“To be clear, the C3PAO Assessment Team is not conducting a quasi-FedRAMP certification audit of the External Cloud Service Provider, for which it is neither authorized nor certified. Rather, the C3PAO is applying the two criteria established by DoD to determine if FedRAMP Moderate “equivalency” has been attained and can be recognized.”

1. The External Cloud Service Provider has provided a body of evidence documenting how the External Cloud Service Provider’s security controls are equivalent to those provided by the FedRAMP Moderate baseline standard; and
2. Said body of evidence has been attested to by an independent, credible, professional source.
Examples of items that could be included in such a BOE are an SSP that describes the system environment, system responsibilities, and the current status of the FedRAMP Moderate baseline controls required for the system, as well as a Customer Implementation Summary/Customer Responsibility Matrix that summarizes how each control is met and which party is responsible for maintaining that control.

“A FedRAMP Third-Party Assessment Organization (3PAO), however, retained by the OSC, may serve a role in this to attest to the credibility of the body of evidence.”
• Non-Duplication (Reciprocity)
• “Right now, with the CMMC AB, I don’t know if we’ve broached this particular topic. We certainly have with the DIBCAC, and we’re giving them credit. But we probably need to have that conversation with the AB as well, just to make sure that they know that we do endorse reciprocity.” ~ David McKeown, July 6 Federal News Network
• What I’m hearing: “Dept not clear with one voice re: FedRAMP non-duplication”
Plan and Prepare the Assessment → Conduct the Assessment → Report Assessment Results and Recommended POA&M’s (if applicable) → Close Out Assessment
1. A practice that was implemented but is missing minor updates (e.g. updates to policy signatures, procedural documentation that exists but is outdated, etc.), where the evidence demonstrates the implementation has been in place for a period of time; and
2. Consensus among the C3PAO Assessment Team that the practice in question does not change and/or limit the effectiveness of another practice that has been scored as “MET.”
DRAFT CAP V5.4 – Do not subtract points (5) if practice not permitted:
AC.L2-3.1.12 Monitor and control remote access sessions
AC.L2-3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions
AC.L2-3.1.16 Authorize wireless access prior to allowing such connections
AC.L2-3.1.17 Protect wireless access using authentication and encryption
AC.L2-3.1.18 Control connection of mobile devices