cloud-gov / compliance

Compliance automation for cloud.gov

Connect with, or explore creating, CSP community of practice. #251

Closed pburkholder closed 2 years ago

pburkholder commented 2 years ago

In order to be more effective at this authorization business, and make the authorization process better all around, connect with other CSP folks doing this work to a) learn from each other's experience and b) provide feedback to FedRAMP on how to improve the overall process.

Security considerations

Make compliance align more with security.

pburkholder commented 2 years ago

There was a FedRAMP meeting on Feb 10, 2020:

The FedRAMP Program Management Office (PMO) and Joint Authorization Board (JAB) will be hosting a Technical Exchange Meeting (TEM) on Monday, February 10th from 9:00am to 12:30pm at GSA headquarters in Washington, D.C. The TEM will focus on Container Security and Cloud Service Providers (CSPs) will have the opportunity to exchange information with the PMO and provide feedback on a future guidance document to be released by the PMO. [snip]
The FedRAMP team is looking forward to seeing you at this first TEM.

I heard back from Catherine Lotterman - XAAB-C (FedRAMP)

pburkholder commented 2 years ago

I opened two issues with info@FedRAMP.gov. Number 58944 for CSPs community of practice, and Number 58943 for mailing lists -- am I subscribed to events for CSPs and do they hold them.

pburkholder commented 2 years ago

I'm rescoping this just to "Exploring CoP for CSPs" -- it turns out there isn't any that FedRAMP is aware of.

Currently we don't have a FedRAMP PMO-run CSP CoP, or are aware of any other CoPs specific to FedRAMP. Perhaps this is an idea we can explore in the future.

In Slack I heard from Gray that he was able to create the OpenSource and APIs CoP mailing lists across public/private boundaries: https://gsa-tts.slack.com/archives/C03EMDS6P/p1643323600125000

cop-management is inactive but has people in it who would have more guidance. I suspect that that activity takes place over in #digitalgov though, as I believe that they are under its aegis.

They may have more directions, but the short of it is that you create a listserv (easy to do), decide the rules of the road (who can join, will messages be moderated, etc.), ensure that you're up to managing it, and start inviting people with a prompt. When you're ready, the best move to advertise it is to share in relevant other communities or listservs. You'll want to think through a bit any of the public/private aspects that you might foresee, but both of the ones I started are that way, and there are no inherent blockers to that.

I'm closing this "explore" phase as done, and