Many of our Cloud Service Providers (CSPs), Federal Agencies, and Third Party Assessment Organizations (3PAOs) share common issues and questions when going through the FedRAMP process. To help guide our stakeholders, we provide bi-weekly tips and address frequently asked questions and concerns. Below you will find our most recent month of Tips & Cues. To receive our bi-weekly email, sign up here for our listserv.
June & July 2019 Tips & Cues
When submitting a Significant Change Request (SCR), please be sure to submit everything that is needed for the reviewers to start their review of the SCR.
For instance, if the significant change is a new technology, please make sure you include the SCR, the new technology control worksheet, and the Security Assessment Plan (SAP). If the SAP is not submitted with the SCR, the reviewers cannot make an adjudication. In addition, if the SAP is not included in the submission, please provide it before the 3PAO Assessment.
Q: “The SA-9 control defines the requirements for external information services, including the requirement for 3PAOs to assess the risk associated with the use of external services. What should the 3PAO keep in mind when assessing external services as part of the assessment of the SA-9 control?”
A: Generally, JAB systems can only leverage External Services that are also FedRAMP Authorized at the same security baseline as the leveraging service. High Baseline systems should only leverage other FedRAMP JAB systems Authorized at the High Baseline. Moderate JAB systems should only leverage Moderate or High Baseline JAB External Systems. There may be flexibility with FedRAMP Agency systems, though. The Agency Authorizing Official (AO) may be willing to accept the risk associated with permitting External Systems that are not yet FedRAMP Authorized. 3PAOs should identify the External Systems that are leveraged but not authorized as a finding tied to SA-9 and list it among the “Remaining Risks” for the system.
TIP: Cloud Service Providers (CSPs) pursuing a JAB P-ATO have asked about how to implement new technologies. New technologies have a minimum control set in the significant change policy and procedures. The assumption is that all the controls will be assessed unless the 3PAO provides a rationale for excluding controls or scoping the assessment of the controls as:
- Not Applicable (N/A) - The nature of the component means it inherently does not contain this capability and will not be tested (e.g., controls that apply to collaborative computing devices only apply if that capability exists in the system).
- Not Selected (N/S) - A centralized automated mechanism ensures the implementation of the specific control, and that central automated mechanism has already been assessed to ensure that it is operating as intended and producing the desired result. Therefore, the assessment of the control will be scoped to only verifying/validating that the component is integrated into the centralized automated mechanism. Here are a few examples of centralized and/or automated mechanisms that implement other controls:
  - AC-2 (1) - The organization employs automated mechanisms to support the management of information system accounts.
  - AU-7 - The information system provides an audit reduction and report generation capability.
  - CM-6 (1) - The organization employs automated mechanisms to centrally manage, apply, and verify the configuration settings for organization-defined information system components.
JAB reviewers will review each rationale for excluding controls from assessment or scoping the assessment of the control to determine if they concur.
Q: A CSP asked, “What is the process for handling False Positives found during Initial or Annual Assessment when the Security Assessment Report (SAR) is closed but has not yet been approved by the Sponsoring Agency?”
A: All of the False Positives found during the Annual Assessment should be added to the Plan of Action and Milestones (POA&M) list. If they are approved before the SAR is closed/signed, they are moved to the Closed tab of the POA&M list. If they have not been approved, they should remain in the Open tab of the POA&M list until approved. Then, at least annually during assessment, the False Positives should be re-evaluated to confirm they are still False Positives. For more information on handling the Annual Assessment and scan findings, check out the CSP Continuous Monitoring Strategy Guide.
TIP: IA-5 (1) Control - FedRAMP guidance states that if password policies are compliant with the NIST SP 800-63B Memorized Secret guidance (Section 5.1.1), the control may be considered compliant.
NIST SP 800-63B specifies that memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. For further guidance on passwords, refer to NIST SP 800-63B.
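The following is an added example of how a CSP might encode those two length rules as a verifier-side check, with the distinction between subscriber-chosen and verifier-generated secrets made explicit. It is not FedRAMP's or NIST's code and the function names are hypothetical. It goes slightly beyond the text above by also applying two other requirements from SP 800-63B Section 5.1.1.2: normalizing Unicode and counting code points as characters, and rejecting secrets that appear on a blocklist of commonly used or compromised values. The blocklist here is a constructed stand-in; a real deployment would use a breach-corpus list.

```python
import secrets
import string
import unicodedata

# SP 800-63B 5.1.1.2 length floors (from the guidance quoted above).
MIN_SUBSCRIBER_CHOSEN = 8    # secret chosen by the subscriber
MIN_VERIFIER_GENERATED = 6   # secret chosen randomly by the CSP/verifier (MAY be all digits)

# Constructed stand-in for the "commonly used, expected, or compromised" list
# that 800-63B says verifiers SHALL compare against. Not a real corpus.
BLOCKLIST = {"password", "password1", "12345678", "qwertyuiop", "letmein1"}


def normalize(secret: str) -> str:
    """Apply NFKC normalization so length and blocklist comparison are done on a stable form.

    800-63B counts each Unicode code point as one character, which is what
    len() on a Python str returns after normalization.
    """
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, chosen_by_subscriber: bool = True,
                           blocklist: set = BLOCKLIST) -> list:
    """Return a list of findings; an empty list means the secret passes the policy.

    chosen_by_subscriber selects which 800-63B minimum applies:
    8 characters for user-chosen secrets, 6 for verifier-generated ones.
    No composition rules (upper/lower/symbol) are enforced, because
    800-63B says verifiers SHOULD NOT impose them.
    """
    findings = []
    normalized = normalize(secret)
    minimum = MIN_SUBSCRIBER_CHOSEN if chosen_by_subscriber else MIN_VERIFIER_GENERATED
    if len(normalized) < minimum:
        findings.append(f"shorter than {minimum} characters")
    # Blocklist comparison is case-insensitive on the normalized form.
    if normalized.lower() in blocklist:
        findings.append("appears on blocklist of common or compromised secrets")
    return findings


def is_acceptable(secret: str, chosen_by_subscriber: bool = True) -> bool:
    """Convenience wrapper: True when check_memorized_secret() reports no findings."""
    return not check_memorized_secret(secret, chosen_by_subscriber)


def generate_verifier_secret(length: int = MIN_VERIFIER_GENERATED) -> str:
    """Generate an all-numeric secret on the verifier side using a CSPRNG.

    800-63B permits verifier-chosen secrets to be entirely numeric, but they
    must still be at least 6 characters, so shorter requests are rejected.
    """
    if length < MIN_VERIFIER_GENERATED:
        raise ValueError(f"verifier-generated secrets must be at least {MIN_VERIFIER_GENERATED} characters")
    return "".join(secrets.choice(string.digits) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs covering both cases in the guidance.
    samples = [
        ("correct horse battery", True),   # long passphrase, user-chosen: passes
        ("short7!", True),                 # 7 chars, user-chosen: fails length
        ("password", True),                # 8 chars but on blocklist: fails
        ("483921", False),                 # 6 digits, verifier-generated: passes
        ("483921", True),                  # same value but user-chosen: fails length
    ]
    for value, by_subscriber in samples:
        print(repr(value), "subscriber" if by_subscriber else "verifier",
              check_memorized_secret(value, by_subscriber) or "OK")
    print("generated:", generate_verifier_secret())
```

The same six-digit value is rejected when a subscriber picks it and accepted when the verifier generates it, which is the point an assessor checks under IA-5 (1): the policy must know who chose the secret, not just how long it is.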
TIP: Significant Change Requests (SCRs) for an uplift from the Moderate to the High baseline require scan and penetration test reports to be submitted.
Some vulnerability scan and penetration test results from a recent Moderate Annual Assessment may still be acceptable for the High baseline uplift. However, a full analysis needs to be conducted to determine which controls need to be tested. The analysis must consider the additional controls for High, the freshness of the Annual Assessment testing, and ensuring all controls are tested within the three-year time frame. For more on this, please refer to the Continuous Monitoring performance documents on the FedRAMP website.