Acquisitions
- What does FedRAMP require for personnel screening requirements from cloud service providers (CSPs)?
- Is a federal agency limited to only including FedRAMP requirements in a Cloud Service Provider (CSP) contract?
- Can an agency include specific data location requirements in a contract, such as Continental United States (CONUS) only?
- Can an agency require a FedRAMP authorization as a condition of the contract award?
- Is a cloud service provider’s (CSP) FedRAMP Ready designation on the FedRAMP Marketplace an indicator that they will have an easier time getting through the FedRAMP authorization process?
- Is a Federal Information Security Modernization Act (FISMA) Authority To Operate (ATO) sufficient to meet FedRAMP requirements?
- Do FedRAMP requirements apply even if they are not included in a contract?
- How can an agency show preference for types of FedRAMP authorizations when developing criteria for offeror evaluations?
- Does FedRAMP accept both an Authorization to Operate (ATO) and an Authority to Use (ATU)?
- Is there an additional level of effort associated with being the initial authorizing agency?
