1. FedRAMP published an updated Cloud Service Providers (CSP) Authorization Playbook to provide CSPs with a more detailed understanding of the FedRAMP Authorization process now in two volumes.
2. Volume I helps CSPs understand the FedRAMP Authorization process and develop a strategy for achieving FedRAMP Authorization.
3. Volume II helps CSPs understand how to develop a high-quality security package for an expeditious and efficient FedRAMP Authorization to cut down rework and delays during the review process.
Hello professor, here is my answer.
From reading I learned that FedRAMP is designed to provide a standardized approach to evaluating, monitoring, and authorizing cloud computing products and services under the Federal Information Security Management Act (FISMA) and to accelerate the adoption of secure cloud solutions by federal. FedRAMP authorizes cloud systems through three steps: security assessment, utilization and authorization, and ongoing assessment and authorization. In a word, FedRAMP is important because it increases the adoption of secure cloud solutions through counter-conscious assessment and authorization, resulting in near real-time continuous monitoring that responds to cloud intelligence strategies.
Dear professor,
Here is my answer:
For systems with JAB P-ATOs, the JAB acts as a centralized PMO for Continuous Monitoring activities for those systems, providing agencies with the artifacts and a standard process for the assessment and management of JAB P-ATO systems. In this capacity, the JAB:
1. Reviews and approves Continuous Monitoring and security artifacts on a regular basis
2. Monitors, suspends, and revokes a system’s P-ATO as appropriate
3. Authorizes or denies Significant Change and deviation requests
4. Reviews incident information to ensure proper handling and closure
5. Ensures the FedRAMP PMO is providing artifacts to leveraging agencies in a timely manner
Dear professor, the following is my answer, please check, thanks
Plan of Action and Milestones (POA&M)
Security control CA-5 requires CSPs to develop a Plan of Action and Milestones (POA&M) to document remediation plans for correcting risks (e.g., weaknesses, deficiencies, vulnerabilities) identified during security assessments and Continuous Monitoring activities.
CSPs are required to use the FedRAMP POA&M Template to track and manage risks. Instructions for completing the POA&M Template are provided in the POA&M Template Completion Guide.
CSPs are required to submit a POA&M with the initial authorization package. Before authorizing the CSO, AOs will review the POA&M to understand the current risk posture. Depending on the AO’s risk tolerance, the CSP may be required to remediate or mitigate open risks prior to authorization. We have provided some general “POA&M management” guidance in this section, but CSPs should also review the following FedRAMP documents, which provide comprehensive guidance related to Continuous Monitoring:
● Continuous Monitoring Strategy Guide
● Continuous Monitoring Performance Management Guide
● Vulnerability Scan Requirements
● Vulnerability Scanning Requirements for Containers
● Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans
● Significant Change Policies and Procedures
Hello Professor:
JAB authorization:
Phase 1: FedRAMP readiness assessment and FedRAMP connect:
To ensure a clear ROI of the resources used to authorize CSOs for the US government, the FedRAMP PMO, CIO Council, and JAB evaluate CSOs via a process called FedRAMP Connect. To achieve the FedRAMP Ready designation, a CSP must partner with an accredited 3PAO to complete a readiness assessment of its service offering - a Readiness Assessment Report (RAR).
Phase 2: Full security assessment:
The 3PAO develops a Security Assessment Plan (SAP), conducts a full security assessment of the service offering, and produces a Security Assessment Report (SAR).
Phase 3: Authorization process:
A kick-off meeting is held with the JAB, FedRAMP PMO, the 3PAO, and the CSP’s authorization team. The purpose of the kick off is to conduct a collaborative deep dive into the service offering, system architecture, security capabilities, and risk posture, through a combination of briefings and informal Q&A.
Phase 4: Continuous monitoring:
The CSP is required to maintain a security posture that aligns with FedRAMP and the JAB’s requirements, pursuant to the initial assessment and authorization process. This is achieved through continuous monitoring of the CSP’s system.
Thank you
Before FedRAMP, each government agency had its own way of evaluating cloud computing services. This often leads to cumbersome, inconsistent, costly, and inefficient workflows. FedRAMP establishes a set of security assessment benchmarks for cloud services, with uniform guidelines and requirements for all organizations. Of course, this also means that FedRAMP has strict authorization requirements.
There are two types of FedRAMP authorization: JAB Authorization and Agency Authorization. Both of them have 4 phases.
1. JAB Authorization:
(1) FedRAMP Readiness Assessment and FedRAMP Connect;
(2) Full Security Assessment;
(3) Authorization Process;
(4) Continuous Monitoring.
2. Agency Authorization:
(1) Partnership Establishment;
(2) Full Security Assessment;
(3) Authorization Process;
(4) Continuous Monitoring.
No matter what kind of authorization, the process is complex and clear, and the requirements are strict and uniform. And the process of authorization is not a short-term process, it involves long-term review and monitoring. In the process, we find risks and assess them, but do not stop at knowing the risks, but on the basis of hierarchical classification and control. Such rigorous requirements undoubtedly guarantee the quality of FedRAMP’s authorization.
Demand is a key consideration for CSPs deciding between pursuing a JAB P-ATO, Agency ATO, or both. FedRAMP generally evaluates CSOs as having broad or niche demand, where broad demand reflects proven or potential demand for an offering from multiple Agencies, and niche demand reflects Agency-specific utility or applicability of an offering. When evaluating which authorization to pursue, a CSP should be able to qualify whether their offering has broad or niche demand.
A FedRAMP Ready designation is required for any CSP pursuing a JAB P-ATO, and is highly recommended prior to pursuing an Agency ATO. While becoming FedRAMP Ready is not a guarantee that a CSO will be authorized, achieving FedRAMP Ready status indicates a greater likelihood of success in the authorization process as the government has a clearer understanding of a CSP’s technical capabilities.
To achieve the FedRAMP Ready designation, a CSP must partner with an accredited 3PAO to complete a readiness assessment of its service offering. If there are any issues spotted by the PMO in the review, an in-person meeting is held to discuss the PMO’s comments and what is needed in order for the CSP to be deemed FedRAMP Ready. Once the PMO approves a RAR, the CSO will be designated FedRAMP Ready and advertised as such on the FedRAMP Marketplace.
Hello, professor
Here is my answer:
The thing of interest I took away from the FedRAMP CSP Authorization Playbook is the process of determining your authorization strategy. In this way, I know the factors being evaluated to determine your authorization strategy. And I know that CSPs are most successful when they pursue a multi-pronged approach. It increases my interest in authorization.
The JAB prioritizes up to 12 CSOs a year to work toward a JAB Authorization. After a CSP is prioritized, it has 60 days to become FedRAMP Ready (if it isn’t already). Being prioritized to work with the JAB and being deemed FedRAMP Ready by the FedRAMP PMO constitute the first phase of the JAB Authorization process.
In order to kick off with the JAB, CSPs must achieve the FedRAMP Ready designation for their CSO. To achieve the FedRAMP Ready designation, a CSP must work with a FedRAMP-recognized Third Party Assessment Organization (3PAO) to complete a Readiness Assessment of its service offering. The Readiness Assessment Report (RAR) documents the CSP’s capability, and provides the JAB with a snapshot of a CSO’s security posture, manage system security risks identified in the SAR. The SSP, SAP, SAR, and POA&M must be completed using FedRAMP templates and submitted together. The JAB will not review the documents one by one. Instead, the full security package, along with the first Continuous Monitoring submission, will be considered in its entirety and must be submitted to the PMO at least 2 weeks prior to a Kickoff Meeting with the JAB. The FedRAMP PMO will then work with the CSP and FedRAMP-recognized 3PAO to conduct a completeness check, and coordinate the JAB Kickoff Meeting.
One thing of interest here is that FedRAMP’s definitions for cloud services are different from what I learned in other articles. FedRAMP’s definitions for cloud services not only include IaaS and SaaS, but also PaaS. PaaS is a little bit different from SaaS in the creator of the software. PaaS is created by the consumers and SaaS is created by providers. As required by FedRAMP, IaaS, PaaS and SaaS each have their own authorization boundary and their own ATO letter.
This CSP playbook is designed to guide the CSP who holds federal data to obtain the FedRAMP authorization.
What interests me is how to determine their authorization strategy. To increase the possibilities of successful authorization, there are some factors that the CSP needs to decide first:
(1) Demand: broad or niche?
Broad demand means an offering from multiple agencies while niche demand means specific utility or applicability of an offering.
CSOs with broad demand are more appropriate for a JAB P-ATO and CSOs with niche demand are more appropriate for an Agency ATO.
(2) Existing or potential agency partners?
The first step in achieving a FedRAMP Agency ATO is for a CSP to establish a partnership with an Agency.
(3) Impact levels
CSOs are categorized into one of three impact levels: low, moderate, and high; and across three security objectives: confidentiality, integrity, and availability.
CSPs must correctly align their CSOs to an impact level to pursue the appropriate authorization baseline.
(4) Deployment model
CSPs should be able to qualify whether their CSO is government-only or exists as a public cloud.
Above all, obtaining the FedRAMP authorization needs to be planned. It requires a lot of thinking and assessing.
FedRAMP is a government-wide initiative that provides a standardized approach to security assessment, authorization, and ongoing monitoring of cloud products and services. If one has a Cloud Service Offering (CSO) that is in use by the federal government, he should be thinking about obtaining a FedRAMP authorization.
If one wants to determine his authorization strategy, there are many factors which are recommended to be evaluated: (1) Demand: BROAD vs. NICHE; (2) EXISTING OR POTENTIAL AGENCY PARTNERS; (3) IMPACT LEVELS; and (4) DEPLOYMENT MODEL.
There are two types of FedRAMP authorizations available to CSPs: JAB Authorization and Agency Authorization.
Hi professor,
here is my answer:
One thing that interests me from the reading ‘FedRAMP CSP Authorization Playbook’ is the Security Assessment Plan (SAP). The SAP describes the scope, methodology, test plan and rules of engagement for CSO assessments. Because the CSP and 3PAO are required to sign the SAP, this expresses the endorsement while the CSP also needs to critically review the quality and completeness of the SAP, and there are some checklists for guidance in this section to help when performing a review of the SAP. The Security Assessment Report (SAR) is primarily a record of the results of the CSO’s security assessment, including a summary of the remaining risks at the end of the assessment. The purpose of the security assessment is to evaluate the CSO’s implementation of and compliance with FedRAMP baseline security controls.
Hello professor
Here is my answer
A FedRAMP Ready designation is optional for the Agency Authorization process, but highly recommended. To achieve the FedRAMP Ready designation, a CSP must work with a FedRAMP-recognized 3PAO to complete a Readiness Assessment of its service offering. The RAR documents the CSP’s capability to meet federal security requirements.
In the partnership establishment phase of Pre-Authorization, a CSP formalizes their partnership with an agency meeting the requirements outlined in FedRAMP Marketplace Designations for Cloud Service Providers. In some cases, a vendor may be under contract with an agency already, or an agency may be working through the acquisition process. At this stage, a CSP should have a fully operational system and an executive team that is committed to the FedRAMP process. CSPs should engage with the FedRAMP PMO through the intake process by filling out a CSP Information Form. By completing this form, the PMO will also generate a FedRAMP ID for the CSO.
When we talk about a certification or authorization, the first thing that sticks out is what benefit it can bring. As far as FedRAMP is concerned, FedRAMP approval is required for any cloud services that store federal data. FedRAMP authorisation is a vital aspect of your security plan if you wish to engage with the federal government.
FedRAMP is crucial because it assures consistency in both the security of the government’s cloud services and the evaluation and monitoring of that security. It establishes a single set of guidelines for all government departments and cloud service providers.
FedRAMP-authorized cloud service providers are listed in the FedRAMP Marketplace. When government agencies need to find a new cloud-based solution, they go to this marketplace first. It is significantly easier and faster for an agency to employ a product that has already been approved rather than starting the approval process with a new vendor.
Dear professor, Here is my answer:
I will talk about FedRAMP Releases Updated CSP Authorization Playbook
FedRAMP published an updated Cloud Service Providers (CSP) Authorization Playbook to provide CSPs with a more detailed understanding of the FedRAMP Authorization process now in two volumes.
Volume I helps CSPs understand the FedRAMP Authorization process and develop a strategy for achieving FedRAMP Authorization. Volume I includes:
● How CSPs can get started with FedRAMP
● Introducing the paths to authorization
● FedRAMP designations
● Considerations that CSPs should think about prior to pursuing an authorization
Volume II helps CSPs understand how to develop a high-quality security package for an expeditious and efficient FedRAMP Authorization to cut down rework and delays during the review process. Volume II includes:
● Elements of an authorization package
● Guidance for developing key artifacts
● Tips for delivering a clean, easy-to-review package
While the CSP Authorization Playbook is written to inform Cloud Service Providers approaching the FedRAMP Authorization process, the information is helpful to all FedRAMP stakeholders.
BR
Yidi Xu
Strategy Guide Key Takeaways:
● FedRAMP overview
● Preparing and project planning for FedRAMP
● FedRAMP costs
● 5 Steps to FedRAMP ATO
● Authorization paths and timelines
If you have a Cloud Service Offering (CSO) that is in use by the federal government, you should be thinking about obtaining a FedRAMP authorization. Per an OMB memorandum, cloud services that hold federal data must be FedRAMP authorized.
PMO, JAB, Agencies, 3PAOs
JAB Authorization: 1. FedRAMP Connect; 2. Full security assessment; 3. Authorization Process; 4. Continuous Monitoring
I focus on the Impact Levels and Deployment Model. I think the specific criteria make me better understand what FedRAMP is from the bottom up.