- What are some real-world examples (e.g. DLP or data tagging solutions) of how a CSP can implement CM-12(1)?
- In SSP Section 9 - Ports, Protocols, and Services, what is the purpose of the Appendix Q reference number?
- How can CSPs ensure vendors build and test in alignment with NIST 800-171 or an equivalent framework, as required by SR-6 in the High and Moderate baselines?
- For SC-7(4), what is defined as control plane traffic?
- For AT-2, Literacy Training and Awareness, does FedRAMP require distinct basic security and privacy literacy training, advanced literacy training, and awareness techniques?
- For supply chain controls, CSPs can define what systems, components, and services fall under the SCRM (SR-2), but is it the intent of the FedRAMP PMO that this only be focused on paid-vendor or large components?
- How do CSPs document deviations from STIGs/CIS Level 2 benchmarks?
- CA-8(2) requires Red Team exercises. Are 3PAOs required to perform Red Team exercises as part of penetration testing?
- Will FedRAMP provide a template for SR-2, Supply Chain Risk Management Plan?
- CA-7 has a new "Additional FedRAMP Requirement" to perform monthly Service Configuration Scans. Does this require all CM-6 benchmark scans to be performed and uploaded monthly?
- How should we handle conflicts between the FedRAMP control requirements and Security Technical Implementation Guides (STIGs)?