
Sys & Infrast Lifecycle Mngt 1

MIS5203

MIS 5203.951 ■ Spring 2022 ■ William Bailey

Write about one thing of interest you took away from: FedRAMP CSP Authorization Playbook

January 4, 2020 by William Bailey 18 Comments

Filed Under: Unit 12: Post Implementation and Maintenance

Comments

  1. Peixuan Dou says

    March 4, 2022 at 11:16 am

    1. FedRAMP published an updated Cloud Service Providers (CSP) Authorization Playbook to provide CSPs with a more detailed understanding of the FedRAMP Authorization process now in two volumes.
    2. Volume I helps CSPs understand the FedRAMP Authorization process and develop a strategy for achieving FedRAMP Authorization.
    3. Volume II helps CSPs understand how to develop a high-quality security package for an expeditious and efficient FedRAMP Authorization to cut down rework and delays during the review process.

  2. Xiaoyu Shi says

    March 5, 2022 at 3:46 am

    Hello professor, here is my answer.
    From the reading I learned that FedRAMP is designed to provide a standardized approach to evaluating, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA) and to accelerate the adoption of secure cloud solutions by federal agencies. FedRAMP authorizes cloud systems through three steps: security assessment, utilization and authorization, and ongoing assessment and authorization. In a word, FedRAMP is important because it increases the adoption of secure cloud solutions through counter-conscious assessment and authorization, resulting in near real-time continuous monitoring that responds to cloud intelligence strategies.

  3. Chaoqun Song says

    March 5, 2022 at 4:06 am

    Dear professor,
    Here is my answer:

    For systems with JAB P-ATOs, the JAB acts as a centralized PMO for Continuous Monitoring activities for those systems, providing agencies with the artifacts and a standard process for the assessment and management of JAB P-ATO systems. In this capacity, the JAB:
    1. Reviews and approves Continuous Monitoring and security artifacts on a regular basis
    2. Monitors, suspends, and revokes a system’s P-ATO as appropriate
    3. Authorizes or denies Significant Change and deviation requests
    4. Reviews incident information to ensure proper handling and closure
    5. Ensures the FedRAMP PMO is providing artifacts to leveraging agencies in a timely manner

  4. Yushu Feng says

    March 5, 2022 at 4:34 am

    Dear professor, the following is my answer, please check, thanks.
    Plan of Action and Milestones (POA&M)
    Security control CA-5 requires CSPs to develop a Plan of Action and Milestones (POA&M) to document remediation plans for correcting risks (e.g., weaknesses, deficiencies, vulnerabilities) identified during security assessments and Continuous Monitoring activities.
    CSPs are required to use the FedRAMP POA&M Template to track and manage risks. Instructions for completing the POA&M Template are provided in the POA&M Template Completion Guide.
    CSPs are required to submit a POA&M with the initial authorization package. Before authorizing the CSO, AOs will review the POA&M to understand the current risk posture. Depending on the AO’s risk tolerance, the CSP may be required to remediate or mitigate open risks prior to authorization. We have provided some general “POA&M management” guidance in this section, but CSPs should also review the following FedRAMP documents, which provide comprehensive guidance related to Continuous Monitoring:
    ● Continuous Monitoring Strategy Guide
    ● Continuous Monitoring Performance Management Guide
    ● Vulnerability Scan Requirements
    ● Vulnerability Scanning Requirements for Containers
    ● Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans
    ● Significant Change Policies and Procedures

  5. Shan Qiao says

    March 5, 2022 at 4:39 am

    Hello Professor:
    JAB authorization:
    Phase 1: FedRAMP readiness assessment and FedRAMP connect:
    To ensure a clear ROI of the resources used to authorize CSOs for the US government, the FedRAMP PMO, CIO Council, and JAB evaluate CSOs via a process called FedRAMP Connect. To achieve the FedRAMP Ready designation, a CSP must partner with an accredited 3PAO to complete a readiness assessment of its service offering, a Readiness Assessment Report (RAR).
    Phase 2: Full security assessment:
    The 3PAO develops a Security Assessment Plan (SAP), conducts a full security assessment of the service offering, and produces a Security Assessment Report (SAR).
    Phase 3: Authorization process:
    A kick-off meeting is held with the JAB, FedRAMP PMO, the 3PAO, and the CSP’s authorization team. The purpose of the kick-off is to conduct a collaborative deep dive into the service offering, system architecture, security capabilities, and risk posture, through a combination of briefings and informal Q&A.
    Phase 4: Continuous monitoring:
    The CSP is required to maintain a security posture that aligns with FedRAMP and the JAB’s requirements, pursuant to the initial assessment and authorization process. This is achieved through continuous monitoring of the CSP’s system.
    Thank you

  6. Qian Xiao says

    March 5, 2022 at 6:50 am

    Before FedRAMP, each government agency had its own way of evaluating cloud computing services. This often led to cumbersome, inconsistent, costly, and inefficient workflows. FedRAMP establishes a set of security assessment benchmarks for cloud services, with uniform guidelines and requirements for all organizations. Of course, this also means that FedRAMP has strict authorization requirements.
    There are two types of FedRAMP authorization: JAB Authorization and Agency Authorization. Both of them have 4 phases.
    1. JAB Authorization:
    (1) FedRAMP Readiness Assessment and FedRAMP Connect;
    (2) Full Security Assessment;
    (3) Authorization Process;
    (4) Continuous Monitoring.
    2. Agency Authorization:
    (1) Partnership Establishment;
    (2) Full Security Assessment;
    (3) Authorization Process;
    (4) Continuous Monitoring.
    No matter what kind of authorization, the process is complex and clear, and the requirements are strict and uniform. And the process of authorization is not a short-term process, it involves long-term review and monitoring. In the process, we find risks and assess them, but do not stop at knowing the risks, but on the basis of hierarchical classification and control. Such rigorous requirements undoubtedly guarantee the quality of FedRAMP’s authorization.

  7. Qi Mao says

    March 5, 2022 at 10:53 am

    Demand is a key consideration for CSPs deciding between pursuing a JAB P-ATO, Agency ATO, or both. FedRAMP generally evaluates CSOs as having broad or niche demand, where broad demand reflects proven or potential demand for an offering from multiple Agencies, and niche demand reflects Agency-specific utility or applicability of an offering. When evaluating which authorization to pursue, a CSP should be able to qualify whether their offering has broad or niche demand.
    A FedRAMP Ready designation is required for any CSP pursuing a JAB P-ATO, and is highly recommended prior to pursuing an Agency ATO. While becoming FedRAMP Ready is not a guarantee that a CSO will be authorized, achieving FedRAMP Ready status indicates a greater likelihood of success in the authorization process as the government has a clearer understanding of a CSP’s technical capabilities.
    To achieve the FedRAMP Ready designation, a CSP must partner with an accredited 3PAO to complete a readiness assessment of its service offering. If there are any issues spotted by the PMO in the review, an in-person meeting is held to discuss the PMO’s comments and what is needed in order for the CSP to be deemed FedRAMP Ready. Once the PMO approves a RAR, the CSO will be designated FedRAMP Ready and advertised as such on the FedRAMP Marketplace.

  8. Qingzheng Sun says

    March 5, 2022 at 11:47 am

    Hello, professor
    Here is my answer:
    The thing of interest I took away from the FedRAMP CSP Authorization Playbook is the process of determining your authorization strategy. In this way, I know the factors being evaluated to determine your authorization strategy. And I know that CSPs are most successful when they pursue a multi-pronged approach. It increases my interest in authorization.

  9. Yuguo Qian says

    March 5, 2022 at 1:07 pm

    The JAB prioritizes up to 12 CSOs a year to work toward a JAB Authorization. After a CSP is prioritized, it has 60 days to become FedRAMP Ready (if it isn’t already). Being prioritized to work with the JAB and being deemed FedRAMP Ready by the FedRAMP PMO constitute the first phase of the JAB Authorization process.
    In order to kick off with the JAB, CSPs must achieve the FedRAMP Ready designation for their CSO. To achieve the FedRAMP Ready designation, a CSP must work with a FedRAMP-recognized Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP’s capability, and provides the JAB with a snapshot of a CSO’s security posture, manage system security risks identified in the SAR. The SSP, SAP, SAR, and POA&M must be completed using FedRAMP templates and submitted together. The JAB will not review the documents one by one. Instead, the full security package, along with the first Continuous Monitoring submission, will be considered in its entirety and must be submitted to the PMO at least 2 weeks prior to a Kickoff Meeting with the JAB. The FedRAMP PMO will then work with the CSP and FedRAMP-recognized 3PAO to conduct a completeness check, and coordinate the JAB Kickoff Meeting.

  10. Hongyi Bi says

    March 5, 2022 at 8:56 pm

    One thing of interest here is that FedRAMP’s definition of cloud services is different from what I learned in other articles. FedRAMP’s definition of cloud services not only includes IaaS and SaaS, but also PaaS. PaaS is a little bit different from SaaS in the creator of the software: PaaS software is created by the consumers and SaaS software is created by the providers. As required by FedRAMP, IaaS, PaaS and SaaS each have their own authorization boundary and their own ATO letter.

  11. Xiaotian Wang says

    March 6, 2022 at 12:16 am

    This CSP playbook is designed to guide a CSP that holds federal data to obtain the FedRAMP authorization.

    What interests me is how to determine their authorization strategy. To increase the possibility of successful authorization, there are some factors that the CSP needs to decide first:

    (1)Demand: broad or niche?
    Broad demand means an offering from multiple agencies while niche demand means specific utility or applicability of an offering.
    CSOs with broad demand are more appropriate for a JAB P-ATO and CSOs with niche demand are more appropriate for an Agency ATO.
    (2)Existing or potential agency partners?
    The first step in achieving a FedRAMP Agency ATO is for a CSP to establish a partnership with an Agency.
    (3)Impact levels
    CSOs are categorized into one of three impact levels: low, moderate, and high; and across three security objectives: confidentiality, integrity, and availability.
    CSPs must correctly align their CSOs to an impact level to pursue the appropriate authorization baseline.
    (4)Deployment model
    CSPs should be able to qualify whether their CSO is government-only or exists as a public cloud.

    Above all, obtaining the FedRAMP authorization needs to be planned. It requires a lot of thinking and assessing.

  12. Qiaohang Zhang says

    March 6, 2022 at 2:12 am

    FedRAMP is a government-wide initiative that provides a standardized approach to security assessment, authorization, and ongoing monitoring of cloud products and services. If one has a Cloud Service Offering (CSO) that is in use by the federal government, he should be thinking about obtaining a FedRAMP authorization.
    If one wants to determine his authorization strategy, there are many factors which are recommended to be evaluated: (1) Demand: BROAD vs. NICHE; (2) EXISTING OR POTENTIAL AGENCY PARTNERS; (3) IMPACT LEVELS; and (4) DEPLOYMENT MODEL.
    There are two types of FedRAMP authorizations available to CSPs: JAB Authorization and Agency Authorization.

  13. Tingting Li says

    March 6, 2022 at 5:34 am

    Hi professor,
    here is my answer:
    One thing that interests me from the reading ‘FedRAMP CSP Authorization Playbook’ is the Security Assessment Plan (SAP). The SAP describes the scope, methodology, test plan and rules of engagement for CSO assessments. Because the CSP and 3PAO are required to sign the SAP, this expresses endorsement, while the CSP also needs to critically review the quality and completeness of the SAP, and there are some checklists for guidance in this section to help when performing a review of the SAP. The Security Assessment Report (SAR) is primarily a record of the results of the CSO’s security assessment, including a summary of the remaining risks at the end of the assessment. The purpose of the security assessment is to evaluate the CSO’s implementation of and compliance with FedRAMP baseline security controls.

  14. Xue Fang says

    March 6, 2022 at 5:40 am

    Hello professor
    Here is my answer
    A FedRAMP Ready designation is optional for the Agency Authorization process, but highly recommended. To achieve the FedRAMP Ready designation, a CSP must work with a FedRAMP-recognized 3PAO to complete a Readiness Assessment of its service offering. The RAR documents the CSP’s capability to meet federal security requirements.
    In the partnership establishment phase of Pre-Authorization, a CSP formalizes their partnership with an agency meeting the requirements outlined in FedRAMP Marketplace Designations for Cloud Service Providers. In some cases, a vendor may be under contract with an agency already, or an agency may be working through the acquisition process. At this stage, a CSP should have a fully operational system and an executive team that is committed to the FedRAMP process. CSPs should engage with the FedRAMP PMO through the intake process by filling out a CSP Information Form. By completing this form, the PMO will also generate a FedRAMP ID for the CSO.

  15. Zhuoran Ouyang says

    March 6, 2022 at 7:58 am

    When we talk about a certification or authorization, the first thing that sticks out is what benefit it can bring. As far as FedRAMP is concerned, FedRAMP approval is required for any cloud services that store federal data. FedRAMP authorisation is a vital aspect of your security plan if you wish to engage with the federal government.

    FedRAMP is crucial because it assures consistency in both the security of the government’s cloud services and the evaluation and monitoring of that security. It establishes a single set of guidelines for all government departments and cloud service providers.

    FedRAMP-authorized cloud service providers are listed in the FedRAMP Marketplace. When government agencies need to find a new cloud-based solution, they go to this marketplace first. It is significantly easier and faster for an agency to employ a product that has already been approved rather than starting the approval process with a new vendor.

  16. Yidi Xu says

    March 6, 2022 at 9:08 am

    Dear professor, Here is my answer:
    I will talk about FedRAMP Releases Updated CSP Authorization Playbook.
    FedRAMP published an updated Cloud Service Providers (CSP) Authorization Playbook to provide CSPs with a more detailed understanding of the FedRAMP Authorization process, now in two volumes.
    Volume I helps CSPs understand the FedRAMP Authorization process and develop a strategy for achieving FedRAMP Authorization. Volume I includes:
    ● How CSPs can get started with FedRAMP
    ● Introducing the paths to authorization
    ● FedRAMP designations
    ● Considerations that CSPs should think about prior to pursuing an authorization
    Volume II helps CSPs understand how to develop a high-quality security package for an expeditious and efficient FedRAMP Authorization to cut down rework and delays during the review process. Volume II includes:
    ● Elements of an authorization package
    ● Guidance for developing key artifacts
    ● Tips for delivering a clean, easy-to-review package
    While the CSP Authorization Playbook is written to inform Cloud Service Providers approaching the FedRAMP Authorization process, the information is helpful to all FedRAMP stakeholders.

    BR
    Yidi Xu

  17. Bowei Zhu says

    March 6, 2022 at 9:41 am

    Strategy Guide Key Takeaways:

    ● FedRAMP overview
    ● Preparing and project planning for FedRAMP
    ● FedRAMP costs
    ● 5 Steps to FedRAMP ATO
    ● Authorization paths and timelines

  18. Qixiang Fu says

    March 8, 2022 at 9:00 am

    If you have a Cloud Service Offering (CSO) that is in use by the federal government, you should be thinking about obtaining a FedRAMP authorization. Per an OMB memorandum, cloud services that hold federal data must be FedRAMP authorized.
    PMO, JAB, Agencies, 3PAOs
    JAB Authorization: 1. FedRAMP Connect; 2. Full Security Assessment; 3. Authorization Process; 4. Continuous Monitoring.
    I focus on the Impact Levels and Deployment Model. I think the specific criteria make me better understand what FedRAMP is from the bottom up.

