Cloud Service leveraging a system clearly defines the roles and responsibilities for every control
requirement. The CSP must describe how the control is implemented and how it is using the
inherited control in the leveraged system SSP. For example, a Physical and Environmental (PE)
control might be fully inherited from the leveraged system. The CSP describes “how” the PE
control requirement is implemented, including stating that it is fully inherited from the leveraged
system. There is a subsection in the control implementation description that states “what” the
leveraged system is providing to meet the requirement but not “how” the leveraged system
meets the requirement. The 3PAO must verify the CSP is using the control consistent with the
SSP.
In another example, a control requirement might be a “shared” control, where the System and
the leveraged system implement portions of a requirement to fully meet the requirement. In
this case, the CSP would define “what” and “how” the CSP is implementing the portion they are
responsible for, and there would be a subsection in the implementation description where the
“what” being provided by the leveraged system is described. However, the description of “how”
the leveraged system implements their portion of the control would be found in the leveraged
system SSP.
The scope of testing for the CSP leveraging a FedRAMP compliant leveraged system includes
only control requirements that the CSP is responsible for implementing, either wholly or
partially. The 3PAO tests only the control requirement implemented by the CSP and assumes
the leveraged system is compliant with the requirements based on their initial and continued
P-ATO or ATO status. The scope of testing does not include “testing” of the implementation by
the leveraged system. If the leveraged system provides a service such as auditing/logging or
trouble ticketing, the 3PAO must collect evidence from only the CSP that the leveraged system
is providing those services (e.g., audit logs/reports).
3.2. METHODOLOGY FOR REPORTING AND MANAGING RISKS ASSOCIATED WITH INHERITED CONTROLS
The 3PAO may have identified some known risks associated with the system leveraged by a CSP.
These risks may be due to a “gap” in implementation of all the requirements in a control
between the CSP and the leveraged system. These risks may result from the CSP not having
fully implemented a requirement that they are responsible for implementing or the leveraged
system may not have fully implemented and tested the FedRAMP NIST SP 800-53, Revision 4
baseline requirements.
The 3PAO must include these known risks in the SAR and the CSP must include these known
risks in the POA&M (including Vendor Dependencies) and track and report the status of those
risks as part of continuous monitoring activities. For example, the CSP indicates in the POA&M
that they have communicated with the applicable POC of the leveraged system to determine
the current status of remediation of those risks at least every 30 days.