Commit

Update faqs.html
content review updates
shivaalipour authored Mar 28, 2024
1 parent a68e23f commit d97343e
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions _layouts/faqs.html
Expand Up @@ -118,7 +118,7 @@ <h4 class="usa-accordion__heading">
aria-controls="gen-fedramp-guidance"> Where are FedRAMP guidance documents and templates maintained? How is the FedRAMP community notified of new documents posted for public comment? </button>
</h4>
<div id="gen-fedramp-guidance" class="usa-accordion__content usa-prose">
<p>All official FedRAMP documentation is maintained on <a href="https://www.fedramp.gov/">FedRAMP.gov</a>. Opportunities for large-scale public comment periods will be messaged via a number of channels and methods. To ensure you are notified of these opportunities, <a href="https://public.govdelivery.com/accounts/USGSA/subscriber/new?qsp=USGSA_2224" target="_blank"><i class="fas fa-external-link-alt fa-sm"></i> subscribe to the FedRAMP distribution list</a> for updates. Be sure to follow us on X (formerly Twitter) @FedRAMP to get notifications on other program updates.</p>
<p>All official FedRAMP documentation is maintained on <a href="https://www.fedramp.gov/">FedRAMP.gov</a>. Opportunities for large-scale public comment periods will be messaged via a number of channels and methods. To ensure you are notified of these opportunities, <a href="https://public.govdelivery.com/accounts/USGSA/subscriber/new?qsp=USGSA_2224" target="_blank">subscribe to the FedRAMP distribution list</a> <i class="fas fa-external-link-alt fa-sm"></i> for updates. Be sure to follow us on X (formerly Twitter) @FedRAMP to get notifications on other program updates.</p>
</div>
<h4 class="usa-accordion__heading">
<button class="usa-accordion__button"
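Review bot: moving `<i class="fas fa-external-link-alt fa-sm"></i>` out of the `<a>` in the `gen-fedramp-guidance` paragraph takes the icon out of the link's focusable and announced content, and the icon still carries no `aria-hidden="true"`, so assistive technology gets an empty element rather than an "external link" cue. Suggest `<i class="fas fa-external-link-alt fa-sm" aria-hidden="true"></i>` together with a visually hidden "(external link)" span inside the anchor, so the meaning of the icon survives for non-visual users.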
Expand Down Expand Up @@ -205,15 +205,15 @@ <h4 class="usa-accordion__heading">
aria-controls="fa-performing-conmon"> As the initial authorizing agency, are we responsible for performing continuous monitoring (ConMon) oversight on behalf of other leveraging agencies? </button>
</h4>
<div id="fa-performing-conmon" class="usa-accordion__content usa-prose">
<p>No. It is not the initial authorizing agency’s responsibility to conduct ConMon oversight on behalf of all other agencies. OMB Circular A-130 requires federal agencies to implement the Risk Management Framework (RMF) described in <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf" target="_blank">NIST SP 800-37</a><i class="fas fa-external-link-alt fa-sm"></i>. The RMF process includes a Monitor step. The purpose of this step is to maintain ongoing situational awareness about the security posture of the system in support of risk management decisions. Each agency that issues an ATO or ATU for a cloud offering must review the cloud service provider’s (CSP’s) ConMon activities to ensure the security posture remains sufficient for its own use and supports an ongoing authorization. This includes reviewing the monthly Plan of Action and Milestones (POA&M), approving deviation requests and significant change requests, and reviewing the results of the annual assessment. With the release of the FedRAMP Rev 5 baselines, security control CA-7 requires CSPs with more than one customer agency to implement collaborative ConMon. This approach is intended to streamline the ConMon process and potentially minimize duplicative efforts in a way that helps each agency still perform their due diligence related to ConMon. The PMO developed a recommended Collaborative ConMon approach, which is described in the <a href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Collaborative_ConMon_Quick_Guide.pdf" target="_blank">FedRAMP Collaborative ConMon Quick Guide</a>. Collaborative ConMon benefits agencies by allowing them to share responsibility for ConMon oversight, and it benefits the CSP by creating a central forum for addressing questions and achieving consensus related to deviation requests, significant change requests and the annual assessment - versus having to coordinate with each agency separately.</p>
<p>No. It is not the initial authorizing agency’s responsibility to conduct ConMon oversight on behalf of all other agencies. OMB Circular A-130 requires federal agencies to implement the Risk Management Framework (RMF) described in <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf" target="_blank">NIST SP 800-37</a> <i class="fas fa-external-link-alt fa-sm"></i>. The RMF process includes a Monitor step. The purpose of this step is to maintain ongoing situational awareness about the security posture of the system in support of risk management decisions. Each agency that issues an ATO or ATU for a cloud offering must review the cloud service provider’s (CSP’s) ConMon activities to ensure the security posture remains sufficient for its own use and supports an ongoing authorization. This includes reviewing the monthly Plan of Action and Milestones (POA&M), approving deviation requests and significant change requests, and reviewing the results of the annual assessment. With the release of the FedRAMP Rev 5 baselines, security control CA-7 requires CSPs with more than one customer agency to implement collaborative ConMon. This approach is intended to streamline the ConMon process and potentially minimize duplicative efforts in a way that helps each agency still perform their due diligence related to ConMon. The PMO developed a recommended Collaborative ConMon approach, which is described in the <a href="https://www.fedramp.gov/assets/resources/documents/FedRAMP_Collaborative_ConMon_Quick_Guide.pdf" target="_blank">FedRAMP Collaborative ConMon Quick Guide</a>. Collaborative ConMon benefits agencies by allowing them to share responsibility for ConMon oversight, and it benefits the CSP by creating a central forum for addressing questions and achieving consensus related to deviation requests, significant change requests and the annual assessment - versus having to coordinate with each agency separately.</p>
</div>
<h4 class="usa-accordion__heading">
<button class="usa-accordion__button"
aria-expanded="false"
aria-controls="fa-accept-ato-atu"> Does FedRAMP accept both an Authority to Operate (ATO) and an Authority to Use (ATU)? </button>
</h4>
<div id="fa-accept-ato-atu" class="usa-accordion__content usa-prose">
<p><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf">NIST SP 800-37</a><i class="fas fa-external-link-alt fa-sm"></i> describes the ATO and ATU as very similar in that they both are the mechanisms for documenting and accepting risk of information systems, and approving the use of the system by the agency. ATUs are intended to be used for shared systems, but still document accepting risk and approving use (based on an external security assessment). Though FedRAMP accepts both ATOs and ATUs, there must be at least one ATO on file for the cloud service offering (CSO) in order for FedRAMP to accept an ATU.</p>
<p><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf">NIST SP 800-37</a> <i class="fas fa-external-link-alt fa-sm"></i> describes the ATO and ATU as very similar in that they both are the mechanisms for documenting and accepting risk of information systems, and approving the use of the system by the agency. ATUs are intended to be used for shared systems, but still document accepting risk and approving use (based on an external security assessment). Though FedRAMP accepts both ATOs and ATUs, there must be at least one ATO on file for the cloud service offering (CSO) in order for FedRAMP to accept an ATU.</p>
</div>
<h4 class="usa-accordion__heading">
<button class="usa-accordion__button"
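Review bot: the two `NIST SP 800-37` anchors in this hunk are treated differently: the one in `fa-performing-conmon` has `target="_blank"`, the one in `fa-accept-ato-atu` does not, while the `FedRAMP Collaborative ConMon Quick Guide` anchor has `target="_blank"` but no external-link icon at all. Since the commit already edits the text around all three links, pick one rule (icon plus `target` for every off-site link, or neither) and apply it to each of them in the same change.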
Expand Down Expand Up @@ -268,7 +268,7 @@ <h4 class="usa-accordion__heading">
aria-controls="csp-get-started"> My company is looking to obtain FedRAMP authorization for one of our existing cloud products. I have executive support and an agency partner. How do I get started? </button>
</h4>
<div id="csp-get-started" class="usa-accordion__content usa-prose">
<p>As a first step, please complete the <a href="https://docs.google.com/forms/d/e/1FAIpQLScU4_x5UK53d0PUUDsOdqWyzUvAN1-yFJ1NxffT7PkGkCiuPg/viewform" target="_blank">FedRAMP Cloud Service Provider (CSP) Information Form</a><i class="fas fa-external-link-alt fa-sm"></i> to notify the FedRAMP team of your intent to pursue a FedRAMP authorization with a federal agency. Submission of the form will generate a FedRAMP Package ID for your cloud offering. In addition, you will receive an email that describes the next steps in the authorization process, along with links to a number of helpful resources.</p>
<p>As a first step, please complete the <a href="https://docs.google.com/forms/d/e/1FAIpQLScU4_x5UK53d0PUUDsOdqWyzUvAN1-yFJ1NxffT7PkGkCiuPg/viewform" target="_blank">FedRAMP Cloud Service Provider (CSP) Information Form</a> <i class="fas fa-external-link-alt fa-sm"></i> to notify the FedRAMP team of your intent to pursue a FedRAMP authorization with a federal agency. Submission of the form will generate a FedRAMP Package ID for your cloud offering. In addition, you will receive an email that describes the next steps in the authorization process, along with links to a number of helpful resources.</p>
</div>
<h4 class="usa-accordion__heading">
<button class="usa-accordion__button"
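Review bot: the `FedRAMP Cloud Service Provider (CSP) Information Form` anchor opens a third-party Google Forms page with `target="_blank"` and no `rel` attribute. Current browsers imply `noopener` for `target="_blank"`, but older ones do not, and `rel="noopener noreferrer"` also stops the Referer header from being sent to the third-party page; suggest `<a href="..." target="_blank" rel="noopener noreferrer">` here and on the other `target="_blank"` anchors touched by this commit.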
Expand Down Expand Up @@ -489,7 +489,7 @@ <h4 class="usa-accordion__heading">
aria-controls="test-security-know-if-cryptographic-module-FIPS-validated">How do you know if a cryptographic module is FIPS-validated?</button>
</h4>
<div id="test-security-know-if-cryptographic-module-FIPS-validated" class="usa-accordion__content usa-prose">
<p>The status of a cryptographic module submitted for testing and validation can be found at the National Institute of Standards and Technology (NIST) <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program" target="_blank">Cryptographic Module Validation Program (CMVP) website</a><i class="fas fa-external-link-alt fa-sm"></i>.</p>
<p>The status of a cryptographic module submitted for testing and validation can be found at the National Institute of Standards and Technology (NIST) <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program" target="_blank">Cryptographic Module Validation Program (CMVP) website</a> <i class="fas fa-external-link-alt fa-sm"></i>.</p>
</div>
<h4 class="usa-accordion__heading">
<button class="usa-accordion__button"
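Review bot: this is the fourth hand-edited copy of the same `</a> <i class="fas fa-external-link-alt fa-sm"></i>` pattern in one commit, and the gap before the icon is now a literal space inside the `<p>` text, so the rendered spacing depends on whitespace collapsing around the inline `<i>`. In a Jekyll layout such as `_layouts/faqs.html`, a single include (a hypothetical `{% include external-link.html %}`, say) would keep the markup, spacing and any later `aria-hidden` fix in one place instead of seven.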
Expand All @@ -510,7 +510,7 @@ <h4 class="usa-accordion__heading">
aria-controls="security-know-if-cryptographic-module-NSA-approved">How do you know if a cryptographic module is NSA-approved?</button>
</h4>
<div id="security-know-if-cryptographic-module-NSA-approved" class="usa-accordion__content usa-prose">
<p>National Security Agency (NSA)-tested and approved cryptographic modules (CMs) are also acceptable. The NSA validation status of a CM can be found on the <a href="https://www.niap-ccevs.org/Product/index.cfm" target="_blank">National Information Assurance Partnership (NIAP) website</a><i class="fas fa-external-link-alt fa-sm"></i>. Since FIPS 140-validated CMs are by far more commonly used in cloud service offerings (CSOs) than NSA-approved CMs, we will refer to FIPS mode from here on.</p>
<p>National Security Agency (NSA)-tested and approved cryptographic modules (CMs) are also acceptable. The NSA validation status of a CM can be found on the <a href="https://www.niap-ccevs.org/Product/index.cfm" target="_blank">National Information Assurance Partnership (NIAP) website</a> <i class="fas fa-external-link-alt fa-sm"></i>. Since FIPS 140-validated CMs are by far more commonly used in cloud service offerings (CSOs) than NSA-approved CMs, we will refer to FIPS mode from here on.</p>
</div>
<h4 class="usa-accordion__heading">
<button class="usa-accordion__button"
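Review bot: with the icon now a sibling of the `National Information Assurance Partnership (NIAP) website` anchor rather than a child, it no longer inherits the anchor's underline, colour or hover state and sits outside the focus outline. If the intent was only to stop the icon being underlined, check whether the stylesheet already styles `a > i` before accepting a DOM change that also alters the tab-focus and hover behaviour.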
Expand Down Expand Up @@ -699,7 +699,7 @@ <h4 class="usa-accordion__heading">
aria-controls="provide-sr2-template">Will FedRAMP provide a template for SR-2, Supply Chain Risk Management Plan?</button>
</h4>
<div id="provide-sr2-template" class="usa-accordion__content usa-prose">
<p>FedRAMP is not providing a SCRM template at this time; however, <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf" target="_blank">NIST SP 800-161</a><i class="fas fa-external-link-alt fa-sm"></i> includes sample SCRM templates in Appendix D.</p>
<p>FedRAMP is not providing a SCRM template at this time; however, <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf" target="_blank">NIST SP 800-161</a> <i class="fas fa-external-link-alt fa-sm"></i> includes sample SCRM templates in Appendix D.</p>
</div>
<h4 class="usa-accordion__heading">
<button class="usa-accordion__button"
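Review bot: the `provide-sr2-template` answer reads "a SCRM template"; SCRM is read letter by letter, so "an SCRM template" is the expected article, and a commit described as "content review updates" is the natural place to fix it. The `NIST SP 800-161` anchor also points at the r1 PDF while the visible text names no revision; "NIST SP 800-161 Rev. 1" would tell readers which document's Appendix D is meant.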