FedRAMP Annual Assessment Guide
“what” and “how” the CSP is implementing the portion it is responsible for, with a subsection of the implementation description that describes the “what” provided by the leveraged system; the description of “how” the leveraged system implements its portion of the control is found in the leveraged system’s SSP, not in the leveraging CSP’s SSP.
The scope of testing for a CSP leveraging a FedRAMP Authorized system includes only the control requirements that the CSP is responsible for implementing, either wholly or partially. The IA tests only the control requirements implemented by the CSP and assumes the leveraged system is compliant with its requirements based on its initial and continued P-ATO or ATO status. The scope of testing does not include testing of the leveraged system’s own implementation. If the leveraged system provides a service such as auditing/logging or trouble ticketing, the IA collects evidence only from the CSP showing that the leveraged system is providing those services (e.g., audit logs/reports).
3.2. Methodology for Reporting and Managing Risks Associated with Inherited Controls
The IA may have identified known risks associated with the system leveraged by a CSP. These risks may be due to a “gap” in the implementation of a control’s requirements between the CSP and the leveraged system, or may result from the CSP not having fully implemented a requirement that it is responsible for implementing.
The IA must include these known risks in the SAR, and the CSP must include these known risks in the
POA&M (including VDs) and track and report the status of those risks as part of ConMon activities (e.g., the
CSP indicates in the POA&M that they have communicated with the applicable POC of the leveraged system
to determine the current status of remediation of those risks at least every thirty (30) days).
Consider the following example: The IaaS CSP currently has some implementations based on FedRAMP
NIST SP 800-53, revision 4 requirements. The SaaS leveraging the IaaS has fully implemented FedRAMP
NIST SP 800-53, revision 5. During the assessment of the SaaS, it was determined that the leveraged IaaS
had not fully transitioned to implementation of FedRAMP NIST SP 800-53, revision 5. To be compliant, the
SaaS CSP must have the following:
● A SAR that identifies the gaps in the inherited controls (gaps from NIST revision 4 to NIST revision 5)
● A POA&M that tracks these deficiencies
● An SSP that reflects that these inherited controls are partially implemented or planned, based on the SAR findings
The preceding is only an example. It does not imply the requirements only apply to SaaS providers. Similar
requirements apply whenever a CSP claims a VD as the reason for an open POA&M item. During the annual
assessment, the IA verifies the applicable requirements are met.