FedRAMP Weekly Tips & Cues – 6/3/2015

From: GSA | FedRAMP

Many of our cloud service providers (CSPs), federal agencies, and third party assessment organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we will be providing weekly tips and addressing frequently asked questions and concerns.

Cloud Service Providers

Question:

How should a Cloud Service Provider (CSP) address platform scope within the System Security Plan (SSP)?

Answer:

A system typically contains multiple platforms or platform groups, as identified by its inventory. Certain controls (e.g., access controls, audit logging, session lock) are configured differently on each platform or device type. Where applicable, these unique implementations are expected to be addressed per platform for the following controls and control families: AC (Access Control), IA (Identification and Authentication), AU (Audit and Accountability), CM (Configuration Management), SI-2, SI-3, SI-5, and SI-11. We recommend using a standard format for addressing controls by platform (e.g., a sub-header within the relevant control part or parts for “Cisco,” “Brocade,” etc.).

3PAOs

Question:

How does a 3PAO ensure repeatable results when reporting the results of an assessment method?

Answer:

When reporting the results of an assessment method (examine, interview, or test), include enough detail that someone else could repeat the method and reproduce the result.

Recipe for Successful Review Process

Avoid adding time to your authorization process by successfully completing the System Security Plan (SSP) review the first time! Here are some tips from the FedRAMP PMO on how to create a strong SSP:

  1. Submit a complete and well-structured SSP.
  2. Bring expertise and knowledge of the NIST/FedRAMP security controls.
  3. Allot enough resources – often one writer is not enough, and you may need additional resources and subject matter experts to complete the SSP.
  4. Employ the four C’s of writing: Clear – straightforward, avoiding convoluted or over-long phrases; Concise – pack the most meaning into your words; Concrete – precise and detail-oriented; and finally, Correct – correct grammar, mechanics, and format are baseline expectations for writing.
  5. Ensure the writer(s) know the system, or can obtain the information from others, and can communicate that technical knowledge.
  6. Perform a quality review on the SSP.

Doing these things cannot guarantee a successful SSP review, but it will greatly improve your chances.

Read the Weekly FedRAMP Tips & Cues on the website.
