Many of our Cloud Service Providers (CSPs), Federal Agencies, and Third Party Assessment Organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we provide weekly tips and address frequently asked questions and concerns. Below you will find our most recent month of Tips & Cues. To receive our weekly email, sign up here for our listserv.
You can also review and search all of our past Tips & Cues by downloading our compilation document here.
November 2018 Tips & Cues
TIP: Using a graphic to depict the security accreditation boundary is crucial for the assessor to fully understand the security enclave the CSP is addressing.
The Boundary Diagram is essential because it depicts, and helps the reader understand, the components managed within the boundary, the systems leveraged external to the boundary (such as the hosting IaaS), and the interconnections between them. Further guidance on preparing the Boundary Diagram can be found on our FedRAMP Documents Page in the document titled "FedRAMP Authorization Boundary Guidance". (November 7, 2018)
Q: The new Vulnerability Deviation Request Form has changed from a PDF to Excel format. Can we add all Deviation Requests (DRs) to one spreadsheet, or do we have to submit a new spreadsheet for each DR?
A: Yes. You can add all DRs to one spreadsheet; each row in the Excel file is a new DR. (November 7, 2018)
Q: Do the FedRAMP security controls restrict data to reside only within the United States?
A: There are no FedRAMP requirements restricting data to within the United States. There are multiple security controls that detail where data is stored, what the boundary of the system is, and where and how data in transit is protected. We have some providers that are authorized through FedRAMP that are located globally, although a majority of service providers do restrict their data to the United States. It is up to each individual Agency and Authorizing Official to place restrictions, if needed, on data location. Cloud service providers should work with current and potential customers to determine data location requirements. (November 14, 2018)
Q: How can an Agency ensure it maintains reasonable investigation capabilities, auditability, and traceability of data within the cloud?
A: Agencies can ensure they maintain reasonable investigation capabilities, auditability, and traceability of data by logging and monitoring the following application events:
- Management of network connections
- Addition or removal of users
- Management of changes to privileges
- Assignment of users to tokens
- Addition or removal of tokens
- Management of system administrative privileges access
- Actions by users with administrative privileges
- Use of data encrypting keys
- Management of key changes
- Creation and removal of system level objects
- Import and export of data, including screen based reports
- Submission of user-generated content, especially file uploads (November 14, 2018)
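A practical way to check that an application's audit trail actually covers the event categories listed above is to map each of the application's own event types to one of those categories and then report which categories never appear in a log sample. The script below is an added example, not code from the FedRAMP page: the category keys, the JSON record schema, the event-type mapping, and the sample log lines are all assumptions constructed for illustration. Records that lack an actor are rejected, because an event that cannot be tied to an actor gives no traceability.

```python
"""Audit-log coverage check against the list of application events above.

Added example; not part of the FedRAMP page. The category keys, the
record schema (REQUIRED_FIELDS), the event-type mapping and SAMPLE_LOG
are assumptions constructed for illustration only.
"""
import json
from collections import defaultdict

# One short key per event category in the answer above (assumed names).
REQUIRED_CATEGORIES = {
    "network_connection_mgmt", "user_add_remove", "privilege_change",
    "token_assignment", "token_add_remove", "admin_privilege_mgmt",
    "admin_action", "key_use", "key_change", "system_object_lifecycle",
    "data_import_export", "user_content_submission",
}

# Hypothetical mapping from the application's own event types to categories.
EVENT_CATEGORY = {
    "net.conn.open": "network_connection_mgmt",
    "net.conn.close": "network_connection_mgmt",
    "user.create": "user_add_remove",
    "user.delete": "user_add_remove",
    "user.role.grant": "privilege_change",
    "user.role.revoke": "privilege_change",
    "token.assign": "token_assignment",
    "token.create": "token_add_remove",
    "token.revoke": "token_add_remove",
    "admin.grant": "admin_privilege_mgmt",
    "admin.action": "admin_action",
    "kms.encrypt": "key_use",
    "kms.decrypt": "key_use",
    "kms.rotate": "key_change",
    "object.create": "system_object_lifecycle",
    "object.delete": "system_object_lifecycle",
    "data.import": "data_import_export",
    "data.export": "data_import_export",
    "upload.file": "user_content_submission",
}

# Fields every record must carry so the event can be traced to an actor.
REQUIRED_FIELDS = ("ts", "event", "actor", "outcome")

# Constructed sample log (JSON lines). One line is not JSON and one
# kms.rotate record has no actor; both must be rejected.
SAMPLE_LOG = [
    '{"ts":"2018-11-14T10:00:01Z","event":"user.create","actor":"admin1","target":"jdoe","outcome":"success"}',
    '{"ts":"2018-11-14T10:00:05Z","event":"user.role.grant","actor":"admin1","target":"jdoe","role":"analyst","outcome":"success"}',
    '{"ts":"2018-11-14T10:01:00Z","event":"token.assign","actor":"admin1","target":"jdoe","token_id":"t-123","outcome":"success"}',
    '{"ts":"2018-11-14T10:02:00Z","event":"kms.decrypt","actor":"svc-app","key_id":"k-1","outcome":"success"}',
    '{"ts":"2018-11-14T10:02:30Z","event":"kms.rotate","key_id":"k-1","outcome":"success"}',
    '{"ts":"2018-11-14T10:03:00Z","event":"data.export","actor":"jdoe","object":"report-42","outcome":"success"}',
    '{"ts":"2018-11-14T10:04:00Z","event":"upload.file","actor":"jdoe","object":"q3.xlsx","outcome":"success"}',
    '{"ts":"2018-11-14T10:05:00Z","event":"admin.action","actor":"admin1","detail":"restart service","outcome":"success"}',
    'garbage line that is not JSON',
    '{"ts":"2018-11-14T10:06:00Z","event":"login","actor":"jdoe","outcome":"success"}',
]


def parse_audit_line(line):
    """Parse one JSON audit record; return None if it is malformed or
    lacks a field needed for traceability."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not all(f in rec for f in REQUIRED_FIELDS):
        return None
    return rec


def coverage_report(lines):
    """Return a dict with the categories seen, the required categories
    missing from the sample, per-category counts, and how many lines
    were malformed or mapped to no category."""
    counts = defaultdict(int)
    malformed = unmapped = 0
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            malformed += 1
            continue
        cat = EVENT_CATEGORY.get(rec["event"])
        if cat is None:
            unmapped += 1  # event type not tied to any required category
            continue
        counts[cat] += 1
    covered = set(counts)
    return {
        "covered": covered,
        "missing": REQUIRED_CATEGORIES - covered,
        "counts": dict(counts),
        "malformed": malformed,
        "unmapped": unmapped,
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_LOG)
    for cat in sorted(report["missing"]):
        print("no events logged for category:", cat)
    print("malformed/untraceable records:", report["malformed"])
    print("unmapped event types:", report["unmapped"])
```

Run against real logs, an empty "covered" set for a category means the application either does not emit that event or the log pipeline drops it; either way the Agency has no evidence for that category when an investigation is needed. The unmapped count is worth watching too, since new event types that nobody classified are the ones most likely to be missed.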
Q: Could you explain the purpose and process behind requiring a CSP to complete an incident response test and contingency plan test before their 3PAO assessment?
A: It is important that the incident response test and the contingency plan test are done before a 3PAO assessment in order to ensure that the processes are functioning as intended and that lessons learned can be integrated into the plan. If a CSP does not complete an incident response test and contingency plan test before the 3PAO assessment, the Joint Authorization Board (JAB) will not issue the cloud offering a Provisional Authorization to Operate (P-ATO). These tests must be conducted in accordance with NIST SP 800-53, and the results should be made available to the 3PAO for evaluation. Once a P-ATO is granted, the tests should continue to be completed prior to the annual assessment so that the 3PAO can evaluate the results as part of that assessment. (November 21, 2018)
TIP: Your FedRAMP or government liaison is here to help guide you through the FedRAMP process. Communication is imperative to getting through the FedRAMP process! The better the communication, the smoother the process will go.
If you have any questions or concerns, or just want to brainstorm ideas, your FedRAMP liaison can share the potential impacts of any proposal you have. If you're not sure whether a control implementation should be "Not Applicable" or an "Alternative Implementation," your liaison can help! And if you're unclear on how to describe your PIV/CAC implementation, your government liaison can point you in the right direction! (November 21, 2018)
Q: If a FedRAMP-Authorized service offers several multi-factor authentication (MFA) methods to remotely access that service, may I use any of those forms of multifactor authentication to access the service?
A: Cryptographic functions are used at many levels of the cloud stack, and Agency customers must ask the CSP about the depth of cryptography used. FedRAMP asks CSPs that offer multiple MFA methods to clearly document within their SSP which of those methods, and which cryptographic modules along the authentication pathway, are FIPS-validated and which are not. You should ensure that both you and the CSP use a FIPS 140-2 validated, National Information Assurance Partnership (NIAP)-certified, or NSA-approved MFA device for access to the service, or to any FedRAMP Cloud Service, in accordance with the FedRAMP-specified parameters and guidance for Security Control IA-2(11) in the System Security Plan (SSP) templates. In short: not every MFA method a service offers is necessarily acceptable; choose one the SSP documents as meeting IA-2(11). (November 28, 2018)
Q: Should I repeat the control requirement?
A: Do not repeat the control requirement. Feel free to use the control requirement as a jumping-off point to write a detailed, specific implementation. Additionally, use the same action and key words from the control requirement when describing your implementation, so it is clear exactly how the implementation meets the stated requirements. (November 28, 2018)