- What are some real-world examples (e.g., DLP or data tagging solutions) of how a CSP can implement CM-12(1)?
- In SSP Section 9 - Ports, Protocols, and Services, what is the purpose of the Appendix Q reference number?
- How can CSPs ensure vendors build and test in alignment with NIST SP 800-171 or an equivalent framework, as required by SR-6 in the High and Moderate baselines?
- For SC-7(4), what is defined as control plane traffic?
- For AT-2, Literacy Training and Awareness, does FedRAMP require distinct basic security and privacy literacy training, advanced literacy training, and awareness techniques?
- For supply chain controls: CSPs can define what systems, components, and services fall under SCRM (SR-2), but is it the intent of the FedRAMP PMO that this only be focused on paid-vendor or large components?
- How should a CSP prepare for privacy control requirements when preparing for an authorization under Rev. 5? Will FedRAMP release an updated Privacy Threshold Analysis/Privacy Impact Assessment (PTA/PIA) template to address privacy controls?
- How do CSPs document deviations from STIGs/CIS Level 2 benchmarks?
- Is there (or will there be) a running list or spreadsheet of the cloud service offerings that have implemented Rev. 5?
- CA-8(2) requires Red Team exercises. Are 3PAOs required to perform Red Team exercises as part of penetration testing?
- Will FedRAMP provide a template for SR-2, Supply Chain Risk Management Plan?
- Is a CSP permitted to create its own format for the delta/gap analysis between its current Rev. 4 implementation and the Rev. 5 requirements?
- What must CSPs use to document the gap between their Rev. 4 implementations and the Rev. 5 requirements?
- Documenting a CSP's Rev. 4 vs. Rev. 5 delta as plan of action and milestones (POA&M) items may cause a large spike in a CSP's POA&M count if those POA&Ms are carried from September 1, 2023 until the CSP's next annual assessment.
- When transitioning to Rev. 5 as part of an annual assessment, how should the assessment scope be defined?
- Is the expectation that cloud service providers will carry plan of action and milestones (POA&M) items for Rev. 5 controls until their transition assessment?
- Is it required that each individual Rev. 5 control be tracked as a unique plan of action and milestones (POA&M) item, or is a high-level transition finding acceptable?
- Will the Rev. 5 transition plan be documented solely in the plan of action and milestones (POA&M) and system security plan (SSP), or is there an expectation of a work breakdown structure (WBS)?
- CA-7 has a new "Additional FedRAMP Requirement" to perform monthly service configuration scans. Does this require all CM-6 benchmark scans to be performed and uploaded monthly?
- How should we handle conflicts between the FedRAMP control requirements and Security Technical Implementation Guides (STIGs)?
- What are the Rev. 5 transition timeline requirements?
- Please provide confirmation that significant change requests (SCRs) being submitted will be based on the current revision level of the system. If an SCR is submitted prior to the system undergoing a transition assessment to Rev. 5, the SCR would leverage