Roles and Responsibilities

CSPs and 3PAOs should understand and agree on the division of roles and responsibilities with respect to the development of an authorization package. Although CSPs do not develop the SAP and SAR, they are responsible for reviewing and approving these documents. For this reason, this Playbook includes several tips on how to review the SAP and SAR for completeness, correctness, and consistency.

| | CSP | 3PAO |
|---|---|---|
| SSP | Develop SSP documentation using FedRAMP templates*. Validate work prepared by advisors (if applicable). | As an advisor, develop the SSP documentation**. As an assessor, validate the SSP documentation is complete and accurate**. |
| SAP | Review and approve the SAP. Sign the SAP. | Coordinate with CSP to define assessment scope and methodology. Deliver SAP and security test case procedures using FedRAMP templates***. Sign the SAP. Deliver penetration test plan that aligns with FedRAMP's guidance. |
| SAR | Provide required artifacts and evidence to the 3PAO during assessment. Work with the 3PAO to identify risks that must be remediated or mitigated prior to authorization. | Perform assessment of the CSO according to FedRAMP guidelines. Draft a SAR that aligns with the SSP/SAP detail and describes the findings of the assessment***. Deliver the SAR to the CSP. |
| POA&M | Create and maintain a POA&M that aligns with FedRAMP's POA&M Template. Implement monthly ConMon. Use the POA&M to track and manage risks. | Validate the POA&M detail for a CSO as part of the annual assessment. If performing POA&M activities on behalf of a CSP, assume all CSP responsibilities for POA&M management. |

* CSPs are required to use FedRAMP templates for the SSP, security controls rules of behavior (RoB), information system contingency plan (ISCP), control implementation summary (CIS) and customer responsibility matrix (CRM) workbook, integrated inventory workbook, POA&M, and cryptographic modules table. CSPs develop their own policies and procedures, user guides, incident response plans, and configuration management plans. Additional guidance on each of these required documents is provided in Section 12 of the SSP template.

** Per the A2LA R311: Specific Requirements - FedRAMP, 3PAOs contracted to provide advisory services cannot provide assessment services for the same CSO for a period of two years.

*** 3PAOs are required to use FedRAMP templates for the SAP, security test case procedures, SAR, and risk exposure table (RET).