The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, RetailFinancial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.

The Coalfire Blog

FedRAMP Question and Answer session from PMO webinar

November 13, 2012, Tom McAndrew, EVP Commercial Services, Coalfire

Bookmark and Share

Tom McAndrew

On October 25, the FedRAMP PMO conducted its first webinar, in what will be a series of webinars, on the FedRAMP process. This first webinar covered the four methods that CSPs can get listed in the FedRAMP repository.

This webinar is well worth the time to listen to it. The PMO had a lengthy Q&A session, which we have transcribed for your convenience below. The FedRAMP PMO also provides a transcription, but leverages a speech-to-text service which garbled some of the phrases and meanings. Our human reviewed Q&A of that section of the webinar is below.

Again, please review the previous webinars and events that the FedRAMP PMO has conducted and signup for their future events.

Please find a reproduction of the Q&A segment from the Oct 25 FedRAMP PMO webinar below:

  1. Who do we e-mail to get access to the enclave?
    Government employees can email; cloud service providers should apply at and you will be contacted by the FedRAMP PMO.

  2. Will the repository maintain current weaknesses identified through various means such as audits and continuous monitoring with a related risk assessment for appropriate individuals to review when needed?
    Yes. Cloud service providers will provide information and artifacts to the repository throughout the life cycle of the security authorization process and through their continuous monitoring program.

  3. Will an agency be able to see a CSP's entire package?
    Yes. A leveraging agency will be granted permission to see a CSPs entire package.

  4. Can you please describe what NDAs are in place to ensure that CSP documentation is not shared inappropriately?
    Federal agencies are granted controlled access. Federal employees are governed by the Trade Secrets Act and government contractors for FedRAMP sign non-disclosure agreements.

  5. How many CSPs are currently listed in the repository?
    There are currently no CSPs listed in the repository.

  6. Can a CSP choose their own independent third party assessor (3PAO)?
    Yes. Typically, the relationship between -- the 3PAO that is chosen, is chosen by the CSP and paid for by the CSP.

  7. Are more 3PAOs being added?
    Yes, the 3PAO program is on rolling admissions and we are currently still accepting applications and processing them as they come in.

  8. Can the general public access the listing of authorized CSPs to allow them to make learning decisions?
    The list of CSPs that will be available for viewing by federal agencies will be available publicly. All security authorization documentation will only be available for viewing by federal agencies. Authorized for viewing by the FedRAMP PMO.

  9. Is there a way to tell what CSPs applied?
    No. We will not be releasing that information. But we are -- we have received over 60 applications and are processing all of the applications and reached out to every vendor that has applied.

  10. You mentioned common requirements are based on FISMA and NIST standards; do you anticipate inclusion any other cloud standard or requirements?
    FedRAMP is based off of FISMA requirements, while we take into account other security recommendations and programs, we are firmly based in FISMA and do not plan on including any other cloud standards in our requirements.

  11. Where can we find a 3PAO and do we [the FedRAMP PMO] recommend any?
    All of the 3PAOs that have been accredited by the FedRAMP PMO are available for viewing on FedRAMP does not promote any 3PAO over another. We have accredited them all to the same standard and believe all can provide the same quality of work.

  12. What prevents one CSP from viewing the package of another CSP?
    Each vendor is given their own enclave within the repository; vendors can't see any other enclaves or see other vendors who have enclaves within the repository. There are robust security and access control mechanisms around our enclaves within the repository. We are more than happy to provide review of the security documentation before you place any of your documentation in there.

  13. Will government providers have access to the FedRAMP repository to ensure we are using approved cloud providers?
    Yes. Government customers, government providers can see the public listing of who is in the repository and if they would like to see the security documentation, can get that granted through the FedRAMP PMO.

  14. Can you clarify the benefits of being in the repository but not having the FedRAMP review?
    We designed the FedRAMP repository to encourage leveraging by agencies. We believe that the bulk of leveraging will come across at the Agency ATO level and through CSP supplied packages. The joint authorization board said they did not want to limit the repository to those cloud providers that already had government contracts, which is why we are allowing CSP supplied packages and also due to the limited resources of the JAB, they did not want to limit only packages within the repository to be those that have been authorized through them. So the benefits are that federal agencies can see -- have one place to see where other federal agencies have authorized cloud services and it promotes leveraging at a faster pace than currently available throughout the government.

  15. When do you expect the first approved CSPs to be listed on the FedRAMP website?
    We expect the first list of CSPs granted a provisional authorization through the JAB, by the end of the calendar year. However, packages available through agency ATOs and provided by CSPs will become available as soon as they are submitted to the FedRAMP PMO.

  16. What was the June 24th deadline you mentioned?
    FedRAMP launched on June 6, 2012, part of the mandatory nature was that any future cloud services that were purchased by agencies after June 6, 2012, had to meet FedRAMP requirements. For any currently implemented cloud services, or cloud implementations at agencies, they had two years to update to the FedRAMP requirements which is June 6, 2014.

  17. Can a CSP contact a 3PAO directly?
    Or is there a formal process for initiating a 3PAO assessment? CSPs can directly contact 3PAOs and work with them independent of the FedRAMP office. If a CSP is working with the FedRAMP PMO for a JAB authorization, the FedRAMP ISSO will work collectively with the CSP and 3PAO once they are selected, to make sure all expectations are met…as a security authorization package is created.

  18. When will the repository be available to agencies?
    It is available now to agencies. And will be populated with security authorization packages as the FedRAMP PMO receives them. It is also available for cloud service providers if they have security authorization documents they would like to provide to the PMO and make listed as well.

  19. Is there a difference in requirements for providers of vendor hosted public FISMA compliant cloud versus private agency hosted clouds?
    No, there is not a difference in requirements for public or private; industry or government hosted clouds.

  20. Do agencies need to utilize independent 3PAO to assess their package?
    Agencies are required to utilize independent assessors to assess their package. Agencies are not required to use a FedRAMP accredited 3PAO but are encouraged to do so because we have accredited them according to Independence and their FISMA knowledge. Additionally, It will allow the CSP to have a JAB review for a potential provisional authorization by the JAB.

  21. If the security assessment package category a CSP supplies, does that prevent or allow a federal agency to use that CSP?
    If allowed, does the CSP still have to go through an assessment or can that agency use reciprocity and accept a CSP provided package? Agencies can accept the CSP provided package granted they do a risk assessment. All packages in this category will not have a risk review done by the FedRAMP PMO. There will be a completion review to make sure all requirements have been met but an agency will have to be the first person to do the risk review of that system from the SSP all the way through to the SAR.

  22. How many agencies are there in total that will be leveraging the repository to engage CSPs?
    Potentially every single federal government agency.

  23. After this call where can one get questions answered?
    On the screen you can see our website as well as our e-mail information at (

  24. For a project that has an agency ATO that was not performed by an accredited 3PAO it cannot be leveraged until an accredited 3PAO has done an assessment.
    This is not correct. Agency ATOs can be leveraged by other agencies; that is why we are including them within the repository. If an accredited 3PAO was not used, the JAB will not review that document for a potential provisional authorization because it does not meet the independence requirements set forth by using an independent accredited 3PAO.  Yes, an agency ATO, as long as it meets the FedRAMP requirements and listed in the repository, can be leveraged.

  25. The June 2014 deadline is still presenting confusion.
    The repository is available now. The June 2014 deadline is when all cloud services that agencies use must meet FedRAMP requirements. However, the repository is available now for federal agencies and CSPs and will be populated with security authorization packages as they become available.

  26. There is also confusion about whether the POA&Ms were mandatory or not.
    The POA&M template is not a mandatory template however they are a mandatory document that needs to be a part of any security authorization documented and will need to be updated on a regular basis by the CSP to maintain the currency of their security authorization package.

  27. What is the anticipated time frame between applying and being engaged with the FedRAMP PMO?
    The FedRAMP PMO contacts all applicants within one week to setup an intake call to understand which process the agency or cloud service provider is seeking within FedRAMP, if it is to seek a joint authorization board authorization or wishing to have a completed documentation listed in the FedRAMP repository. The process includes an interview, in which we assess the readiness and requirements to be listed in the FedRAMP repository. To date every single applicant for FedRAMP has been contacted by the FedRAMP PMO.

  28. Can we add documents to the enclave as they are completed?
    The FedRAMP PMO can work with cloud service providers to make the enclave work for them in the best way possible. We don't have a defined process that does not allow that to happen. We can work with each vendor to see what works for them.

  29. What is the difference between a JAB authorization and having an agency authorization in the repository?
    The JAB authorization provides a heightened level of government review. The joint authorization board is comprised of the CIOs of the DoD, DHS and GSA-- for a JAB provisional authorization, these three CIOs reviewed the security authorization package provided by a cloud service providing and recommending they can accept the risk so that agencies can use that CSP. An agency ATO or authorization means only a singular or multiple agencies reviewed that cloud service provider's security authorization package and they provided a risk review, not the joint authorization board.

  30. Can you state the four ways to get approval for FedRAMP to be listed in the repository one more time?
    First, there is the jab provisional authorization. Second, an agency ATO that utilized a FedRAMP accredited 3PAO for the independent assessment. Third, an agency ATO that did not use an accredited 3PAO and there is a cloud service provider supplied authorization package without an ATO.

  31. Is an enclave established once per cloud instance or per service?
    It is established for a cloud service provider and further delineated down by service for that cloud service provider.

Coalfire is an accredited FedRAMP 3PAO. We also provide a list of FAQs and answers based on our experience in working with cloud service providers engaged in this process.

<< Go Back

Blog post currently doesn't have any comments.

Post Topics


RSS Feed

The Coalfire BlogSubscribe to Feed
Chrome users will need to install RSS Subscription Extension (by Google)