Support Email:

I’M Big on NIST

NIST! is one of the leading and most prominent bodies that defines standards for many areas. I primarily focus on the bodies of Technology, especially security. some of my favorite publications are SP-800 docs as well as some of the FIPs publication, which defines the core of the cybersecurity framework, there are some great ISO guidelines that can are used to define the industry as well. ….. what are your thoughts?

What does FedRAMP say

Tips and Cues Many of our Cloud Service Providers (CSPs), Federal Agencies, and Third Party Assessment Organizations (3PAOs) often share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we send tips and address frequently asked questions and concernsWe will now be sending these twice a month, rather than each week in order to ensure quality and streamlined communications.  As always, please send potential tips and questions that you would like published as a tip to

The FedRAMP PMO just completed our most recent round of FedRAMP Connect, the process where Cloud Service Providers (CSPs) are prioritized to work with the Joint Authorization Board (JAB). CSPs that are selected to work with the JAB submitted business cases to the PMO in order to showcase the high demand for their cloud offering across the federal government and demonstrate their security readiness for the JAB process.

Before finalizing our prioritization decision, FedRAMP presented and vetted our analysis with the CIO Council, GSA’s Office of General Counsel (OGC), and the JAB CIOs and Technical Representatives. The focus of this process is to choose the CSPs that offer services that will benefit the widest variety of Agencies across the Federal Government.

We are delighted to announce that we’ve selected the following four vendors to be prioritized by the JAB.

  • Human Resources Technologies, Inc. (HRTec) – FedHIVE (High)
  • Jive Software – JiveGuard (Moderate)
  • Medallia – Medallia GovCloud (MGC) (Moderate)
  • TTEC Government Solutions – Humanify-G -CCaaS (Moderate)

Congratulations, HRTec, Jive, Medallia, and TTEC! The FedRAMP PMO looks forward to working with you through this process.

As we communicated in our JAB Prioritization Criteria and Guidance document, we accept business cases on a rolling basis and will have cut off dates quarterly (shared on our JAB Authorization webpage). Our next cut off date for FedRAMP Connect business cases will be on April 12th.

As always, the PMO is available for informational and coaching call to help CSPs prepare for FedRAMP Connect. If you have any questions or would like to set up a phone call, please e-mail for more information.

Federal Agencies  Q: Once a Deviation Request (DR) has been submitted for downgrading risk from High to Moderate, should CSP create a new POA&M ID and another separate DR for downgrading risk from Moderate to Low? A: The original detection of the vulnerability POA&M ID should remain separate from the adjusted risk. CSPs should also maintain separate DRs. For tracking purposes, the ConMon team would need another DR submitted by the CSP.