It depends on the quality of the authorization package. Because the initial authorizing agency is the first agency to review the authorization package, the process for getting to an informed risk-based decision may take longer and require more effort if there are aspects of the authorization package that are unclear, incomplete, inaccurate, or inconsistent.
The FedRAMP Program Management Office (PMO) provides guidance to Cloud Service Providers (CSPs) and Third Party Assessment Organizations (3PAOs) on how to deliver a high-quality authorization package. If poor package quality leaves the agency team unable to determine the actual security posture of the cloud service offering (CSO), the agency will provide feedback. That feedback may result in modifications to the package deliverables and/or additional testing, as well as additional review cycles.