Authorizations
- What is the process for handling false positives found during an initial or annual assessment when the security assessment report (SAR) is closed but has not yet been approved by the partnering agency?
- Is a penetration test required for FedRAMP authorization?
- If a Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS) resides on a FedRAMP Authorized Infrastructure-as-a-Service (IaaS), does that mean it is also FedRAMP Authorized?
ET Prioritization Framework
- Will Cloud Service Providers (CSPs) that apply for an ET prioritization also be applying for a FedRAMP authorization at the same time?
- Do I have to have a complete package in the queue to be prioritized?
- What if a CSP hasn't started their FedRAMP authorization yet?
- I already have a FedRAMP Authorization. Can I reapply for an ET prioritization?
- What is a model card?
- Do you have any examples of a model card?
Rev. 5
- What are some real-world examples (e.g. DLP or data tagging solutions) of how a CSP can implement CM-12(1)?
- In the SSP Section 9 - Ports, Protocols, and Services, what is the purpose of the Appendix Q reference number?
- How can CSPs ensure vendors build and test in alignment with NIST 800-171 or equivalent framework as required by SR-6 in the High and Moderate baselines?
- For SC-7(4), what is defined as control plane traffic?
- For AT-2, Literacy Training and Awareness, does FedRAMP require distinct basic security and privacy literacy training, advanced literacy training, and awareness techniques?
- For supply chain controls: CSPs can define what systems, components, and services fall under the SCRM (SR-2), but is it the intent of the FedRAMP PMO that this only be focused on the paid-vendor or large components?
Third Party Assessors (3PAO)
- What is the role of the third party assessment organization (3PAO) in continuous monitoring?
- Are cloud service providers (CSPs) required to use a FedRAMP recognized third party assessment organization (3PAO)?
- How does a company become a FedRAMP recognized third party assessment organization (3PAO)? How is the independence and quality of a 3PAO validated?
- What is a third party assessment organization (3PAO)?
Cloud Service Providers (CSPs)
- Does a cloud service provider (CSP) need to implement a FIPS-validated multi-factor authentication (MFA) tool prior to a cloud service offering (CSO) achieving FedRAMP Ready, or can it be added to the Plan of Action and Milestones (POA&M) and addressed later?
- My company is looking to obtain FedRAMP authorization for one of our existing cloud products. I have executive support and an agency partner. How do I get started?
- How does a cloud service provider (CSP) get listed on FedRAMP's Marketplace?
Federal Agencies
- Should my agency use FedRAMP to authorize private cloud deployment?
- What happens if a cloud service offering (CSO) loses its agency customers?
- What happens if my agency decides to stop using the cloud service offering (CSO)?
- As the initial authorizing agency, are we responsible for performing continuous monitoring (ConMon) oversight on behalf of other leveraging agencies?
- What does it mean to be an initial agency partner?
- How do you request an extension beyond the 60-day access window for Connect.gov or obtain additional package permissions?
General
- Who is responsible for the cloud security controls?
- What is the difference between Federal Information Security Modernization Act (FISMA) and FedRAMP controls?
- How does FedRAMP handle Trusted Internet Connections (TIC) requirements in the cloud?
- Where are FedRAMP guidance documents and templates maintained? How is the FedRAMP community notified of new documents posted for public comment?
- Is FedRAMP Mandatory?
- What is FedRAMP's value to the federal government?