JAB Transition
- The Joint Authorization Board (JAB) previously provided approval letters for annual assessments and significant changes. Now that the JAB no longer exists, will anyone provide these letters? How do agency customers know these have been approved?
- When will documents, the website, and policies be updated to reflect changes?
- How does the transition from JAB P-ATO Authorization to FedRAMP Authorization affect the client demand requirement?
- With the shift toward “One Authorization”, do the Boundary Guidance restrictions of “Non-JAB” to “JAB” data flow disappear?
- What support is FedRAMP providing during this transition?
- How will the transition impact CSPs current ConMon reviews of annual assessments, significant changes, and deviation requests?
Authorizations
- What is the process for handling false positives found during an initial or annual assessment when the security assessment report (SAR) is closed but has not yet been approved by the partnering agency?
- Is a penetration test required for FedRAMP authorization?
- If a Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS) resides on a FedRAMP Authorized Infrastructure-as-a-Service (IaaS), does that mean it is also FedRAMP Authorized?
Rev. 5
- What are some real-world examples (e.g. DLP or data tagging solutions) of how a CSP can implement CM-12(1)?
- In the SSP Section 9 - Ports, Protocols, Service, what is the purpose of the Appendix Q reference number?
- How can CSPs ensure vendors build and test in alignment with NIST 800-171 or equivalent framework as required by SR-6 in the High and Moderate baselines?
- For SC-7(4), what is defined as control plane traffic?
- For AT-2, Literary Training and Awareness, does FedRAMP require distinct basic security and privacy literacy training, advanced literacy training, and awareness techniques?
- For supply chain controls, CSPs can define what systems, components, and services fall under the SCRM (SR-2), but is it the intent of the FedRAMP PMO that this only be focused on the paid-vendor or large components?
Third Party Assessors (3PAO)
- What is the role of the third party assessment organization (3PAO) in continuous monitoring?
- Are cloud service providers (CSPs) required to use a FedRAMP recognized third party assessment organization (3PAO)?
- How does a company become a FedRAMP recognized third party assessment organization (3PAO)? How is the independence and quality of a 3PAO validated?
- What is a third party assessment organization (3PAO)?
Cloud Service Providers (CSPs)
- Does a cloud service provider (CSP) need to implement FIPS-validated multi-factor authentication (MFA) prior to a cloud service offering (CSO) achieving FedRAMP Ready, or can it be added to the Plan of Action and Milestones (POA&M) and addressed later?
- My company is looking to obtain FedRAMP authorization for one of our existing cloud products. I have executive support and an agency partner. How do I get started?
- How does a cloud service provider (CSP) get listed on FedRAMP's Marketplace?
Federal Agencies
- Should my agency use FedRAMP to authorize private cloud deployment?
- What happens if a cloud service offering (CSO) loses its agency customers?
- What happens if my agency decides to stop using the cloud service offering (CSO)?
- As the initial authorizing agency, are we responsible for performing continuous monitoring (ConMon) oversight on behalf of other leveraging agencies?
- What does it mean to be an initial agency partner?
- How do you request an extension beyond the 60-day access window for Connect.gov or obtain additional package permissions?
General
- Who is responsible for the cloud security controls?
- What is the difference between Federal Information Security Modernization Act (FISMA) and FedRAMP controls?
- How does FedRAMP handle Trusted Internet Connections (TIC) requirements in the cloud?
- Where are FedRAMP guidance documents and templates maintained? How is the FedRAMP community notified of new documents posted for public comment?
- Is FedRAMP Mandatory?
- What is FedRAMP's value to the federal government?
