Due to the ongoing COVID-19 pandemic, FedRAMP announced that it is now allowing remote testing of data centers.
In a May 11 blog post, FedRAMP explained that Cloud Service Providers (CSPs) hire Third Party Assessment Organizations (3PAOs) to perform security assessments for their initial and annual assessment authorizations.
Typically, these assessments are performed onsite, including testing of the physical and environmental controls provided by the data centers housing CSPs’ information technology resources. However, due to safety guidelines from the Centers for Disease Control and Prevention, FedRAMP said that 3PAOs may be permitted to perform the testing of certain data centers remotely.
“When making the decision to perform either local or remote testing, the 3PAO should reference the state or territorial and local health department for up-to-date information regarding travel, testing requirements, stay-at-home orders, and quarantine requirements upon arrival,” FedRAMP said in its blog post. “However, in all instances prior to performing remote testing, the 3PAO must outline their request and ask for permission from the Authorizing Official (AO) or a delegated party.”
FedRAMP also noted that all remote testing must be explicitly detailed in the Security Assessment Plan (SAP), along with any test cases used and any modifications made to those test cases to facilitate the remote testing.
With COVID-19 guidelines frequently changing, FedRAMP said it will revisit this guidance “periodically” and provide updates when guidance is modified.