This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization accepts the results of an assessment of [FedRAMP Assignment: (M)(H) organization-defined information system] performed by [FedRAMP Assignment: (M)(H) any FedRAMP Accredited 3PAO] when the assessment meets [FedRAMP Assignment: (M)(H) the conditions of the JAB/AO in the FedRAMP Repository].
NIST 800-53 (r4) Supplemental Guidance:
Organizations may often rely on assessments of specific information systems by other (external) organizations. Utilizing such existing assessments (i.e., reusing existing assessment evidence) can significantly decrease the time and resources required for organizational assessments by limiting the amount of independent assessment activities that organizations need to perform. The factors that organizations may consider in determining whether to accept assessment results from external organizations can vary. Determinations for accepting assessment results can be based on, for example, past assessment experiences one organization has had with another organization, the reputation that organizations have with regard to assessments, the level of detail of supporting assessment documentation provided, or mandates imposed upon organizations by federal legislation, policies, or directives.
NIST 800-53 (r5) Discussion:
Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program ISO 15408-1, the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage.
38North Guidance:
Meets Minimum Requirement:
If the CSP has not gone through a FedRAMP assessment but has gone through another assessment such as SOC, PCI, or ISO, and has an assessment plan to support that assessment, this will suffice for the initial FedRAMP assessment.
If the CSP has conducted internal security assessments on the information system in scope, then they will need to meet all of the objectives in the above control to be compliant with CA-2.
Develop and document a Security Assessment Plan (SAP) that includes the purpose, scope (controls in scope of the assessment), testing methods and techniques, assessment schedule and POCs, etc.
Document the results of the security assessment within a Security Assessment Report (SAR) that includes the results for each control tested along with the overall compliance status of the information system.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
List of approved external organizations that perform security assessments.
Copies of security test plans and reports related to security testing activities performed as part of the development processes (e.g., SOC, ISO, IRAP).
Annual Security Assessment Report (SAR) developed by an Independent Assessor or 3PAO.
Annual security assessments, including announced vulnerability scanning performed by an independent third party, for the current and previous year.
CSP Implementation Tips:
None.