FedRAMP will leverage NIST SP 800-161 as the requirements for supply chain considerations for all commercial, proprietary, and open source components in cloud service offerings (CSOs). If the technology is used or leveraged by the CSO, the supply chain controls apply. The supply chain risk management plan should enumerate all the products, including open source, and the plan for managing any associated risks. According to the supply chain controls, CSPs need to document the scope, methodology, and depth of documenting, managing, and testing the source of the products or code being used. The supply chain controls are in scope for FedRAMP audits, but supplier management remains the responsibility of the CSP. 3PAOs will examine the records and documents, not the individual suppliers.