
Tips & Cues

Many of our Cloud Service Providers (CSPs), Federal Agencies, and Third Party Assessment Organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we provide weekly tips and address frequently asked questions and concerns. Below you will find our most recent month of Tips & Cues. To receive our weekly email, sign up here for our listserv.

You can also review and search all of our past Tips & Cues by downloading our compilation document here.

June 2018 Tips & Cues

TIP: When submitting final documents, please also provide extracted versions of embedded documents.

This will facilitate the preparation of the final package for customer review. (June 6, 2018)

TIP: In the System Security Plan (SSP), control CA-3 (3) “CA-3, Control Enhancement 3” should be implemented.

TIC-compliant architectures are required by the FedRAMP security controls baseline. TIC compliance is a hybrid responsibility: CSPs must have an architecture that supports TIC, and Agencies must enforce TIC routing and compliance. (June 6, 2018)

TIP: The rationale for Risk Adjustment (RA) and Operational Requirement (OR) provided in deviation requests should be based exclusively on risk (e.g., a description of the likelihood and/or impact if the vulnerability were exploited, and why), not on the availability or priority of resources.

For the purposes of RA and OR deviation requests, the discussion should be based on security risk. Make every effort to detail the original risk score and the adjusted risk score, with a clear description of the mitigations that contribute to the downgrade, so that the remaining risk is understood. (June 13, 2018)

TIP: FedRAMP will perform a completeness check of the Security Assessment Report (SAR).

This includes checking that all controls were assessed, all vulnerabilities are accounted for in the SAR, and all inventory items were scanned or assessed via alternate means. In order to prevent delays, ensure that:

- All scan vulnerability IDs are included in all SAR tables where they are reported. This typically includes tables 4-1, 5-1, 5-2, 5-3, and F-6.

- All control-related findings have the control ID referenced in all SAR tables where they are reported. This typically includes tables 4-1, 5-1, 5-2, 5-3, and F-6.

- There is a result in the controls assessment workbook for every control that was selected for assessment in the previously approved Security Assessment Plan (SAP).

- Every control that has not been satisfied in the controls assessment workbook is included in Table 4-1 with the control ID referenced.

(June 13, 2018)

TIP: If an optional feature in a CSP’s product affects the customer’s security responsibilities, these customer responsibilities need to be notated in the Customer Responsibility Matrix.

In addition, the feature must be explicitly identified as being applicable for customers who purchase the optional feature. (June 20, 2018)

TIP: CSPs must submit a risk adjustment (RA) deviation request (DR) for any High impact vulnerabilities that are also vendor dependencies.

High impact vendor dependencies must be risk adjusted to at least a Moderate. Make sure to include any mitigation methods/compensating controls. (June 20, 2018)

TIP: TLS version 1.1 or higher must be fully implemented for both public-facing and internal interfaces by July 1, 2018, in accordance with the FedRAMP Transport Layer Security (TLS) Requirements.

Control documentation should contain sufficient detail to describe TLS implementation for both public-facing and internal interfaces (if applicable). (June 27, 2018)
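The tip above applies to public-facing and internal interfaces alike, so an inventory-driven check is a practical way to back up the control documentation. The following audit script is an added example, not FedRAMP tooling; the interface inventory is constructed, and the function names and the protocol-name spellings it accepts are my own assumptions.

```python
"""Audit an interface inventory for TLS protocol versions below the required minimum.

Constructed sample data and hypothetical helper names; not FedRAMP's own tooling.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_REQUIRED: Tuple[int, int] = (1, 1)  # TLS 1.1 per the tip; use (1, 2) for a stricter policy

# Protocol spellings commonly seen in server configs, mapped to (major, minor).
# SSL 2.0/3.0 are ranked below every TLS version so they always fail the check.
_PROTOCOL_VERSIONS = {
    "sslv2": (0, 2), "sslv3": (0, 3),
    "tlsv1": (1, 0), "tlsv1.0": (1, 0),
    "tlsv1.1": (1, 1), "tlsv1.2": (1, 2), "tlsv1.3": (1, 3),
}


def parse_protocol(name: str) -> Tuple[int, int]:
    """Normalise a protocol name to a comparable version tuple; reject unknown spellings."""
    key = name.strip().lower()
    if key not in _PROTOCOL_VERSIONS:
        raise ValueError(f"unknown protocol spelling: {name!r}")
    return _PROTOCOL_VERSIONS[key]


@dataclass
class Interface:
    name: str
    public_facing: bool          # recorded for the SSP; the minimum applies either way
    protocols: List[str]         # protocol versions the interface is configured to accept


def audit_interface(iface: Interface, minimum=MIN_REQUIRED) -> List[str]:
    """Return the enabled protocols below the minimum (an empty list means compliant)."""
    return [p for p in iface.protocols if parse_protocol(p) < minimum]


def audit_inventory(inventory: List[Interface], minimum=MIN_REQUIRED) -> Dict[str, List[str]]:
    """Map each non-compliant interface name to the protocols that must be disabled."""
    findings = {}
    for iface in inventory:
        weak = audit_interface(iface, minimum)
        if weak:
            findings[iface.name] = weak
    return findings


# Constructed inventory (not from any real system): one compliant public interface,
# one public interface still accepting TLS 1.0, and one internal interface still accepting SSLv3.
SAMPLE_INVENTORY = [
    Interface("customer-portal", True, ["TLSv1.2", "TLSv1.3"]),
    Interface("legacy-api", True, ["TLSv1", "TLSv1.1", "TLSv1.2"]),
    Interface("internal-db-proxy", False, ["SSLv3", "TLSv1.2"]),
]

if __name__ == "__main__":
    for name, weak in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: disable {', '.join(weak)}")
```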

TIP: If an incident requires notification to US-CERT, it almost always requires notification to Federal customers whose data could have been impacted or exposed.

Regardless of whether it is strictly required, this is a best practice for customer relationship management. Inspectors General (IGs) for all agencies have access to all US-CERT incidents, as they use them for their annual audits of agency incidents. Therefore, if an IG has access to an incident notification for a system an agency uses, the agency customer should be informed as well. (June 27, 2018)