Many of our Cloud Service Providers (CSPs), Federal Agencies, and Third Party Assessment Organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we provide bi-weekly tips and address frequently asked questions and concerns. Below you will find our most recent month of Tips & Cues. To receive our bi-weekly email, sign up here for our listserv.
June, July & August 2019 Tips & Cues
TIP: For Low Impact SaaS (LI-SaaS "Tailored"), the following information should be included in the “Summary of Risks” and “Summary of Remediation Plans” files:
The 3PAO performing the FedRAMP assessment of an LI-SaaS system should include findings from Appendix B control testing, Appendix E control attestation, and Vulnerability Scans of the authorization boundary in the Summary of Risks Table in Appendix B, Section 15. The Cloud Service Provider (CSP) should list any findings that haven't been remediated after assessment in the “Summary of Remediation Plans” in Appendix B, Section 16, which is an abbreviated version of the Plan of Actions and Milestones (POA&M), the tracking system used in other FedRAMP baselines. The “Summary of Remediation Plans” document is maintained after authorization to capture and manage not only Initial Authorization findings, but also findings from monthly vulnerability scans and future Annual Assessments.
Q: I’m curious about when I can be listed on the FedRAMP Marketplace as In Process. What are some key requirements I should be aware of?
A: In June 2019, FedRAMP released FedRAMP Marketplace Designations For Cloud Service Providers. This document lists the requirements for listing a CSP as In Process on the FedRAMP Marketplace.
One of the requirements is that "The full 3PAO assessment is planned for no more than six months from the date of email." This requirement ensures that CSOs are fully operational and ready for testing within six months. We expect CSOs to achieve FedRAMP authorization within twelve months of being designated as In Process.
Why does FedRAMP require this? We have found that the likelihood of achieving an authorization within twelve months is very low if the actual testing doesn't begin within six months. There simply is not enough time on the back-end for remediation activities and Agency review. We added the six-month buffer as a requirement to ensure that CSPs will be successful, and to avoid revoking a CSP's In Process status. We also recognize that CSPs may not be able to provide evidence of a scheduled 3PAO assessment that far in advance, so we don't ask for actual evidence. Instead, the PMO monitors the CSP's progress through occasional check-ins.
Q: The Readiness Assessment Review Process (RAR) requires vendors to identify the function and purpose of Application Programming Interfaces (APIs). Why is this important?
A: Cloud Service Providers (CSPs) often provide applications that their customers use to access, interface with, and transfer Federal Data between the Agency Boundary and their tenant within the Software as a Service (SaaS). These applications are identified in the System Security Plan (SSP) inventory and within several security controls that focus on application maintenance/distribution responsibilities (CSP and/or customer responsibility) and the flow of Federal data. CSPs also often provide APIs that can be incorporated into customer-developed software to perform the same type of functions as the other vendor-provided applications. The APIs need to be identified in the same way as these other applications, but they are often overlooked and left out of the SSP. Here are a few things to keep in mind when documenting APIs:
- Every API needs to be treated as an external interconnection. They need to be documented and tested by your 3PAO.
- API access requires authentication, just like users, and it needs to be documented. Depending on the sensitivity of the data, access controls such as strong passwords, certificates, and rate limiting should be applied, as appropriate.
- Some systems interface with customer-supplied APIs, or allow customers to build and publish their own APIs. Since these APIs do not exist at the time of FedRAMP authorization, they cannot be fully tested. Even so, the existence of these capabilities must be fully documented. At a minimum, typical APIs should be shown on the boundary, controls that can be inherited should describe API protections, and 3PAOs should test these as they would for any external connection.
Q: I was told that FedRAMP does not Authorize IaaS (Infrastructure as a Service) at the Low Security Baseline. Why is this the case?
A: There is no FedRAMP restriction prohibiting Authorization of Low IaaS. Rather, the PMO generally does not prioritize Low systems, so they are rarely considered. The reason is that U.S. Federal Agencies typically ATO their systems at the Moderate and High baselines, so a Low IaaS would not be an acceptable host. In fact, Agencies usually build their Private Clouds on High baseline IaaS, then ATO their applications at Moderate, leveraging the High IaaS. Low infrastructures are sometimes included in Low Impact SaaS Authorizations, but they are not Authorized as an IaaS, just as the data center component of the LI-SaaS. FedRAMP prioritizes High/Moderate (IaaS, PaaS and SaaS) and Low-Impact SaaS.
When submitting a Significant Change Request (SCR), please be sure to submit everything that is needed for the reviewers to start their review of the SCR.
For instance, if the significant change is a new technology, please make sure you include the SCR, new technology control worksheet, and the Security Assessment Plan (SAP). If the SAP is not submitted with the SCR, the reviewers cannot make an adjudication. In addition, if the SAP is not included in the submission, please provide it before the 3PAO Assessment.
Q: “The SA-9 control defines the requirements for external information services, including the requirement for 3PAOs to assess the risk associated with the use of external services. What should the 3PAO keep in mind when assessing external services as part of the assessment of the SA-9 Control?”
A: Generally, JAB systems can only leverage External Services that are also FedRAMP Authorized at the same security baseline as the leveraging service. High Baseline systems should only leverage other FedRAMP JAB systems Authorized at the High Baseline. Moderate JAB systems should only leverage Moderate or High Baseline JAB External Systems. There may be flexibility with FedRAMP Agency systems, though. The Agency Authorization Official (AO) may be willing to accept the risk associated with permitting External Systems that are not yet FedRAMP Authorized. 3PAOs should identify the External Systems that are leveraged, but not authorized, as a finding tied to SA-9 and list it among “Remaining Risks” for the system.
TIP: Cloud Service Providers (CSPs) pursuing a JAB P-ATO have asked about how to implement new technologies. New technologies have a minimum control set in the significant change policy and procedures. The assumption is that all the controls will be assessed unless the 3PAO provides a rationale for excluding controls or scoping the assessment of the controls as:
- Not Applicable (N/A) - The nature of the component means it inherently does not contain this capability and will not be tested (e.g. controls that apply to collaborative computing devices only apply if that capability exists in the system)
- Not Selected (N/S) - A centralized automated mechanism ensures the implementation of the specific control, and that central automated mechanism has already been assessed to ensure that it is operating as intended and producing the desired result. Therefore, the assessment of the control will be scoped to only verifying/validating that the component is integrated into the centralized automated mechanism. Here are a few examples of centralized and/or automated mechanisms that implement other controls:
  - AC-2 (1) - The organization employs automated mechanisms to support the management of information system accounts
  - AU-7 - The information system provides an audit reduction and report generation capability
  - CM-6 (1) - The organization employs automated mechanisms to centrally manage, apply, and verify the configuration settings for organization-defined information system components.
JAB reviewers will review each rationale for excluding controls from assessment or scoping the assessment of the control to determine if they concur.
Q: A CSP asked, “What is the process for handling False Positives found during Initial or Annual Assessment when the Security Assessment Report (SAR) is closed but has not yet been approved by the Sponsoring Agency?”
A: All of the False Positives found during the Annual Assessment should be added to the Plan of Action and Milestones (POA&M) list. If they are approved before the SAR is closed/signed, they are moved to the Closed Tab of the POA&M list. If they have not been approved, they should remain in the Open Tab of the POA&M list until approved. Then, at least annually during assessment, the False Positives should be re-evaluated to confirm that they are still False Positives. For more information on handling the Annual Assessment and scan findings, check out the CSP Continuous Monitoring Strategy Guide.
TIP: IA-5 (1) Control - FedRAMP guidance states that if password policies are compliant with NIST SP 800-63B Memorized Secret Guidance (Section 5.1.1), the control may be considered compliant.
NIST SP 800-63B specifies that memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. For guidance on the subject of passwords, refer to NIST SP 800-63B.
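As an added example (not FedRAMP's or NIST's own text or code), the following Python encodes the two length floors quoted above and goes slightly beyond the page with two further Section 5.1.1 rules from SP 800-63B: characters are counted as Unicode code points, and verifiers should accept subscriber-chosen secrets of at least 64 characters. The policy dictionary keys and function names are assumptions for illustration.

```python
"""Checks a memorized-secret policy, and individual secrets, against the
NIST SP 800-63B Section 5.1.1 length rules (added example, not NIST code)."""
import secrets
import string

# Length floors quoted on this page from SP 800-63B 5.1.1.1.
MIN_SUBSCRIBER_CHOSEN = 8    # SHALL be >= 8 characters when the subscriber picks it
MIN_VERIFIER_GENERATED = 6   # SHALL be >= 6 characters (MAY be all digits) when the verifier picks it
# From SP 800-63B 5.1.1.2 (not quoted on the page): verifiers SHOULD accept
# subscriber-chosen secrets of at least 64 characters.
SHOULD_PERMIT_UP_TO = 64


def policy_findings(policy: dict) -> list[str]:
    """Return IA-5(1) findings for a password policy stated the way an SSP would.

    `policy` is a constructed dict with keys subscriber_min_length,
    generated_min_length and max_length_permitted (key names are assumptions).
    """
    findings = []
    if policy.get("subscriber_min_length", 0) < MIN_SUBSCRIBER_CHOSEN:
        findings.append("subscriber-chosen minimum below 8 characters")
    if policy.get("generated_min_length", 0) < MIN_VERIFIER_GENERATED:
        findings.append("verifier-generated minimum below 6 characters")
    if policy.get("max_length_permitted", 0) < SHOULD_PERMIT_UP_TO:
        findings.append("maximum accepted length below 64 characters")
    return findings


def secret_is_compliant(secret: str, subscriber_chosen: bool) -> bool:
    """Length check for one secret. len() on a Python str counts Unicode code
    points, which is how 800-63B says characters SHALL be counted, so
    'pässwörd' is 8 characters even though it is more than 8 bytes in UTF-8."""
    minimum = MIN_SUBSCRIBER_CHOSEN if subscriber_chosen else MIN_VERIFIER_GENERATED
    return len(secret) >= minimum


def generate_numeric_secret(length: int = MIN_VERIFIER_GENERATED) -> str:
    """Verifier-chosen, entirely numeric secret drawn from a CSPRNG (`secrets`)."""
    if length < MIN_VERIFIER_GENERATED:
        raise ValueError("verifier-generated secrets must be at least 6 characters")
    return "".join(secrets.choice(string.digits) for _ in range(length))


# Constructed sample policies: a weak one beside one that meets the guidance.
WEAK_POLICY = {"subscriber_min_length": 6, "generated_min_length": 4, "max_length_permitted": 16}
COMPLIANT_POLICY = {"subscriber_min_length": 8, "generated_min_length": 6, "max_length_permitted": 128}

if __name__ == "__main__":
    print(policy_findings(WEAK_POLICY))       # three findings
    print(policy_findings(COMPLIANT_POLICY))  # []
    print(secret_is_compliant("pässwörd", True), secret_is_compliant("12345", False))
```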
TIP: Significant Change Requests (SCRs) for uplift from the Moderate to the High baseline require scan and pentest reports to be submitted.
Some vulnerability and penetration tests from a recent Moderate Annual Assessment may still be acceptable for the High baseline uplift. However, a full analysis needs to be conducted to determine which controls need to be tested. The analysis must consider the additional controls for High, the freshness of Annual Assessment testing, and the need to ensure that all controls are tested within the three-year time frame. For more on this, please refer to the Continuous Monitoring performance documents on the FedRAMP Website.