kagreen70
commented
6 years ago -
Taken from the FedRamp FAQ page: CSPs can partner with any service provider or consulting firm to prepare for the authorization process. Accredited 3PAOs are only required as the independent assessor when working with the Joint Authorization Board (JAB) for a Provisional Authority to Operate (P-ATO), submitting a Readiness Assessment Report (RAR) to be deemed FedRAMP Ready, or if required by an Agency (which is generally recommended by the FedRAMP PMO).
-
We estimate no more than 10 SCRs, with variable level of effort. We don’t have the exact changes planned this far in advance - the idea would be to scope out each change as needed.
-
We have not yet planned that.
-
This will have to be determined in collaboration with the JAB. It should be the standard 1/3 controls plus the default set. There are no agency-specific controls.
Name and affiliation
Felece Whitfield, Cyber Security Program Manager/ FedRAMP Technical Manager.
Section of RFQ documents
Factor 2. Similar Experience
The offeror shall provide at least one example, from private or public sector, past or current
assessments meeting substantially the same size, scope and complexity of the requirements
listed within section 3.0 of the RFQ. The Government will not accept any past experience
performed by the offeror’s parent company, other corporate affiliate, subcontractor or
teaming partner.
Question/Comment
Dakota Consulting acquired subcontractor's to augment for two CSPs initial assessment in 2016 in 2018 Will that be accepted that we used our employees and subcontractors?
How many significant CRs have been approved for cloud.gov within the year that will be in scope for independent testing?
For the annual assessment, has there been agreement between the JAB and Cloud.gov for the 1/3rd of FedRAMP security controls to be tested?
How many FedRAMP security controls and/or any agency specific controls in total?