMO

Many of our cloud service providers (CSPs), federal agencies, and third party assessment organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we will be providing weekly tips and addressing frequently asked questions and concerns.

Cloud Service Providers

Question:

Should I repeat the control requirement?

Answer:

Do not repeat the control requirement. You may use it as a starting point for writing a detailed, specific implementation. Additionally, use the same action and key words found in the control requirement when describing your implementation, so it is clear exactly how the implementation meets the stated requirements.

3PAOs

Question:

Are there limitations on the types of findings that can be reported in the Security Assessment Report (SAR)?

Answer:

There cannot be any unmitigated or unremediated high findings reported in the SAR for a P-ATO. Hence, Table ES-1 shouldn’t have any highs listed within the composite total.

Pro Writing Tip For CSPs and 3PAOs

Many readers commonly confuse the meanings of i.e. and e.g. Both are abbreviations for Latin terms. I.e. stands for id est and means roughly “that is.” E.g. stands for exempli gratia, which means “for example.” It is best to write out the meanings of these abbreviations to avoid any misunderstanding.


Avoid using “etc.” If an item is important enough to be in a list, then it is important enough to name. Only use “etc.” if it is completely clear how the rest of the list would run. Alternatively, explain the characteristics of the items in the list, and then say “For example.”

FedRAMP | OCSIT | GSA
www.FedRamp.gov
