Federal Risk and Authorization Management Program (FedRAMP) has updated a document designed to guide cloud service providers (CSPs) as they pursue a designation in the FedRAMP Marketplace. 

The document lists the requirements CSPs will need to satisfy before being designated in the marketplace, which federal agencies use to identify cloud service offerings that have achieved authorized, ready or in process status under FedRAMP, the program’s office said Thursday. 

The document has been updated to clarify how CSPs can achieve “in-process” designation and explain a new provision for when federal agencies no longer employ a CSO.

FedRAMP originally published the document in June 2019. The program aims to standardize the security of cloud products used by the federal government.

The Federal Risk and Authorization Management Program (FedRAMP) recently teamed up with the Cybersecurity and Infrastructure Security Agency (CISA) to apply CISA’s .govCAR methodology to score security controls of cloud service providers based on their capability to detect and respond to threats and now intends to use the framework to eight other aspects of the FedRAMP authorization process, FedScoop reported Thursday.

CISA uses the .govCAR method to perform threat-based assessments of cyber capabilities. 

FedRAMP now plans to integrate the methodology into annual reviews to focus on threat-based controls and use it in the agile authorization process. The program is also eyeing to use framework to help prioritize remediation initiatives, improve continuous monitoring of systems and facilitate the decision-making process with threat-based data. 

“FedRAMP is exploring how this data can be used to create a risk profile of each security capability in support of authorization decisions,” said Zach Baldwin, program manager for strategy, innovation and technology within FedRAMP’s program management office at the General Services Administration.

Baldwin noted that FedRAMP is performing control assessments and intends to issue updated risk scoring in an upcoming blog post.

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published new guidance to help organizations detect malicious cyber activity in the 5G cloud.

The Security Guidance for 5G Cloud Infrastructures: Prevent and Detect Lateral Movement helps organizations address lateral movements made by cyber actors that have breached through a 5G cloud system, NSA said Thursday.

The document is the initial entry to a four-part series produced by the Enduring Security Framework public-private working group, which tackles high-priority cyber issues threatening U.S. infrastructure.

“This series exemplifies the national security benefits resulting from the joint efforts of ESF experts from CISA, NSA and industry,” said Rob Joyce, cybersecurity director at NSA.

NSA’s list of cybersecurity guidance can be found here.