FedRAMP Weekly Tips & Cues – November 9, 2016
Many of our cloud service providers (CSPs), federal agencies, and third party assessment organizations (3PAOs) often share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we will be providing weekly tips and address frequently asked questions and concerns.
Email us potential tips and questions that you would like published as a tip.
Cloud Service Providers (CSPs)
Question:
Why should CSPs spend time and money developing high quality documentation when their goal is to become FedRAMP Authorized?
Answer:
FedRAMP requires quality documentation (i.e., documentation that is clear, concise, consistent, and complete) to provide an accurate description of the risk posture of a cloud system. This, in turn, reduces an Agency’s level of effort to reuse an Authorization Package. Quality documentation also pays for itself by minimizing costly rework and time consuming delays caused by clarifying misunderstandings and waiting for missing documentation.
FedRAMP requires CSPs to spend as much time writing and editing the documentation as they do engineering the security.
Melpomenem/iStock/Thinkstock
Federal Agencies
Question:
How do security controls impact Quality of Service (QoS) of an application or system?
Answer:
Quality of Service (QoS) and security are interrelated. The implementation of security controls must be thoughtfully considered and deployed/implemented so as to not adversely impact an application’s or system’s QoS. This is important because improperly thought-out or excessive security controls can impact QoS. The CSP must plan the “right” amount of security as it pertains to the system performance and financial considerations.
This post was originally published on the FedRAMP blog.
Connect