FEDRAMP TIPS & CUES COMPILATION
2015 - 2017
January 2018
Hello Everyone!
The FedRAMP PMO began publishing our weekly “Tips and Cues” as a way to address common concerns and issues being raised by Federal Agencies, Cloud Service Providers (CSPs), and Third Party Assessment Organizations (3PAOs).
We have received a lot of positive feedback about these posts. In order to make them even more accessible to our readers, we’ve compiled every tip we’ve published into a single document.
We hope you find this compilation helpful. If you’d like to sign up to receive our weekly Tips and Cues, please use this link.
Thanks and all the best,
Matt Goodrich
FedRAMP Director
TABLE OF CONTENTS
1. CONTINUOUS MONITORING .......... 1
2. CONTROLS .......... 4
3. FEDERAL AGENCY .......... 6
4. GENERAL PROGRAM .......... 13
5. PROFESSIONAL WRITING TIPS .......... 34
6. READINESS ASSESSMENT REPORT .......... 37
7. SECURITY ASSESSMENT PLAN (SAP) & SECURITY ASSESSMENT REPORT (SAR) DOCUMENTS .......... 37
8. SYSTEM SECURITY PLAN (SSP) DOCUMENTATION .......... 47
9. OTHER DOCUMENTATION - PLAN OF ACTIONS AND MILESTONES (POA&M), READINESS ASSESSMENT REPORT (RAR), SCANS, AND INFORMATION SYSTEM CONTINGENCY PLAN (ISCP) .......... 57
KEY
Cloud Service Provider (CSP) Tip
Federal Agency Tip
Third Party Assessment Organization (3PAO) Tip
1. CONTINUOUS MONITORING
TIP: CSPs must address every vulnerability they submit as part of their continuous monitoring data. There are a few different options for managing those vulnerabilities.
1. Remediate the finding within the required timeframe. This should be the default approach to vulnerability management.
2. As part of the Deviation Request process:
   a. Implement mitigations and request a risk adjustment, if appropriate.
   b. Seek approval for any False Positive (FP) findings. Be sure to provide evidence that proves the finding was an FP. An FP would not be appropriate in instances where the system setting is not active and, therefore, not vulnerable, but if it were active, the vulnerability would exist. This type of finding should be submitted as a Risk Adjustment with layers of mitigations that prevent exposure if the system setting is activated.
   c. Seek approval as an Operational Requirement (OR). OR requests should be infrequent since it means the vulnerability remains in production until it is eventually remediated. High findings must be mitigated and Risk Adjusted to at least Moderate for acceptance as an OR.
3. Justify the finding as a Vendor Dependency and check in with the vendor every 30 days. In this case, the vulnerability will not be considered late. The CSP should seek vendor components that are FedRAMP compliant when possible to avoid any Vendor Dependencies.
TIP: Select your monthly continuous monitoring scan and Plan of Action & Milestones (POA&M) delivery date wisely.
Consider vendor patch release schedules and your typical duration between the release of a vendor patch and its application within your environment. Plan your scans as soon as possible after patches are typically applied each month. If your monthly scans are out-of-sync with your patch cycle, the number of vulnerabilities reported can be artificially inflated.
For example, if you have Microsoft-based hosts and a two-week patch cycle, running scans just one week after “patch Tuesday” will report all of the newly released patches as new vulnerabilities on those hosts and inflate your vulnerability count. Scanning shortly after your patch cycle gives your admins time to remediate all of those new vulnerabilities. Therefore, only the exceptions – if any – are reported.
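The scan-timing tip above can be worked through in code. The following Python is an added illustration written for this compilation, not FedRAMP tooling or text from the FedRAMP PMO: the helper names, the 14-day patch cycle, the one-day buffer and the patch counts are assumptions chosen to match the “patch Tuesday” example. It computes the second Tuesday of a month, derives an aligned scan date from the organisation's usual release-to-applied duration, and shows how many newly released patches an early scan would still report as open findings.

```python
"""Scan-date planning against a monthly vendor patch cycle.

Added illustration, not FedRAMP's own tooling or guidance text: the helper
names, the 14-day patch cycle and the patch counts are assumptions chosen
to match the Patch Tuesday example in the tip.
"""
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday is 0


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular release day."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def recommended_scan_date(year: int, month: int, patch_cycle_days: int,
                          buffer_days: int = 1) -> date:
    """Earliest scan date after the month's patches have typically been applied.

    patch_cycle_days is the organisation's usual release-to-applied duration
    (assumed); buffer_days keeps the scan clear of the last patch window.
    """
    return patch_tuesday(year, month) + timedelta(days=patch_cycle_days + buffer_days)


def inflated_findings(year: int, month: int, patch_cycle_days: int,
                      scan_offset_days: int, patches_released: int) -> int:
    """How many of the month's newly released patches a scan run
    scan_offset_days after Patch Tuesday would still report as open
    vulnerabilities, assuming all are applied by the end of the patch cycle."""
    release = patch_tuesday(year, month)
    scan_day = release + timedelta(days=scan_offset_days)
    applied_by = release + timedelta(days=patch_cycle_days)
    return patches_released if scan_day < applied_by else 0


def yearly_scan_schedule(year: int, patch_cycle_days: int) -> list:
    """ISO dates for twelve monthly scans aligned to the patch cycle."""
    return [recommended_scan_date(year, m, patch_cycle_days).isoformat()
            for m in range(1, 13)]


if __name__ == "__main__":
    cycle = 14  # assumed: patches applied within two weeks of release
    for month in (10, 11):
        early = inflated_findings(2017, month, cycle, 7, 40)
        aligned = inflated_findings(2017, month, cycle, cycle + 1, 40)
        print(f"2017-{month:02d}: scan +7d reports {early} extra findings, "
              f"scan +{cycle + 1}d reports {aligned}")
    print("aligned schedule:", yearly_scan_schedule(2018, cycle))
```

The same comparison applies to any vendor with a predictable release day; only `patch_tuesday` would need to change. The POA&M delivery date then follows from the aligned scan date, so the two deliverables stay in sync with each other as well as with the patch cycle.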
Q: The effort and/or costs are too great to remediate a vulnerability within the required time period. Is it acceptable to submit a risk adjustment in this situation?
A: Generally, level of effort and/or cost of implementing a remediation are not acceptable justifications for leaving a system that is authorized for processing federal data in a vulnerable state. During the initial assessment of the system, the CSP is assessed to determine its ability to perform continuous monitoring successfully, which includes timely remediation of vulnerabilities. This also includes an assessment of the CSP’s equipment acquisition and life-cycle management plan to ensure vendor products can be maintained and/or replaced to stay on top of security. This means the CSP should be aware of equipment end-of-life/end-of-support.
In the rare event that timely remediations need to be postponed, it is incumbent upon the CSP to employ mitigations that reduce the risk of the vulnerability. This risk mitigation and adjustment should be described in detail in the Deviation Request, and a plan for ultimate remediation and compliance should be included.
Q: How are “false positive” scan results managed?
A: A False Positive (FP) scan result is noted when an identified vulnerability does not actually exist on the system. For instance, a vulnerability scanner might identify a weakness for a component that is not installed or fail to recognize a recent system update. As long as evidence is offered to support the non-existence of the component and/or the existence of the system update install, this is now noted as a “FP”. For the Security Assessment Report (SAR), the FPs are noted in a False Positive Report for the Infrastructure, Databases, Web Applications, and “Other” miscellaneous (automated and manual) tool results. The FPs are recorded on the “Open” Plan of Actions and Milestones (POA&M) tab of the POA&M workbook until the Security Assessment Package is signed off and accepted by the Joint Authorization Board (JAB). Once the package is accepted, these FPs are validated and verified through the Provisional Authorization to Operate process, and moved to the “Closed” POA&M tab.
From that point forward, all FPs identified through the Continuous Monitoring process are recorded as Deviation Requests embedded with all supporting evidence, and noted on the Open POA&M tab. Once the Deviation Request is accepted by the JAB Technical Reviewers, the FP can be moved to the Closed POA&M tab.
Q: What are the Continuous Monitoring (ConMon) roles and responsibilities associated with the FedRAMP Program Management Office (PMO) for a FedRAMP Agency Authorization? Is there a FedRAMP PMO ISSO assigned to each FedRAMP Agency Authorization?
A: ConMon is a critical component in understanding evolving risks associated with an IT system. CSPs are required to follow stringent ConMon requirements and provide Agencies with the information they need on a periodic basis, to ensure their data remains secure, to include, but not limited to: monthly Plan of Action and Milestones (POA&M), monthly database, operating system, and web application raw scan files, ad-hoc (as appropriate) incident response notifications, major system change requests, and annual assessments. These deliverables are required, regardless of authorization type (JAB or Agency) and are located within the FedRAMP Secure Repository on OMB MAX.
Each Agency should review these materials regularly, to ensure their ATO remains valid and the risk remains acceptable. The FedRAMP PMO does not have a dedicated ISSO that supports each Agency Authorization; but, provides the structure and access to each CSP’s ConMon materials in OMB MAX. As always, if any Agency has questions regarding specific ConMon vulnerabilities or is unable to obtain the information they need pertaining to ConMon for any given CSP, the FedRAMP PMO is here to help.
Q: What scanning depth does FedRAMP require?
A: FedRAMP requires full-range authenticated scans with all plugins enabled. This requirement pertains to all network, operating system, database, and web application scans, using the type-specific scanning toolset, which must be conducted at least monthly. Each scan must include all components within the system boundary and as agreed within the most current Security Assessment Plan. Detailed requirements are provided in the FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide and the Continuous Monitoring Strategy Guide, both located in the “Documents” section of www.fedramp.gov.
CSPs and 3PAOs should plan for, and configure, scans that meet FedRAMP requirements from the outset. Doing so helps to avoid the need to rescan and resubmit results, which can lead to schedule delays and additional costs.
Q: Why does FedRAMP require authenticated scans, and how do they differ from unauthenticated scans?
A: Unauthenticated scans provide a perimeter view of the system, typically including open network ports, services, operating systems, and data leaks. In contrast, authenticated scans utilize credentials to detect internal vulnerabilities that could provide an intruder that penetrated the perimeter with privileged access to the system. Scanning monthly with authentication is a FedRAMP requirement because it identifies and prompts the cloud service provider to fix these internal targets.
Q: What is the relationship between continuous monitoring and continuous diagnostics & mitigation (CDM) and ongoing authorization?
A: The FedRAMP and CDM monitoring requirements are both based on NIST Special Publication 800-137 guidance for implementing an Information Security Continuous Monitoring program. The CDM program has initially focused on providing tools to Federal Agencies to ensure that they can fulfill vulnerability management, malware detection, asset management, and configuration management program responsibilities and aggregate data from those tools into a central console or dashboard to facilitate a more robust awareness of one’s risk posture. Agencies would also provide aggregate output from this dashboard to DHS to facilitate a government-wide view of vulnerabilities and associated risks. FedRAMP security controls also require that these elements (vulnerability management, malware detection, asset management, and configuration management) be in place at the CSP to support visibility into the operational status of a system, much like the CDM program. However, FedRAMP does not prescribe the exact tools and dashboards nor does it require real-time or near real-time uploading of all tool output to FedRAMP.
There is no planned integration of CDM and FedRAMP continuous monitoring at this time as CDM is focused on government assets and not external providers. FedRAMP is interested in evolving its continuous monitoring program to facilitate a shift from a compliance-based to a more risk-based approach and is preparing to solicit feedback from Agencies and industry.
2. CONTROLS
Q: What is an example of a commonly overlooked or insufficiently answered control?
A: FedRAMP documentation writers tend to overlook “Implementing Configuration Settings (CM-6).” This is a significant control because it is (1) required and (2) because writers typically use it as an umbrella to map failures.
When writing this control, be sure to follow these steps:
1. Include in your answer all system components that must be configured within the system boundary.
2. Explain where the system configuration documentation is located.
3. Identify all the system components that are to be configured.
4. Identify, for each component, who is responsible for configuring the component.
5. Identify how the responsible party configures each component in detail.
6. Identify and address any special FedRAMP requirements included in the configuration process in detail.
7. Explain how configuration setting deviations are identified, documented, and approved.
8. Explain how the organization monitors and controls changes to the configuration settings.
Explain how this process is in accordance with organizational policies and procedures.
Q: What are common missed or neglected FedRAMP and/or National Institute of Standards and Technology (NIST) requirements?
A: The PMO is unable to evaluate authorization packages that do not completely respond to FedRAMP and/or National Institute of Standards and Technology (NIST) requirements. Although not a complete listing, the following items highlight some common incomplete requirements:
§ Not identifying portals
§ Non-compliance with multi-factor authentication
§ Tenant separation for multiple customers (government vs. public) does not exist
§ High vulnerabilities detected during P-ATO testing
§ Authorization boundary is not clearly defined
§ Policies and procedures that do not exist, are incomplete, or are not well defined
§ Not having FIPS-140 enabled
Q: How do I indicate “sole,” “shared,” or “customer” responsibilities when answering the Awareness and Training (AT) controls?
A: When answering Awareness and Training (AT) controls, it is mutually beneficial for both the CSP and the Agency to share that responsibility in providing awareness and training (e.g., Mandatory Security Awareness Training, specific systems level training and guidance). The SSP implementation should be checked as a shared control responsibility between the CSP and the Agency in addition to any boxes.
It is good practice to have Security Awareness Training incorporated and a shared responsibility as opposed to simply responding to the implementation as solely a “corporate” or “customer responsibility.”
Q: My system uses various platforms and operating systems, so how do I relate technical control implementation statements?
A: The security control implementation statements for technical controls (AC, AU, IA, SC, etc.) must be developed to include all of the applicable platforms/operating systems (e.g., Windows, Linux, Solaris, VMware) that comprise the cloud service architecture.
It is critical for reviewers (either Joint Authorization Board (JAB) or Agency) to delineate each platform/operating system against the applicable security control requirement to ensure compliance is adequately being met.
Q: When is the FIPS 140 compliant/validated cryptography applicable?
A: For data flows crossing the authorization boundary or anywhere else encryption is required, FIPS 140 compliant/validated cryptography must be employed. FIPS 140 compliant/validated products will have certificate numbers. These certificate numbers will be required to be identified in the SSP as a demonstration of this capability. JAB TRs will not authorize a cloud service that does not have this capability.
Q: If a Software-as-a-Service (SaaS) is built on a previously authorized Infrastructure-as-a-Service (IaaS), does the IaaS’s authorization boundary cover the SaaS as well? If it does, is an Authority to Operate (ATO) letter necessary for the SaaS?
A: The IaaS’s authorization boundary does not completely cover the SaaS. All pieces of the cloud stack have to be authorized, which means the IaaS has its own authorization boundary (what it is responsible for), and the SaaS has its own authorization boundary. However, your SaaS can inherit some of the security controls from the IaaS, depending on the services used from the IaaS.
Each portion of the cloud stack requires its own ATO letter, so the SaaS will need an ATO separate from the IaaS.
3. FEDERAL AGENCY
Q: How do security controls impact Quality of Service (QoS) of an application or system?
A: Quality of Service (QoS) and security are interrelated. The implementation of security controls must be thoughtfully considered and deployed/implemented so as to NOT adversely impact an application's or system’s QoS. This is important because improperly thought-out or excessive security controls can impact QoS. The CSP must plan the "right" amount of security as it pertains to the system performance and financial considerations.
Q: Do the FedRAMP security controls restrict data to reside only within the United States?
A: There are no FedRAMP requirements restricting data to within the United States. There are multiple security controls that detail where data is stored, what the boundary of the system is, and where and how data in transit is protected. We have some providers that are authorized through FedRAMP that are located globally, although a majority of service providers do restrict their data to the United States. It is up to each individual Agency and authorizing official to place restrictions, if needed, on data location.
Q: Can a Federal Agency require CSPs to be FedRAMP authorized in a request for proposal (RFP)?
A: Federal Agencies cannot require CSPs to be FedRAMP authorized as part of their RFP but can state that a CSP needs to be FedRAMP authorized once federal data is placed in the system. For more information on contract clauses, please review the FedRAMP Standard Contractual Clauses.
Q: How does a Federal Agency access JAB approved and Agency Authorized packages in the OMB MAX Secure Repository?
A: To access a CSP’s P-ATO and/or Agency ATO security package documentation, Federal Agency employees or contractors must complete a Package Access Request form available at www.FedRAMP.gov and submit the completed form to info@fedramp.gov. The PMO will then review, validate, and grant access within 72 hours if all required fields are populated in the form.
Q: Do Federal Agencies need an Interconnection Security Agreement (ISA) with a CSP?
A: Interconnection Security Agreements (ISAs) are not designed for use between a CSP and an Agency. An Agency ATO memo should be the governing document for Agency and CSP interaction and security requirement communications. CSPs should document security protections in place for Agency access – whether through dedicated connections or publicly routable internet space. This documentation should be included within the standard FedRAMP-required templates, policies, and procedures.
Agencies should follow the documented processes for issuing ATOs included in the FedRAMP guidance and documentation available on FedRAMP.gov.
CSPs should also continue to utilize ISAs for cloud system interconnections that fall within the scope of the cloud boundary. These ISAs will be reviewed as part of the security assessment and testing process by 3PAOs and testing for control CA-3. The FedRAMP Agency or JAB P-ATO process should be the mechanism for validating ISA documentation.
Q: How can an Agency ensure it maintains reasonable investigation capabilities, auditability, and traceability of data within the cloud?
A: Agencies can ensure they maintain reasonable investigation capabilities, auditability, and traceability of data by logging and monitoring the following application events:
§ Management of network connections
§ Addition or removal of users
§ Management of changes to privileges
§ Assignment of users to tokens
§ Addition or removal of tokens
§ Management of system administrative privileges access
§ Actions by users with administrative privileges
§ Use of data encrypting keys
§ Management of key changes
§ Creation and removal of system level objects
§ Import and export of data, including screen-based reports
§ Submission of user-generated content, especially file uploads
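One way an Agency or CSP can check that an application's audit trail actually covers the event categories listed above is to run a coverage check over the logs it ships. The following Python is an added example written for this compilation, not FedRAMP tooling: the category tags, the one-JSON-record-per-line log format, the required record fields and the sample log lines are all constructed assumptions. It reports which required categories produced no events at all, and counts records that are malformed or lack the fields (actor, target, outcome) that traceability depends on.

```python
"""Audit-log coverage check against the event categories listed above.

Added example, not FedRAMP tooling: the category tags, the log format, the
required fields and the sample lines are constructed assumptions.
"""
import json
from collections import Counter

# Event categories from the list above, keyed by a short tag that an
# application's audit logger is assumed to emit in each record.
REQUIRED_CATEGORIES = {
    "net.connection": "Management of network connections",
    "user.add_remove": "Addition or removal of users",
    "privilege.change": "Management of changes to privileges",
    "token.assign": "Assignment of users to tokens",
    "token.add_remove": "Addition or removal of tokens",
    "admin.access": "Management of system administrative privileges access",
    "admin.action": "Actions by users with administrative privileges",
    "key.use": "Use of data encrypting keys",
    "key.change": "Management of key changes",
    "object.create_remove": "Creation and removal of system level objects",
    "data.import_export": "Import and export of data, including screen-based reports",
    "content.upload": "Submission of user-generated content, especially file uploads",
}

# Fields every record needs for an investigator to answer who did what to what.
REQUIRED_FIELDS = ("ts", "category", "actor", "target", "outcome")

# Constructed sample: one JSON record per line, as an application might ship
# to a SIEM. It deliberately contains one non-JSON line and one record that
# is missing its actor and outcome.
SAMPLE_LOG = """\
{"ts": "2017-10-02T08:01:12Z", "category": "user.add_remove", "actor": "admin1", "target": "jdoe", "outcome": "success"}
{"ts": "2017-10-02T08:03:40Z", "category": "privilege.change", "actor": "admin1", "target": "jdoe", "outcome": "success"}
{"ts": "2017-10-02T09:15:00Z", "category": "admin.action", "actor": "admin1", "target": "config/ssh", "outcome": "success"}
{"ts": "2017-10-02T09:16:22Z", "category": "content.upload", "actor": "jdoe", "target": "report.pdf", "outcome": "success"}
{"ts": "2017-10-02T09:20:05Z", "category": "key.use", "actor": "svc-db", "target": "kms/key-01", "outcome": "success"}
this line is not JSON and must be counted as malformed
{"ts": "2017-10-02T10:00:00Z", "category": "admin.action", "target": "users/all"}
"""


def parse_audit_log(text):
    """Return (records, malformed_count). A record missing a required field
    is kept but flagged under "_missing", since a record with no actor
    cannot support traceability even though its category was observed."""
    records, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        rec["_missing"] = [f for f in REQUIRED_FIELDS if f not in rec]
        records.append(rec)
    return records, malformed


def coverage_report(text):
    """Which required categories were observed (with counts), which were
    never seen, and how many records are unusable for traceability."""
    records, malformed = parse_audit_log(text)
    seen = Counter(r["category"] for r in records if "category" in r)
    return {
        "observed": {c: seen[c] for c in REQUIRED_CATEGORIES if seen[c]},
        "missing": sorted(c for c in REQUIRED_CATEGORIES if not seen[c]),
        "incomplete_records": sum(1 for r in records if r["_missing"]),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_LOG)
    for cat in report["missing"]:
        print(f"no events for: {REQUIRED_CATEGORIES[cat]}")
    print(f"incomplete records: {report['incomplete_records']}, "
          f"malformed lines: {report['malformed_lines']}")
```

A category that is never observed over a review period is either an application feature that was never exercised or a logging gap; the report cannot tell the two apart, so each missing category should be confirmed against the SSP's description of what the application logs before being accepted.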
Q: Would a cloud service require a FedRAMP authorization if it already has a FISMA ATO? If so, can you reference the specific language in the requirement?
A: While FISMA and FedRAMP authorizations are similar, FedRAMP authorizations involve extra requirements and parameters specified in the FedRAMP templates/baseline requirements documentation, available on fedramp.gov. Agencies that are using a cloud system or services must follow FedRAMP requirements and go through the FedRAMP Authorization process. The driving policy for FedRAMP is a policy memo released by OMB.
The initial cloud system/service authorization package (to include the ATO, for Agency-authorized systems) must be reviewed and approved by the FedRAMP PMO to receive a FedRAMP Authorization.
Q: Who is my FedRAMP approver to sign off on an access request form?
A: Your FedRAMP approver is either your Agency’s CISO or DAA. If the form is signed by a DAA, that person must be at a level that has the authority to grant an ATO for a system.
Q: Can an Agency share complete Authorization to Operate (ATO) package materials with another Agency?
A: Yes, Agencies can share complete ATO package material with other Federal Agencies. But it is recommended that Agencies receive this information directly from the FedRAMP PMO, as it ensures documentation is validated against FedRAMP standards.
Q: I received a request from a Federal Agency to review my system’s Provisional Authorization to Operate (P-ATO) letter and I am concerned that sharing the letter will violate sensitivity policies. Is it appropriate to share an authorization letter with Agencies?
A: Yes! The Authorization Letter is intended to serve as evidence that the CSP has obtained their FedRAMP P-ATO. The CSP may show or even provide a copy to a requesting Agency. Indeed, the Agency may need a copy for their own ATO package as evidence they selected a CSP with a valid FedRAMP P-ATO.
Q: If an Agency wants to leverage another Agency’s FedRAMP authorization, but recognizes the existence of risk that the potential leveraging Agency is unwilling to accept, is there an option to work with the Cloud Service Provider (CSP) to resolve these risks prior to authorization?
A: If an Agency is already using a CSP and has not yet issued an authorization to use that cloud service within their operating environment, the Agency can leverage an existing Agency Authorization as it applies within their operating environment. If a leveraging Agency is unwilling to accept risks associated with the existing Agency authorization, the Agency should work with the providing Agency to determine how to remediate and mitigate the amount of risk associated with the leveraged Agency package so that the risk can be managed to an acceptable level within their own Agency environment. The CSP has the opportunity to remediate vulnerabilities at any time. An Agency can engage with the CSP to resolve issues that the Agency is unwilling to accept.
For more information, please visit the Office of Management and Budget (OMB) A-130 Revised, dated July 28, 2016, Appendix I-22, (OMB Circular A-130, “Managing Federal Information as a Strategic Resource” (7/28/2016 - 85 pages)) section j. Joint and Leveraged Authorizations on page 59.
Q: If an Agency leverages an Agency authorized security package to meet their FISMA authorization requirements, how does the Continuous Monitoring then come into play?
A: Each Agency is responsible for meeting their organizational responsibilities for FISMA and Continuous Monitoring in monitoring, evaluating, and reporting the risk posture monthly for the Agency information systems.
According to OMB A-130 Appendix I-23, section k. Continuous Monitoring:
“Agencies must develop information security continuous monitoring (ISCM) and privacy continuous monitoring (PCM) strategies and implement ISCM and PCM activities in accordance with applicable statutes, directives, policies, instructions, regulations, standards, and guidelines. Agencies have the flexibility to develop an overarching ISCM and PCM strategy (e.g., at the Agency, bureau, or component level) that addresses all information systems, or continuous monitoring strategies that address each Agency information system individually. The ISCM and PCM strategies must document all available security and privacy controls selected and implemented by Agencies, including the frequency of and degree of rigor associated with the monitoring process. ISCM and PCM strategies, which must be approved by the appropriate Agency Authorizing Official and the Senior Agency Official for Privacy, respectively, must also include all common controls inherited by Agency information systems.”
TIP: While Agency use of accredited 3PAOs is not mandatory, it is recommended. Below is the guidance provided in the FedRAMP Security Assessment Framework.
1.6.8. THIRD-PARTY ASSESSMENT ORGANIZATIONS
“3PAOs play a critical role in the FedRAMP security assessment process, as they are the independent assessment organizations that verify cloud providers’ security implementations and provide the overall risk posture of a cloud environment for a security authorization decision. These assessment organizations must demonstrate independence and the technical competence required to test security implementations and collect representative evidence. 3PAOs must:
§ Plan and perform security assessments of CSP systems
§ Review security package artifacts in accordance with FedRAMP requirements
The Security Assessment Report (SAR) created by the 3PAO is a key deliverable for leveraging Agencies to use FedRAMP security assessment packages. The FedRAMP JAB requires that a 3PAO be accredited through the FedRAMP 3PAO Program for any JAB P-ATOs. Agencies are highly encouraged to use these organizations for Agency authorizations that meet the FedRAMP requirements. While Agencies are free to use non-3PAO Independent Assessors (IA), use of a 3PAO assessor removes the Agency requirement to provide an attestation to the independence and competency of the security control assessor.”
AND
2.1.2. FEDRAMP AGENCY ATO
“CSPs may work directly with an Agency to obtain a FedRAMP Agency ATO. In this case, the Federal Agency will provide the risk review of all documentation provided by the CSP in its security authorization package. CSPs will work directly with the Federal Agency security office and present all documentation to the Authorizing Official (AO) or equivalent for an authorization. As noted in Section 1.6.8, Federal Agencies may elect to use a FedRAMP accredited 3PAO or a non-accredited IA to perform the independent assessment. If a non-accredited assessor is used, the Agency must provide evidence of the assessor’s independence and provide a letter of attestation of the assessor’s independence with the security authorization package. The FedRAMP PMO highly recommends Agencies select an assessor from the FedRAMP 3PAO accreditation program.
Once an Agency authorizes a package, the Agency must inform the FedRAMP PMO by sending an email to info@FedRAMP.gov. The PMO then instructs the CSP how to submit the package for PMO review. After reviewing the package to ensure it meets all of the FedRAMP requirements, the FedRAMP PMO will publish the package in the Secure Repository for other Agencies to leverage.”
TIP: The current OMB A-130 clarifies specific Agency Authorization responsibilities for protecting and managing Federal information resources. Here are some ways OMB A-130 further refines Agency interaction with FedRAMP.
Office of Management and Budget (OMB) Circular A-130 revised 7/28/2016 now explicitly outlines Agency responsibilities for their information and information systems and links their information security program to OMB Circular A-123, Management’s Responsibility for Enterprise Risk Management and Internal Controls. OMB Circular A-130 Appendix I incorporates requirements of the Federal Information Security Management Act (FISMA) (44 U.S.C. Chapter 35), the E-Government Act of 2002 (44 U.S.C. Chapters 35 and 36), the Paperwork Reduction Act (44 U.S.C. Chapter 35), and the Privacy Act of 1974, and responsibilities assigned in Executive Orders and Presidential Directives.
Agencies are responsible for:
§ Ensuring all new Cloud Service Provider (CSP) Cloud Service Offering (CSO) projects minimally use the FedRAMP baseline controls and templates for Low, Moderate, and High baseline systems.
§ Ensuring existing cloud projects (implemented or in the acquisition process) meet FedRAMP requirements.
§ Adding or modifying contractual provisions that require CSPs and the associated CSO projects meet FedRAMP requirements.
§ Updating OMB PortfolioStat data quarterly to identify use of CSPs and Agency plans to meet FedRAMP requirements and provide Agency-specific rationale to support lack of compliance.
§ Issuing the initial Agency Authorization.
§ Reviewing CSP documentation and test results prior to leveraging a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) or leveraging the Agency-issued Authorization to Operate (Agency ATO).
§ Reviewing Plans of Action and Milestones (POA&Ms) for leveraged CSP CSOs.
§ Adding any Agency-specific controls that may exist above the FedRAMP baseline or above the baseline required by a partnering Agency.
§ Ensuring the submittal of Agency ATO security packages.
§ Reviewing all CSP and 3PAO-provided documentation for the ATO and Continuous Monitoring, as appropriate.
TIP: Use the FedRAMP Package Access Request Form on the FedRAMP website to review a FedRAMP Security Package.
The FedRAMP Package Access Request Form is the form completed by federal employees and government contractors who desire access to view a CSP’s security authorization package to determine suitability of the service for use within their individual Agency/organization.
Applicants must be sure to complete every section of the form and make sure to fill in the boxes with initials, as appropriate. Do not use check marks or “X’s” in the areas that require initials. The Agency Access Request Form including Attachment A: Federal Contractor Non-Disclosure Agreement for FedRAMP is on the website, under FedRAMP Authorized Products.
Be sure to fill out the FedRAMP Approver sections located at the bottom of Page 1 under “Access Authorization” and page 3 “Agreement for Authorized FedRAMP Approver (CISO; DAA)”, in its entirety. These Approver Sections are often left blank resulting in the PMO sending the forms back to the applicant. This results in delays for the applicant being able to view the packages.
4. GENERAL PROGRAM
Q: Does the “FedRAMP Ready” designation allow CSPs to bid on contracts without having an existing ATO? If not, how will a CSP that does not have a current ATO respond to a RFP? Will the CSP be required to obtain a JAB P-ATO?
A: CSPs without existing ATOs are allowed to bid on contracts. Agencies can request a CSP to have a timeline for obtaining an ATO but should not limit the request to CSPs with ATOs. Please contact the FedRAMP PMO if an Agency is doing such an action.
The “FedRAMP Ready” designation is a market indicator to Agencies that a system has a high likelihood of obtaining a JAB P-ATO or an Agency ATO. Agencies can be confident that systems that meet the FedRAMP Ready requirements actually have the key capabilities needed to fit their security needs. Therefore, a small cloud service provider will have the ability to attain FedRAMP Ready and be available for Agency review in the FedRAMP Marketplace. The Agency can then decide to issue an ATO based on the understanding that the system meets the Readiness Assessment requirements.
Q: Will the same 3PAO be able to perform both the FedRAMP Readiness Assessment and the complete security assessment during a JAB P-ATO process?
A: The same 3PAO can perform both the Readiness Assessment and complete the security assessment for the ATO process without conflict of interest, provided that the 3PAO does NOT provide any consulting duties for the same authorization package. So, a 3PAO can help write the SSP, SAP, SAR, and POA&M but cannot do any of the testing. It is fairly similar to the current ATO process where different 3PAOs do the consulting and testing for a CSP’s authorization package.
Q: What is a major difference between a true cloud service provider (CSP) and a managed service provider (MSP)?
A: The difference between a MSP and a CSP is the delivery of the service.
A MSP provides a service that is specific to an individual customer. The customer dictates both the technology and the operational procedures. That service is governed by a strict Service Level Agreement (SLA) between the individual and the MSP and is limited to the agreement between the customer and the MSP.
A CSP offers the technology and the operational procedures on a subscription basis. If the customer does not accept the technology and the operational procedures, then the customer can shop elsewhere. The CSP provides a full environment that encompasses data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity). This environment is secured, monitored, maintained, and tested for continual effectiveness at planned intervals. This ensures protection from unauthorized interception or damage, and the environment is designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
Q: How can I ensure I’ve submitted all of the documents required for FedRAMP authorization?
A: The FedRAMP Documentation Checklist (found on FedRAMP.gov) includes a list of the required authorization package documents that must be submitted for review to achieve FedRAMP Authorization. The Checklist specifies the correct format (e.g. Word, or Excel, etc.) that the documentation must be submitted in, as well as if the CSP must use a FedRAMP-provided template for the document. Not only is the Checklist a useful tool for the CSP to help ensure the correct documentation is uploaded, but it is also required to be completed and included with the uploaded material. This is important since it includes fields for each document's file name, date, and version number, so that the FedRAMP Reviewer knows that each uploaded document is the intended version, and not an older draft. Completing and submitting the Checklist with the package helps to enable an efficient review of the authorization package.
Q: If a CSP wants to complete a FedRAMP Readiness Review, but is then going to pursue an Agency-sponsored FedRAMP authorization, can the CSP use the same 3PAO for both assessments?
A: A CSP can use the same 3PAO for completing their Readiness Assessment Report (RAR) and their full security assessment when working with an Agency or the JAB. The same 3PAO, however, cannot consult between assessments – this is outlined in the ISO 17020 requirements and FedRAMP-A2LA 3PAO accreditation requirements.
Additionally, to help ensure successful completion of the RAR, the FedRAMP PMO has created a FedRAMP RAR Guide for 3PAOs that includes useful tips and lessons learned.
Q: What does FedRAMP Ready status mean? Is it a requirement for CSPs who would like to pursue an Agency authorization?
A: FedRAMP Ready is a designation intended to demonstrate a CSP’s ability to complete the full FedRAMP Authorization process. It is a mandatory step in pursuing a JAB Provisional Authorization to Operate (P-ATO) and is optional for those pursuing an Agency-based FedRAMP Authorization. Although it is optional for Agencies, some Agencies may prefer to work with CSPs that are “FedRAMP Ready” since it offers key insight into their capabilities and ability to achieve an authorization.
The FedRAMP Authorization process is rigorous and intensive. It involves a lot of hard work and effort, so it makes sense that a CSP would want some assurance that their cloud offering is likely to attain authorization. This is why reaching “FedRAMP Ready” is an important first step in the FedRAMP process.
Q: Could you explain the purpose and process behind requiring a CSP to complete an incident response test and contingency plan test before their 3PAO assessment?
A: If a CSP does not complete an incident response test and contingency plan test before the 3PAO assessment, the Joint Authorization Board (JAB) will not issue the cloud offering a Provisional Authorization to Operate (P-ATO). These tests must be conducted in accordance with NIST SP 800-53, and the results should be made available to the 3PAO for evaluation. Once a P-ATO is granted, the tests should continue to be completed prior to the annual assessment so that the 3PAO can evaluate the results as part of that assessment.
Q: I am developing a cloud system but want to make sure it is FedRAMP compliant before producing it and making it operational. Will FedRAMP evaluate a cloud system (even for FedRAMP Ready) that is not in production and operational?
A: No. FedRAMP only evaluates documentation for systems that exist and are operational. FedRAMP works with CSPs to provide Agencies with secure cloud computing options, so it is required that CSPs have an operational cloud system before engaging with the FedRAMP Team. CSPs can use the FedRAMP Readiness Assessment Report (RAR) as a self-assessment to understand if there are any gaps in their service offering’s security prior to pursuing an Authority to Operate (ATO) with an Agency. The Readiness Assessment Report Template for High and Moderate systems can be found on the Templates page of fedramp.gov.
TIP:YourFedRAMPInformationSystemSecurityOfficer(ISSO)orgovernmentliaisonisheretohelpguideyouthroughtheFedRAMPprocess.CommunicationisimperativetogetthroughtheFedRAMPprocess!Thebettercommunicationyouhave,thesmoothertheprocesswillgo.
Ifyouhaveanyquestionsorconcerns,orjustwanttobrainstormideas,yourFedRAMPpoint-of-contactcansharepotentialimpactsofanyproposalyouhave.Ifyou’renotsureacontrolimplementationshouldbe“NotApplicable”oran“AlternativeImplementation,”yourISSOcanhelp!Andifyou’reunclearonhowtodescribeyourPIV/CACimplementation,yourgovernmentliaisoncanpointyouintherightdirection!
Q:IkeepreceivingcommentaryfromtheJABondocumentsinmyauthorizationpackageandthishasextendedmyreviewtime.WhatcanIdotolessentheamountofcommentsmyauthorizationpackagereceives?
A: When preparing documentation for final submission to the JAB Technical Representatives, one must remember that the document is telling a story about the effort. If there are gaps in the storyline, there will be comments to address the gaps. The more gaps in the storyline, the more comments will be created to try to fill in the gaps, which will in turn slow down your review time. The author should frame each answer in a way that the reader can follow the complete thread from the beginning to the end. The author must never assume that the reader already knows "details" about the story without identifying the detail's location in the document. For instance, when providing the Penetration Testing Report, the 3PAO should provide the full names and versions of the tools used, why these were chosen, and then what the outcome was from the testing. These questions are basic to information gathering and reporting. For each section within the documentation, each of these questions must have a factual, detailed answer for the story to be complete.
Q: Why should CSPs spend time and money developing high quality documentation when their goal is to become FedRAMP Authorized?
A: FedRAMP requires quality documentation (i.e., documentation that is clear, concise, consistent, and complete) to provide a clear and complete description of the risk posture of a cloud system. This, in turn, reduces an Agency's level of effort to reuse an Authorization Package. Quality documentation also pays for itself by minimizing costly rework and time-consuming delays caused by clarifying misunderstandings and waiting for missing documentation. FedRAMP requires CSPs to spend as much time writing and editing the documentation as they do engineering the security.
Q: Is there an OMB memo or any other guidance that states when (or if) there is a "drop dead" date for Federal IT systems to be in the cloud?
A: According to the initial Cloud First Strategy, dated 2010, the Federal Government should have been moved to the cloud within 18 months, so this would be approximately June 9, 2012. However, since the effort to move all Agencies to the cloud was more complex than initially anticipated, the Cloud First Strategy was updated on February 8, 2011 and states:
"Our responsibility in government is to achieve the significant cost, agility and innovation benefits of cloud computing as quickly as possible. The strategy and actions described in this paper are the means for us to get started immediately. Given that each Agency has unique mission needs, security requirements, and IT landscape, we ask that each Agency think through the attached strategy as a next step. Each Agency will evaluate its technology sourcing strategy so that cloud computing options are fully considered, consistent with the Cloud First policy."
Therefore, it is the responsibility of each individual Agency to define its Cloud First Strategy.
Q: What is important to consider for CSPs leveraging other services?
A: It is a very common practice for a SaaS CSP to use some of the services available from an underlying infrastructure (IaaS/PaaS) that the SaaS is hosted on. This is called leveraging. However, buyer beware: some services that an IaaS/PaaS CSP may offer may not be FedRAMP authorized. Only FedRAMP authorized services may be used by government customers.
If your service offering is leveraging another system, the system you are leveraging itself must be FedRAMP Authorized by having a FedRAMP P-ATO or an Agency ATO. This includes sub-services. For example, a large CSP may have a commercial service offering and a separate service offering with a FedRAMP Authorization. That CSP may offer multiple sub-services, some of which may be included in the FedRAMP-authorized service's authorization boundary, while other sub-services are not. Only service offerings with a FedRAMP Authorization may be leveraged for use by government customers. Please validate that services are FedRAMP authorized and any associated sub-services are within the authorization boundary of a FedRAMP-authorized service before leveraging them for use by your government customers.
Note: This is a mandatory requirement for achieving FedRAMP Ready status under the Readiness Assessment process. 3PAOs are required to validate the FedRAMP authorization of all leveraged services and sub-services.
Q: What happens if a SaaS is hosted at a non-FedRAMP IaaS and on a non-FedRAMP PaaS?
A: When a CSP has its system/service hosted in a non-FedRAMP Authorized cloud service (e.g., IaaS, PaaS) there is no "leveraging/inheritance" relationship. In this situation, the SaaS provider needs to include the infrastructure and platform, as well as its own software application, within its authorization boundary. This means that the CSP is responsible for the entire stack. Hence, the CSP is not "leveraging or inheriting" any security controls from an IaaS/PaaS authorization. In order for a SaaS to receive FedRAMP approval, the underlying stack pieces (IaaS/PaaS) must be considered and defined in the system security plan.
Q: I need to develop a Configuration Management Plan (CMP); can you please direct me to some guidance or a template for CMPs?
A: Security Control CM-9 requires CSPs to develop a Configuration Management Plan (CMP), and that Plan is a required document within their security authorization packages. FedRAMP does not provide a template for CMPs; however, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides a wealth of information about configuration management and also provides a sample outline for a CMP in its Appendix D: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf.
TIP: Security control implementations can only be inherited (leveraged) from a Cloud Service Offering (CSO) that has been approved and granted a FedRAMP Provisional Authorization to Operate (P-ATO) or an Agency ATO.
It is very important to clearly identify what controls or sections of controls are inherited. Similar to the Customer Responsibility Requirements, the control writer must identify what sections of the control are inherited from the leveraged Cloud Service Offering or other entity.
The FedRAMP SSP templates all have a section for each control, labeled "Control Origination". Within this section is the area for the checkbox named "Inherited from pre-existing FedRAMP Authorization for Click here to enter text., Date of Authorization".
The SSP writer should clearly indicate what sections of the security control are inherited and provide a description of what is inherited. If an entire control is inherited, it must be clear to the Assessor what is inherited. The writer does not need to describe how the leveraged service is performing the particular function. That detail is found in the SSP of the leveraged system from which the control is inherited.
If a policy has been published and is referenced as the basis for the implementation of the inherited security control, make sure that published document is provided as an attachment, or as a supporting artifact with the SSP, when submitted for FedRAMP review.
Inheritance
According to NIST SP 800-53 Revision 4, security control inheritance is "a situation in which an information system or application receives (full inheritance) protection from security controls (or portions of security controls, i.e., partial inheritance) that are developed, implemented, assessed, authorized, and monitored by entities other than those responsible for the system or application; entities either internal or external to the organization where the system or application resides."
Security capabilities provided by controls can be inherited from many sources including, for example, organizations, organizational mission/business lines, sites, enclaves, environments of operation, or other information systems. Many of the controls needed to protect organizational information systems (e.g., security awareness training, incident response plans, physical access to facilities, rules of behavior) are inheritable by other systems. In addition, there can also be a variety of technology-based inheritable controls (e.g., Public Key Infrastructure [PKI], authorized secure standard configurations for clients/servers, access control systems, boundary protection, cross-domain solutions). By centrally managing and documenting the development, implementation, assessment, authorization, and monitoring of inheritable controls, security costs can be amortized across multiple information systems.
Inheritable controls, whether employed in organizational information systems or environments of operation, must be authorized by senior officials with at least the same level of authority/responsibility for managing risk as the authorization officials for the information systems inheriting the controls.
Q: How do I write a Business Impact Analysis required by FedRAMP?
A: FedRAMP does not provide a Business Impact Analysis template. However, a template can be found in NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems, dated May 2010; Appendix B, Sample Business Impact Analysis (BIA) and BIA Template.
Q: How do I treat the implementation for SA-11(1)?
A: FedRAMP sees that many CSPs fail the SA-11(1) requirement. This is true not because the control fails but because the Cloud Service Provider (CSP) fails to document this enhancement in the Continuous Monitoring Plan. Please be aware that Control Enhancement SA-11(1) must be implemented for FedRAMP Cloud Service Offerings. SA-11(1) is "The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis." Then there is the SA-11(1) Additional FedRAMP Requirement, which is also a requirement for SA-11(1) and SA-11(8): The service provider documents in the Continuous Monitoring Plan how newly developed code for the information system is reviewed.
Q: Can a CSP simply go from an Agency ATO to a JAB P-ATO without going through the JAB Authorization effort?
A: A CSP interested in transitioning their Agency ATO to a JAB P-ATO must go through the JAB P-ATO process. Each Agency can accept varying levels of risk, per FISMA, when granting an ATO. The JAB works in a similar fashion, in that they must review the entire authorization package to understand the associated risk with the system and make a decision whether or not to issue a JAB P-ATO. The JAB P-ATO provides the Agency community with the assurance that the JAB entities (DoD, DHS, and GSA CIOs) reviewed the package and deemed the risk to be acceptable for Agencies to issue their own ATOs. The JAB cannot accept risk on behalf of any Agency, which is why the JAB authorization is titled a "Provisional Authorization." If an Agency decides to use a system with a Provisional Authorization, the Agency will need to issue its own ATO letter to indicate that they accept the risk associated with using the system. We ask that these ATOs are sent to info@fedramp.gov for record-keeping and incident response notifications.
A JAB Provisional Authorization may not necessarily be optimal for every system and every CSP. In general, the JAB grants Provisional Authorizations for those systems leveraged government-wide. FedRAMP was designed with the objective to authorize a system once and reuse that authorization many times. If a CSP only has one or two Agency customers showing interest in using their system, it is just as efficient for the CSP to obtain an authorization directly through the one Agency of interest.
TIP: The CSP has the most significant responsibility before beginning the FedRAMP processes - adequately and accurately defining the information system security boundary.
Before a CSP launches into the FedRAMP process, and before getting a 3PAO consultant or assessor involved in the process, a CSP should draft an accurate illustration of the system authorization boundary and all associated data flow diagrams.
The CSP system authorization boundary illustration must include network and architecture diagram(s) and provide a written description of the Authorization Boundary. Ensure each diagram:
§ Includes a clearly defined authorization boundary.
§ Clearly defines services wholly within the boundary.
§ Depicts all major components or groups within the boundary.
§ Identifies all interconnected systems.
§ Depicts all major software/virtual components (or groups of) within the boundary.
§ Is validated against the inventory.
The CSP system boundary description must clearly define the following:
§ All shared corporate services, with explicit rationale of any that are not within the boundary, such as a corporate Security Operations Center (SOC) or corporate security awareness training.
§ All other external services, including all leveraged services, with explicit rationale for any that are not within the boundary.
§ All systems related to but excluded from the boundary.
In addition to describing these, all of the services must also be depicted either in the CSP system authorization boundary diagrams or in separate diagrams.
The CSP system data flow diagram(s) must:
§ Clearly identify anywhere Federal data is to be processed, stored, or transmitted.
§ Clearly delineate how data comes into and out of the system boundary.
§ Clearly identify data flows for privileged, non-privileged and customer access.
§ Depict how all ports, protocols, and services of all inbound and outbound traffic are represented and managed.
The data flow diagrams must be accompanied by a written description of the data flows.
If the CSP boundary is not adequately/accurately represented, the 3PAO will identify boundary deficiencies that could lead to substantial delays in the CSP Readiness Assessment process.
Q: How does an Agency recognize if the CSP's Cloud Service Offering (CSO) accepts Personal Identity Verification (PIV) and Common Access Card (CAC)?
A: The IA-2(12) Identification and Authentication Acceptance of PIV/CAC Credentials is one of FedRAMP's critical controls. In table 4-4 of the Readiness Assessment Report (RAR), the first "Question" asks if the system supports federal user authentication via CAC/PIV credentials. If the CSP's answer to this question is "no," they fail the Readiness Assessment Review.
In order to securely provide this capability in the current, secure, technology environment, this may be accomplished through a type of Federated Identity Management. Federated Identity Management is available as a service offered by certain FedRAMP CSPs in their CSO. When a CSO accepts Government-issued PIV or CAC, that CSP has likely architected their solution to include some type of Federated Identity Management.
At each CSP level, whether an IaaS, PaaS, or SaaS, the CSP may include in their CSO a Federated Identity Management solution. Agencies should validate that IA-2(12) is indicated as implemented in the CSP's package and should validate that the testing in the SAR indicates the CSP's solution adequately meets the control requirement.
Q: What types of software must be included in the information system boundary?
A: In terms of computing, software is the variable part and hardware the invariable part. The FedRAMP software inventory must take into account all the "variable" parts.
Historically, software is divided into two general classes: systems software and applications software. FedRAMP recognizes applications software and systems software, which includes the operating systems and any program that supports application software. Applications software is also called end-user programs and includes such things as database programs, word processors, Web browsers and spreadsheets. An application program (app or application for short) is a computer program designed to perform a group of coordinated functions, tasks, or activities for the benefit of the user. This contrasts with system software, which is mainly involved with running the computer. System software is a type of computer program that is designed to run a computer's hardware and application programs. If we think of the computer system as a layered model, the system software is the interface between the hardware and user applications. The Operating System manages all the other programs in a computer.
FedRAMP recognizes middleware as programming that mediates between application and system software or between two different kinds of application software. Middleware is computer software that provides services to software applications beyond those available from the operating system. It can be described as "software glue". A service-oriented architecture (SOA) is a style of software design where services are provided to the other components by application components, through a communication protocol over a network. The basic principles of service-oriented architecture are independent of vendors, products, and technologies.
FedRAMP also recognizes utility software, as applicable within the system. Utility software is also known as a utility program, and a utility tool. This utility software may have its own stripped-down OS; it can be installed separately and used independently. Utility software is system software designed to help analyze, configure, optimize or maintain a computer. It is a type of system software, used to support the computer infrastructure in contrast to application software, which is aimed at directly performing tasks that benefit ordinary users. A utility program may be one that performs a very specific task, usually related to managing system resources. Operating systems contain a number of utilities for managing disk drives, printers, and other devices.
If you inventory all these types of software (including all relevant information concerning each piece of software, i.e., version, patch level, date, etc.) within your system boundary, then the chances are good that you have included all required software in the FedRAMP software inventory.
Q: For control RA-3, the FedRAMP parameter indicates that the results of the risk assessment should be documented in a "Security Assessment Report." Is this document the same as the SAR the 3PAO produces?
A: Yes - this document is the same. FedRAMP does not require a separate risk assessment; the results of the risk assessment are reported in the 3PAO's SAR.
Q: When adding a new service or feature to a JAB-authorized system, how does a CSP determine which process to follow - the New Services Onboarding process or the Significant Change process?
A: If onboarding the feature or service severely impacts the security posture of the system, the CSP should follow the Significant Change process. To help CSPs and 3PAOs determine which process to follow, FedRAMP has defined the following parameters for what constitutes a feature or service that qualifies for onboarding:
§ Does not replace an existing service/feature previously included in the original system assessment;
§ Is not an outsourced service belonging to a different CSP;
§ Does not change the categorization of the Cloud Service Offering;
§ Does not introduce vulnerabilities affecting the current security posture of the system;
§ Does not affect the existing security controls implementation details of any controls as captured in the System Security Plan; and/or
§ Does not add a unique or alternative implementation of any of the security controls as captured in the System Security Plan.
Q: How are data centers treated for FedRAMP Authorizations?
A: Data center facilities are included in FedRAMP authorizations, but the data centers themselves are not specifically authorized separately as "data centers." In other words, a service provider that offers infrastructure, platform, and/or software as a service must include the underlying data center, i.e., the physical property (ping, power, and pipe), within its authorization boundary. FedRAMP authorizes the infrastructure, platform, and/or software as a service.
Q: How should I upload my package documentation? In which file format should the files be and what files is FedRAMP looking for?
A: All package documentation should be uploaded to MAX.gov using the folder structure that has been provided. Files should be uploaded in their native format based on the file, i.e., Word, Excel, PowerPoint. Uploading a file in its native format will facilitate FedRAMP review of your documentation to provide quicker turnaround. For a complete list of the appropriate file formats required in a cloud package, please see the FedRAMP Initial Authorization package checklist (found on fedramp.gov). This checklist can be used for Agency or JAB Authorizations to prepare your package or Annual Assessment for FedRAMP review.
TIP: Authorizations (Provisional Authorizations and Agency Authorizations) are now "ongoing authorizations."
Office of Management and Budget Circular A-130 (OMB A-130), Subject: Managing Information as a Strategic Resource, revised 7/28/2016, enables ongoing authorization to maintain the security state and the risk posture of the system at the level (Low, Moderate, or High) as approved by the initial authorization. OMB A-130 requires that Agencies test information security and privacy controls, in an ongoing manner, at least annually but at a rate that is acceptable to each Agency's risk posture. The authorization letter is signed at initial approval. Agencies must collaborate with CSPs to ensure that cloud service offerings are tested and evaluated at least annually.
Please see:
OMB A-130, pg. 33
54. "Ongoing authorization is a time-driven or event-driven authorization process whereby the authorizing official is provided with the necessary and sufficient information regarding the security and privacy state of the information system to determine whether the mission or business risk of continued system operation is acceptable."
OMB A-130, Appendix I-19, section e. Security and Privacy Assessments
"Agencies must ensure that periodic testing and evaluation of the effectiveness of information security and privacy policies, procedures, and practices are performed with a frequency depending on risk, but at least annually. However, this general requirement to test and evaluate the effectiveness of information security and privacy policies, procedures, and practices does not imply that Agencies must assess every selected and implemented security and privacy control at least annually. Rather, Agencies must continuously monitor all implemented security and privacy controls (i.e., system-specific, hybrid, and common controls) with a frequency determined by the Agency in accordance with the ISCM and PCM strategies. These strategies will define the specific security and privacy controls selected for assessment during any one-year period (i.e., the annual assessment window) with the understanding that all controls may not be formally assessed every year."
TIP: Mandatory requirements for FedRAMP Readiness Reviews are just that - mandatory.
CSPs are responsible for understanding what it takes for them to be "FedRAMP Ready." Any CSP that is considering opting for Moderate or High baseline FedRAMP Readiness should download the most recent copy of either the Moderate or High baseline Readiness Assessment Report (RAR) Template from fedramp.gov. Each potential CSP applicant should read through the document to understand the compulsory items required within the Cloud Service Offering. These compulsory requirements cannot have alternate implementations and must be implemented.
1. The "showstopper" requirements are located in RAR Section 4.1 Federal Mandates for both the Moderate and the High Baseline Cloud Service Offerings.
2. Are FIPS 140-2 Validated or National Security Agency (NSA)-Approved cryptographic modules consistently used where cryptography is required?
3. Can the system fully support user authentication via Agency Common Access Card (CAC) or Personal Identity Verification (PIV) credentials?
4. Is the system operating at the minimum eAuth level for its FIPS-199 designated level of operation (Level 3 for Moderate, Level 4 for High)?
5. Does the CSP have the ability to consistently remediate High vulnerabilities within 30 days and Moderate vulnerabilities within 90 days?
6. Does the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements?
If you are a CSP looking at these five requirements and you answer "No" to any one of these, you are not "FedRAMP Ready." Keep in mind that, while the CSP can include customer responsibilities associated with meeting some of the mandatory requirements, such as PIV Acceptance, they may not pass the responsibility to the customer. As an example, citing the PIV acceptance, the CSP must have the capability to accept PIVs/CACs regardless of the customer's mechanism for use of PIVs/CACs. So an alternative implementation is not acceptable.
FedRAMP recommends that if a CSP is deficient in any of the FedRAMP mandatory requirements areas, they seek assistance to determine the feasibility of architecting/re-architecting the environment to accommodate the FedRAMP Ready requirements.
TIP: A SaaS is responsible for the entire stack if...
If a SaaS is on an infrastructure and/or platform that is not FedRAMP authorized, the SaaS CSP would either need to include the IaaS/PaaS in its own authorization boundary (which would be indicated in the Readiness Assessment Report) OR wait for the IaaS/PaaS to be authorized separately prior to submitting the RAR. All layers need to be authorized or have the potential to be authorized.
As such, a SaaS Cloud Service Offering is responsible for the entire stack (IaaS/PaaS/SaaS) if the underlying IaaS/PaaS does not have a FedRAMP authorization, either a Provisional Authorization through the JAB or an Agency Authorization. The SaaS is responsible for all the security controls that are normally inherited from the IaaS/PaaS, such as the ping/power/pipe and rented cage within the data center, and for the physical, environmental, and all other related controls.
If the IaaS/PaaS are not FedRAMP authorized, the SaaS Cloud Service Offering may work with the data center provider through Service Level Agreements and/or Rental Agreements to ensure that the requirements for the ping, power, pipe, cage, all physical, environmental, and all related security controls are implemented per the appropriate FIPS 199 Level (Low, Moderate, or High). In the agreement(s), the SaaS CSP must ensure that the data center provider has the appropriate level of security implemented to ensure the security of the SaaS.
Q: Why should a CSP use an accredited 3PAO when pursuing a FedRAMP Agency ATO?
A: While there is no specific requirement for an Agency to require that a CSP use a FedRAMP accredited 3PAO to perform the security assessment, FedRAMP recommends that Agencies require CSPs to engage a FedRAMP Accredited Assessor to evaluate the implementation of the FedRAMP baseline security controls.
CSPs that seek a JAB P-ATO must use a FedRAMP Accredited Assessor. CSPs submitting an Agency Authorization package may have their cloud system assessed by an Agency-validated Independent Assessor. However, FedRAMP has no insight into or control over an Agency-validated independent assessor. The Agency has no recourse and must have another assessment performed if an Agency-validated Independent Assessor provides the Agency a deficient security assessment in which the security of the CSP system is inappropriately/poorly tested. Using a FedRAMP Accredited 3PAO provides greater confidence to other leveraging Agencies as to the rigor of the initial partnering Agency's assessment. Furthermore, if the CSP intends to later pursue a JAB P-ATO, the rigor prescribed by the FedRAMP Accredited 3PAO to the assessment process provides the CSP with a more accurate understanding of their risk posture from a true FedRAMP perspective and their readiness to pursue a JAB P-ATO.
Q: What are some frequently asked questions for CSPs who currently hold an Agency Authorization to Operate (ATO) at the Moderate level, but wish to apply for an Agency High Baseline Authorization?
A: For some CSPs, the ATO transition between a Moderate baseline and a High baseline is simple because the system in question was originally architected at the High baseline level but the CSP opted for the FedRAMP Moderate because that is all FedRAMP offered at the time.
For other CSPs who wish to transition to the high baseline, FedRAMP recommends that the CSP and the attesting 3PAO download a copy of the FedRAMP High Readiness Assessment Report (RAR) Template from the FedRAMP website and read through the contents of the RAR to understand the depth of scrutiny required for a High Baseline system.
Here are some frequently asked questions regarding this transition:
1. Is the ATO transition between a Moderate baseline and a High baseline merely an amendment to the Moderate ATO? Or will this process involve a new ATO?
Answer: The High Baseline (HBL) Authorization is a new Authorization at the High Baseline level. This requires that the CSP engage with a partnering Agency (either existing or new) and a FedRAMP-accredited 3PAO or other independent assessor to maneuver through the HBL Authorization process; i.e., capturing HBL requirements in the SSP and attachments, undergoing testing of the HBL controls, at a minimum, and re-authorization of the Service at the HBL level. This assumes that the cloud service's moderate-level testing is current and compliant with FedRAMP guidelines.
2. Is there a FedRAMP-approved document that speaks to the "net-new" controls between the Moderate baseline and the HBL?
Answer: No. Based on the extent of the control and parameter changes, the CSP must review the requirements as enumerated in the High Baseline (HBL) SSP template and the HBL RAR template to ensure that the CSP organizational architecture will support the HBL requirements. Further, the review will ensure that the cloud service architecture can meet the HBL requirements.
3. Are there any significant new requirements for New Systems?
Answer: Yes. There are changes incorporated in the current FedRAMP HBL set of controls posted on the FedRAMP website, based on the FedRAMP PMO and Joint Authorization Board (JAB) collaboration. Some of the changes were additional controls; other changes were more stringent parameters and Additional Guidance. Please see the requirements in the HBL SSP template and the HBL Readiness Assessment Report template. Some examples of changes in the HBL requirements include:
a. More emphasis is placed on the use of automation for control implementations
b. All CSO services must be included in the authorization boundary
c. The eAuth requirement is "Level 4" (includes in-person identity proofing) versus the Moderate "Level 3 or higher"
There are added controls that are particularly challenging, either in terms of resources or technical complexity, based upon the cloud service architecture, i.e., SC-3 Security Function Isolation.
Q: One of the Moderate and High RAR Federal Mandates that is overlooked is (5.) Does the CSP and system meet Federal Records Management Requirements, including the ability to support record holds, National Archives and Records Administration (NARA) requirements, and Freedom of Information Act (FOIA) requirements? What does this really mean to a CSP?
A: Since the FedRAMP mandate is a requirement that must be met, it is important that the CSP understands the Federal Records Retention Requirements to achieve compliance. Since CSPs store, transmit, and process Government data, a CSP must be aware that there are retention schedules provided by NARA that govern the disposition of these federal records. From the Agency perspective, the Agency program officials are required to coordinate with Agency records officers and with NARA to identify appropriate retention periods and disposal methods. Since CSPs and the CSOs are now mostly the de facto cloud-based keepers of the federal records, CSPs must understand the NARA and FOIA requirements for the federal data and information that is traversing and being held in the CSP system. The requirements should be fully outlined in the contract award information, but it is incumbent upon the CSP contractors to understand Federal Records Management Requirements. The basic requirements for Federal Records Management can be found at:
https://www.archives.gov/about/regulations/regulations.html
Regarding FOIA, "Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any Federal Agency. It is often described as the law that keeps citizens in the know about their government. Federal Agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement."
Currently, additional information for the FOIA can be found here:
https://www.foia.gov/index.html
The FOIA applies to all federal Agencies, which means it does not apply to:
§ The Judicial Branch and Federal Courts
§ The Legislative Branch and Congress
§ State Governments and Courts
Q: Is there an established process for what is supposed to occur when ownership of an authorized service transfers from one Cloud Service Provider (CSP) to another?
A: If there were NO changes to the service, NO change to the security posture, NO change to the risk management strategy of the overall organization, and it was simply a name change, then the process could be as easy as notifying the Authorizing Official(s) of the name change. This could be addressed as an administrative change based upon the AO determination. The CSP should also notify FedRAMP of the change. The Cloud Service Offering authorization package documentation should be changed as well to reflect the ownership change.
More often than not, when services change owners, organizational policies and procedures change, which changes the security posture and the risk management strategy of the system. Changes like this are significant and must be documented appropriately. If that is the case, the CSP should account for and make associated updates to the CSO package as early as possible. The changes must be clearly documented and submitted to the AO for review and approval.
Of course, the CSP and involved Agencies will need to facilitate contractual changes to reflect the change of ownership.
Q: Does FedRAMP still assign Information System Security Officers (ISSOs) to each Cloud Service Provider (CSP) that is engaged in the Joint Authorization Board (JAB) provisional authorization process?
A: FedRAMP no longer has FedRAMP ISSOs assigned to each CSP. Now, each CSP has a direct relationship with a primary and secondary JAB Reviewer. Each CSP should ensure that the SSP documentation, when referring to designated contacts, is changed (for example, changing "FedRAMP ISSO" to "Primary JAB Reviewer" and "Secondary JAB Reviewer").
Please note that in the recent past, the "JAB Reviewer" was called the "JAB Technical Review - Reviewer." Since the FedRAMP JAB Provisional Authorization adjustments, and the shifting of the responsibilities, the JAB Technical Review - Reviewer is now called the "JAB Reviewer."
Q: WhensubmittingacompletedauthorizationpackagetoFedRAMP,whatarethethreecategoriesoftestingevidencewithtimelinesscriteria?Pleasedefinethetimelinesscriteriarequired.
A: Thethreecategoriesoftestingevidencewithtimelinesscriteriaarepenetrationtesting,securitycontrolstesting,andvulnerabilityscanning.VulnerabilityscanningmustbeforOperatingSystem(OS)/infrastructure,databases,andwebapplicationcomponents.TheCSP/3PAOmustensurethattheassociatedtestingevidenceisconsidered“timely”bythePMO(JAB&PMOfollowsamerequirements).
Timeliness Requirements for Penetration Testing
§ When submitting a completed authorization package to FedRAMP to begin the JAB P-ATO process, the Penetration Test cannot be older than 6 months
§ CSPs should ensure the Penetration Test is executed as close as possible to a CSP’s submission of the authorization package
§ Once a JAB P-ATO is granted, CSPs must have a 3PAO complete a new Penetration Test at minimum once a year
Timeliness Requirements for Security Control Testing
§ When submitting a completed authorization package to FedRAMP, security control testing evidence must be current within:
- 120 days, if the system does not have an existing FedRAMP Agency authorization
- 12 months, if the system has an existing FedRAMP Agency authorization
Timeliness Requirements for Vulnerability Scanning
§ When submitting a completed authorization package to FedRAMP to begin the JAB P-ATO process or the Agency ATO process, the scans completed by a 3PAO and reflected in the Security Assessment Report (SAR) must be current within 120 days
§ Additionally, CSPs must submit scans and a POA&M current within 30 days prior to the date of the JAB P-ATO process kickoff
§ During the JAB P-ATO process and afterwards, vendors must submit monthly vulnerability scans, in accordance with security controls RA-5 and RA-5(5); and matching POA&Ms, in accordance with security control CA-5
§ Agency ATO systems should be submitting timely monthly scan results and POA&Ms to the partnering Agency(ies)
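The timeliness rules above are easy to get wrong when a package is assembled from evidence of different ages. The following is an added example, not FedRAMP PMO code, that encodes the four rules as a pre-submission check; the Evidence fields, the month arithmetic helper, the rule names and all sample dates are assumptions made for the example.

```python
"""Evidence-timeliness check for a FedRAMP authorization package (added example)."""
import calendar
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass
class Evidence:
    """Dates of the newest evidence of each kind in the package (constructed fields)."""
    pen_test: date            # completion date of the 3PAO penetration test
    control_test: date        # completion date of security control testing
    sar_scans: date           # date of the 3PAO scans reflected in the SAR
    latest_scans_poam: date   # date of the most recent monthly scans and matching POA&M
    has_agency_ato: bool      # system already holds a FedRAMP Agency authorization


def months_before(d: date, n: int) -> date:
    """Same day of month, n calendar months earlier (day clamped to month length)."""
    year, month0 = divmod(d.month - 1 - n, 12)
    year += d.year
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


def check_timeliness(ev: Evidence, submission: date,
                     kickoff: Optional[date] = None) -> dict:
    """One True/False verdict per timeliness rule.

    submission: date the package is submitted to FedRAMP.
    kickoff:    planned JAB P-ATO kickoff date, or None for an Agency ATO package.
    """
    results = {}
    # Penetration test: no older than 6 months at submission.
    results["pen_test_within_6_months"] = ev.pen_test >= months_before(submission, 6)
    # Security control testing: 120 days without an existing Agency authorization,
    # 12 months with one.
    if ev.has_agency_ato:
        cutoff = months_before(submission, 12)
    else:
        cutoff = submission - timedelta(days=120)
    results["control_testing_current"] = ev.control_test >= cutoff
    # 3PAO scans reflected in the SAR: current within 120 days.
    results["sar_scans_within_120_days"] = ev.sar_scans >= submission - timedelta(days=120)
    # Scans and POA&M: current within the 30 days before JAB P-ATO kickoff.
    if kickoff is not None:
        results["scans_poam_within_30_days_of_kickoff"] = (
            kickoff - timedelta(days=30) <= ev.latest_scans_poam <= kickoff
        )
    return results


def package_is_timely(ev: Evidence, submission: date,
                      kickoff: Optional[date] = None) -> bool:
    return all(check_timeliness(ev, submission, kickoff).values())


# Constructed sample packages (not real submissions).
SAMPLE_SUBMISSION = date(2017, 6, 1)
SAMPLE_KICKOFF = date(2017, 6, 15)
SAMPLE_TIMELY = Evidence(date(2017, 1, 15), date(2017, 3, 1),
                         date(2017, 5, 20), date(2017, 5, 25), has_agency_ato=False)
# Pen test 8 months old, control testing 137 days old, no Agency authorization.
SAMPLE_STALE = Evidence(date(2016, 10, 1), date(2017, 1, 15),
                        date(2017, 5, 20), date(2017, 5, 25), has_agency_ato=False)
# Same evidence, but the 12-month window applies because an Agency ATO exists.
SAMPLE_STALE_WITH_AGENCY_ATO = replace(SAMPLE_STALE, has_agency_ato=True)

if __name__ == "__main__":
    for name, ev in (("timely", SAMPLE_TIMELY), ("stale", SAMPLE_STALE)):
        print(name)
        for rule, ok in check_timeliness(ev, SAMPLE_SUBMISSION, SAMPLE_KICKOFF).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {rule}")
```

Note that the penetration-test and 12-month windows are expressed in calendar months while the others are day counts, exactly as the text states them; the helper keeps the two kinds of arithmetic separate so the check does not silently treat "6 months" as 180 days.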
TIP: When submitting a Readiness Assessment Report or an authorization package, send a notification to info@fedramp.gov.
Cloud Service Providers (CSPs), Partnering Agencies, and/or Third Party Assessment Organizations (3PAOs) must send an email notification to info@fedramp.gov to let the FedRAMP PMO know exactly when an Agency FedRAMP Package or a Readiness Assessment Report (RAR) is posted to OMB MAX. Because both the RAR and the CSP package culminate in the Security Assessment Report (SAR) and the 3PAO recommendation to the Authorizing Official (AO) concerning the risk posture and/or authorization of the system, it is ideal if the 3PAO uploads the documentation. This email notification facilitates the beginning of the process to get the Cloud Service Offering (CSO) Package into the FedRAMP process or at the least get the AO Memo posted to the website. The OMB MAX facilitator will set up the CSO package skeleton on MAX into which the package is uploaded. Other encryption policies apply if the CSO is a High Baseline package.
Please be advised that OMB MAX submissions do not generate an automatic notification to the FedRAMP PMO at this time. If a RAR or authorization package is submitted, but the PMO is not made aware of the submission, the review will be delayed.
Q: Are CSPs required to perform background checks on staff members?
A: Yes. Personnel Security (PS)-3 Personnel Screening is required for all FedRAMP defined baselines (High, Moderate, Low, and FedRAMP Tailored). Specifically, the control requirement is that the organization:
a. Screens individuals prior to authorizing access to the information system; and
b. Rescreens individuals for national security clearances - a reinvestigation is required during the 5th year for top secret security clearance; the 10th year for secret security clearance; and 15th year for confidential security clearance. Additionally, for moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions.
The objective/intent of part (a) of this PS-3 control is to ensure that the CSP elaborates upon what type of personnel screening is accomplished before the personnel are allowed system access. The CSP must be aware that when contracting with the Federal Government it is at the discretion of the partnering Agency to determine what level of personnel screening must be accomplished. Since the CSP is contracting and acting on behalf of the Agency, the CSP is required to follow the Agency requirements for suitability to perform services on behalf of the Agency.
Further, for FedRAMP Moderate and High baseline systems, PS-3(3) Personnel Screening | Information with Special Protection Measures, the control requirement is that the organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:
a. Have valid access authorizations that are demonstrated by assigned official government duties; and
b. Satisfy personnel screening criteria – as required by specific information.
NIST Supplemental Guidance:
Organizational information requiring special protection includes, for example, Controlled Unclassified Information (CUI) and Sources and Methods Information (SAMI). Personnel security criteria include, for example, position sensitivity background screening requirements.
TIP: A CSP using non-US persons to support their system is FedRAMP compliant but will find their market limited among Federal Agencies.
Using non-US persons to support a FedRAMP system is a business decision the CSP must make. There is no Federal requirement about citizenship. Some Agencies have no issue with the use of non-US persons supporting the system; however, many Agencies have their own citizenship requirements. For some Agencies, the requirement is blanket. For others, it may depend on the sensitivity of the system.
Q: Who do I contact if I have changes to the information that I submitted in my CSP Information Form or the information that is displayed on my FedRAMP Marketplace page?
A: Email info@fedramp.gov with any changes and/or updates to information (e.g., offering, description, point of contact).
TIP: US-CERT has updated incident response guidance (effective April 1, 2017).
https://www.us-cert.gov/incident-notification-guidelines
Organizations must report information security incidents, where the confidentiality, integrity, or availability of a federal information system is potentially compromised, with the required data elements, as well as any other available information, within one hour of being identified by the organization. In some cases, it may not be feasible to have complete and validated information prior to reporting. Organizations should provide their best estimate at the time of notification and report updated information as it becomes available. Events that have been found by the organization not to impact confidentiality, integrity or availability may be reported voluntarily.
Q: What is the first step to move from a moderate system to a high system?
A: Please visit the FedRAMP Templates page and find the FedRAMP FIPS-199 Categorization Change Form Template under the “Continuous Monitoring” section. Once the form is completed, send the form, along with the letter from an Agency demonstrating demand, to info@fedramp.gov. Your JAB reviewer will then contact you regarding the request (with a request for clarification, approval, or denial).
Q: How do I get access to my Certificate of Completion after I complete Training module 300-G?
A: To download and print your course certificate you must first complete the 3PAO RAR Training, 3PAO RAR Final Exam, and FedRAMP Course Survey. These trainings can be accessed on our FedRAMP Training page. Once the course survey is complete, click on the box ‘Marked Reviewed’ below the description. This action will refresh the screen and bring up your course certificate. To view the course certificate, click on the box “Marked Reviewed” and then click on “Certificate” in the upper left-hand index under “Start Here.” This action will bring up another window with the certificate and you can print it using the controls on the right.
Q: The Agency I’m working with requires that their data be cryptographically protected. What requirements must I follow?
A: Any system that handles Government data may be the target of a cyber-attack, particularly those systems with sensitive data. Because of this, if an Agency requires that their data must be cryptographically protected, then FIPS 140-2 applies, and the cryptographic modules used by Transport Layer Security (TLS) services must be FIPS 140-2 validated.
TLS version 1.2 is currently the most secure; however, version 1.3 is in draft and may cause compatibility issues when it is released because it will not support many obsolete crypto features.
To take advantage of the benefits of TLS 1.2, it is important to use a TLS service (e.g. library, web framework, web application server) that has been FIPS 140-2 validated. In addition, the crypto module must be installed, configured and operated in either an approved or an allowed mode to provide a high degree of certainty that the FIPS 140-2 validated crypto module is providing the expected security services in the expected manner.
If the system is required to use FIPS 140-2 encryption (i.e., owned or operated by or on behalf of the U.S. Government), then TLS must be used, and SSL disabled. For more information on this, see Section 7.1 (now D.2) of Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program.
Cryptographic module validation listings can be found at: https://csrc.nist.gov/projects/cryptographic-module-validation-program/module-validation-lists
Cryptographic algorithm validation listings can be found at: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation
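The "TLS on, SSL off, TLS 1.2 minimum" guidance above is a configuration that can be checked in code rather than by inspection. The following is an added example, not FedRAMP's or NIST's code, that builds a server and a client `ssl.SSLContext` meeting that guidance and audits any context against it. Two caveats it makes explicit: Python's `ssl` module cannot tell you whether the underlying OpenSSL build is a FIPS 140-2 validated module (it only reports the library version for you to match against the CMVP listing), and the "legacy" context is constructed here purely to show what the audit catches.

```python
"""Build and audit TLS contexts that follow 'TLS on, SSL off, TLS 1.2 minimum' (added example)."""
import ssl


def build_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server-side context: TLS only, TLS 1.2 or newer, SSLv3 and compression off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0 and TLS 1.1
    # Both flags are already set by default on modern Python; setting them explicitly
    # documents the intent and protects against a build with different defaults.
    ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)      # PEM paths supplied by the operator
    return ctx


def build_client_context() -> ssl.SSLContext:
    """Client-side context: certificate and hostname verification on, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION
    return ctx


def legacy_context_for_demo() -> ssl.SSLContext:
    """Deliberately weak context (constructed for the audit demo): any protocol version allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext, role: str = "server") -> list:
    """Return a list of findings; an empty list means the context meets the guidance."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum protocol version is {ctx.minimum_version.name}, "
                        "TLSv1_2 is required")
    if not ctx.options & ssl.OP_NO_SSLv3:
        problems.append("SSLv3 is not disabled")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        problems.append("TLS compression is enabled")
    if role == "client":
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            problems.append("client does not require a server certificate")
        if not ctx.check_hostname:
            problems.append("client does not verify the server hostname")
    return problems


def crypto_module_banner() -> str:
    """Library version string to compare against the CMVP module validation listing.
    Python cannot confirm FIPS validation or approved-mode operation; that is an
    operator check against the vendor's security policy."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    print("crypto library:", crypto_module_banner())
    for name, ctx, role in (("server", build_server_context(), "server"),
                            ("client", build_client_context(), "client"),
                            ("legacy", legacy_context_for_demo(), "server")):
        findings = audit_context(ctx, role)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The audit keys on `minimum_version` rather than on the individual `OP_NO_TLSv1*` option bits because a minimum of TLS 1.2 excludes every older protocol in one setting, and because the option bits are not reliably reflected back by every OpenSSL build.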
Q: I already have a Provisional Authorization to Operate (P-ATO) with the Joint Authorization Board (JAB). Is non-compliance on a particular control or on business issues allowed?
A: Once a CSP achieves a P-ATO, it is incumbent on them to maintain their authorization to the best of their ability. Any non-compliance must be addressed expediently and to the satisfaction of the JAB. This includes ensuring consistent, successful monthly continuous monitoring with remediations and annual assessments. Corrective Action Plans (CAPs) will be instituted if deemed necessary. This level of fidelity is necessary to ensure the security of government data and systems.
5. PROFESSIONAL WRITING TIPS
The FedRAMP authorization process requires cloud service providers (CSPs) and 3PAOs to develop a large number of technically written documents. Here are some tips from our Quality Management team on how to write a well-written document.
Write short sentences.
Stick to a single idea in each sentence. Structure them with bulleted lists in many cases. Avoid a sentence like this: “In order to fulfill control requirement XX-Y, the system implements feature Q, controlled by parameters initialized to factory settings ZZZ, and changed in accordance with the history of user requests to new settings to solve any revealed problems, reviewed monthly by the product manager.”
Say rather:
§ “Control requirement XX-Y is satisfied as follows:
§ Feature Q is used to fulfill this requirement.
§ Feature Q is initialized to factory settings ZZZ.
§ The product manager reviews the past month’s user requests.
§ The product manager changes the settings based on the past month’s user requests.
§ The new settings are determined according to the following table:” [You should include a table here showing criteria for changing the settings.]
Each time a new version of a document is “published,” the version number should be incremented, and the date of publication should become the document date.
The document should be marked with these two important items on the cover page at a minimum. Ideally (and where required by templates) the version and date appear also in a document revision history and in the header or footer of every page of the document. For major revisions, increment the whole number to the left of the decimal. For minor revisions, increment the number to the right of the decimal.
For example, the initial SSP would start out as Version 1.0. As the CSP revises the SSP in response to JAB TR comments, the SSP version number should increment to 1.1, then 1.2, etc. As a CSP transitions from NIST SP 800-53 Rev 3 to Rev 4, the resulting SSP version number would change to 2.0. Then as the SSP is revised as a result of ISSO or JAB feedback the version would change to 2.1 and then to 2.2 for each “published” revision.
Reviewers, auditors, and users of these documents rely on correct version numbers and dates to ensure they are looking at an appropriate version of a document. Proper management of document version numbers and dates eliminates ambiguity as to which version of a document is the latest and when it went into effect.
Q: When is it appropriate to use “bytes” and when should I use “bits”?
A: You may already know this and there can be exceptions but as a rule of thumb:
When discussing storage, size is expressed in “bytes.” When discussing communications, speeds are typically expressed in “bits per second.” Storage includes tape backup, SAN, RAM, ROM, disks, thumb-drives, etc. For stored program files such as executables, OSs, Microsoft OA files such as Word/Excel, and pictures, size is expressed in bytes (KB, MB, GB; SAN and tape storage can be terabytes (TB) and petabytes (PB)). As an example, GSA’s email gateway has a limit of a 45MB (megabytes) file attachment size.
Communications speeds and sizes, on the other hand, are expressed in “bits per second.” GSA’s Internet links are probably 1Gbps (gigabits per second). Corporate Wide Area Networks and data center backbones are typically 10Gbps and communications between workstations and servers are typically 100Mbps (megabits per second) or 1Gbps. Wi-Fi, these days, is at least 54Mbps and getting faster.
So, bytes for storage, and bits per second for communications.
Be wary of using pronouns in your writing.
Always be absolutely clear who, or what organization, is responsible for an action. It is much better to repeat the responsible party’s/organization’s name than to leave the reader in doubt as to who or what a pronoun refers to.
In your written work, always refer to the same person, position, or thing by the same name. Avoid, for example, calling “the test team” by other names, like “the test group,” “the testers,” or “the evaluation team.”
Provide all relevant information for the JAB TRs to prevent slowing down the review process.
When reviewing each of the NIST SP 800-53 Revision 4 controls, be sure to read the control description thoroughly to understand the nouns and the verbs in each of the individual requirements for each individual security control. Once the writer identifies who or what should be performing the action(s), then provide a description regarding how the action is and/or the actions are performed within the environment. Be succinct for each action verb, i.e., “monitors” and “updates”. The writer must describe how something is monitored and then how something is updated. (Please note that many times the monitors and updates require a specific frequency, as well.) The NIST SP 800-53A Revision 4 testing criteria can be used as the cross reference for each of the security controls in order that the writer understand the objectives for each control.
Q: Which is the better sentence? “The report is sent to the Agency.” OR “The Contractor’s Project Manager sends the Monthly Status Report to the Agency Program Manager by the fifth day of each month.”
A: The first sentence is written in passive voice. It does not specify who sends the report or which Agency will receive it.
Tip: Send all documents and writing in an Active Voice. Writing in active voice gives clarity and specificity – a must for all FedRAMP documentation.
Many readers commonly confuse the meanings of i.e. and e.g. I.e. and e.g. are both abbreviations for Latin terms. I.e. stands for “id est” and means roughly “that is.” E.g. stands for “exempli gratia,” which means “for example.” It is best to write out the meanings of these abbreviations to avoid any misunderstanding.
Avoid using “etc.” If an item is important enough to be in a list, then it is important enough to name. Only use “etc.” if it is completely clear how the rest of the list will run. Alternatively, explain the characteristics of the items in the list, and then say, “For example.”
Be consistent with your naming conventions. Always call the same thing by the same name throughout your written work.
EXAMPLE: “The Emergency Response Team shall resolve all problems within four hours of receiving a report. Once a problem is fixed, the response team lead documents the solution and sends the requesting team the correction report.” This sentence calls “The Emergency Response Team” by another name, “response team.” These are probably the same, but the different names and differing capitalization can be confusing. Additionally, what the Emergency Response Team does is referred to with three different verbs: resolve, fix, and correct. Stick to one name and try to stick to one verb that accurately describes the action.
6. READINESS ASSESSMENT REPORT
TIP: When submitting a RAR or RAR update (3PAOs) or an authorization package (CSPs or Agencies), send a notification to info@fedramp.gov.
Submission does not generate an automated notification to the PMO at this time. Sometimes RARs and authorization packages are submitted, but the PMO is not made aware of the submission and so cannot begin review.
We also ask that you email info@fedramp.gov and give us at least two weeks advance notice BEFORE you submit any authorization for review to OMB MAX.
By giving us advance notice of your anticipated submission date through info@fedramp.gov, the FedRAMP PMO can ensure our reviews are completed in a prompt and efficient manner. Our goal is to complete our reviews as quickly as possible and in turn update your CSP’s status on the FedRAMP Marketplace to “Authorized” as close to your Agency granting an ATO as possible.
Without providing us with an estimated completion date and providing a two-week warning, we will be unable to ensure we have the appropriate resources and commit to you that our review will be completed in a timely manner.
If you have any questions about this request, please contact info@fedramp.gov.
7. SECURITY ASSESSMENT PLAN (SAP) & SECURITY ASSESSMENT REPORT (SAR) DOCUMENTS
TIP: Findings that the 3PAO has validated/determined to be False Positives are NOT included in the P-ATO SAR POA&M.
Otherwise, they are simply “findings” which need to be included in the P-ATO SAR POA&M. However, if the findings that the 3PAO determined to be “False Positives” in the P-ATO SAR are not approved by the JAB, then at the Continuous Monitoring phase, those findings must be added to the ConMon POA&M for tracking through the monthly reporting until remediated. (Note: These findings are deliberately not called “False Positives” because at that point they will have been determined to be simply “open findings.”)
Q: What is the 3PAO’s responsibility if it is not conducting the vulnerability scanning for an assessment?
A: If the 3PAO is not conducting the vulnerability scanning for an assessment, then the Security Assessment Plan (SAP) should identify the alternative methodology. The 3PAO should describe processes to ensure integrity, completeness, accuracy, reliability, and the independent nature of the scan results. At a minimum, the 3PAO is responsible for:
§ Reviewing scanning tools to ensure the tools are appropriately configured before the scans are executed (i.e., describing what the appropriate/expected configurations are that will be verified)
§ Ensuring scans comply with the FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide
§ Overseeing and monitoring scans from initiation to completion
§ Describing the procedures to ensure chain-of-custody of the scan results
Q: When developing a Security Assessment Plan (SAP), how should a 3PAO select which controls to assess?
A: Guidance documents for selecting controls to include in the SAP can be found on the FedRAMP website. For Annual Assessments, as an example, the 3PAO should select core security controls, as well as other controls required by the CSP, all controls that haven’t been tested within the three-year cycle, and controls that were Plan of Action and Milestones (POA&M) items, involved with Deviation Requests, etc.
As a tip: When developing the SAP, 3PAOs should review the controls listed in the closed POA&Ms as a basis for the selection of controls to assess. Then, instead of full testing of the control, simply assess the remediation actions/documentation associated with the closed POA&M to ensure the specific issue noted in that POA&M was addressed.
Q: What is the third party assessment organization’s (3PAO) responsibility if it is not conducting the vulnerability scanning for specific controls in an assessment?
A: Generally, an assessment by the 3PAO includes several methodologies: personal interviews, document and evidence reviews, vulnerability scanning, and penetration testing. The Security Assessment Plan (SAP) should address the assessment methodology in detail so that it can be reviewed and approved prior to assessment testing. For vulnerability scanning, 3PAO responsibilities include:
§ Reviewing scanning tools to ensure the tools are appropriately configured before the scans are executed (i.e., describing the appropriate/expected configurations that will then be verified)
§ Ensuring scans comply with the FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide
§ Overseeing and monitoring scans from initiation to completion
§ Describing and executing the procedures to ensure 3PAO chain-of-custody of the scan and results
Q: When completing the Security Assessment Report (SAR), is it appropriate to assign the same values to tables ES-1 and F-1/F-2 if there are no POA&M entries in the initial assessment?
A: It is not appropriate to assign the same values to tables ES-1 and F-1/F-2 if there are no POA&M entries in the initial assessment. SAR Table ES-1 represents the total risk to the system being assessed, while tables F-1 and F-2 represent only the findings from the assessment testing itself.
For initial assessments, the findings represent the total risk to the system, thus table ES-1 ends up with the same totals as tables F-1 and F-2. For annual assessments, POA&M items not duplicated through testing are also part of the total system risk, thus table ES-1 totals must reflect both testing totals and POA&M totals after duplicates have been identified and removed from the count.
Q: Is the CSP responsible for ensuring the quality of the work performed by the 3PAO?
A: While accredited 3PAOs perform security assessments of FedRAMP cloud services, it is the CSP that is responsible for all 3PAO activities and deliverables related to the assessment of their cloud offering. The CSP manages and oversees these activities accordingly. Exceptions are delivery of the Security Assessment Plan (SAP), Security Assessment Report (SAR), and the SAR results. In order to maintain the integrity and independence of these documents, they must be provided to the PMO directly from the 3PAO. While the 3PAO makes the final determination on the security results in the SAR, the CSP should ensure the quality of the SAR and all 3PAO deliverables provided to FedRAMP.
Q: Are High findings acceptable when submitting a Security Assessment Report (SAR) for an initial Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO)?
A: When submitting a SAR for an initial JAB Provisional Authorization to Operate (P-ATO), there must be no High findings. For High findings that cannot be resolved, such as vendor dependencies, sufficient additional mitigating controls must be in place to justify a risk reduction to Moderate.
Some CSPs incorrectly believe that a High finding is acceptable if it is a vendor dependency or operationally required vulnerability. This is not the case. If a High finding cannot be resolved, it must at least be mitigated down to a Moderate.
Q: Do the tools used for the penetration test need to be listed anywhere else besides in the Penetration Test Plan document?
A: Yes. The tools used for the penetration test must also be listed in the Security Assessment Plan (SAP) and match those listed in the Penetration Test Plan document. When completing Table 5-3 in the SAP, be sure to include each tool used for the security controls assessment, vulnerability scanning, and penetration test.
Q: Are low risk findings tracked on the Plan of Action and Milestones (POA&M)? If so, what is the time window to correct low risk findings? The FedRAMP guidance only states remediation timeframes for high/moderate risk items.
A: Yes, all findings must be documented in the POA&M, including low risk findings. Low risk findings should be remediated within 180 days, and the remediation will be validated during the next annual assessment.
Q: What are the roles and responsibilities of the third party assessment organization (3PAO) and the cloud service provider (CSP) during the assessment?
A: While FedRAMP certifies 3PAOs to perform security assessments of FedRAMP cloud services, the CSP is ultimately responsible for all 3PAO activities and deliverables related to the assessment of their cloud offering. The CSP develops and maintains the System Security Plan (SSP), Plan of Action and Milestones (POA&M) and other supporting documents; however, the CSP also manages and oversees the assessment activities accordingly. The 3PAO develops and delivers the Security Assessment Plan (SAP), and Security Assessment Report (SAR), and SAR evidence/attachments. While the 3PAO makes the final determination on the security results in the SAR, the CSP should ensure the quality of the SAR and all other 3PAO deliverables.
Q: When developing the Security Assessment Report (SAR), what is the procedure or method for documenting findings that were corrected during testing or identified as false positives?
A: False positives and vulnerabilities that were corrected during testing are reported in designated SAR tables. Consult the SAR table of contents to identify these locations. When describing what was done to confirm that something was a false positive or corrected during testing, cite the specific item of evidence (screenshot, scan file, etc.) by filename in the table entry. Provide the evidence file(s) with the SAR. This approach will ensure the SAR reviewers can easily navigate the document when evaluating these items.
Q: Can the Security Assessment Plan (SAP) or the Security Assessment Report (SAR) templates be modified?
A: Templates for the SAP and the SAR can be modified to add content, but content cannot be removed from the template. So you will be able to add information to help bolster security packages, but you cannot eliminate parts or portions of the templates.
Q: How does a 3PAO indicate that a vulnerability is “closed” in the Security Assessment Report (SAR)?
A: For any scan-related finding that was found and corrected during testing, please make sure to include a “targeted” scan that reflects the vulnerability as closed. It is recommended that these remediation scans are targeted scans, where scans are conducted to target the specific vulnerabilities and specifically impacted components proving closure, so as not to skew the assessment results. Please provide these targeted scans as part of the final SAR deliverable that is submitted to FedRAMP.
Q: Are there limitations on the types of findings that can be reported in the Security Assessment Report (SAR)?
A: There cannot be any unmitigated or unremediated high findings reported in the SAR for P-ATO. Hence, Table ES-1 shouldn’t have any Highs listed within the composite.
Q: What does the 3PAO need to provide with regard to vulnerabilities that were fixed during testing, downgraded, operationally required, or false positives?
A: For vulnerabilities that were remediated during assessment testing, risk adjusted, operationally required, or determined to be a false positive, the 3PAO must provide compelling evidence in the form of artifacts and detailed rationale within the appropriate Security Assessment Report (SAR) tables to justify the adjusted status. Please reference the specific evidence file(s) and provide them with the SAR.
Q: Should a Security Assessment Plan (SAP) be submitted if the inventory differs from the System Security Plan (SSP)?
A: At the time the SAP is submitted by the 3PAO, the SSP and SAP should reflect the same inventory. Post testing, if there are devices that are discovered and not disclosed within the SSP and/or SAP, the Security Assessment Report (SAR) must reflect a deviation from the SAP, and the SSP must be updated prior to authorization with the accurate inventory listing.
Q: How does a 3PAO ensure repeatable and consistent results when reporting the results of an assessment method?
A: When reporting the results of an assessment method (document examinations, personal interviews, and system tests), ensure there is enough detail so that the assessment method and result can be repeated by someone else. This generally refers to Appendix B of the Security Assessment Report (SAR), spreadsheet tab: “Procedure and Evidence”. For each control, there should be sufficient detail to describe the assessment method that includes the procedure, evidence and results. This should have a consistent look and feel from control to control, for repeatability and consistency.
Q: When a 3PAO is providing the Authorization Recommendation for a CSP Provisional Authorization To Operate (P-ATO), the Security Assessment Report (SAR), Section 7 needs to be updated. What updates must be provided in the SAR template section 7 - Authorization Recommendation?
A: Section 7 of the SAR is templated so that the 3PAO may provide an executive summary type of overview for the analysis of risk identified within the system environment. The summary includes the numbers of types of vulnerabilities identified (i.e., there were <Number> High risks, <Number> Moderate risks, <Number> Low risks, and <Number> Operationally Required risks). Operationally required risks must be identified because these vulnerabilities are risks that cannot readily be remediated or mitigated because the remediation or mitigation would adversely affect the operating environment of the system. The FedRAMP Program Management Office (PMO) expects that the 3PAO provides their professional recommendation regarding the analysis of risks for the system based on the results of the security assessment. However, the 3PAO recommendation must be fully validated by collected artifacts and evidence. The recommendation is reviewed by the Joint Authorization Board (JAB) for the Provisional Authorization To Operate (P-ATO) decision and by the Agency Authorizing Official (AO) for the Agency Authorization.
TIP: A Certified 3PAO Penetration Testing Methodology must contain all of the FedRAMP Penetration Testing components.
Every 3PAO has adopted a specific Penetration Testing Methodology. However, in order for the 3PAO to be FedRAMP compliant and perform FedRAMP Compliant Penetration Testing, the FedRAMP Penetration Test Guidance, Version 1.0.1, dated July 6, 2015 and the methodology contained therein must be tightly interwoven in the 3PAO Penetration Testing Methodology.
For instance, if a 3PAO is testing roles, for each role defined, the penetration testing methodology used by the 3PAO must incorporate the attack vectors defined, at a minimum:
1. External to Corporate – External Untrusted to Internal Untrusted
2. External to Target System – External Untrusted to External Trusted
3. Target System to CSP Management System – External Trusted to Internal Trusted
4. Tenant to Tenant – External Trusted to External Trusted
5. Corporate to CSP Management System – Internal Untrusted to Internal Trusted
6. Mobile Application – External Untrusted to External Trusted
Even if the networks are called something else and are not referred to as generically as in the FedRAMP listing, proof must be provided that at least the minimum attack vectors listed in the FedRAMP guidance are penetration tested and are part of the 3PAO FedRAMP Penetration Testing Methodology for the CSP.
TIP: Assign unique Vulnerability Identifiers for the SAR/Deviation Requests/POA&M workbooks.
This can be in any format or naming convention that produces uniqueness, but FedRAMP recommends the convention V-<incremented number> (for example, V-123). This unique identifier is assigned to a specifically identified vulnerability in the CSP system. The requirement is that if a vulnerability is identified during the annual assessment and/or the monthly continuous monitoring effort, and that vulnerability is the same vulnerability already uniquely identified in the existing POA&M, the CSP and 3PAO must use the same POA&M ID as for pre-existing and open vulnerabilities. In other words, do not assign a different ID to a vulnerability that is already documented in the POA&M.
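The identifier rule in this tip and the earlier ES-1 versus F-1/F-2 question (duplicates between testing findings and open POA&M items must be identified and counted once) rest on the same operation: deciding when a newly reported finding is the same vulnerability as an existing POA&M entry. The following added example, which is not FedRAMP's workbook logic, shows one small register that does both: it reuses the existing V-<n> identifier for a known vulnerability, allocates the next one otherwise, and derives the F-1/F-2 and ES-1 totals from the same match. The matching key (component plus weakness), the sample findings and the placeholder CVE-style strings are constructed assumptions; a real workbook may key on more fields.

```python
"""POA&M identifier reuse and SAR F-1/F-2 versus ES-1 totals (added example)."""
from dataclasses import dataclass

RISK_LEVELS = ("High", "Moderate", "Low")


@dataclass(frozen=True)
class Finding:
    component: str   # affected asset, named as in the SSP inventory
    weakness: str    # scanner plugin, CVE or control reference identifying the flaw
    risk: str        # "High", "Moderate" or "Low"

    @property
    def key(self):
        # Assumption: same component + same weakness means the same vulnerability.
        return (self.component, self.weakness)


class Poam:
    """Minimal POA&M register using FedRAMP's recommended V-<incremented number> IDs."""

    def __init__(self):
        self.entries = {}      # "V-12" -> Finding
        self._by_key = {}      # Finding.key -> "V-12"
        self._next = 1

    def identify(self, f: Finding) -> str:
        """Return the existing V-ID for a known vulnerability, else allocate the next one."""
        vid = self._by_key.get(f.key)
        if vid is None:
            vid = f"V-{self._next}"
            self._next += 1
            self.entries[vid] = f
            self._by_key[f.key] = vid
        return vid


def register_findings(poam: Poam, findings) -> list:
    """Pair each finding with its V-ID; IDs already in the POA&M are reused, never reassigned."""
    return [(poam.identify(f), f) for f in findings]


def count_by_risk(findings) -> dict:
    totals = {r: 0 for r in RISK_LEVELS}
    for f in findings:
        totals[f.risk] += 1
    return totals


def sar_totals(open_poam: Poam, test_findings) -> tuple:
    """F-1/F-2 count only what testing found; ES-1 adds open POA&M items not re-found by testing."""
    f_tables = count_by_risk(test_findings)
    tested_keys = {f.key for f in test_findings}
    carried_over = [f for f in open_poam.entries.values() if f.key not in tested_keys]
    es1 = count_by_risk(list(test_findings) + carried_over)
    return f_tables, es1


def p_ato_ready(es1: dict) -> bool:
    """An initial JAB P-ATO SAR may not carry any unmitigated High in the ES-1 composite."""
    return es1["High"] == 0


# Constructed sample data: an open POA&M from the previous cycle and this cycle's test results.
SAMPLE_POAM = Poam()
SAMPLE_POAM.identify(Finding("web-01", "CVE-0000-0001 (placeholder)", "Moderate"))  # V-1
SAMPLE_POAM.identify(Finding("db-01", "weak TLS cipher suite enabled", "Low"))       # V-2
SAMPLE_TEST_FINDINGS = [
    Finding("web-01", "CVE-0000-0001 (placeholder)", "Moderate"),  # already V-1: reuse it
    Finding("app-01", "CVE-0000-0002 (placeholder)", "High"),      # new: becomes V-3
]

if __name__ == "__main__":
    for vid, f in register_findings(SAMPLE_POAM, SAMPLE_TEST_FINDINGS):
        print(vid, f.component, f.weakness, f.risk)
    f_tables, es1 = sar_totals(SAMPLE_POAM, SAMPLE_TEST_FINDINGS)
    print("F-1/F-2:", f_tables)
    print("ES-1:   ", es1, "P-ATO ready:", p_ato_ready(es1))
```

With an empty POA&M (an initial assessment) the two totals are identical, which is the case the question describes; with the carried-over Low item the ES-1 total differs from F-1/F-2 by exactly that one entry.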
Q: What are the FedRAMP requirements for vulnerability scanning?
A: Vulnerability scanning must occur for Operating System (OS)/infrastructure, databases, and web application components in the Cloud Service offering authorization boundary. The scanning parameters for the components must be defined in the Security Assessment Plan (SAP). If the 3PAO has not or is not conducting the vulnerability scanning for the assessment, then the SAP identifies the alternative methodology. This standard then becomes integrated in the methodology. In order to maintain FedRAMP scanning compliance, the 3PAO must describe processes to ensure integrity, completeness, accuracy, reliability, and the independent nature of the scan results.
At a minimum, the 3PAO must:
§ Review the scanning tools to ensure the tools are appropriately configured before the scans are executed.
§ Oversee and monitor the scans from initiation to completion.
§ Describe the procedures to ensure chain-of-custody of the scan results.
§ Compare the list of components identified in the scans and those in the inventory and provide an explanation for the difference in the SAR.
§ Assess a component through other means (manual methods), if a component cannot be scanned.
Once the methodology is approved via the SAP, the methodology may be followed for the system until there is a significant change or the next annual assessment whereby the methodology may be altered within the next SAP.
Vulnerability scans must be performed using system credentials that allow full access to scanning the entire authorization boundary to include all hardware and software. Scanners must have the ability to perform in-depth vulnerability scanning of all systems (as applicable). Systems scanned without credentials provide limited or no results of the risks. All unauthenticated scans will be rejected unless an exception has been previously granted due to applicability or technical considerations.
Q: For vulnerability scans, do all plugins have to be enabled?
A: All non-destructive plugins must be enabled. To ensure all vulnerabilities are discovered, the scanner must be configured to scan for all non-destructive findings. Any vulnerability scans where plugins are limited or excluded will be rejected. Exceptions may occur based on specific requests from the government for re-scans or targeted scans. These scans must comply with the directions provided by the government. For more information, please see our FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide.
TIP: What does a typical Third Party Assessment Organization (3PAO) Team performing a Cloud Service Offering (CSO) assessment look like according to FedRAMP?
FedRAMP requires that all assessments must be staffed by an appropriate number of 3PAO team members based on the complexity of the CSO being assessed. This 3PAO staffing includes, but is not limited to, individuals responsible for scanning, interviews, the examining of artifacts, and report writing. The 3PAO team must consist of at least three people from the 3PAO, who participate in and support the assessment, one of which is an individual considered to be the senior representative of the 3PAO, one of which is a penetration tester, and one of which is an individual dedicated to quality management of the 3PAO process.
The senior representative is responsible for ensuring the assessment activities and evidence are completed fully and meet the FedRAMP requirements and standards.
The penetration tester is responsible for ensuring the penetration testing is fully compliant with FedRAMP Penetration Test Guidance.
The individual dedicated to quality management is responsible for ensuring that all deliverables from the 3PAO meet the quality standards set forth by FedRAMP.
Any 3PAO who wishes to complete an assessment with less than three people must seek approval from the FedRAMP PMO. The senior representative must have the authority to sign off on the work of the other individuals who work on the project. During the onsite assessment by A2LA, the 3PAO must demonstrate the ability to meet the team staff requirements.
TIP: What are the basic FedRAMP requirements for 3PAOs delivering a security assessment report or a readiness assessment report?
All deliverables should be signed off by the 3PAO quality management lead before being delivered to a CSP or government authorizing official team. The quality review process for the 3PAO shall include checking all deliverables to ensure the following:
• There are no spelling or punctuation errors.
• All sections of each document delivered are complete, clear, concise, and consistent with each other.
• All team members of the assessment have reviewed the deliverables.
• Documents are prepared using the most recent standard templates, without alterations or deletions; any insertions must be agreed upon.
All SARs written by the 3PAO shall include an authorization recommendation on whether the system can appropriately safeguard government data in accordance with the security classification of the system. The recommendation shall include a summary statement and a justification statement.
All SARs written by the 3PAO shall include all scan results in a readable format, such that someone without a scanner license can read the results.
All RARs written by the 3PAO must adhere to the guidance within the FedRAMP High Readiness Assessment Report (RAR) template and the FedRAMP Moderate Readiness Assessment Report (RAR) template.
All RARs written by the 3PAO shall include analysis of results from activities including, but not limited to, discovery scans, in-person interviews, and physical examinations where appropriate. In the event that scan results are requested by the PMO, they should be retained in a readable format such that someone without a scanner license can read the results.
Q: What are the reporting expectations for the penetration test plan?
A: The SSP (and supporting documents) contain information that contributes to the reconnaissance/information gathering phase of the penetration test. This information includes the system and network architecture, inventory, ports, protocols, and services. The SAP should include tailored penetration test assessment steps (including manual steps) that are the unique result of evaluating the information in this documentation.
8. SYSTEM SECURITY PLAN (SSP) DOCUMENTATION
Q: How do I avoid making mistakes when creating/updating the System Security Plan (SSP) document?
A: For EVERY security control implementation:
1. Describe the solution implemented for this security control and how it meets the security control requirement.
2. Specify the person(s) responsible for implementing/enforcing the solution to this security control.
3. Describe how often (daily, weekly, monthly, quarterly, annually, etc.) this security control and its implementation are periodically reviewed.
   a. Be sure to include:
      i. Who performs the review.
      ii. What triggers a periodic review. Is it a specific date or event?
4. How are specified periodic reviews documented, and what artifacts can prove this control is actively implemented and reviewed?
5. If a policy has been published and is referenced as the basis for the implementation of this security control, make sure that published document is provided as an attachment, or as a supporting document, with the SSP when submitted for FedRAMP review. This is especially true for inherited controls.
   a. Security control implementations can only be inherited (leveraged) from systems that have already been approved and granted a FedRAMP authorization.
Providing a complete response to the items above will greatly improve the likelihood of a successful review on the first submission.
Q: How can a 3PAO ensure high quality assessments and deliverables?
A: The FedRAMP PMO suggests that 3PAOs perform a peer review that asks the following questions to ensure high quality assessments and deliverables:
• Can the documented assessment steps (either described and/or as shown in the evidence files) be easily repeated by someone else?
• Did you perform an examination of the System Security Plan (SSP) or Policies & Procedures (P&P) when an examination of records was required?
• When a test was required, did you perform an interview or use the examine assessment method?
• Was an interview assessment method used when an examination/observation was required?
• Is a reason provided for performing a different assessment method than the one required (e.g., examine in lieu of a test)?
• Is evidence provided?
• Is the evidence specifically cited so it can be easily located?
• Is the evidence specifically cited or provided so that the ISSO can verify that the sampling methodology (as described in the Security Assessment Plan) was followed?
• Do the observations and evidence discuss a different control than the control in the test case?
• Are the observations and evidence descriptions consistent with the Findings column (found in the "Assessment Test Cases" template)?
• Do the Results show a Contingency Plan (CP) test was conducted?
• Do the Results show the CP test was a table-top exercise rather than a functional test?
• Do the Results show an Incident Response (IR) test was conducted?
• Do the Test cases include results of the vulnerability scans and penetration test?
Q: Does the FedRAMP PMO have file type requirements for documents submitted for review?
A: When submitting documentation to the OMB MAX Secure Repository for FedRAMP PMO review, the System Security Plan (SSP) must be in Word format and unprotected. The FedRAMP PMO cannot properly conduct a formal review if documentation is in any other format. For concerns regarding this, please address them to the FedRAMP PMO at info@fedramp.gov prior to uploading documentation to MAX.
Q: Could you explain the interdependencies of controls within the System Security Plan (SSP)? Specifically, does having "N/A" for my System Security Plan (SSP) Access Control (AC)-17 for Remote Access have implications on other controls?
A: When creating the System Security Plan (SSP), understand that the plan tells the "story" of the system. While it may not be clear when you begin this task, the security controls are interrelated and have interdependencies. One of the most common issues unfolds when the SSP Access Control (AC)-17 Remote Access has "N/A" for the implementation detail. In our evolving technological world, all access to the system is now remote access. This control is interdependent with many other controls, specifically: AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4. So if there is a misinterpretation of AC-17, chances are very good that the inter-related controls will also have issues.
Q: What is a security architecture diagram and what should it include?
A: A security architecture diagram is a component of the security architecture document, which illustrates how technical security controls are implemented in the environment. It also articulates the overall security program strategy in alignment with the position and selection of security control implementations. A security architecture diagram MUST be a stand-alone document and address the requirements outlined in the control supplemental guidance in PL-8; it is not sufficient to reference the SSP or outside product guides.
Architectural and network diagrams must include all possible communication links between the CSP and federal Agencies, as well as paths into the system boundary. If customers are not yet connecting directly, a CSP can identify all planned connection points in the SSP. Describing the architecture that will be offered can help ensure that it will be authorized before a customer needs it. The boundary diagrams should be completed prior to writing implementation statements.
Q: What are some tips for writing a detailed and accurate control implementation?
A: Think of each implementation as a little story. Always include who is responsible, how the control is implemented (be specific; get granular), and what components are affected.
Q: Should I repeat the control requirement?
A: Do not repeat the control requirement. Feel free to use it, though, as a jumping-off point to write a detailed, specific implementation. Additionally, use the same action and key words within the control requirement when describing your implementation, so it is clear exactly how the implementation meets the stated requirements.
Q: Why is it important to maintain consistency between the security control implementation statements and the technical diagrams?
A: The security control implementation statements provide a detailed explanation as to how compliance with NIST SP 800-53 and FedRAMP requirements is met. Generally, compliance is met with the implementation of technical components, policy/procedure, and other mechanisms. The Boundary, Network, and Data Flow diagrams provide a visual depiction of these components within the secure environment, so it is very useful to reviewers to map control implementations to the specific components. Further, many controls are often satisfied with the implementation of the same components and are subject to security testing and Continuous Monitoring to assure effectiveness. It is important, therefore, that the implementation statements and the diagrams are consistent and accurate.
TIP: Avoid adding time to your authorization process by successfully completing the System Security Plan (SSP) review the first time! Here are some tips from the FedRAMP PMO on how to create a strong SSP:
1. Submit a complete and well-structured SSP.
2. Expertise and knowledge of NIST/FedRAMP security controls.
3. Enough resources; often one writer is not enough, and you may have to allot additional resources and subject matter experts to complete the SSP.
4. Employ the four C's of writing: Clear (straightforward, avoiding convoluted or over-long phrases); Concise (pack the most meaning into your words); Concrete (concrete writing is precise and detail-oriented); and finally, Correct (correct grammar, mechanics, and format are baseline expectations for writing).
   Example: "The Emergency Response Team shall resolve all problems within four hours of receiving a report. Once a problem is fixed, the response team lead documents the solution and sends the requesting team the correction report."
5. The writer(s) has knowledge of the system and/or can obtain the information from others, and is able to communicate that technical knowledge.
6. Perform a quality review on the SSP.
Doing these things cannot guarantee a successful SSP review, but will greatly enhance your chances.
Another writing tip: For the first control in each family (e.g., AC-1, AU-1, etc.), use the following as a checklist to ensure consistency among all of the "first" controls and to ensure they contain the required information in the appropriate part.
Part A:
(1)
• Reference the policy document specifically
• Discuss how/where the policies are made available to personnel
(2)
• Reference the procedures document specifically
• Discuss how/where the procedures are made available to personnel
Part B:
• Identify the frequency of review and update of the policy
• Identify the frequency of review and update of the procedures
Note 1: If the policies and procedures are all in one document, there is no issue with referencing that document in both Parts A and B.
Note 2: Be aware that 800-53 Rev 4 reorganized these control requirements.
"Security Procedures" as defined by NIST in SP 800-12: "Procedures normally assist in complying with applicable security policies, standards, and guidelines. They are detailed steps to be followed by users, system operations personnel, or others to accomplish a particular task (e.g., preparing new user accounts and assigning the appropriate privileges)."
Security Procedures generally explain how to perform a task, such as a technical task or a business process.
Examples of procedures are:
• How To Create User Accounts
• How To Test Backups
• How To Authorize A User Account
• How To Perform Friendly Terminations
• How To Perform Unfriendly Terminations
• How To Lock Down a Windows 2012 Server
• How To Manually Turn On a Generator
• Standard Operating Procedures For Adding New Storage Arrays
• Media Sanitization Procedures
• Procedures For Adding Firewall Rules
• Procedure For Configuring Live Migrations of Virtual Machines
• How To Review a Log File for Suspicious Activity
• How To Configure Audit Storage Capacity Alerts
• How To Use Cron To Schedule Alerts
• How To Configure The Log Delivery Service
• How To Test The Contingency Plan
Q: All of the controls listed in the System Security Plan (SSP) do not apply to my system, so I only completed those that are applicable and left the others blank. Is it permissible to leave a control blank if it has not been implemented?
A: Every section within the SSP is required to have an answer, including each control. So simply leaving it blank is not permissible. You must list the control as "n/a" and provide appropriate rationale as to why that control does not apply to your system. Very few controls are ever considered "not applicable." The average FedRAMP CSP system has no more than a handful of controls that are truly not applicable, and these typically include controls involving "Wi-Fi" and "Mobile," where these components are simply not used. However, there should be very limited or no controls listed as "not applicable" for technical control families such as AC, AU, IA, and SC. CSPs must think of the system as a whole when determining applicability. If the control applies to the system in any way, from the provider to the consumer, it is applicable. A provider must describe any portion of the control that the provider is responsible for, as well as any responsibilities of consumers. For example, IA-2(12), which requires multi-factor authentication for end users via PIV or CAC cards, might not sound applicable for a CSP. Controls like this are tricky because a CSP usually doesn't work with end users at Agencies to issue PIV or CAC cards. However, CSPs are required to have the capabilities in place for end users to authenticate via PIV or CAC cards. In this case, instead of this control being not applicable, a CSP might describe how they accept SAML authentication mechanisms for the end user, and also the customer responsibilities related to PIV/CAC and SAML interactions with the CSP.
Q: There seem to be some inconsistencies in the System Security Plan (SSP) template. For example, the -1 controls do not have as many "checkboxes" as other controls. Am I allowed to alter or update the template to fit my needs?
A: The SSP template should not be altered by the CSP. For example, do not add "checkboxes" or make any other changes to the original template. Tables may be added, for example, but existing tables cannot be modified. The -1 controls do not have as many "checkboxes" as the other controls, and this is intended by the PMO. The tables are intended to be consistent across all FedRAMP SSPs to facilitate Agency customer reviews.
Q: How do policies and procedures differ from the System Security Plan (SSP)?
A: Policies and procedures are a critical supplement to the SSP and are required by the first control (known as the "dash ones," i.e., AC-1) for each control family. These documents are submitted with the SSP and provide the guidelines under which the procedures are developed and by which the SSP controls are implemented. Policies address what the policy is and its classification, who is responsible for the execution and enforcement of the policy, and why the policy is required. Procedures define the specific instructions necessary to perform a task. Procedures detail who performs the procedure, what steps are performed, when the steps are performed, and how the procedure is performed.
Q: I referenced a document in my System Security Plan (SSP) but did not provide the referenced document because it contains proprietary or sensitive information. How will this affect my review?
A: Every attempt should be made to prevent this situation. The assessment package should stand on its own without referencing documents that require complex retrieval, which can be confusing, time consuming, and cause delays in the assessment. In the rare circumstance this can't be avoided, you might add a statement that says, "The document is available onsite for review upon request or as required for audits and assessments."
Q: How should a cloud service provider (CSP) address platform scope within the System Security Plan (SSP)?
A: There are multiple platforms/platform groups in a system, as identified by the inventory. A platform has certain controls (e.g., access controls, audit logging, session lock, etc.) configured uniquely for each device type. It is expected that unique implementations would be addressed by platform for the following controls/control families where applicable: AC, IA, AU, CM, SI-2, SI-3, SI-5, SI-11. We recommend using a standard format for addressing controls by platform (e.g., have a subheader within the control part/parts for "Cisco," "Brocade," etc.).
Q: How do I capture Customer Requirements in my security control implementation detail?
A: Please remember that clarity and consistency are key in security control implementation detail. Once the writer of the SSP makes a determination as to how the Customer Requirement is portrayed for one security control implementation detail, that same format should be used throughout the System Security Plan (SSP) for each control that has a Customer Responsibility requirement. We suggest that you begin the Customer Responsibility section in each security control implementation detail by framing "Customer Responsibility" or "Customer Responsibility Requirements" directly, and stay consistent throughout the SSP.
Following the "Customer Responsibility" or "Customer Responsibility Requirements" heading, clearly describe what the customer is expected to do. As the Cloud Service Provider (CSP), you do not have to describe how the customer implements the requirement. That description is the responsibility of each individual customer using your service offering. You must only describe that it is a Customer Requirement based on the security control implementation. Make sure that all customer requirements in the SSP MATCH the Customer Requirements in the FedRAMP Control Implementation Summary (CIS) Workbook for the SSP Low/Moderate Baseline and in the Customer Responsibility Matrix (CRM). Please note that this CIS template for the Low and Moderate Cloud Service Offerings is located on the FedRAMP website via this URL: https://www.fedramp.gov/files/2016/07/A09-FedRAMP-CIS-Workbook-LM-Template-2016-06-20-v02-00.xlsx
The FedRAMP website also has a FedRAMP High Control Implementation Summary (CIS) Workbook template, as it may apply to some systems.
Q: What are some common mistakes that arise when addressing Control Implementation statements?
A: There are several mistakes that CSPs encounter when drafting their Control Implementation statements. Some of those include:
• Customer Responsibility: The customer-specific responsibility should be addressed explicitly and consistently (e.g., addressed under a "Customer Responsibility" heading). This is so customers know exactly what their responsibilities are with regard to meeting the control requirement, exclusively or in partnership with the CSP.
• Control Scope: There are multiple platforms and device types in a system, identified in the system inventory. At a minimum, each device type has (for instance) access controls, audit logging, and flaw remediation. Each device type may have those controls configured uniquely depending upon the location of the device within the defense-in-depth for the overall system risk management strategy. Unique configurations and implementations are addressed by device type and/or location in the security defense strategy for the system. This will normally affect the AC, IA, AU, CM, and SI control families. This means that the security control implementation details for those families, and then the particular controls within the families, require a greater depth of detail.
• Before attempting to populate the system security plan (SSP), it is recommended that one take a look at the overall system authorization boundary and all the devices and components within the boundary to understand which controls affect which devices and components. This mapping is called a Security Controls Requirements Matrix. Developing a matrix saves time in the long run when documenting the system via the SSP, and it becomes easier to use a standard format for addressing controls by device or component (e.g., have a subheader within the security control implementation detail for "Cisco," "Brocade," "Windows," "Linux," and/or "Oracle"). Additionally, where applicable, each facility should be addressed, including alternate, backup, and operational facilities.
• Document References: Policies and procedures, as well as supporting documents, should be explicitly referenced (title, date, and version) so it is clear which is active. If the entire referenced document does not apply, specific section references should be provided so the applicable sections can be located easily. The reviewer should not have to rely solely on following the references to understand the control implementation. An overview of what the referenced document addresses, and its direct relevance to the control requirement, should be provided so the SSP can stand on its own.
You can have a table at the end of the SSP that specifies all referenced documents, their title, date, and version. Then reference that table when a document is cited. This way you only have to maintain date and version in one place.
Q: Does FedRAMP provide a template for an Incident Response Plan?
A: Security control IR-8 requires CSPs to develop an Incident Response Plan (IRP). The IRP is a required document within security authorization packages. FedRAMP does not provide a template for IRPs; however, NIST SP 800-61 Rev 2, Computer Security Incident Handling Guide, provides guidance on the development of Incident Response Policies and Procedures, as well as guidance on the development of an Incident Response Plan.
Q: Although the FedRAMP PMO does not provide a template for Contingency Plans and Incident Response Plans, is there any information that needs to be included?
A: For Contingency Plans and Incident Response Plans, it is helpful to include the following information:
• Name/Title of attendees
• Date and time of the exercise
• Description of the specific exercise
• Expected results
• Actual results
• Was the particular exercise successful?
• Who performed the specific part of the exercise?
• Lessons learned
For Low systems, a tabletop exercise is sufficient. For Moderate and High systems, we require a functional exercise.
TIP: Incident Response plans must include the response time for Federal Agency Incident Categories.
Minimum response times are provided by US-CERT at https://www.us-cert.gov/government-users/reporting-requirements. FedRAMP is especially concerned with the response time for CAT 1 incidents, unauthorized access. FedRAMP expects reporting of suspected unauthorized access within one hour of when the impacted customer Agency is identified. The CSP should not wait for a full analysis to be complete before reporting the suspected breach.
TIP: If a CSP's or Authorizing Official's information has changed, be sure to make these changes in the role section of the System Security Plan (SSP) immediately after the change.
There have been a lot of personnel changes in CSPs and Agencies. It's critical that CSPs update their SSPs to reflect these changes, as this is something that is vital but often overlooked.
TIP: AC-2 and IA-2 are closely related.
Every group, account, or role defined in AC-2 must be explicitly addressed in IA-2. AC-2 is used to define the groups, accounts, and roles, who may be assigned to one, and how they are managed (approval process, creation and modification procedures, monitoring, etc.). IA-2 defines the authenticators used for each group, account, or role, as well as the types of access to the system utilized by these groups, accounts, and roles. Different roles or activities require differing strengths/levels of authentication. Each authentication mechanism and use case must be clearly documented to ensure complete and adequate coverage of authentication.
TIP: The System Security Plan (SSP) Boundary, Network, and Data Flow Diagrams should be as detailed as possible to clearly define the Authorization Boundary and services, as well as show major hardware and software components and interconnectivity.
Each component should also appear with the same description in the Hardware and Software Inventories. Deviation Requests and Plan of Action & Milestones (POA&Ms) that reference these components should include the same descriptions so that they are easily cross-referenced between documents. Data Flow Diagrams should identify where federal data is processed and stored and describe all data traffic in and out of the boundary. It is also necessary to describe data flow for privileged (such as system administrators) and customer access, and to address ports, protocols, and services for managing this traffic. This assures a much better mapping between documents and helps eliminate confusion.
Q: Can a CSP mark a control as both "Implemented" and "Alternative Implemented" in the System Security Plan (SSP)?
A: Usually not. If a control is fully implemented, then only the "Implemented" box is checked. If there is an "Alternative Implementation" or "Partial Implementation" of any component of the control, then either Alternative or Partial is selected as appropriate. As an example, there may be two types of Access Control methods: one for an administrator with elevated privileges that is fully "Implemented," and a second access type for non-privileged users that has an "Alternative Implementation." The CSP would only check the box for Alternative Implementation, but explain the two implementations in the dialog box for that control. This is because during testing, the 3PAO will only determine whether the control is Implemented, Alternative Implementation, Partial Implementation, etc., but no combination. Then, the 3PAO will determine if the control implementation is Satisfied or Other than Satisfied for the implementation type provided.
Q: Can shareware or freeware be an integral part of the operational infrastructure of a CSP?
A: Shareware and freeware products that are typically available for PC or mobile device usage are not permitted in FedRAMP environments.
Open Source (no product or support costs) products, however, are permitted from reputable sources where the CSP has control over the source and executable code. The product must be subjected to continuous monitoring functions and vulnerability remediation.
9. OTHER DOCUMENTATION – PLAN OF ACTIONS AND MILESTONES (POA&M), READINESS ASSESSMENT REPORT (RAR), SCANS, AND INFORMATION SYSTEM CONTINGENCY PLAN (ISCP)
TIP: When submitting the monthly Plan of Actions and Milestones (POA&M) spreadsheet, the findings on the spreadsheet must be reconciled each month with the scan results to ensure POA&M accuracy. This means that any items that have closed throughout the month should be marked as such, and appropriate artifacts should be provided to validate closure.
All findings must be recorded on the open tab of the POA&M. A false positive (FP) vulnerability remains in the open tab until the deviation request (DR) is approved. An operationally required (OR) vulnerability remains on the open tab indefinitely and is only closed if the circumstances creating the OR are resolved, such as migration to a new technology. A vendor dependency also remains on the open tab indefinitely and is only closed once the CSP resolves the issue by applying a vendor-approved fix or upgrade.
Q: Is the FedRAMP High requirement in NIST 800-53 Identification and Authentication (IA)-2(4) met by a second device (such as a smartphone) receiving a one-time password, or must a hardware token (i.e., CAC/PIV) be used? The glossary seems to indicate they are equivalent as far as meeting the requirement, since the "Something You Have" category lists both.
A: The FedRAMP High baseline requires the use of FIPS Pub 201-compliant credentials, and PIVs/CACs meet this requirement. OMB Memo 11-11 requires federal Agencies to continue implementing the requirements specified in HSPD-12 to enable Agency-wide use of PIV credentials. Please see this link for more info:
http://www.nist.org/nist_plugins/content/content.php?content.49
The FedRAMP JAB has provided the following guidance to CSPs on the subject:
• When the first factor is a Password, the second factor must be one of the following:
   • Look-up Secret, e.g., a bingo card where you look up the OTP
   • Out of Band, e.g., a smartphone with a secure communications protocol to receive the OTP
   • Single Factor OTP Device, e.g., RSA SecurID or an OTP generator on CMDs
   • Single Factor Cryptographic Device, e.g., a digitally signed nonce using "embedded," "non-exportable" keys
• Email is not permitted for OTP
• SMS is not permitted for OTP
Q: What are the current vulnerability remediation timelines required to be FedRAMP Authorized?
A: The FedRAMP PMO does not differentiate between "Critical" and "High." However, FedRAMP requires mitigation of High-risk vulnerabilities within 30 days from discovery, Moderate-risk vulnerabilities within 90 days from discovery, and Low-risk vulnerabilities within 180 days from discovery.
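The monthly reconciliation described in the POA&M tip above (closed items marked with closure artifacts; false positives, operational requirements and vendor dependencies held open under their own rules) and the 30/90/180-day windows in this answer are the kind of check a CSP's ConMon lead runs before each submission. The following Python script is an added example of that check, not FedRAMP tooling and not the POA&M template: the record layout, status strings, finding identifiers and scan data are constructed for illustration and do not reproduce the template's columns A through Z.

```python
"""Reconcile a POA&M 'Open' tab against the month's scan results.

Added example, not FedRAMP's tooling. The record layout, status names,
finding identifiers and sample data below are constructed assumptions;
the real POA&M template's columns are not reproduced here.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows stated on the page; Critical is treated the same as High.
REMEDIATION_DAYS = {"critical": 30, "high": 30, "moderate": 90, "low": 180}


@dataclass(frozen=True)
class ScanFinding:
    finding_id: str   # assumed key: scanner plugin id + host
    severity: str
    first_seen: date


@dataclass
class PoamItem:
    poam_id: str
    finding_id: str
    severity: str
    discovered: date
    status: str = "open"          # assumed values: open, operational requirement,
                                  # vendor dependency, false positive (DR pending|approved)
    closure_evidence: str = ""    # artifact proving closure (e.g. a clean scan reference)


def due_date(severity, discovered):
    """Mitigation deadline: discovery date plus the window for that risk level."""
    return discovered + timedelta(days=REMEDIATION_DAYS[severity.lower()])


def reconcile(open_items, scan_findings, as_of):
    """Sort open POA&M items into what to close, keep, chase evidence for, or escalate."""
    seen = {f.finding_id for f in scan_findings}
    tracked = {i.finding_id for i in open_items}
    report = {k: [] for k in ("close", "needs_evidence", "keep_open", "overdue", "new")}
    for item in open_items:
        if item.status == "false positive (DR approved)":
            report["close"].append(item.poam_id)          # FP closes only once the DR is approved
        elif item.status == "false positive (DR pending)":
            report["keep_open"].append(item.poam_id)      # scanner still flags it; DR not yet approved
        elif item.finding_id not in seen:
            # No longer detected: close only when an artifact validates the closure.
            bucket = "close" if item.closure_evidence else "needs_evidence"
            report[bucket].append(item.poam_id)
        elif item.status in ("operational requirement", "vendor dependency"):
            report["keep_open"].append(item.poam_id)      # open indefinitely while the condition persists
        elif as_of > due_date(item.severity, item.discovered):
            report["overdue"].append(item.poam_id)        # past the 30/90/180-day window
        else:
            report["keep_open"].append(item.poam_id)
    report["new"] = sorted(seen - tracked)                # scan findings not yet on the Open tab
    return report


# Constructed sample data for one reporting month (not real findings).
AS_OF = date(2017, 6, 30)
OPEN_TAB = [
    PoamItem("V-001", "plugin-10001@web01", "high", date(2017, 5, 10)),
    PoamItem("V-002", "plugin-10002@db01", "moderate", date(2017, 4, 15)),
    PoamItem("V-003", "plugin-10003@app02", "low", date(2017, 1, 5),
             closure_evidence="scans/2017-06-app02.csv"),
    PoamItem("V-004", "plugin-10004@app02", "high", date(2017, 6, 1)),
    PoamItem("V-005", "plugin-10005@lb01", "moderate", date(2016, 11, 1),
             status="operational requirement"),
    PoamItem("V-006", "plugin-10006@web01", "low", date(2017, 3, 3),
             status="false positive (DR pending)"),
    PoamItem("V-007", "plugin-10007@web01", "low", date(2017, 3, 3),
             status="false positive (DR approved)"),
]
SCAN = [
    ScanFinding("plugin-10001@web01", "high", date(2017, 5, 10)),
    ScanFinding("plugin-10002@db01", "moderate", date(2017, 4, 15)),
    ScanFinding("plugin-10005@lb01", "moderate", date(2016, 11, 1)),
    ScanFinding("plugin-10006@web01", "low", date(2017, 3, 3)),
    ScanFinding("plugin-10008@db01", "critical", date(2017, 6, 20)),
]


def monthly_report():
    return reconcile(OPEN_TAB, SCAN, AS_OF)


if __name__ == "__main__":
    for bucket, ids in monthly_report().items():
        print(f"{bucket:15} {ids}")
```

With the sample data, V-001 (High, discovered 10 May, due 9 June) is reported overdue, V-003 closes because a closure artifact is attached while V-004 is held for evidence even though the scanner no longer sees it, the OR and pending-FP items stay open, and the new critical finding on db01 is flagged for addition to the Open tab with its own unique identifier.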
Q: Our CSP client has data centers in multiple locations throughout the United States. As part of the Readiness Assessment Report (RAR), FedRAMP requires in-person interviews. Does visiting one data center satisfy FedRAMP's requirement, or do we need to visit each location?
A: Visiting data centers is a best practice to enable you to view the security at the facility first-hand as part of your verification and validation efforts. If a CSP has multiple data centers, you are not required to visit each one as part of the RAR effort; however, during the Security Assessment Report (SAR) phase, we expect the 3PAO to visit each data center to perform in-person interviews, review documents as necessary, and validate some of the controls. Most CSPs remotely manage their systems, and the 3PAO needs to validate that the security capabilities are actually in place.
Q: What is the purpose of an Information System Contingency Plan (ISCP)?
A: Each CSP must develop and maintain contingency plans to address operational disruptions. The contingency plan (and test results) provides management with an evaluation of the preparedness of the CSP's cloud service offering in the event of a major disruption and/or a catastrophic event. The contingency plan ensures that operations resume and are eventually restored to a known state. The ISCP and Service Level Agreements drive the recovery test frequency and complexity and the recovery time frames. These contingency plans are a component of an effective security operations implementation.
Q: What types of databases are required to be scanned and how should they be tested?
A: The database scanning or manual testing requirements apply to all databases within the security boundary (i.e., those that reside in or are embedded in a host/application, as well as other databases). Databases that reside in a host (such as an appliance) need to be tested, and may require the tester to work with the relevant vendor to ensure that the security posture of the database residing in the host is appropriate. If the databases are not accessible by the scanners, alternate methods of database testing (such as manual tests) should be explored. The host on which the databases reside should be scanned as part of the infrastructure scanning.
Q: What can a CSP do to prepare for penetration testing and what risks are involved?
A: The FedRAMP Penetration Testing Methodology is comprehensive and follows NIST SP 800-115. Before considering this activity, a CSP should work with a Third Party Assessment Organization (3PAO) assessment team to discuss the ramifications of utilizing the FedRAMP Penetration Testing Methodology. Both the 3PAO assessment team and the CSP must determine, in writing and prior to the onset of the testing, the level of risk they are willing to accept for the assessment and tailor the approach accordingly.
Once the parameters have been tentatively agreed upon, the 3PAO penetration tester and assessment team should begin the security assessment activities with a planning phase that includes gathering information about the CSP environment and developing the test procedures. Only after completing the planning phase should the 3PAO assessment team proceed to the execution phase.
During the execution phase, the assessment team identifies vulnerabilities and validates that the vulnerabilities are not false positives. At the conclusion of the execution phase, the assessment team has a list of technical and process vulnerabilities. This list is used during the post-execution phase to determine root causes of vulnerabilities, recommend remediation actions, and document the test results in the Security Assessment Report (SAR).
Penetration testing risks can range from not gathering sufficient information on the organization's security posture (for fear of impacting system functionality) to affecting system or network availability by executing techniques without the proper safeguards in place.
Communication and thorough understanding are key.
Q: What purpose does the Plan of Action & Milestones (POA&M) document serve?
A: The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP's risk mitigation strategy. The POA&Ms include the findings and recommendations of the security assessment report and the continual security assessments. The POA&M identifies: (i) the tasks the CSP plans to accomplish, with a recommendation for completion either before or after information system implementation; (ii) any milestones the CSP has set in place for meeting the tasks; and (iii) the scheduled completion dates the CSP has set for the milestones.
FedRAMP uses the POA&M to monitor CSP progress in correcting weaknesses or deficiencies noted during the initial assessment, the annual security control assessment, and throughout the continuous monitoring process. The POA&M has columns labeled from A through Z, which must be filled in for each row, where each row is a uniquely identified vulnerability.
Use FedRAMP's Plan of Action and Milestones (POA&M) Template to track and manage POA&Ms. Please note that www.fedramp.gov is the official website from which to download FedRAMP templates.
The POA&M workbook has two spreadsheets, the "Open" tab and the "Closed" tab. The Open POA&M spreadsheet includes known security weaknesses within the cloud information system. Open POA&M items must comply with the following:
• If a finding is reported in the Security Assessment Report (SAR) and/or in the continuous monitoring activities, the finding must be included as an item on the POA&M.
• False positives identified in the SAR (Appendices C, D, and E), along with supporting evidence (for example, a clean scan report), do not have to be included in the POA&M.
• Each line item on the POA&M must have a unique identifier. This unique identifier must pair with a respective SAR finding and/or any continuous monitoring vulnerability.
• All high and critical risk findings must be remediated prior to receiving a JAB Provisional Authorization.
• High and critical risk findings identified following JAB Provisional Authorization through continuous monitoring activities must be mitigated within 30 days after identification.
• Moderate findings shall have a mitigation date within 90 days of the JAB Provisional Authorization date or within 90 days of identification as part of continuous monitoring activities.
• The POA&M must be submitted in an appropriate format for the FedRAMP automated processes.
Q: What criteria must a Plan of Actions & Milestones (POA&M) document meet in order to accurately record the findings of the annual assessment Security Assessment Report (SAR)?
A: When recording the findings of the Annual Assessment SAR in the POA&M, a Cloud Service Provider (CSP) needs to ensure that they are utilizing the most current FedRAMP POA&M template available on the FedRAMP website. If the template has been updated since the last annual assessment, the CSP should update and transfer data and information to the latest version.
The Annual Assessment POA&M differs from the initial POA&M, as the initial POA&M does not track POA&M items through the Continuous Monitoring process. If a CSP has an existing POA&M workbook that has been maintained since P-ATO, the POA&M is updated with all of the items from the Annual Assessment SAR. The findings in the SAR must exactly match the items recorded in the POA&M "Open" tab, so that during the Third Party Assessment Organization (3PAO) assessment, a 3PAO can investigate and validate the status of any "Open" POA&M items.
The SAR must then accurately report all risk items that are still open (recorded on the "Open" tab of the POA&M), and then record any new items identified during the assessment. If a CSP has an existing POA&M that has been maintained since P-ATO, all the findings from the Annual Assessment need to be appended to the POA&M in the "Open" tab. Until the SAR is JAB-approved, the new items derived from the Annual Assessment will be in a pending status, but they are still valid risks identified by the 3PAO for the system. Once the SAR is approved, the CSP will reconcile the JAB approvals/concerns with what is in the existing POA&M. The updated POA&M is then the POA&M of record for the next monthly Continuous Monitoring cycle.
TIP: When submitting the monthly Plan of Actions and Milestones (POA&M) spreadsheet, the date at the top of the sheet (header) needs to be updated.
This date, along with dates from the individual scans provided by the CSP, is used by the Continuous Monitoring team as the reference point for different date-related issues/items in the POA&M. For example, any vendor dependency check-in dates listed in the POA&M will be referenced against the date in the header of the POA&M.
Missing or incorrect listings in that header could be considered non-adherence to scanning requirements or non-compliant delivery of scan results (bad scans, bad POA&Ms, etc.) and result in a CAP.
Q: A service previously documented in the System Security Plan (SSP) was renamed. How do we reflect the name change when we submit a Deviation Request (DR) for a vulnerability that affects the renamed service?
A: Please provide a brief contextual description of the renamed service and reference its documented name in the SSP. This enables the reviewer to look up the service by its original name in the SSP.
Q: Are CSPs expected to maintain Continuous Monitoring activities while undergoing an annual assessment?
A: Yes. CSPs are expected to maintain Continuous Monitoring activities while undergoing an annual assessment, including timely remediation of POA&Ms and submission of monthly deliverables. FedRAMP does not allow exceptions for this.
TIP: When submitting a Significant Change Request (SCR), always discuss the change with your reviewer prior to submitting the form.
A CSP is often inclined to err on the side of caution and evaluate a change as significant when it may not be (or vice versa), and the reviewer can assist in this decision. Additionally, the reviewer will be able to assist the CSP with wording on the form, as well as the timing of when it is submitted. As an example, the reviewer may advise that a change deemed "significant", requiring more extensive testing, may be done in conjunction with an upcoming Annual Assessment.
TIP: CSPs should be sure to include closure dates for Plan of Action & Milestones (POA&M) items even if they have been moved to the closed tabs.
Please be sure to include these dates boldly in the comment section. This provides a clear picture of the status of POA&M items.
TIP: When submitting the Annual Assessment (AA) package, the final Security Assessment Plan (SAP), Security Assessment Report (SAR), System Security Plan (SSP) and Plan of Action & Milestones (POA&M) documents must be submitted no later than the P-ATO anniversary date.
CSPs should plan carefully to ensure all documents are completed and submitted for the Annual Assessment no later than the P-ATO anniversary date. FedRAMP often receives partial packages (e.g. with only the SAP and SAR and not the SSP and POA&M). If FedRAMP does not receive a complete package (with documents in a final draft form) by the P-ATO anniversary date, the package is considered late and the CSP will be placed on a corrective action plan (CAP) in accordance with the FedRAMP P-ATO Management and Revocation Guide.
The POA&M provided must be updated to include the findings from the SAR. For the SSP provided, the NIST SP 800-53 controls in that SSP must be updated to match the status reflected in the SAR. The CSPs and 3PAO should allow for these POA&M and SSP update tasks in the annual assessment schedule.
TIP: In the "Description of Risk to the System" section of the Deviation Request, do NOT copy and paste the vulnerability description from the source.
It is necessary to explain the vulnerability within the context of the system and the potential risk should a threat exploit that vulnerability.
A vulnerability description from a scanner does not provide the description of risk presented to the system. The reviewers should be able to discern the risk presented. Reviewers can generally research the vulnerabilities themselves, but the CSP needs to provide the risk presented to the system.
TIP: Deviation Requests (DRs) should be submitted early enough for a reasonable expectation of approval before the initial expected remediation date.
DRs should not be submitted on or after the expected closure date of the Plan of Action & Milestones (POA&M). A DR for a High vulnerability should be submitted along with the initial POA&M listing the vulnerability, or at least before the next month's POA&M submission. A Moderate risk adjustment should be submitted before the 3rd POA&M submission. Deviation requests that are submitted at the due date can demonstrate a reactive approach to security, rather than a proactive approach.
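The DR timing rules in this tip, as an added example that is not part of the FedRAMP document: a small Python checker run over constructed POA&M entries, where the monthly submission dates, the item layout and the field names are all assumed.

```python
"""Added, hypothetical checker for Deviation Request (DR) timing against the
POA&M schedule. Not FedRAMP tooling; the POA&M layout and dates are assumed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed monthly POA&M submission dates (index 0 = first submission that
# can list a finding). In practice these come from each POA&M header date.
SUBMISSIONS = [date(2017, 1, 5), date(2017, 2, 5), date(2017, 3, 5), date(2017, 4, 5)]

# Submissions allowed after the one that first lists the finding:
# High -> before the next month's POA&M; Moderate -> before the 3rd submission.
MAX_SUBMISSIONS_AFTER_FIRST = {"High": 1, "Moderate": 2}

@dataclass
class PoamItem:
    poam_id: str                  # identifier as recorded on the "Open" tab
    severity: str                 # "High" or "Moderate"
    first_listed: int             # index into SUBMISSIONS of the first POA&M listing it
    scheduled_completion: date    # expected closure date on the POA&M
    dr_submitted: Optional[date]  # None if no DR has been filed

def check_dr_timing(item: PoamItem, submissions=SUBMISSIONS) -> list[str]:
    """Return timing problems for one item; an empty list means the DR is on time."""
    problems: list[str] = []
    if item.dr_submitted is None:
        return problems  # no DR: remediation is expected on schedule
    # Rule 1: never on or after the expected closure date.
    if item.dr_submitted >= item.scheduled_completion:
        problems.append(f"{item.poam_id}: DR filed on/after scheduled completion")
    # Rule 2: severity-specific deadline, counted in POA&M submissions.
    window = MAX_SUBMISSIONS_AFTER_FIRST.get(item.severity)
    if window is None:
        return problems
    deadline_idx = item.first_listed + window
    if deadline_idx < len(submissions) and item.dr_submitted >= submissions[deadline_idx]:
        problems.append(f"{item.poam_id}: {item.severity} DR filed after submission #{deadline_idx + 1}")
    return problems

def check_all(items, submissions=SUBMISSIONS) -> dict[str, list[str]]:
    return {i.poam_id: check_dr_timing(i, submissions) for i in items}

# Constructed sample items (not real findings).
SAMPLE = [
    PoamItem("V-001", "High", 0, date(2017, 2, 1), date(2017, 1, 20)),      # on time
    PoamItem("V-002", "High", 0, date(2017, 3, 1), date(2017, 2, 10)),      # after Feb POA&M
    PoamItem("V-003", "Moderate", 0, date(2017, 4, 1), date(2017, 3, 4)),   # before 3rd POA&M
    PoamItem("V-004", "Moderate", 1, date(2017, 3, 15), date(2017, 3, 15)), # on closure date
]

if __name__ == "__main__":
    for pid, probs in check_all(SAMPLE).items():
        print(pid, "OK" if not probs else "; ".join(probs))
```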
TIP: When submitting a Microsoft Outlook, Gmail, or email from other messaging systems as evidence, ensure that it is captured in a common format such as a Microsoft Word file or Adobe PDF.
This helps to eliminate issues with dissimilar email systems. The preferred method is to avoid the use of email altogether and use secure methods for transmitting and storing evidence.