FedRAMP Weekly Tips & Cues – August 10, 2016

Many of our cloud service providers (CSPs), federal agencies, and third party assessment organizations (3PAOs) often share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we will be providing weekly tips and address frequently asked questions and concerns.

This week’s tips come from FedRAMP’s Accelerated event. Read the full list of questions asked during FedRAMP Accelerated here.

Send potential tips and questions that you would like published as a tip [via email].

Federal Agencies

Do Federal Agencies need an Interconnection Security Agreement (ISA) with a CSP?

Interconnection Security Agreements (ISAs) are not designed for use between a CSP and Federal Agency. An Agency ATO memo should be the governing document for Agency and CSP interaction and security requirement communications. CSPs should document security protections in place for agency access – whether through dedicated connections or publicly routable internet space. This documentation should be included within the standard FedRAMP-required templates, policies, and procedures.

Agencies should follow the documented processes for issuing ATOs included in the FedRAMP guidance and documentation available on FedRAMP.gov:

  • Guide to Understanding FedRAMP
  • Agency Guide for FedRAMP Authorizations
  • Agency ATO Quick Guide

CSPs should also continue to utilize ISAs for cloud system interconnections that fall within the scope of the cloud boundary. These ISAs will be reviewed by 3PAOs as part of the security assessment and testing process, including testing for control CA-3. The FedRAMP Agency or JAB P-ATO process should be the mechanism for validating ISA documentation.

Federal Agencies

How can a federal organization ensure it maintains reasonable investigation capabilities, auditability, and traceability of data within the cloud?

Answer:

Federal Agencies can ensure they maintain reasonable investigation capabilities, auditability, and traceability of data by logging and monitoring the following application events:

  • Management of network connections
  • Addition or removal of users
  • Management of changes to privileges
  • Assignment of users to tokens
  • Addition or removal of tokens
  • Management of system administrative privileges access
  • Actions by users with administrative privileges
  • Use of data encrypting keys
  • Management of key changes
  • Creation and removal of system level objects
  • Import and export of data, including screen based reports
  • Submission of user-generated content, especially file uploads

This post was originally published on the FedRAMP blog.