18F / tts-buy-bug-bounty

Solicitation and acquisition documents created for the TTS Bug Bounty program that can be reused by other government agencies and organizations.

FedRAMP assessor #16

Closed reedloden closed 5 years ago

reedloden commented 5 years ago

Question/Comment on TTS Bug Bounty RFQ

Name and affiliation

Reed Loden, Director of Security, HackerOne, Inc.

Section of RFQ documents

Addendum - Commercial Contract Clauses Low Impact Software as a Service (LiSaaS) – IT Security and Privacy Requirements https://github.com/18F/tts-buy-bug-bounty/blob/c0f3f6f4ad32be445694b45933621fb78da13c9f/2018-procurement/Addendum%20-%20Commercial%20Contract%20Clauses.md#low-impact-software-as-a-service-lisaas--it-security-and-privacy-requirements

Question/Comment

Is it expected that we use an external 3PAO for FedRAMP assessment, or would the GSA be our independent assessor?

MichelleMcNellis commented 5 years ago

GSA will facilitate the initial LiSaaS assessment for a 1-year ATO. Offerors will be required to work with GSA and submit requested documentation expeditiously to achieve the initial 1-year ATO. FedRAMP Tailored assessment of the implemented controls may be performed by an independent trusted third party, a FedRAMP Accredited Third-Party Assessment Organization (3PAO), at the vendor’s option and cost.