Responsibilities of CSPs and 3PAOs for FedRAMP Annual Assessment
FedRAMP requires Cloud Service Providers (CSPs) to undergo an annual security assessment of their Cloud Service Offering (CSO) per security control CA-2. Both CSPs and Third Party Assessment Organizations (3PAOs) are responsible for submitting components of a complete Annual Assessment package. Outlined below is a high-level breakdown of the requirements for each stakeholder. For more detailed information, review the FedRAMP Annual Assessment Guidance.
Required CSP Package Items:
- Current version of the System Security Plan (SSP) and all attachments
- Annual Incident Response Plan Test Report
- Annual Contingency Plan Test Report
- Plan of Action and Milestones (POA&M)
Required 3PAO Package Items:
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR) and related artifacts, such as raw vulnerability scan results and other evidence collected during the assessment
In addition, it is the CSP’s responsibility to verify that the 3PAO has uploaded the 3PAO-provided documents, and then to notify FedRAMP (via firstname.lastname@example.org) and the authorizing official, either the Joint Authorization Board (JAB) or the Agency Authorizing Official (AO), that the package is ready for review and approval.