u/FreeBirch

▲ 4 r/CMMC

Am I doing FedRAMP wrong?

Hello All,
I'm looking for feedback on my experience with CSPs and ESPs who are explicitly listed on the FedRAMP Marketplace.

Our C3PAO has asked us for the Body of Evidence for FedRAMP services. We have worked with many services who provided their system security plan and body of evidence with no issue.

However, other services direct us to use the FedRAMP package request form to get this information. The only issue is we do not have a .mil or .gov email address, which is required for the FedRAMP Marketplace package request form unless it was through the 20x Program.

Am I asking the wrong questions from my provider? What evidence is sufficient?

We do internally generated documentation, which documents each control and how that particular service is configured by us to meet the requirements.

u/FreeBirch — 2 days ago