Many of our cloud service providers (CSPs), federal agencies, and third-party assessment organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we will be providing weekly tips and addressing frequently asked questions and concerns.
This week’s tips come from FedRAMP’s Accelerated event. Read the full list of questions asked during FedRAMP Accelerated here.
Send potential tips and questions that you would like published as a tip [via email].
Do Federal Agencies need an Interconnection Security Agreement (ISA) with a CSP?
Interconnection Security Agreements (ISAs) are not designed for use between a CSP and a Federal Agency. An Agency ATO memo should be the governing document for Agency and CSP interaction and for communicating security requirements. CSPs should document the security protections in place for agency access, whether through dedicated connections or publicly routable internet space. This documentation should be included within the standard FedRAMP-required templates, policies, and procedures.
Agencies should follow the documented processes for issuing ATOs included in the FedRAMP guidance and documentation available on FedRAMP.gov:
CSPs should also continue to use ISAs for cloud system interconnections that fall within the scope of the cloud boundary. These ISAs are reviewed by 3PAOs as part of the security assessment and testing process, including testing of control CA-3. The FedRAMP Agency or JAB P-ATO process should be the mechanism for validating ISA documentation.
How can a federal organization ensure it maintains reasonable investigation capabilities, auditability, and traceability of data within the cloud?
Federal Agencies can ensure they maintain reasonable investigation capabilities, auditability, and traceability of data by logging and monitoring the following application events: