FedRAMP Authorized cloud service offerings (CSOs) without an active agency authorization to operate (ATO) that continue to meet all ongoing continuous monitoring (ConMon) activities while working to obtain a new ATO from a federal agency may remain in the FedRAMP Marketplace as FedRAMP Authorized.
Agencies should follow the steps outlined in FedRAMP’s Reuse Quick Guide when reviewing the package. To inform an agency’s risk-based ATO decision, FedRAMP requires cloud service providers (CSPs) to:
- Submit Monthly ConMon Deliverables. CSPs shall maintain an acceptable risk posture, and shall continue to upload monthly ConMon deliverables (updated POA&M and inventory, scan files, deviation requests) to their FedRAMP secure repository.
- Conduct Annual Assessment. If a service offering is due for an Annual Assessment during this period, the CSP shall complete the Annual Assessment.
- Deliver Risk Briefing. The CSP shall brief the agency on the current risk posture of the CSO, including any areas that require agency risk acceptance.
Note: To ensure agencies are aware there is no federal continuous monitoring oversight happening with these systems, FedRAMP will add language within the “Additional Information” field of the CSO’s Marketplace page stating, “**This cloud service offering lacks continuous monitoring oversight from FedRAMP or any federal agency. Agencies considering using this service should review the Cloud Service Provider's security documentation in their secure repository, directly coordinate with the CSP, and conduct their own evaluation before making an Authority to Operate (ATO) decision. Once an agency issues an ATO, agencies should submit their ATO letters to FedRAMP.**”