The Federal Risk and Authorization Management Program has laid out requirements for cloud service providers and third-party assessment organizations with regard to completing annual assessments.
FedRAMP said Wednesday it requires CSPs to submit an assessment package consisting of a system security plan, an annual incident response plan test report, an annual contingency plan test report and a plan of action and milestones.
3PAOs, for their part, need to submit a security assessment plan and a security assessment report, along with related artifacts such as raw vulnerability scan results.
These requirements are intended to guide CSPs as their offerings undergo annual security assessments of each security control.