FEDRAMP TIPS & CUES COMPILATION

2015 - 2017

January 2018

|i

HelloEveryone!

TheFedRAMPPMObeganpublishingourweekly“TipsandCues”asawaytoaddresscommonconcernsandissuesbeingraisedbyFederalAgencies,CloudServiceProviders(CSPs),andThirdPartyAssessmentOrganizations(3PAOs).

Wehavereceivedalotofpositivefeedbackabouttheseposts.Inordertomakethemevenmoreaccessibletoourreaders,we’vecompiledeverytipwe’vepublishedintoasingledocument.

Wehopeyoufindthiscompilationhelpful.Ifyou’dliketosignuptoreceiveourweeklyTipsandCues,pleaseusethislink.

Thanksandallthebest,

MattGoodrich

FedRAMPDirector

|ii

TABLE OF CONTENTS

1. CONTINUOUSMONITORING................................................................................................................1

2. CONTROLS...........................................................................................................................................4

3. FEDERALAGENCY................................................................................................................................6

4. GENERALPROGRAM.........................................................................................................................13

5. PROFESSIONALWRITINGTIPS...........................................................................................................34

6. READINESSASSESSMENTREPORT.....................................................................................................37

7. SECURITYASSESSMENTPLAN(SAP)&SECURITYASSESSMENTREPORT(SAR)DOCUMENTS..............37

8. SYSTEMSECURITYPLAN(SSP)DOCUMENTATION..............................................................................47

9. OTHERDOCUMENTATION-PLANOFACTIONSANDMILESTONES(POA&M),READINESSASSESSMENTREPORT(RAR),SCANS,ANDINFORMATIONSYSTEMCONTINGENCYPLAN(ISCP)......................................57

KEY

CloudServiceProvider(CSP)Tip

FederalAgencyTip

TheirPartyAssessmentOrganization(3PAO)Tip

|1

1. CONTINUOUS MONITORING

TIP:CSPsmustaddresseveryvulnerabilitytheysubmitaspartoftheircontinuousmonitoringdata.Thereareafewdifferentoptionsformanagingthosevulnerabilities.

1. Remediatethefindingwithintherequiredtimeframe.Thisshouldbethedefaultapproachtovulnerabilitymanagement.

2. AspartoftheDeviationRequestprocess:a. Implementmitigationsandrequestariskadjustment,ifappropriate.b. SeekapprovalforanyFalsePositive(FP)findings.Besuretoprovideevidencethat

provesthefindingwasanFP.AnFPwouldnotbeappropriateininstanceswherethesystemsettingisnotactiveand,therefore,notvulnerable,butifitwereactive,thevulnerabilitywouldexist.ThistypeoffindingshouldbesubmittedasaRiskAdjustmentwithlayersofmitigationsthatpreventexposureifthesystemsettingisactivated.

c. SeekapprovalasanOperationalRequirement(OR).ORrequestsshouldbeinfrequentsinceitmeansthevulnerabilityremainsinproductionuntilitiseventuallyremediated.HighfindingsmustbemitigatedandRiskAdjustedtoatleastModerateforacceptanceasanOR.

3. JustifythefindingasaVendorDependencyandcheckinwiththevendorevery30days.Inthiscase,thevulnerabilitywillnotbeconsideredlate.TheCSPshouldseekvendorcomponentsthatareFedRAMPcompliantwhenpossibletoavoidanyVendorDependencies.Inthiscase,thevulnerabilitywillnotbeconsideredlate.

TIP:SelectyourmonthlycontinuousmonitoringscanandPlanofAction&Milestones(POA&M)deliverydatewisely.

Considervendorpatchreleaseschedulesandyourtypicaldurationbetweenthereleaseofavendorpatchanditsapplicationwithinyourenvironment.Planyourscansassoonaspossibleafterpatchesaretypicallyappliedeachmonth.Ifyourmonthlyscansareout-of-syncwithyourpatchcycle,thenumberofvulnerabilitiesreportedcanbeartificiallyinflated.

Forexample,ifyouhaveMicrosoft-basedhostsandatwo-weekpatchcycle,runningscansjustoneweekafter“patchTuesday”willreportallofthenewlyreleasedpatchesasnewvulnerabilitiesonthosehostsandinflateyourvulnerabilitycount.Scanningshortlyafteryourpatchcyclegivesyouradminstimetoremediateallofthosenewvulnerabilities.Therefore,onlytheexceptions–ifany–arereported.

|2

Q:Theeffortand/orcostsaretoogreattoremediateavulnerabilitywithintherequiredtimeperiod.Isitacceptabletosubmitariskadjustmentinthissituation?

A: Generally,levelofeffortand/orcostofimplementingaremediationarenotacceptablejustificationsforleavingasystemthatisauthorizedforprocessingfederaldatainavulnerablestate.Duringtheinitialassessmentofthesystem,theCSPisassessedtodetermineitsabilitytoperformcontinuousmonitoringsuccessfully,whichincludestimelyremediationofvulnerabilities.ThisalsoincludesanassessmentoftheCSP’sequipmentacquisitionandlife-cyclemanagementplantoensurevendorproductscanbemaintainedand/orreplacedtostayontopofsecurity.ThismeanstheCSPshouldbeawareofequipmentend-of-life/end-of-support.

Intherareeventthattimelyremediationsneedtobepostponed,itisincumbentupontheCSPtoemploymitigationsthatreducetheriskofthevulnerability.ThisriskmitigationandadjustmentshouldbedescribedindetailintheDeviationRequest,andaplanforultimateremediationandcomplianceshouldbeincluded.

Q:Howare“falsepositive”scanresultsmanaged?

A:AFalsePositive(FP)scanresultisnotedwhenanidentifiedvulnerabilitydoesnotactuallyexistonthesystem.Forinstance,avulnerabilityscannermightidentifyaweaknessforacomponentthatisnotinstalledorfailtorecognizearecentsystemupdate.Aslongasevidenceisofferedtosupportthenon-existenceofthecomponentand/ortheexistenceofthesystemupdateinstall,thisisnownotedasa“FP”.FortheSecurityAssessmentReport(SAR),theFPsarenotedinaFalsePositiveReportfortheInfrastructure,Databases,WebApplications,and“Other”miscellaneous(automatedandmanual)toolresults.TheFPsarerecordedonthe“Open”PlanofActionsandMilestones(POA&M)tabofthePOA&MworkbookuntiltheSecurityAssessmentPackageissignedoffandacceptedbytheJointAuthorizationBoard(JAB).Oncethepackageisaccepted,theseFPsarevalidatedandverifiedthroughtheProvisionalAuthorizationtoOperateprocess,andmovedtothe“Closed”POA&Mtab.

Fromthatpointforward,allFPsidentifiedthroughtheContinuousMonitoringprocessarerecordedasDeviationRequestsembeddedwithallsupportingevidence,andnotedontheOpenPOA&Mtab.OncetheDeviationRequestisacceptedbytheJABTechnicalReviewReviewers,theFPcanbemovedtotheClosedPOA&Mtab.

Q:WhataretheContinuousMonitoring(ConMon)rolesandresponsibilitiesassociatedwiththeFedRAMPProgramManagementOffice(PMO)foraFedRAMPAgencyAuthorization?IsthereaFedRAMPPMOISSOassignedtoeachFedRAMPAgencyAuthorization?

|3

A: ConMonisacriticalcomponentinunderstandingevolvingrisksassociatedwithanITsystem.CSPsarerequiredtofollowstringentConMonrequirementsandprovideAgencieswiththeinformationtheyneedonaperiodicbasis,toensuretheirdataremainssecuretoinclude,butnotlimitedto:monthlyPlanofActionandMilestones(POA&M),monthlydatabase,operatingsystem,andwebapplicationrawscanfiles,ad-hoc(asappropriate)incidentresponsenotifications,majorsystemchangerequests,andannualassessments.Thesedeliverablesarerequired,regardlessofauthorizationtype(JABorAgency)andarelocatedwithintheFedRAMPSecureRepositoryonOMBMAX.

EachAgencyshouldreviewthesematerials,regularly,toensuretheirATOremainsvalidandtheriskremainsacceptable.TheFedRAMPPMOdoesnothaveadedicatedISSOthatsupportseachAgencyAuthorization;but,providesthestructureandaccesstoeachCSPs’ConMonmaterialsinOMBMAX.Asalways,ifanyAgencyhasquestionsregardingspecificConMonvulnerabilitiesorisunabletoobtaintheinformationtheyneedpertainingtoConMonforanygivenCSP,theFedRAMPPMOisheretohelp.

Q:WhatscanningdepthdoesFedRAMPrequire?

A:FedRAMPrequiresfull-rangeauthenticatedscanswithallpluginsenabled.Thisrequirementpertainstoallnetwork,operatingsystem,database,andwebapplicationscans,usingthetype-specificscanningtoolset,whichmustbeconductedatleastmonthly.EachscanmustincludeallcomponentswithinthesystemboundaryandasagreedwithinthemostcurrentSecurityAssessmentPlan.DetailedrequirementsareprovidedintheFedRAMPJABP-ATOVulnerabilityScanRequirementsGuideandtheContinuousMonitoringStrategyGuide,bothlocatedinthe“Documents”sectionofwww.fedramp.gov.

CSPsand3PAOsshouldplanfor,andconfigure,scansthatmeetFedRAMPrequirementsfromtheoutset.Doingsohelpstoavoidtheneedtorescanandresubmitresults,whichcanleadtoscheduledelaysandadditionalcosts.

Q:WhydoesFedRAMPrequireauthenticatedscans,andhowdotheydifferfromunauthenticatedscans?

A:Unauthenticatedscansprovideaperimeterviewofthesystem,typicallyincludingopennetworkports,services,operatingsystems,anddataleaks.Incontrast,authenticatedscansutilizecredentialstodetectinternalvulnerabilitiesthatcouldprovideanintruderthatpenetratedtheperimeterwithprivilegedaccesstothesystem.ScanningmonthlywithauthenticationisaFedRAMPrequirementbecauseitidentifiesandpromptsthecloudserviceprovidertofixtheseinternaltargets.

|4

Q:Whatistherelationshipbetweencontinuousmonitoringandcontinuousdiagnostics&mitigation(CDM)andongoingauthorization?

A:TheFedRAMPandCDMmonitoringrequirementsarebothbasedonNISTSpecialPublication800-137guidanceforimplementinganInformationSecurityContinuousMonitoringprogram.TheCDMprogramhasinitiallyfocusedonprovidingtoolstoFederalAgenciestoensurethattheycanfulfillvulnerabilitymanagement,malwaredetection,assetmanagement,andconfigurationmanagementprogramresponsibilitiesandaggregatedatafromthosetoolsintoacentralconsoleordashboardtofacilitateamorerobustawarenessofone’sriskposture.AgencieswouldalsoprovideaggregateoutputfromthisdashboardtoDHStofacilitateagovernment-wideviewofvulnerabilitiesandassociatedrisks.FedRAMPsecuritycontrolsalsorequirethattheseelements(vulnerabilitymanagement,malwaredetection,assetmanagement,andconfigurationmanagement)beinplaceattheCSPtosupportvisibilityintotheoperationalstatusofasystem,muchliketheCDMprogram.However,FedRAMPdoesnotprescribetheexacttoolsanddashboardsnordoesitrequirereal-timeornearreal-timeuploadingofalltooloutputtoFedRAMP.

ThereisnoplannedintegrationofCDMandFedRAMPcontinuousmonitoringatthistimeasCDMisfocusedongovernmentassetsandnotexternalproviders.FedRAMPisinterestedinevolvingitscontinuousmonitoringprogramtofacilitateashiftfromacompliance-basedtoamorerisk-basedapproachandispreparingtosolicitfeedbackfromAgenciesandindustry.

2. CONTROLS

Q:Whatisanexampleofacommonlyoverlookedorinsufficientlyansweredcontrol?

A:FedRAMPdocumentationwriterstendtooverlook“ImplementingConfigurationSettings(CM-6).”Thisisasignificantcontrolbecauseitis(1)requiredand(2)becausewriterstypicallyuseitasanumbrellatomapfailures.

Whenwritingthiscontrol,besuretofollowthesesteps:

1. Includeinyouranswerallsystemcomponentsthatmustbeconfiguredwithinthesystemboundary.

2. Explainwherethesystemconfigurationdocumentationislocated.3. Identifyallthesystemcomponentsthataretobeconfigured.4. Identify,foreachcomponent,whoisresponsibleforconfiguringthecomponent.5. Identifyhowtheresponsiblepartyconfigureseachcomponentindetail.6. IdentifyandaddressanyspecialFedRAMPrequirementsincludedintheconfigurationprocessin

detail.

|5

7. Explainhowconfigurationsettingdeviationsareidentified,documented,andapproved.8. Explainhowtheorganizationmonitorsandcontrolschangestotheconfigurationsettings.

Explainhowthisprocessisinaccordancewithorganizationalpoliciesandprocedures.

Q:WhatarecommonmissedorneglectedFedRAMPand/orNationalInstituteofStandardsandTechnology(NIST)requirements?

A:ThePMOisunabletoevaluateauthorizationpackagesthatdonotcompletelyrespondtoFedRAMPand/orNationalInstituteofStandardsandTechnology(NIST)requirements.Althoughnotacompletelisting,thefollowingitemshighlightsomecommonincompleterequirements:

§ Notidentifyingportals§ Non-compliancewithmulti-factorauthentication§ Tenantseparationformultiplecustomers(governmentvs.public)doesnotexist§ HighvulnerabilitiesdetectedduringP-ATOtesting§ Authorizationboundaryisnotclearlydefined§ Policiesandproceduresthatdonotexist,incomplete,ornotwelldefined§ NothavingFIPS-140enabled

Q:HowdoIindicate“sole,”“shared,”or“customer”responsibilitieswhenansweringtheAwarenessandTraining(AT)controls?

A:WhenansweringAwarenessandTraining(AT)controls,itismutuallybeneficialforboththeCSPandtheAgencytosharethatresponsibilityinprovidingawarenessandtraining(e.g.,MandatorySecurityAwarenessTraining,specificsystemsleveltrainingandguidance).TheSSPimplementationshouldbecheckedasasharedcontrolresponsibilitybetweentheCSPandtheAgencyinadditiontoanyboxes.

ItisgoodpracticetohaveSecurityAwarenessTrainingincorporatedandasharedresponsibilityasopposedtosimplyrespondingtotheimplementationassolelya“corporate”or“customerresponsibility.”

Q:Mysystemusesvariousplatformsandoperatingsystems,sohowdoIrelatetechnicalcontrolimplementationstatements?

|6

A:Thesecuritycontrolimplementationstatementsfortechnicalcontrols(AC,AU,IA,SC,etc.)mustbedevelopedtoincludealloftheapplicableplatforms/operatingsystems(e.g.,Windows,Linux,Solaris,VMware)thatcomprisethecloudservicearchitecture.

Itiscriticalforreviewers(eitherJointAuthorizationBoard(JAB)orAgency)todelineateeachplatform/operatingsystemagainsttheapplicablesecuritycontrolrequirementtoensurecomplianceisadequatelybeingmet.

Q:WhenistheFIPS140compliant/validatedcryptographyapplicable?

A:Fordataflowscrossingtheauthorizationboundaryoranywhereelseencryptionisrequired,FIPS140compliant/validatedcryptographymustbeemployed.FIPS140compliant/validatedproductswillhavecertificatenumbers.ThesecertificatenumberswillberequiredtobeidentifiedintheSSPasademonstrationofthiscapability.JABTRswillnotauthorizeacloudservicethatdoesnothavethiscapability.

Q:IfaSoftware-as-a-Service(SaaS)isbuiltonapreviouslyauthorizedInfrastructure-as-a-Service(IaaS),doestheIaaS’sauthorizationboundarycovertheSaaSaswell?Ifitdoes,isanAuthoritytoOperate(ATO)letternecessaryfortheSaaS?

A:TheIaaS’sauthorizationboundarydoesnotcompletelycovertheSaaS.Allpiecesofthecloudstackhavetobeauthorized—whichmeanstheIaaShasitsownauthorizationboundary(whatitisresponsiblefor),andtheSaaShasitsownauthorizationboundary.However,yourSaaScaninheritsomeofthesecuritycontrolsfromtheIaaS,dependingontheservicesusedfromtheIaaS.

EachportionofthecloudstackrequiresitsownATOletter,sotheSaaSwillneedanATOseparatefromtheIaaS.

3. FEDERAL AGENCY

Q:HowdosecuritycontrolsimpactQualityofService(QoS)ofanapplicationorsystem?

|7

A:QualityofService(QoS)andsecurityareinterrelated.Theimplementationofsecuritycontrolsmustbethoughtfullyconsideredanddeployed/implementedsoastoNOTadverselyimpactanapplication'sorsystem’sQoS.Thisisimportantbecauseimproperlythought-outorexcessivesecuritycontrolscanimpactQoS.TheCSPmustplanthe"right"amountofsecurityasitpertainstothesystemperformanceandfinancialconsiderations.

Q:DotheFedRAMPsecuritycontrolsrestrictdatatoresideonlywithintheUnitedStates?

A:TherearenoFedRAMPrequirementsrestrictingdatatowithintheUnitedStates.Therearemultiplesecuritycontrolsthatdetailwheredataisstored,whattheboundaryofthesystemis,andwhereandhowdataintransitisprotected.WehavesomeprovidersthatareauthorizedthroughFedRAMPthatarelocatedglobally,althoughamajorityofserviceprovidersdorestricttheirdatatotheUnitedStates.ItisuptoeachindividualAgencyandauthorizingofficialtoplacerestrictions,ifneeded,ondatalocation.

Q:CanaFederalAgencyrequireCSPstobeFedRAMPauthorizedinarequestforproposal(RFP)?

A:FederalAgenciescannotrequireCSPstobeFedRAMPauthorizedaspartoftheirRFPbutcanstatethataCSPneedstobeFedRAMPauthorizedoncefederaldataisplacedinthesystem.Formoreinformationoncontractclauses,pleasereviewtheFedRAMPStandardContractualClauses.

Q:HowdoesaFederalAgencyaccessJABapprovedandAgencyAuthorizedpackagesintheOMBMAXSecureRepository?

A:ToaccessaCSP’sP-ATOand/orAgencyATOsecuritypackagedocumentation,FederalAgencyemployeesorcontractorsmustcompleteaPackageAccessRequestformavailableatwww.FedRAMP.govandsubmitthecompletedformtoinfo@fedramp.gov.ThePMOwillthenreview,validate,andgrantaccesswithin72hoursifallrequiredfieldsarepopulatedintheform.

Q:DoFederalAgenciesneedanInterconnectionSecurityAgreement(ISA)withaCSP?

|8

A:InterconnectionSecurityAgreements(ISAs)arenotdesignedforusebetweenaCSPandanAgency.AnAgencyATOmemoshouldbethegoverningdocumentforAgencyandCSPinteractionandsecurityrequirementcommunications.CSPsshoulddocumentsecurityprotectionsinplaceforAgencyaccess–whetherthroughdedicatedconnectionsorpubliclyroutableinternetspace.ThisdocumentationshouldbeincludedwithinthestandardFedRAMP-requiredtemplates,policies,andprocedures.

AgenciesshouldfollowthedocumentedprocessesforissuingATOsincludedintheFedRAMPguidanceanddocumentationavailableonFedRAMP.gov.

CSPsshouldalsocontinuetoutilizeISAsforcloudsysteminterconnectionsthatfallwithinthescopeofthecloudboundary.TheseISAswillbereviewedaspartofthesecurityassessmentandtestingprocessby3PAOsandtestingforcontrolCA-3.TheFedRAMPAgencyorJABP-ATOprocessshouldbethemechanismforvalidatingISAdocumentation.

Q:HowcananAgencyensureitmaintainsreasonableinvestigationcapabilities,auditability,andtraceabilityofdatawithinthecloud?

A:Agenciescanensuretheymaintainreasonableinvestigationcapabilities,auditability,andtraceabilityofdatabyloggingandmonitoringthefollowingapplicationevents:

§ Managementofnetworkconnections§ Additionorremovalofusers§ Managementofchangestoprivileges§ Assignmentofuserstotokens§ Additionorremovaloftokens§ Managementofsystemadministrativeprivilegesaccess§ Actionsbyuserswithadministrativeprivileges§ Useofdataencryptingkeys§ Managementofkeychanges§ Creationandremovalofsystemlevelobjects§ Importandexportofdata,includingscreen-basedreports

§ Submissionofuser-generatedcontent,especiallyfileuploads

Q:WouldacloudservicerequireaFedRAMPauthorizationifitalreadyhasaFISMAATO?Ifso,canyoureferencethespecificlanguageintherequirement?

A:WhileFISMAandFedRAMPauthorizationsaresimilar,FedRAMPauthorizationsinvolveextrarequirementsandparametersspecifiedintheFedRAMPtemplates/baselinerequirementsdocumentation,availableonfedramp.gov.Agenciesthatareusingacloudsystemorservicesmust

|9

followFedRAMPrequirementsandgothroughtheFedRAMPAuthorizationprocess.ThedrivingpolicyforFedRAMPisapolicymemoreleasedbyOMB.

Theinitialcloudsystem/serviceauthorizationpackage(toincludetheATO,forAgency-authorizedsystems)mustbereviewedandapprovedbytheFedRAMPPMOtoreceiveaFedRAMPAuthorization.

Q:WhoismyFedRAMPapprovertosignoffonanaccessrequestform?

A:YourFedRAMPapproveriseitheryourAgency’sCISOorDAA.IftheformissignedbyaDAA,thatpersonmustbeatalevelthathastheauthoritytograntanATOforasystem.

Q:CananAgencysharecompleteAuthorizationtoOperate(ATO)packagematerialswithanotherAgency?

A:Yes,AgenciescansharecompleteATOpackagematerialwithotherFederalAgencies.ButitisrecommendedthatAgenciesreceivethisinformationdirectlyfromtheFedRAMPPMO,asitensuresdocumentationisvalidatedagainstFedRAMPstandards.

Q:IreceivedarequestfromaFederalAgencytoreviewmysystem’sProvisionalAuthorizationtoOperate(P-ATO)letterandIamconcernedthatsharingtheletterwillviolatesensitivitypolicies.IsitappropriatetoshareanauthorizationletterwithAgencies?

A:Yes!TheAuthorizationLetterisintendedtoserveasevidencethattheCSPhasobtainedtheirFedRAMPP-ATO.TheCSPmayshoworevenprovideacopytoarequestingAgency.Indeed,theAgencymayneedacopyfortheirownATOpackageasevidencetheyselectedaCSPwithavalidFedRAMPP-ATO.

Q:IfanAgencywantstoleverageanotherAgency’sFedRAMPauthorization,butrecognizestheexistenceofriskthatthepotentialleveragingAgencyisunwillingtoaccept,isthereanoptiontoworkwiththeCloudServiceProvider(CSP)toresolvetheseriskspriortoauthorization?

|10

A: IfanAgencyisalreadyusingaCSPandhasnotyetissuedanauthorizationtousethatcloudservicewithintheiroperatingenvironment,theAgencycanleverageanexistingAgencyAuthorizationasitapplieswithintheiroperatingenvironment.IfaleveragingAgencyisunwillingtoacceptrisksassociatedwiththeexistingAgencyauthorization,theAgencyshouldworkwiththeprovidingAgencytodeterminehowtoremediateandmitigatetheamountofriskassociatedwiththeleveragedAgencypackagesothattheriskcanbemanagedtoanacceptablelevelwithintheirownAgencyenvironment.TheCSPhastheopportunitytoremediatevulnerabilitiesatanytime.AnAgencycanengagewiththeCSPtoresolveissuesthattheAgencyisunwillingtoaccept.

Formoreinformation,pleasevisittheOfficeofManagementandBudget(OMB)A-130Revised,datedJuly28,2016,AppendixI-22,(OMBCircularA-130,“ManagingFederalInformationasaStrategicResource”(7/28/2016-85pages))sectionj.JointandLeveragedAuthorizationsonpage59.

Q:IfanAgencyleveragesanAgencyauthorizedsecuritypackagetomeettheirFISMAauthorizationrequirements,howdoestheContinuousMonitoringthencomeintoplay?

A: EachAgencyisresponsibleformeetingtheirorganizationalresponsibilitiesforFISMAandContinuousMonitoringinmonitoring,evaluating,andreportingtheriskposturemonthlyfortheAgencyinformationsystems.

AccordingtoOMBA-130AppendixI-23,sectionk.ContinuousMonitoring:

“Agenciesmustdevelopinformationsecuritycontinuousmonitoring(ISCM)andprivacycontinuousmonitoring(PCM)strategiesandimplementISCMandPCMactivitiesinaccordancewithapplicablestatutes,directives,policies,instructions,regulations,standards,andguidelines.AgencieshavetheflexibilitytodevelopanoverarchingISCMandPCMstrategy(e.g.,attheAgency,bureau,orcomponentlevel)thataddressesallinformationsystems,orcontinuousmonitoringstrategiesthataddresseachAgencyinformationsystemindividually.TheISCMandPCMstrategiesmustdocumentallavailablesecurityandprivacycontrolsselectedandimplementedbyAgencies,includingthefrequencyofanddegreeofrigorassociatedwiththemonitoringprocess.ISCMandPCMstrategies,whichmustbeapprovedbytheappropriateAgencyAuthorizingOfficialandtheSeniorAgencyOfficialforPrivacy,respectively,mustalsoincludeallcommoncontrolsinheritedbyAgencyinformationsystems.”

TIP:WhileAgencyuseofaccredited3PAOsisnotmandatory,itisrecommended.BelowistheguidanceprovidedintheFedRAMPSecurityAssessmentFramework.

|11

1.6.8.THIRD-PARTYASSESSMENTORGANIZATIONS

“3PAOsplayacriticalroleintheFedRAMPsecurityassessmentprocess,astheyaretheindependentassessmentorganizationsthatverifycloudproviders’securityimplementationsandprovidetheoverallriskpostureofacloudenvironmentforasecurityauthorizationdecision.Theseassessmentorganizationsmustdemonstrateindependenceandthetechnicalcompetencerequiredtotestsecurityimplementationsandcollectrepresentativeevidence.3PAOsmust:

§ PlanandperformsecurityassessmentsofCSPsystems§ ReviewsecuritypackageartifactsinaccordancewithFedRAMPrequirements

TheSecurityAssessmentReport(SAR)createdbythe3PAOisakeydeliverableforleveragingAgenciestouseFedRAMPsecurityassessmentpackages.TheFedRAMPJABrequiresthata3PAObeaccreditedthroughtheFedRAMP3PAOProgramforanyJABP-ATOs.AgenciesarehighlyencouragedtousetheseorganizationsforAgencyauthorizationsthatmeettheFedRAMPrequirements.WhileAgenciesarefreetousenon-3PAOIndependentAssessors(IA),useofa3PAOassessorremovestheAgencyrequirementtoprovideanattestationtotheindependenceandcompetencyofthesecuritycontrolassessor.”

AND

2.1.2.FEDRAMPAGENCYATO

“CSPsmayworkdirectlywithanAgencytoobtainaFedRAMPAgencyATO.Inthiscase,theFederalAgencywillprovidetheriskreviewofalldocumentationprovidedbytheCSPinitssecurityauthorizationpackage.CSPswillworkdirectlywiththeFederalAgencysecurityofficeandpresentalldocumentationtotheAuthorizingOfficial(AO)orequivalentforanauthorization.AsnotedinSection1.6.8,FederalAgenciesmayelecttouseaFedRAMPaccredited3PAOoranon-accreditedIAtoperformtheindependentassessment.Ifanon-accreditedassessorisused,theAgencymustprovideevidenceoftheassessor’sindependenceandprovidealetterofattestationoftheassessor’sindependencewiththesecurityauthorizationpackage.TheFedRAMPPMOhighlyrecommendsAgenciesselectanassessorfromtheFedRAMP3PAOaccreditationprogram.

OnceanAgencyauthorizesapackage,theAgencymustinformtheFedRAMPPMObysendinganemailtoinfo@FedRAMP.gov.ThePMOtheninstructstheCSPhowtosubmitthepackageforPMOreview.AfterreviewingthepackagetoensureitmeetsalloftheFedRAMPrequirements,theFedRAMPPMOwillpublishthepackageintheSecureRepositoryforotherAgenciestoleverage.”

TIP:ThecurrentOMBA-130clarifiesspecificAgencyAuthorizationresponsibilitiesforprotectingandmanagingFederalinformationresources.HerearesomewaysOMBA-130furtherrefinesAgencyinteractionwithFedRAMP.

|12

OfficeofManagementandBudget(OMB)CircularA-130revised7/28/2016nowexplicitlyoutlinesAgencyresponsibilitiesfortheirinformationandinformationsystemsandlinkstheirinformationsecurityprogramtoOMBCircularA-123,Management’sResponsibilityforEnterpriseRiskManagementandInternalControls.OMBCircularA-130AppendixIincorporatesrequirementsoftheFederalInformationSecurityManagementAct(FISMA)(44U.S.C.Chapter35),theE-GovernmentActof2002(44U.S.C.Chapters35and36),thePaperworkReductionAct(44U.S.C.Chapter35),andthePrivacyActof1974,andresponsibilitiesassignedinExecutiveOrdersandPresidentialDirectives.

Agenciesareresponsiblefor:

§ EnsuringallnewCloudServiceProvider(CSP)CloudServiceOffering(CSO)projectsminimallyusetheFedRAMPbaselinecontrolsandtemplatesforLow,Moderate,andHighbaselinesystems.

§ Ensuringexistingcloudprojects(implementedorintheacquisitionprocess)meetFedRAMPrequirements.

§ AddingormodifyingcontractualprovisionsthatrequireCSPsandtheassociatedCSOprojectsmeetFedRAMPrequirements.

§ UpdatingOMBPortfolioStatdataquarterlytoidentifyuseofCSPsandAgencyplanstomeetFedRAMPrequirementsandprovideAgency-specificrationaletosupportlackofcompliance.

§ IssuingtheinitialAgencyAuthorization.§ ReviewingCSPdocumentationandtestresultspriortoleveragingaJointAuthorizationBoard

(JAB)ProvisionalAuthoritytoOperate(P-ATO)orleveragingtheAgency-issuedAuthorizationtoOperate(AgencyATO).

§ ReviewingPlansofActionandMilestones(POA&Ms)forleveragedCSPCSOs.§ AddinganyAgency-specificcontrolsthatmayexistabovetheFedRAMPbaselineorabovethe

baselinerequiredbyapartneringAgency.§ EnsuringthesubmittalofAgencyATOsecuritypackages.§ ReviewingallCSPand3PAO-provideddocumentationfortheATOandContinuousMonitoring,

asappropriate.

TIP:UsetheFedRAMPPackageAccessRequestFormontheFedRAMPwebsitetoreviewaFedRAMPSecurityPackage.

TheFedRAMPPackageAccessRequestFormistheformcompletedbyfederalemployeesandgovernmentcontractorswhodesireaccesstoviewaCSP’ssecurityauthorizationpackagetodeterminesuitabilityoftheserviceforusewithintheirindividualAgency/organization.

Applicantsmustbesuretocompleteeverysectionoftheformandmakesuretofillintheboxeswithinitials,asappropriate.Donotusecheckmarksor“X’s”intheareasthatrequireinitials.TheAgencyAccessRequestFormincludingAttachmentA:FederalContractorNon-DisclosureAgreementforFedRAMPisonthewebsite,underFedRAMPAuthorizedProducts.

|13

BesuretofillouttheFedRAMPApproversectionslocatedatthebottomofPage1under“AccessAuthorization”andpage3“AgreementforAuthorizedFedRAMPApprover(CISO;DAA)”,initsentirety.TheseApproverSectionsareoftenleftblankresultinginthePMOsendingtheformsbacktotheapplicant.Thisresultsindelaysfortheapplicantbeingabletoviewthepackages.

4. GENERAL PROGRAM

Q:Doesthe“FedRAMPReady”designationallowCSPstobidoncontractswithouthavinganexistingATO?Ifnot,howwillaCSPthatdoesnothaveacurrentATOrespondtoaRFP?WilltheCSPberequiredtoobtainaJABP-ATO?

A:CSPswithoutexistingATOsareallowedtobidoncontracts.AgenciescanrequestaCSPtohaveatimelineforobtaininganATObutshouldnotlimittherequesttoCSPswithATOs.PleasecontacttheFedRAMPPMOifanAgencyisdoingsuchanaction.

The“FedRAMPReady”designationisamarketindicatortoAgenciesthatasystemhasahighlikelihoodofobtainingaJABP-ATOoranAgencyATO.AgenciescanbeconfidentthatsystemsthatmeettheFedRAMPReadyrequirementsactuallyhavethekeycapabilitiesneededtofittheirsecurityneeds.Therefore,asmallcloudserviceproviderwillhavetheabilitytoattainFedRAMPReadyandbeavailableforAgencyreviewintheFedRAMPMarketplace.TheAgencycanthendecidetoissueanATObasedontheunderstandingthatthesystemmeetstheReadinessAssessmentrequirements.

Q:Willthesame3PAObeabletoperformboththeFedRAMPReadinessAssessmentandthecompletesecurityassessmentduringaJABP-ATOprocess?

A:Thesame3PAOcanperformboththeReadinessAssessmentandcompletethesecurityassessmentfortheATOprocesswithoutconflictofinterest,providedthatthe3PAOdoesNOTprovideanyconsultingdutiesforthesameauthorizationpackage.So,a3PAOcanhelpwritetheSSP,SAP,SAR,andPOA&Mbutcannotdoanyofthetesting.ItisfairlysimilartothecurrentATOprocesswheredifferent3PAOsdotheconsultingandtestingforaCSP’sauthorizationpackage.

|14

Q:Whatisamajordifferencebetweenatruecloudserviceprovider(CSP)andamanagedserviceprovider(MSP)?

A:ThedifferencebetweenaMSPandaCSPisthedeliveryoftheservice.

AMSPprovidesaservicethatisspecifictoanindividualcustomer.Thecustomerdictatesboththetechnologyandtheoperationalprocedures.ThatserviceisgovernedbyastrictServiceLevelAgreement(SLA)betweentheindividualandtheMSPandislimitedtotheagreementbetweenthecustomerandtheMSP.

ACSPoffersthetechnologyandtheoperationalproceduresonasubscriptionbasis.Ifthecustomerdoesnotacceptthetechnologyandtheoperationalprocedures,thenthecustomercanshopelsewhere.TheCSPprovidesafullenvironmentthatencompassesdatacenterutilitiesservicesandenvironmentalconditions(e.g.,water,power,temperatureandhumiditycontrols,telecommunications,andinternetconnectivity).Thisenvironmentissecured,monitored,maintained,andtestedforcontinualeffectivenessatplannedintervals.Thisensuresprotectionfromunauthorizedinterceptionordamageanddesignedwithautomatedfail-overorotherredundanciesintheeventofplannedorunplanneddisruptions.

Q:HowcanIensureI’vesubmittedallofthedocumentsrequiredforFedRAMPauthorization?

A:TheFedRAMPDocumentationChecklist(foundonFedRAMP.gov)includesalistoftherequiredauthorizationpackagedocumentsthatmustbesubmittedforreviewtoachieveFedRAMPAuthorization.TheChecklistspecifiesthecorrectformat(e.g.Word,orExcel,etc.)thatthedocumentationmustbesubmittedin,aswellasiftheCSPmustuseaFedRAMP-providedtemplateforthedocument.NotonlyistheChecklistausefultoolfortheCSPtohelpensurethecorrectdocumentationisuploaded,butitisalsorequiredtobecompletedandincludedwiththeuploadedmaterial.Thisisimportantsinceitincludesfieldsforeachdocument'sfilename,date,andversionnumber,sothattheFedRAMPReviewerknowsthateachuploadeddocumentistheintendedversion,andnotanolderdraft.CompletingandsubmittingtheChecklistwiththepackagehelpstoenableanefficientreviewoftheauthorizationpackage.

Q:IfaCSPwantstocompleteaFedRAMPReadinessReview,butisthengoingtopursueanAgency-sponsoredFedRAMPauthorization,cantheCSPusethesame3PAOforbothassessments?

|15

A:ACSPcanusethesame3PAOforcompletingtheirReadinessAssessmentReport(RAR)andtheirfullsecurityassessmentwhenworkingwithanAgencyortheJAB.Thesame3PAO,however,cannotconsultbetweenassessments–thisisoutlinedintheISO17020requirementsandFedRAMP-A2LA3PAOaccreditationrequirements.

Additionally,tohelpensuresuccessfulcompletionoftheRAR,theFedRAMPPMOhascreatedaFedRAMPRARGuidefor3PAOsthatincludesusefultipsandlessonslearned.

Q:WhatdoesFedRAMPReadystatusmean?IsitarequirementforCSPswhowouldliketopursueanAgencyauthorization?

A:FedRAMPReadyisadesignationintendedtodemonstrateaCSP’sabilitytocompletethefullFedRAMPAuthorizationprocess.ItisamandatorystepinpursuingaJABProvisionalAuthorizationtoOperate(P-ATO)andisoptionalforthosepursuinganAgency-basedFedRAMPAuthorization.AlthoughitisoptionalforAgencies,someAgenciesmayprefertoworkwithCSPsthatare“FedRAMPReady”sinceitofferskeyinsightintotheircapabilitiesandabilitytoachieveanauthorization.

TheFedRAMPAuthorizationprocessisrigorousandintensive.Itinvolvesalotofhardworkandeffort,soitmakessensethataCSPwouldwantsomeassurancethattheircloudofferingislikelytoattainauthorization.Thisiswhyreaching“FedRAMPReady”isanimportantfirststepintheFedRAMPprocess.

Q:CouldyouexplainthepurposeandprocessbehindrequiringaCSPtocompleteanincidentresponsetestandcontingencyplantestbeforetheir3PAOassessment?

A:IfaCSPdoesnotcompleteanincidentresponsetestandcontingencyplantestbeforethe3PAOassessment,theJointAuthorizationBoard(JAB)willnotissuethecloudofferingaProvisionalAuthorizationtoOperate(P-ATO).ThesetestsmustbeconductedinaccordancewithNISTSP800-53,andtheresultsshouldbemadeavailabletothe3PAOforevaluation.OnceaP-ATOisgranted,thetestsshouldcontinuetobecompletedpriortotheannualassessmentsothatthe3PAOcanevaluatetheresultsaspartofthatassessment.

Q:IamdevelopingacloudsystembutwanttomakesureitisFedRAMPcompliantbeforeproducingitandmakingitoperational.WillFedRAMPevaluateacloudsystem(evenforFedRAMPReady)thatisnotinproductionandoperational?

|16

A: No.FedRAMPonlyevaluatesdocumentationforsystemsthatexistandareoperational.FedRAMPworkswithCSPstoprovideAgencieswithsecurecloudcomputingoptions,soitisrequiredthatCSPshaveanoperationalcloudsystembeforeengagingwiththeFedRAMPTeam.CSPscanusetheFedRAMPReadinessAssessmentReport(RAR)asaself-assessmenttounderstandifthereareanygapsintheirserviceoffering’ssecuritypriortopursuinganAuthoritytoOperate(ATO)withanAgency.TheReadinessAssessmentReportTemplateforHighandModeratesystemscanbefoundontheTemplatespageoffedramp.gov.

TIP:YourFedRAMPInformationSystemSecurityOfficer(ISSO)orgovernmentliaisonisheretohelpguideyouthroughtheFedRAMPprocess.CommunicationisimperativetogetthroughtheFedRAMPprocess!Thebettercommunicationyouhave,thesmoothertheprocesswillgo.

Ifyouhaveanyquestionsorconcerns,orjustwanttobrainstormideas,yourFedRAMPpoint-of-contactcansharepotentialimpactsofanyproposalyouhave.Ifyou’renotsureacontrolimplementationshouldbe“NotApplicable”oran“AlternativeImplementation,”yourISSOcanhelp!Andifyou’reunclearonhowtodescribeyourPIV/CACimplementation,yourgovernmentliaisoncanpointyouintherightdirection!

Q:IkeepreceivingcommentaryfromtheJABondocumentsinmyauthorizationpackageandthishasextendedmyreviewtime.WhatcanIdotolessentheamountofcommentsmyauthorizationpackagereceives?

A:WhenpreparingdocumentationforfinalsubmissiontotheJABTechnicalRepresentatives,onemustrememberthatthedocumentistellingastoryabouttheeffort.Iftherearegapsinthestoryline,therewillbecommentstoaddressthegaps.Themoregapsinthestoryline,themorenumerousthecommentswillbecreatedtotrytofillinthegaps–whichwillinturnslowdownyourreviewtime.Theauthorshouldframeeachanswerinawaythatthereadercanfollowthecompletethreadfromthebeginningtotheend.Theauthormustneverassumethatthereaderalreadyknows“details”aboutthestorywithoutidentifyingthedetail’slocationinthedocument.Forinstance,whenprovidingthePenetrationTestingReport,the3PAOshouldprovidethefullnameandversionsofthetoolsused,whythesewerechosen,andthenwhattheoutcomewasfromthetesting.Thesequestionsarebasictoinformationgatheringandreporting.Foreachsectionwithinthedocumentation,eachofthesequestionsmusthaveafactual,detailedanswerforthestorytobecomplete.

Q:WhyshouldCSPsspendtimeandmoneydevelopinghighqualitydocumentationwhentheirgoalistobecomeFedRAMPAuthorized?

|17

A:FedRAMPrequiresqualitydocumentation(i.e.,documentationthatisclear,concise,consistent,andcomplete)toprovideaclearandcompletedescriptionoftheriskpostureofacloudsystem.This,inturn,reducesanAgency’slevelofefforttoreuseanAuthorizationPackage.Qualitydocumentationalsopaysforitselfbyminimizingcostlyreworkandtime-consumingdelayscausedbyclarifyingmisunderstandingsandwaitingformissingdocumentation.FedRAMPrequiresCSPstospendasmuchtimewritingandeditingthedocumentationastheydoengineeringthesecurity.

Q:IsthereanOMBmemooranyotherguidancethatstateswhen(orif)thereisa“dropdead”dateforFederalITsystemstobeinthecloud?

A:AccordingtotheinitialCloudFirstStrategy,dated2010,theFederalGovernmentshouldhavebeenmovedtothecloudwithin18months,sothiswouldbeapproximatelyJune9,2012.However,sincetheefforttomoveallAgenciestothecloudwasmorecomplexthaninitiallyanticipated,theCloudFirstStrategywasupdatedonFebruary8,2011andstates:

"Ourresponsibilityingovernmentistoachievethesignificantcost,agilityandinnovationbenefitsofcloudcomputingasquicklyaspossible.Thestrategyandactionsdescribedinthispaperarethemeansforustogetstartedimmediately.GiventhateachAgencyhasuniquemissionneeds,securityrequirements,andITlandscape,weaskthateachAgencythinkthroughtheattachedstrategyasanextstep.EachAgencywillevaluateitstechnologysourcingstrategysothatcloudcomputingoptionsarefullyconsidered,consistentwiththeCloudFirstpolicy."

Therefore,itistheresponsibilityofeachindividualAgencytodefineitsCloudFirstStrategy.

Q:WhatisimportanttoconsiderforCSPsleveragingotherservices?

A: ItisaverycommonpracticeforaSaaSCSPtousesomeoftheservicesavailablefromanunderlyinginfrastructure(IaaS/PaaS)thattheSaaSishostedon.Thisiscalledleveraging.However,buyerbeware–someservicesthatanIaaS/PaaSCSPmayoffer,maynotbeFedRAMPauthorized.OnlyFedRAMPauthorizedservicesmaybeusedbygovernmentcustomers.

Ifyourserviceofferingisleveraginganothersystem,thesystemyouareleveragingitselfmustbeFedRAMPAuthorizedbyhavingaFedRAMPP-ATOoranAgencyATO.Thisincludessub-services.Forexample,alargeCSPmayhaveacommercialserviceofferingandaseparateserviceofferingwithaFedRAMPAuthorization.ThatCSPmayoffermultiplesub-services–someofwhichmaybeincludedintheFedRAMP-authorizedservice’sauthorizationboundary,whileothersub-servicesarenot.OnlyserviceofferingswithaFedRAMPAuthorizationmaybeleveragedforusebygovernmentcustomers.PleasevalidatethatservicesareFedRAMPauthorizedandanyassociatedsub-servicesarewithinthe

|18

authorizationboundaryofaFedRAMP-authorizedservicebeforeleveragingthemforusebyyourgovernmentcustomers.

Note:ThisisamandatoryrequirementforachievingFedRAMPReadystatusundertheReadinessAssessmentprocess.3PAOsarerequiredtovalidatetheFedRAMPauthorizationofallleveragedservicesandsub-services.

Q:WhathappensifaSaaSishostedatanon-FedRAMPIaaSandonanon-FedRAMPPaaS?

A: WhenaCSPhasitssystem/servicehostedinanon-FedRAMPAuthorizedcloudservice(e.g.,IaaS,PaaS)thereisno"leveraging/inheritance"relationship.Inthissituation,theSaaSproviderneedstoincludetheinfrastructureandplatform,aswellasitsownsoftwareapplicationwithinitsauthorizationboundary.ThismeansthattheCSPisresponsiblefortheentirestack.Hence,theCSPisnot"leveragingorinheriting"anysecuritycontrolsfromanIaaS/PaaSauthorization.InorderforaSaaStoreceiveFedRAMPapproval,theunderlyingstackpieces(IaaS/PaaS)mustbeconsideredanddefinedinthesystemsecurityplan.

Q:IneedtodevelopaConfigurationManagementPlan(CMP);canyoupleasedirectmetosomeguidanceoratemplateforCMPs?

A: SecurityControlCM-9requiresCSPstodevelopaConfigurationManagementPlan(CMP)andthatPlanisarequireddocumentwithintheirsecurityauthorizationpackages.FedRAMPdoesnotprovideatemplateforCMPshoweverNISTSP800-128,GuideforSecurity-FocusedConfigurationManagementofInformationSystems,providesawealthofinformationaboutconfigurationmanagementandalsoprovidesasampleoutlineforaCMPinitsAppendixD:http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-128.pdf.

TIP:Securitycontrolimplementationscanonlybeinherited(leveraged)fromaCloudServiceOffering(CSO)thathasbeenapprovedandgrantedaFedRAMPProvisionalAuthorizationtoOperate(P-ATO)oranAgencyATO.

Itisveryimportanttoclearlyidentifywhatcontrolsorsectionsofcontrolsareinherited.SimilartotheCustomerResponsibilityRequirements,thecontrolwritermustidentifywhatsectionsofthecontrolareinheritedfromtheleveragedCloudServiceOfferingorotherentity.

|19

TheFedRAMPSSPtemplatesallhaveasectionforeachcontrol,labeled,"ControlOrigination".Withinthissectionistheareaforthecheckboxnamed,"Inheritedfrompre-existingFedRAMPAuthorizationforClickheretoentertext.,DateofAuthorization".

TheSSPwritershouldclearlyindicatewhatsectionsofthesecuritycontrolareinheritedandprovideadescriptionofwhatisinherited.Ifanentirecontrolisinherited,itmustbecleartotheAssessorwhatisinherited.Thewriterdoesnotneedtodescribehowtheleveragedserviceisperformingtheparticularfunction.ThatdetailisfoundintheSSPoftheleveragedsystemfromwhichthecontrolisinherited.

Ifapolicyhasbeenpublishedandisreferencedasisthebasisfortheimplementationoftheinheritedsecuritycontrol,makesurethatpublisheddocumentisprovidedasanattachment,orasupportingartifactwiththeSSPwhensubmittedforFedRAMPreview.

Inheritance

AccordingtoNISTSP800-53Revision4,securitycontrolinheritanceis"asituationinwhichaninformationsystemorapplicationreceives(fullinheritance)protectionfromsecuritycontrols(orportionsofsecuritycontrols,i.e.,partialinheritance)thataredeveloped,implemented,assessed,authorized,andmonitoredbyentitiesotherthanthoseresponsibleforthesystemorapplication;entitieseitherinternalorexternaltotheorganizationwherethesystemorapplicationresides."

Securitycapabilitiesprovidedbycontrolscanbeinheritedfrommanysourcesincluding,forexample,organizations,organizationalmission/businesslines,sites,enclaves,environmentsofoperation,orotherinformationsystems.Manyofthecontrolsneededtoprotectorganizationalinformationsystems(e.g.,securityawarenesstraining,incidentresponseplans,physicalaccesstofacilities,rulesofbehavior)areinheritablebyothersystems.Inaddition,therecanalsobeavarietyoftechnology-basedinheritablecontrols(e.g.,PublicKeyInfrastructure[PKI],authorizedsecurestandardconfigurationsforclients/servers,accesscontrolsystems,boundaryprotection,cross-domainsolutions).Bycentrallymanaginganddocumentingthedevelopment,implementation,assessment,authorization,andmonitoringofinheritablecontrols,securitycostscanbeamortizedacrossmultipleinformationsystems.

Inheritablecontrols,whetheremployedinorganizationalinformationsystemsorenvironmentsofoperation,mustbeauthorizedbyseniorofficialswithatleastthesamelevelofauthority/responsibilityformanagingriskastheauthorizationofficialsfortheinformationsystemsinheritingthecontrols.

Q:HowdoIwriteaBusinessImpactAnalysisrequiredbyFedRAMP?

A: FedRAMPdoesnotprovideaBusinessImpactAnalysistemplate.However,atemplatecanbefoundinNISTSP800-34Revision1,ContingencyPlanningGuideforFederalInformationSystems,datedMay2010;AppendixB—SampleBusinessImpactAnalysis(BIA)andBIATemplate

|20

Q:HowdoItreattheimplementationforSA-11(1)?

A: FedRAMPseesthatmanyCSPsfailtheSA-11(1)requirement.ThisistruenotbecausethecontrolfailsbutbecausetheCloudServiceProvider(CSP)failstodocumentthisenhancementintheContinuousMonitoringPlan.PleasebeawarethatControlEnhancementSA-11(1)mustbeimplementedforFedRAMPCloudServiceOfferings.SA-11(1)is"Theorganizationrequiresthedeveloperoftheinformationsystem,systemcomponent,orinformationsystemservicetoemploystaticcodeanalysistoolstoidentifycommonflawsanddocumenttheresultsoftheanalysis."ThentheSA-11(1)AdditionalFedRAMPRequirementwhichisalsoarequirementforSA-11(1)andSA-11(8):TheserviceproviderdocumentsintheContinuousMonitoringPlan,hownewlydevelopedcodefortheinformationsystemisreviewed.

Q:CanaCSPsimplygofromanAgencyATOtoaJABP-ATOwithoutgoingthroughtheJABAuthorizationeffort?

A: ACSPinterestedintransitioningtheirAgencyATOtoaJABP-ATOmustgothroughtheJABP-ATOprocess.EachAgencycanacceptvaryinglevelsofrisk,perFISMA,whengrantinganATO.TheJABworksinasimilarfashion,inthattheymustreviewtheentireauthorizationpackagetounderstandassociatedriskwiththesystemandmakeadecisionwhetherornottoissueaJABP-ATO.TheJABP-ATOprovidestheAgencycommunitywiththeassurancethattheJABentities(DoD,DHS,andGSACIOs)reviewedthepackageanddeemedtherisktobeacceptableforAgenciestoissuetheirownATOs.TheJABcannotacceptriskonbehalfofanyAgencywhichiswhytheJABauthorizationistitleda“ProvisionalAuthorization.”IfanAgencydecidestouseasystemwithaProvisionalAuthorization,theAgencywillneedtoissueitsownATOlettertoindicatethattheyaccepttheriskassociatedwithusingthesystem.WeaskthattheseATOsaresenttoinfo@fedramp.govforrecord-keepingandincidentresponsenotifications.

AJABProvisionalAuthorizationmaynotnecessarilybeoptimalforeverysystemandeveryCSP.Ingeneral,theJABgrantsProvisionalAuthorizationsforthosesystemsleveragedgovernmentwide.FedRAMPwasdesignedwiththeobjectivetoauthorizeasystemonceandreusethatauthorizationmanytimes.IfaCSPonlyhasoneortwoAgencycustomersshowinginterestinusingtheirsystem,itisjustasefficientfortheCSPtoobtainanauthorizationdirectlythroughtheoneAgencyofinterest.

TIP:TheCSPhasthemostsignificantresponsibilitybeforebeginningtheFedRAMPprocesses-adequatelyandaccuratelydefiningtheinformationsystemsecurityboundary.

|21

BeforeaCSPlaunchesintotheFedRAMPprocess,andbeforegettinga3PAOconsultantorassessorinvolvedintheprocess,aCSPshoulddraftanaccurateillustrationofthesystemauthorizationboundaryandallassociateddataflowdiagrams.

TheCSPsystemauthorizationboundaryillustrationmustincludenetworkandarchitecturediagram(s)andprovideawrittendescriptionoftheAuthorizationBoundary.Ensureeachdiagram:

§ Includesaclearlydefinedauthorizationboundary.§ Clearlydefinesserviceswhollywithintheboundary.§ Depictsallmajorcomponentsorgroupswithintheboundary.§ Identifiesallinterconnectedsystems.§ Depictsallmajorsoftware/virtualcomponents(orgroupsof)withintheboundary.§ Isvalidatedagainsttheinventory.

TheCSPsystemboundarydescriptionmustclearlydefinethefollowing:

§ Allsharedcorporateservices,withexplicitrationaleofanythatarenotwithintheboundary,suchasacorporateSecurityOperationsCenter(SOC)orcorporatesecurityawarenesstraining.

§ Allotherexternalserviceswithexplicitrationaleofanythatarenotwithintheboundarythatincludesallleveragedservices.

§ Allsystemsrelatedtobutexcludedfromtheboundary.

Inadditiontodescribingthese,alloftheservicesmustalsobedepictedeitherintheCSPsystemauthorizationboundarydiagramsorinseparatediagrams.

TheCSPsystemdataflowdiagram(s)must:

§ ClearlyidentifyanywhereFederaldataistobeprocessed,stored,ortransmitted.§ Clearlydelineatehowdatacomesintoandoutofthesystemboundary.§ Clearlyidentifydataflowsforprivileged,non-privilegedandcustomersaccess.§ Depicthowallports,protocols,andservicesofallinboundandoutboundtrafficarerepresented

andmanaged.

Thedataflowdiagramsmustbeaccompaniedbyawrittendescriptionofthedataflows.

IftheCSPboundaryisnotadequately/accuratelyrepresented,the3PAOwillidentifyboundarydeficienciesthatcouldleadtosubstantialdelaysintheCSPReadinessAssessmentprocess.

Q:HowdoesanAgencyrecognizeiftheCSP’sCloudServiceOffering(CSO)acceptsPersonalIdentityVerification(PIV)andCommonAccessCard(CAC)?

A:TheIA-2(12)IdentificationandAuthenticationAcceptanceofPIV/CACCredentialsisoneofFedRAMP’scriticalcontrols.Intable4-4oftheReadinessAssessmentReport(RAR)thefirst"Question"

|22

asksifthesystemsupportsfederaluserauthenticationviaCAC/PIVcredentials.IftheCSP’sanswertothisquestionis"no,"theyfailtheReadinessAssessmentReview.

Inordertosecurelyprovidethiscapabilityinthecurrent,secure,technologyenvironment,thismaybeaccomplishedthroughatypeofFederatedIdentityManagement.FederatedIdentityManagementisavailableasaserviceofferedbycertainFedRAMPCSPsintheirCSO.WhenaCSOacceptsGovernment-issuedPIVorCAC,thatCSPhaslikelyarchitectedtheirsolutiontoincludesometypeofFederatedIdentityManagement.

AteachCSPlevel,whetheranIaaS,PaaS,orSaaS,theCSPmayincludeintheirCSOaFederatedIdentityManagementsolution.AgenciesshouldvalidatethatIA-2(12)isindicatedasimplementedintheCSP'spackageandshouldvalidatethatthetestingintheSARindicatestheCSP'ssolutionadequatelymeetsthecontrolrequirement.

Q:Whattypesofsoftwaremustbeincludedintheinformationsystemboundary?

A:Intermsofcomputing,softwareisthevariablepartandhardwaretheinvariablepart.FedRAMPsoftwareinventorymusttakeintoaccountallthe"variable"parts.

Historically,applicationsoftwareisdividedintotwogeneralclasses:systemssoftwareandapplicationssoftware.FedRAMPrecognizesapplicationssoftwareandsystemssoftwarewhichincludestheoperatingsystemsandanyprogramthatsupportsapplicationsoftware.Applicationssoftwareisalsocalledend-userprogramsandincludessuchthingsasdatabaseprograms,wordprocessors,Webbrowsersandspreadsheets.Anapplicationprogram(apporapplicationforshort)isacomputerprogramdesignedtoperformagroupofcoordinatedfunctions,tasks,oractivitiesforthebenefitoftheuser.Thiscontrastswithsystemsoftware,whichismainlyinvolvedwithrunningthecomputer.Systemsoftwareisatypeofcomputerprogramthatisdesignedtorunacomputer'shardwareandapplicationprograms.Ifwethinkofthecomputersystemasalayeredmodel,thesystemsoftwareistheinterfacebetweenthehardwareanduserapplications.TheOperatingSystemmanagesalltheotherprogramsinacomputer.

FedRAMPrecognizesmiddlewareasprogrammingthatmediatesbetweenapplicationandsystemsoftwareorbetweentwodifferentkindsofapplicationsoftware.Middlewareiscomputersoftwarethatprovidesservicestosoftwareapplicationsbeyondthoseavailablefromtheoperatingsystem.Itcanbedescribedas"softwareglue".Aservice-orientedarchitecture(SOA)isastyleofsoftwaredesignwhereservicesareprovidedtotheothercomponentsbyapplicationcomponents,throughacommunicationprotocoloveranetwork.Thebasicprinciplesofservice-orientedarchitectureareindependentofvendors,products,andtechnologies.

FedRAMPalsorecognizesutilitysoftware,asapplicablewithinthesystem.Utilitysoftwareisalsoknownasautilityprogram,andautilitytool.Thisutilitysoftwaremayhaveitsownstripped-downOS;canbeinstalledseparatelyandusedindependently.Utilitysoftwareissystemsoftwaredesignedtohelpanalyze,configure,optimizeormaintainacomputer.Itisatypeofsystemsoftware,usedtosupportthe

|23

computerinfrastructureincontrasttoapplicationsoftware,whichisaimedatdirectlyperformingtasksthatbenefitordinaryusers.Autilityprogrammaybeonethatperformsaveryspecifictask,usuallyrelatedtomanagingsystemresources.Operatingsystemscontainanumberofutilitiesformanagingdiskdrives,printers,andotherdevices.

Ifyouinventoryallthesetypesofsoftware(includingallrelevantinformationconcerningeachpieceofsoftware,i.e.,version,patchlevel,date,etc.)withinyoursystemboundary,thenthechancesaregoodthatyouhaveincludedallrequiredsoftwareintheFedRAMPsoftwareinventory.

Q:ForcontrolRA-3,theFedRAMPparameterindicatesthattheresultsoftheriskassessmentshouldbedocumentedina"SecurityAssessmentReport."IsthisdocumentthesameastheSARthe3PAOproduces?

A: Yes-thisdocumentisthesame.FedRAMPdoesnotrequireaseparateriskassessment;theresultsoftheriskassessmentarereportedinthe3PAO'sSAR.

Q:WhenaddinganewserviceorfeaturetoaJAB-authorizedsystem,howdoesaCSPdeterminewhichprocesstofollow-theNewServicesOnboardingprocessortheSignificant Changeprocess?

A: Ifonboardingthefeatureorserviceseverelyimpactsthesecuritypostureofthesystem,theCSPshouldfollowtheSignificantChangeprocess.TohelpCSPsand3PAOsdeterminewhichprocesstofollow,FedRAMPhasdefinedthefollowingparametersforwhatconstitutesafeatureorservicethatqualifiesforonboarding:

§ Doesnotreplaceanexistingservice/featurepreviouslyincludedintheoriginalsystemassessment;

§ IsnotanoutsourcedservicebelongingtoadifferentCSP;§ DoesnotchangethecategorizationoftheCloudServiceOffering;§ Doesnotintroducevulnerabilitiesaffectingthecurrentsecuritypostureofthesystem;§ Doesnotaffecttheexistingsecuritycontrolsimplementationdetailsofanycontrolsascaptured

intheSystemSecurityPlan;and/or§ Doesnotaddauniqueoralternativeimplementationofanyofthesecuritycontrolsascaptured

intheSystemSecurityPlan

Q:HowaredatacenterstreatedforFedRAMPAuthorizations?

|24

A: DatacenterfacilitiesareincludedinFedRAMPauthorizationsbutthedatacenters,themselvesarenotspecificallyauthorizedseparatelyas"datacenters."Inotherwords,aserviceproviderthatoffersinfrastructure,platform,and/orsoftwareasaservicemustincludetheunderlyingdatacenter,i.e.,thephysicalproperty(ping,power,andpipe)withinitsauthorizationboundary.FedRAMPauthorizestheinfrastructure,platform,and/orsoftwareasaservice.

Q:HowshouldIuploadmypackagedocumentation?InwhichfileformatshouldthefilesbeandwhatfilesisFedRAMPlookingfor?

A: AllpackagedocumentationshouldbeuploadedtoMAX.govusingthefolderstructurethathasbeenprovided.Filesshouldbeuploadedintheirnativeformatbasedonthefile,i.e.,Word,Excel,PowerPoint.UploadingafileinitsnativeformatwillfacilitateFedRAMPreviewofyourdocumentationtoprovidequickerturnaround.Foracompletelistoftheappropriatefileformatsrequiredinacloudpackage,pleaseseetheFedRAMPInitialAuthorizationpackagechecklist(foundonfedramp.gov).ThischecklistcanbeusedforAgencyorJABAuthorizationstoprepareyourpackageorAnnualAssessmentforFedRAMPreview.

TIP:Authorizations(ProvisionalAuthorizationsandAgencyAuthorizations)arenow“ongoingauthorizations.”

OfficeofManagementandBudgetCircularA-130(OMBA-130),Subject:ManagingInformationasaStrategicResource,revised7/28/2016,enablesongoingauthorizationtomaintainthesecuritystateandtheriskpostureofthesystematthelevel(Low,Moderate,orHigh)asapprovedbytheinitialauthorization.OMBA-130requiresthatAgenciestestinformationsecurityandprivacycontrols,inanongoingmanner,atleastannuallybutataratethatisacceptabletoeachAgencies’riskposture.Theauthorizationletterissignedatinitialapproval.AgenciesmustcollaboratewithCSPstoensurethatcloudserviceofferingsaretestedandevaluatedatleastannually.

Pleasesee:

OMBA-130,pg.33

54.“Ongoingauthorizationisatime-drivenorevent-drivenauthorizationprocesswherebytheauthorizingofficialisprovidedwiththenecessaryandsufficientinformationregardingthesecurityandprivacystateoftheinformationsystemtodeterminewhetherthemissionorbusinessriskofcontinuedsystemoperationisacceptable.”

OMBA-130,AppendixI-19,sectione.SecurityandPrivacyAssessments

|25

“Agenciesmustensurethatperiodictestingandevaluationoftheeffectivenessofinformationsecurityandprivacypolicies,procedures,andpracticesareperformedwithafrequencydependingonrisk,butatleastannually.However,thisgeneralrequirementtotestandevaluatetheeffectivenessofinformationsecurityandprivacypolicies,procedures,andpracticesdoesnotimplythatAgenciesmustassesseveryselectedandimplementedsecurityandprivacycontrolatleastannually.Rather,Agenciesmustcontinuouslymonitorallimplementedsecurityandprivacycontrols(i.e.,system-specific,hybrid,andcommoncontrols)withafrequencydeterminedbytheAgencyinaccordancewiththeISCMandPCMstrategies.Thesestrategieswilldefinethespecificsecurityandprivacycontrolsselectedforassessmentduringanyone-yearperiod(i.e.,theannualassessmentwindow)withtheunderstandingthatallcontrolsmaynotbeformallyassessedeveryyear.”

TIP:MandatoryrequirementsforFedRAMPReadinessReviewsarejustthat-mandatory.

CSPsareresponsibleforunderstandingwhatittakesforthemtobe"FedRAMPReady."AnyCSPthatisconsideringtooptforModerateorHighbaselineFedRAMPReadinessshoulddownloadthemostrecentcopyofeithertheModerateorHighbaselineReadinessAssessmentReport(RAR)Templatefromfedramp.gov.EachpotentialCSPapplicantshouldreadthroughthedocumenttounderstandthecompulsoryitemsrequiredwithintheCloudServiceOffering.Thesecompulsoryrequirementscannothavealternateimplementationsandmustbeimplemented.

1. The"showstopper"requirementsarelocatedinRARSection4.1FederalMandatesforboththeModerateandtheHighBaselineCloudServiceOfferings.

2. AreFIPS140-2ValidatedorNationalSecurityAgency(NSA)-Approvedcryptographicmodulesconsistentlyusedwherecryptographyisrequired?

3. CanthesystemfullysupportuserauthenticationviaAgencyCommonAccessCard(CAC)orPersonalIdentityVerification(PIV)credentials?

4. IsthesystemoperatingattheminimumeAuthlevelforitsFIPS-199designatedlevelofoperation(Level3forModerate,Level4forHigh)?

5. DoestheCSPhavetheabilitytoconsistentlyremediateHighvulnerabilitieswithin30daysandModeratevulnerabilitieswithin90days?

6. DoestheCSPandsystemmeetFederalRecordsManagementRequirements,includingtheabilitytosupportrecordholds,NationalArchivesandRecordsAdministration(NARA)requirements,andFreedomofInformationAct(FOIA)requirements?

IfyouareaCSPlookingatthesefiverequirementsandyouanswer“No”toanyoneofthese,youarenot“FedRAMPReady.”Keepinmindthat,whiletheCSPcanincludecustomerresponsibilitiesassociatedwithmeetingsomeofthemandatoryrequirements,suchasPIVAcceptance,theymaynotpasstheresponsibilitytothecustomer.Asanexample,citingthePIVacceptance,theCSPmusthavethecapabilitytoacceptPIVs/CACsregardlessofthecustomer'smechanismforuseofPIVs/CACs.Soanalternativeimplementationisnotacceptable.

|26

FedRAMPrecommendsthatifaCSPisdeficientinanyoftheFedRAMPmandatoryrequirementsareas,theyseekassistancetodeterminethefeasibilityofarchitecting/re-architectingtheenvironmenttoaccommodatetheFedRAMPReadyrequirements.

TIP:ASaaSisresponsiblefortheentirestackif…

IfaSaaSisonaninfrastructureand/orplatformthatisnotFedRAMPauthorized,theSaaSCSPwouldeitherneedtoincludetheIaaS/PaaSinitsownauthorizationboundary(whichwouldbeindicatedintheReadinessAssessmentReport)ORwaitforthetheIaaS/PaaStobeauthorizedseparatelypriortosubmittingtheRAR.Alllayersneedtobeauthorizedorhavethepotentialtobeauthorized.

Assuch,aSaaSCloudServiceOfferingisresponsiblefortheentirestack(IaaS/PaaS/SaaS)iftheunderlyingIaaS/PaaSdoesnothaveaFedRAMPauthorization,eitheraProvisionalAuthorizationthroughtheJABoranAgencyAuthorization.TheSaaSisresponsibleforallthesecuritycontrolsthatarenormallyinheritedfromtheIaaS/Paas,suchastheping/power/pipeandrentedcagewithinthedatacenter,andforthephysical,environmental,andallotherrelatedcontrols.

IftheIaaS/PaaSarenotFedRAMPauthorized,theSaaSCloudServiceOfferingmayworkwiththedatacenterproviderthroughServiceLevelAgreementsand/orRentalAgreementstoensurethattherequirementsfortheping,power,pipe,cage,allphysical,environmental,andallrelatedsecuritycontrolsareimplementedpertheappropriateFIPS199Level(Low,Moderate,orHigh).Intheagreement(s),theSaaSCSPmustensurethatthedatacenterproviderhastheappropriatelevelofsecurityimplementedtoensurethesecurityoftheSaaS.

Q:WhyshouldaCSPuseanaccredited3PAOwhenpursuingaFedRAMPAgencyATO?

A: WhilethereisnospecificrequirementforanAgencytorequirethattheaCSPuseaFedRAMPaccredited3PAOtoperformthesecurityassessment,FedRAMPrecommendsthatAgenciesrequireCSPstoengageaFedRAMPAccreditedAssessortoevaluatetheimplementationoftheFedRAMPbaselinesecuritycontrols.

CSPsthatseekaJABP-ATOmustuseaFedRAMPAccreditedAssessor.CSPssubmittinganAgencyAuthorizationpackagemayhavetheircloudsystemassessedbyanAgency-validatedIndependentAssessor.However,FedRAMPhasnoinsightandcontroloveranAgency-validatedindependentassessor.TheAgencyhasnorecourseandmusthaveanotherassessmentperformed,ifanAgency-validatedIndependentAssessorprovidestheAgencyadeficientsecurityassessmentinwhichthesecurityoftheCSPsystemisinappropriately/poorlytested.UsingaFedRAMPAccredited3PAOprovidesgreaterconfidencetootherleveragingAgenciesastotherigoroftheinitialpartneringAgency'sassessment.Furthermore,iftheCSPintendstolaterpursueaJABP-ATO,therigorprescribedbythe

|27

FedRAMPAccredited3PAOtotheassessmentprocessprovidestheCSPwithamoreaccurateunderstandingoftheirriskposturefromatrueFedRAMPperspectiveandtheirreadinesstopursueaJABP-ATO.

Q:WhataresomefrequentlyaskedquestionsforCSPswhocurrentlyholdanAgencyAuthorizationtoOperate(ATO)attheModeratelevel,butwishtoapplyforanAgencyHighBaselineAuthorization?

A:ForsomeCSPs,theATOtransitionbetweenaModeratebaselineandaHighbaselineissimplebecausethesysteminquestionwasoriginallyarchitectedattheHighbaselinelevelbuttheCSPoptedfortheFedRAMPModeratebecausethatisallFedRAMPofferedatthetime.

ForotherCSPswhowishtotransitiontothehighbaseline,FedRAMPrecommendsthattheCSPandtheattesting3PAOdownloadacopyoftheFedRAMPHighReadinessAssessmentReport(RAR)TemplatefromtheFedRAMPwebsiteandreadthroughthecontentsoftheRARtounderstandthedepthofscrutinyrequiredforaHighBaselinesystem.

Herearesomefrequentlyaskedquestionsregardingthistransition:

1. IstheATOtransitionbetweenaModeratebaselineandaHighbaselinemerelyanamendmenttotheModerateATO?OrwillthisprocessinvolveanewATO?

Answer:TheHighBaseline(HBL)AuthorizationisanewAuthorizationattheHighBaselinelevel.ThisrequiresthattheCSPengagewithapartneringAgency(eitherexistingornew)andaFedRAMP-accredited3PAOorotherindependentassessortomaneuverthroughtheHBLAuthorizationprocess;i.e.,capturingHBLrequirementsintheSSPandattachments,undergoingtestingoftheHBLcontrols,ataminimum,andre-authorizationoftheServiceattheHBLlevel.Thisassumesthatthecloudservice’smoderate-leveltestingiscurrentandcompliantwithFedRAMPguidelines.

2. IsthereaFedRAMP-approveddocumentthatspeakstothe“net-new”controlsbetweentheModeratebaselineandtheHBL?

Answer:No.Basedontheextentofthecontrolandparameterchanges,theCSPmustreviewtherequirementsasenumeratedintheHighBaseline(HBL)SSPtemplate,andtheHBLRARtemplatetoensurethattheCSPorganizationalarchitecturewillsupporttheHBLrequirements.Further,thereviewwillensurethatthecloudservicearchitecturecanmeettheHBLrequirements.

3. ArethereanysignificantnewrequirementsforNewSystems?

Answer:Yes.TherearechangesincorporatedinthecurrentFedRAMPHBLsetofcontrolspostedontheFedRAMPwebsite,basedontheFedRAMPPMOandJointAuthorization

|28

Board(JAB)collaboration.Someofthechangeswereadditionalcontrols;otherchangesweremorestringentparametersandAdditionalGuidance.PleaseseetherequirementsintheHBLSSPtemplate,andtheHBLReadinessAssessmentReporttemplate.SomeexamplesofchangesintheHBLrequirementsinclude:

a. Moreemphasisisplacedontheuseofautomationforcontrolimplementationsb. AllCSOservicesmustbeincludedintheauthorizationboundaryc. TheeAuthrequirementis"Level4"(includesin-personidentityproofing)versusthe

Moderate"Level3orhigher"

Thereareaddedcontrolsthatareparticularlychallenging,eitherintermsofresourcesortechnicalcomplexity,baseduponthecloudservicearchitecture,i.e.,SC-3SecurityFunctionIsolation

Q:OneoftheModerateandHighRARFederalMandatesthatisoverlookedis(5.)DoestheCSPandsystemmeetFederalRecordsManagementRequirements,includingtheabilitytosupportrecordholds,NationalArchivesandRecordsAdministration(NARA)requirements,andFreedomofInformationAct(FOIA)requirements?WhatdoesthisreallymeantoaCSP?

A: SincetheFedRAMPmandateisarequirementthatmustbemet,itisimportantthattheCSPunderstandstheFederalRecordsRetentionRequirementstoachievecompliance.SinceCSPsstore,transmit,andprocessGovernmentdata,aCSPmustbeawarethatthereareretentionschedulesprovidedbyNARAthatgovernthedispositionofthesefederalrecords.FromtheAgencyperspective,theAgencyprogramofficialsarerequiredtocoordinatewithAgencyrecordsofficersandwithNARAtoidentifyappropriateretentionperiodsanddisposalmethods.SinceCSPsandtheCSOsarenowmostlythedefactocloud-basedkeepersofthefederalrecords,CSPsmustunderstandtheNARAandFOIArequirementsforthefederaldataandinformationthatistraversingandbeingheldintheCSPsystem.Therequirementsshouldbefullyoutlinedinthecontractawardinformation,butitisincumbentupontheCSPcontractorstounderstandFederalRecordsManagementRequirements.ThebasicrequirementsforFederalRecordsManagementcanbefoundat:

https://www.archives.gov/about/regulations/regulations.html

RegardingFOIA,“Since1967,theFreedomofInformationAct(FOIA)hasprovidedthepublictherighttorequestaccesstorecordsfromanyFederalAgency.Itisoftendescribedasthelawthatkeepscitizensintheknowabouttheirgovernment.FederalAgenciesarerequiredtodiscloseanyinformationrequestedundertheFOIAunlessitfallsunderoneofnineexemptionswhichprotectinterestssuchaspersonalprivacy,nationalsecurity,andlawenforcement.”

Currently,additionalinformationfortheFOIAcanbefoundhere:

https://www.foia.gov/index.html

|29

TheFOIAappliestoallfederalAgencies,whichmeansitdoesnotapplyto:

§ TheJudicialBranchandFederalCourts§ TheLegislativeBranchandCongress§ StateGovernmentsandCourts

Q:IsthereanestablishedprocessforwhatissupposedtooccurwhenownershipofanauthorizedservicetransfersfromoneCloudServiceProvider(CSP)toanother?

A: IftherewereNOchangestotheservice,NOchangetothesecurityposture,NOchangetotheriskmanagementstrategyoftheoverallorganization,anditwassimplyanamechange,thentheprocesscouldbeaseasyasnotifyingtheAuthorizingOfficial(s)ofthenamechange.ThiscouldbeaddressedasanadministrativechangebasedupontheAOdetermination.TheCSPshouldnotifyFedRAMPalso,ofthechange.TheCloudServiceOfferingauthorizationpackagedocumentationshouldbechangedaswelltoreflecttheownershipchange.

Moreoftenthannot,whenserviceschangeowners,organizationalpoliciesandprocedureschangewhichchangesthesecuritypostureandtheriskmanagementstrategyofthesystem.Changeslikethisaresignificantandmustbedocumentedappropriately.Ifthatisthecase,theCSPshouldaccountforandmakeassociatedupdatestotheCSOpackageasearlyaspossible.ThechangesmustbeclearlydocumentedandsubmittedtotheAOforreviewandapproval.

Ofcourse,theCSPandinvolvedAgencieswillneedtofacilitatecontractualchangestoreflectthechangeofownership.

Q: DoesFedRAMPstillassignInformationSystemSecurityOfficers(ISSOs)toeachCloudServiceProvider(CSP)thatisengagedintheJointAuthorizationBoard(JAB)provisionalauthorizationprocess?

A:FedRAMPnolongerhasFedRAMPISSOsassignedtoeachCSP.Now,eachCSPhasadirectrelationshipwithaprimaryandsecondaryJABReviewer.EachCSPshouldensurethattheSSPdocumentation,whenreferringtodesignatedcontacts,ischanged(forexample,changing“FedRAMPISSO”to“PrimaryJABReviewer”and“SecondaryJABReviewer.”

Pleasenotethatintherecentpast,the“JABReviewer”wascalledthe“JABTechnicalReview-Reviewer.”SincetheFedRAMPJABProvisionalAuthorizationadjustments,andtheshiftingoftheresponsibilities,theJABTechnicalReview-Reviewerisnowcalledthe“JABReviewer.”

|30

Q: WhensubmittingacompletedauthorizationpackagetoFedRAMP,whatarethethreecategoriesoftestingevidencewithtimelinesscriteria?Pleasedefinethetimelinesscriteriarequired.

A: Thethreecategoriesoftestingevidencewithtimelinesscriteriaarepenetrationtesting,securitycontrolstesting,andvulnerabilityscanning.VulnerabilityscanningmustbeforOperatingSystem(OS)/infrastructure,databases,andwebapplicationcomponents.TheCSP/3PAOmustensurethattheassociatedtestingevidenceisconsidered“timely”bythePMO(JAB&PMOfollowsamerequirements).

TimelinessRequirementsforPenetrationTesting

§ WhensubmittingacompletedauthorizationpackagetoFedRAMPtobegintheJABP-ATOprocess,thePenetrationTestcannotbeolderthan6months

§ CSPsshouldensurethePenetrationTestisexecutedascloseaspossibletoaCSP’ssubmissionoftheauthorizationpackage

§ OnceaJABP-ATOisgranted,CSPsmusthavea3PAOcompleteanewPenetrationTestatminimumonceayear

TimelinessRequirementsforSecurityControlTesting

§ WhensubmittingacompletedauthorizationpackagetoFedRAMP,securitycontroltestingevidencemustbecurrentwithin:

- 120days,ifthesystemdoesnothaveanexistingFedRAMPAgencyauthorization- 12months,ifthesystemhasanexistingFedRAMPAgencyauthorization

TimelinessRequirementsforVulnerabilityScanning

§ WhensubmittingacompletedauthorizationpackagetoFedRAMPtobegintheJABP-ATOprocessortheAgencyATOprocess,thescanscompletedbya3PAOandreflectedintheSecurityAssessmentReport(SAR)mustbecurrentwithin120days

§ Additionally,CSPsmustsubmitscansandaPOA&Mcurrentwithin30dayspriortothedateoftheJABP-ATOprocesskickoff

§ DuringtheJABP-ATOprocessandafterwards,vendorsmustsubmitmonthlyvulnerabilityscans,inaccordancewithsecuritycontrolsRA-5andRA-5(5);andmatchingPOA&Ms,inaccordancewithsecuritycontrolCA-5

§ AgencyATOsystemsshouldbesubmittingtimelymonthlyscanresultsandPOA&MstothepartneringAgency(ies)

TIP:WhensubmittingaReadinessAssessmentReportoranauthorizationpackage,besuretosendanemailnotificationtoinfo@fedramp.gov

|31

CloudServiceProviders(CSPs),PartneringAgencies,and/orThirdPartyAssessmentOrganizations(3PAOs)mustsendanemailnotificationtoinfo@fedramp.govtolettheFedRAMPPMOknowexactlywhenanAgencyFedRAMPPackageoraReadinessAssessmentReport(RAR)ispostedtoOMBMAX.BecauseboththeRARandtheCSPpackageculminatesintheSecurityAssessmentReport(SAR)andthe3PAOrecommendationtotheAuthorizingOfficial(AO)concerningtheriskpostureand/orauthorizationofthesystem,itisidealifthe3PAOuploadsthedocumentation.ThisemailnotificationfacilitatesthebeginningoftheprocesstogettheCloudServiceOffering(CSO)PackageintotheFedRAMPprocessorattheleastgettheAOMemopostedtothewebsite.TheOMBMAXfacilitatorwillsetuptheCSOpackageskeletononMAXintowhichthepackageisuploaded.OtherencryptionpoliciesapplyiftheCSOisaHighBaselinepackage.

PleasebeadvisedthatOMBMaxsubmissionsdonotgenerateanautomaticnotificationtotheFedRAMPPMOatthistime.IfaRARorauthorizationpackageissubmitted,butthePMOisnotmadeawareofthesubmission,thereviewwillbedelayed.

Q: AreCSPsrequiredtoperformbackgroundchecksonstaffmembers?

A:Yes.PersonnelSecurity(PS)-3PersonnelScreeningisrequiredforallFedRAMPdefinedbaselines(High,Moderate,Low,andFedRAMPTailored).Specifically,thecontrolrequirementisthattheorganization:

a. Screensindividualspriortoauthorizingaccesstotheinformationsystem;andb. Rescreensindividualsfornationalsecurityclearances-areinvestigationisrequiredduringthe

5thyearfortopsecretsecurityclearance;the10thyearforsecretsecurityclearance;and15thyearforconfidentialsecurityclearance.Additionally,formoderaterisklawenforcementandhighimpactpublictrustlevel,areinvestigationisrequiredduringthe5thyear.Thereisnoreinvestigationforothermoderateriskpositionsoranylowriskpositions.

Theobjective/intentofpart(a)ofthisPS-3controlistoensurethattheCSPelaboratesuponwhattypeofpersonnelscreeningisaccomplishedbeforethepersonnelareallowedsystemaccess.TheCSPmustbeawarethatwhencontractingwiththeFederalGovernmentitisatthediscretionofthepartneringAgencytodeterminewhatlevelofpersonnelscreeningmustbeaccomplished.SincetheCSPiscontractingandactingonbehalfoftheAgency,theCSPisrequiredtofollowtheAgencyrequirementsforsuitabilitytoperformservicesonbehalfoftheAgency.

Further,forFedRAMPModerateandHighbaselinesystems,PS-3(3)PersonnelScreening|InformationwithSpecialProtectionMeasures,thecontrolrequirementisthattheorganizationensuresthatindividualsaccessinganinformationsystemprocessing,storing,ortransmittinginformationrequiringspecialprotection:

a. Havevalidaccessauthorizationsthataredemonstratedbyassignedofficialgovernmentduties;and

b. Satisfypersonnelscreeningcriteria–asrequiredbyspecificinformation.

|32

NISTSupplementalGuidance:

Organizationalinformationrequiringspecialprotectionincludes,forexample,ControlledUnclassifiedInformation(CUI)andSourcesandMethodsInformation(SAMI).Personnelsecuritycriteriainclude,forexample,positionsensitivitybackgroundscreeningrequirements.

TIP:ACSPusingnon-USpersonstosupporttheirsystemisFedRAMPcompliantbutwillfindtheirmarketlimitedamongFederalAgencies.

Usingnon-USpersonstosupportaFedRAMPsystemisabusinessdecisiontheCSPmustmake.ThereisnoFederalrequirementaboutcitizenship.SomeAgencieshavenoissuewiththeuseofnon-USpersonssupportingthesystem;however,manyAgencieshavetheirowncitizenshiprequirements.ForsomeAgencies,therequirementisblanket.Forothers,itmaydependonthesensitivityofthesystem.

Q:WhodoIcontactifIhavechangestotheinformationthatIsubmittedinmyCSPInformationFormortheinformationthatisdisplayedonmyFedRAMPMarketplacepage?

A: Pleaseemailinfo@fedramp.govtorequestanychangesand/orupdatestoinformation(e.g.,offering,description,pointofcontact).

TIP:US-CERThasupdatedincidentresponseguidance(effectiveApril1,2017).

https://www.us-cert.gov/incident-notification-guidelines

Organizationsmustreportinformationsecurityincidents,wheretheconfidentiality,integrity,oravailabilityofafederalinformationsystemwiththerequireddataelements,aswellasanyotheravailableinformation,withinonehourofbeingidentifiedbytheorganization.Insomecases,itmaynotbefeasibletohavecompleteandvalidatedinformationpriortoreporting.Organizationsshouldprovidetheirbestestimateatthetimeofnotificationandreportupdatedinformationasitbecomesavailable.Eventsthathavebeenfoundbytheorganizationnottoimpactconfidentiality,integrityoravailabilitymaybereportedvoluntarily.

Q:Whatisthefirststeptomovefromamoderatesystemtoahighsystem?

|33

A:PleasevisittheFedRAMPTemplatespageandfindtheFedRAMPFIPS-199CategorizationChangeFormTemplateunderthe“ContinuousMonitoring”section.Oncetheformiscompleted,sendtheform,alongwiththeletterfromanAgencydemonstratingdemand,toinfo@fedramp.gov.YourJABreviewerwillthencontactyouregardingtherequest(withrequestforclarification,approval,ordenial).

Q:HowdoIgetaccesstomyCertificateofCompletionafterIcompleteTrainingmodule300-G?

A:Todownloadandprintyourcoursecertificateyoumustfirstcompletethe3PAORARTraining,3PAORARFinalExam,andFedRAMPCourseSurvey.ThesetrainingscanbeaccessedonourFedRAMPTrainingpage.Oncethecoursesurveyiscomplete,clickonthebox‘MarkedReviewed’belowthedescription.Thisactionwillrefreshthescreenandbringupyourcoursecertificate.Toviewthecoursecertificate,clickonthebox“MarkedReviewed”andthenclickon“Certificate”intheupperleft-handindexunder“StartHere.”Thisactionwillbringupanotherwindowwiththecertificateandyoucanprintitusingthecontrolsontheright.

Q: TheAgencyI’mworkingwithrequiresthattheirdatabecryptographicallyprotected.WhatrequirementsmustIfollow?

A: AnysystemthathandlesGovernmentdatamaybethetargetofacyber-attack,particularlythosesystemswithsensitivedata.Becauseofthis,ifanAgencyrequiresthattheirdatamustbecryptographicallyprotected,thenFIPS140-2applies,andcryptomodulesmustbevalidatedusingTransportLayerSecurity(TLS)services.

Version1.2iscurrentlythemostsecure;however,version1.3isindraftandmaycausecompatibilityissueswhenitisreleasedbecauseitwillnotsupportmanyobsoletecryptofeatures.

TotakeadvantageofthebenefitsofTLS1.2,itisimportanttouseaTLSservice(e.g.library,webframework,webapplicationserver)thathasbeenFIPS140-2validated.Inaddition,thecryptomodulemustbeinstalled,configuredandoperatedineitheranapprovedoranallowedmodetoprovideahighdegreeofcertaintythattheFIPS140-2validatedcryptomoduleisprovidingtheexpectedsecurityservicesintheexpectedmanner.

IfthesystemisrequiredtouseFIPS140-2encryption(i.e.,ownedoroperatedbyoronbehalfoftheU.S.Government),thenTLSmustbeused,andSSLdisabled.Formoreinformationonthis,seeSection7.1(nowD.2)ofImplementationGuidanceforFIPSPUB140-2andtheCryptographicModuleValidationProgram.

Cryptographicmodulesvalidationlistingscanbefoundat:https://csrc.nist.gov/projects/cryptographic-module-validation-program/module-validation-lists

|34

Cryptographicalgorithmvalidationlistingscanbefoundat:https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation

Q: IalreadyhaveaProvisionalAuthorizationtoOperate(P-ATO)withtheJointAuthorizationBoard(JAB).Isnon-complianceonaparticularcontroloronbusinessissuesallowed?

A: OnceaCSPachievesaP-ATO,itisincumbentonthemtomaintaintheirauthorizationtothebestoftheirability.Anynon-compliancemustbeaddressedexpedientlyandtothesatisfactionoftheJAB.Thisincludesensuringconsistent,successfulmonthlycontinuousmonitoringwithremediationsandannualassessments.CorrectiveActionPlans(CAPs)willbeinstitutedifdeemednecessary.Thisleveloffidelityisnecessarytoensurethesecurityofgovernmentdataandsystems.

5. PROFESSIONAL WRITING TIPS

TheFedRAMPauthorizationprocessrequirescloudserviceproviders(CSPs)and3PAOstodevelopalargenumberoftechnicallywrittendocuments.HerearesometipsfromourQualityManagementteamonhowtowritetoawell-writtendocument.

Writeshortsentences.

Sticktoasingleideaineachsentence.Structurethemwithbulletedlistsinmanycases.Avoidasentencelikethis:“InordertofulfillcontrolrequirementXX-Y,thesystemimplementsfeatureQ,controlledbyparametersinitializedtofactorysettingsZZZ,andchangedinaccordancewiththehistoryofuserrequeststonewsettingstosolveanyrevealedproblems,reviewedmonthlybytheproductmanager.”

Sayrather:

§ “ControlrequirementXX-Yissatisfiedasfollows:§ FeatureQisusedtofulfillthisrequirement.§ FeatureQisinitializedtofactorysettingsZZZ.§ Theproductmanagerreviewsthepastmonth’suserrequests.§ Theproductmanagerchangesthesettingsbasedonthepastmonth’suserrequests.§ Thenewsettingsaredeterminedaccordingtothefollowingtable:”[Youshouldincludeatable

hereshowingcriteriaforchangingthesettings.]

Eachtimeanewversionofadocumentis“published,”theversionnumbershouldbeincremented,andthedateofpublicationshouldbecomethedocumentdate.

|35

Thedocumentshouldbemarkedwiththesetwoimportantitemsonthecoverpageataminimum.Ideally(andwhererequiredbytemplates)theversionanddateappearalsoinadocumentrevisionhistoryandintheheaderorfooterofeverypageofthedocument.Formajorrevisions,incrementthewholenumbertotheleftofthedecimal.Forminorrevisions,incrementthenumbertotherightofthedecimal.

Forexample,theinitialSSPwouldstartoutasVersion1.0.AstheCSPrevisestheCSPinresponsetoJABTRcomments,theSSPversionnumbershouldincrementto1.1,then1.2,etc.AsaCSPtransitionsfromNISTSP800-53Rev3toRev4,theresultingSSPversionnumberwouldchangeto2.0.ThenastheSSPisrevisedasaresultofISSOorJABfeedbacktheversionwouldchangeto2.1andthento2.2foreach“published”revision.

Reviewers,auditors,andusersofthesedocumentsrelyoncorrectversionnumbersanddatestoensuretheyarelookingatanappropriateversionofadocument.Propermanagementofdocumentversionnumbersanddateseliminatesambiguityastowhichversionofadocumentisthelatestandwhenitwentintoeffect.

Q:Whenisitappropriatetouse“bytes”andwhenshouldIuse“bits”?

A:Youmayalreadyknowthisandtherecanbeexceptionsbutasaruleofthumb:

Whendiscussingstorage,sizeisexpressedin“bytes.”Whendiscussingcommunications,speedsaretypicallyexpressedin“bitspersecond.”Storageincludestapebackup,SAN,RAM,ROM,disks,thumb-drives,etc.andstoringprogramfilessuchasexecutables,OS’,MicrosoftOAfilessuchasWord/Excel,andpictures,sizeisexpressedinbytes(KB,MB,GBandSANandtapestoragecanbeterabytes(TB)andpetabytes(PB)).Asanexample,GSA’semailgatewayhasalimitofa45MB(megabytes)fileattachmentsize.

Communicationsspeedsandsizes,ontheotherhand,areexpressedin“bitspersecond.”GSA’sInternetlinksareprobably1Gbps(gigabitspersecond).CorporateWideAreaNetworksanddatacenterbackbonesaretypically10Gbpsandcommunicationsbetweenworkstationsandserversaretypically100Mbps(megabitspersecond)or1Gbps.Wi-Fi,thesedays,isatleast54Mbpsandgettingfaster.

So,bytesforstorage,andbitspersecondforcommunications.

Bewaryofusingpronounsinyourwriting.

Alwaysbeabsolutelyclearwho,orwhatorganization,isresponsibleforanaction.Itismuchbettertorepeattheresponsibleparty’s/organization’snamethantoleavethereaderindoubtastowhoorwhatapronounrefersto.

|36

Inyourwrittenwork,alwaysrefertothesameperson,position,orthingbythesamename.Avoid,forexample,calling“thetestteam”byothernames,like“thetestgroup,”“thetesters,”or“theevaluationteam.”

ProvideallrelevantinformationfortheJABTRstopreventslowingdownthereviewprocess.

WhenreviewingeachoftheNISTSP800-53Revision4controls,besuretoreadthecontroldescriptionthoroughlytounderstandthenounsandtheverbsineachoftheindividualrequirementsforeachindividualsecuritycontrol.Oncethewriteridentifieswhoorwhatshouldbeperformingtheaction(s),thenprovideadescriptionregardinghowtheactionisand/ortheactionsareperformedwithintheenvironment.Besuccinctforeachactionverb,i.e.,“monitors”and“updates”.Thewritermustdescribehowsomethingismonitoredandthenhowsomethingisupdated.(Pleasenotethatmanytimesthemonitorsandupdatesrequireaspecificfrequency,aswell.)TheNISTSP800-53ARevision4testingcriteriacanbeusedasthecrossreferenceforeachofthesecuritycontrolsinorderthatthewriterunderstandtheobjectivesforeachcontrol.

Q:Whichisthebettersentence?“ThereportissenttotheAgency.”OR“TheContractor’sProjectManagersendstheMonthlyStatusReporttotheAgencyProgramManagerbythefifthdayofeachmonth.”

A:Thefirstsentenceiswritteninpassivevoice.ItdoesnotspecifywhosendsthereportorwhichAgencywillreceiveit.

Tip:SendalldocumentsandwritinginanActiveVoice.Writinginactivevoicegivesclarityandspecificity–amustforallFedRAMPdocumentation.

Manyreaderscommonlyconfusethemeaningsofi.e.ande.g.I.e.ande.g.arebothabbreviationsforLatinterms.I.e.standsfor“idest”andmeansroughly“thatis.”E.g.standsfor“exempligratia,”whichmeans“forexample.”Itisbesttowriteoutthemeaningsoftheseabbreviationstoavoidanymisunderstanding.

Avoidusing“etc.”Ifanitemisimportantenoughtobeinalist,thenitisimportantenoughtoname.Onlyuse“etc.”ifitiscompletelyclearhowtherestofthelistwillrun.Alternatively,explainthecharacteristicsoftheitemsinthelist,andthensay,“Forexample.”

Beconsistentwithyournamingconventions.Alwayscallthesamethingbythesamenamethroughoutyourwrittenwork.

EXAMPLE:“TheEmergencyResponseTeamshallresolveallproblemswithinfourhoursofreceivingareport.Onceaproblemisfixed,theresponseteamleaddocumentsthesolutionandsendsthe

|37

requestingteamthecorrectionreport.”Thissentencecalls“TheEmergencyResponseTeam”byanothername,“responseteam.”Theseareprobablythesame,butthedifferentnamesanddifferingcapitalizationcanbeconfusing.Additionally,whattheEmergencyResponseTeamdoesisreferredtowiththreedifferentverbs:resolve,fix,andcorrect.Sticktoonenameandtrytosticktooneverbthataccuratelydescribestheaction.

6. READINESS ASSESSMENT REPORT

TIP:WhensubmittingaRARorRARupdate(3PAOs)oranauthorizationpackage(CSPsorAgencies),besuretosendanemailnotificationtoinfo@fedramp.gov.

SubmissiondoesnotgenerateanautomatednotificationtoPMOatthistime.SometimesRARsandauthorizationpackagesaresubmitted,butPMOisnotmadeawareofthesubmission,tobeginreview.

Wealsoaskthatyouemailinfo@fedramp.govandgiveusatleasttwoweeksadvancenoticeBEFOREyousubmitanyauthorizationforreviewtoOMBMAX.

Bygivingusadvancenoticeofyouranticipatedsubmissiondatethroughinfo@fedramp.gov,theFedRAMPPMOcanensureourreviewsarecompletedinapromptandefficientmanner.OurgoalistocompleteourreviewsasquicklyaspossibleandinturnupdateyourCSP’sstatusontheFedRAMPMarketplaceto“Authorized”asclosetoyourAgencygrantinganATOaspossible.

Withoutprovidinguswithanestimatedcompletiondateandprovidingatwo-weekwarning,wewillbeunabletoensurewehavetheappropriateresourcesandcommittoyouthatourreviewwillbecompletedinatimelymanner.

Ifyouhaveanyquestionsaboutthisrequest,placedonothesitatetoreachouttoinfo@fedramp.gov.

7. SECURITY ASSESSMENT PLAN (SAP) & SECURITY ASSESSMENT REPORT (SAR) DOCUMENTS

TIP:Findingsthatthe3PAOhasvalidated/determinedtobeFalsePositivesareNOTincludedintheP-ATOSARPOA&M.

Otherwise,theyaresimply“findings”whichneedtobeincludedintheP-ATOSARPOA&M.However,ifthefindingsthatthe3PAOdeterminedtobe“FalsePositives”intheP-ATOSARarenotapprovedby

|38

JAB,thenatContinuousMonitoringphase,thosefindingsmustbeaddedtotheConMonPOA&Mfortrackingthroughthemonthlyreportinguntilremediated.(Note:Thesefindingsaredeliberatelynotcalled“FalsePositives”becauseatthatpointtheywillhavebeendeterminedtobesimply“openfindings.”)

Q:Whatisthe3PAO’sresponsibilityifitisnotconductingthevulnerabilityscanningforanassessment?

A:Ifthe3PAOisnotconductingthevulnerabilityscanningforanassessment,thentheSecurityAssessmentPlan(SAP)shouldidentifythealternativemethodology.The3PAOshoulddescribeprocessestoensureintegrity,completeness,accuracy,reliability,andtheindependentnatureofthescanresults.Ataminimum,the3PAOisresponsiblefor:

§ Reviewingscanningtoolstoensurethetoolsareappropriatelyconfiguredbeforethescansareexecuted(i.e.,describingwhattheappropriate/expectedconfigurationsarethatwillbeverified)

§ EnsuringscanscomplywiththeFedRAMPJABP-ATOVulnerabilityScanRequirementsGuide§ Overseeingandmonitoringscansfrominitiationtocompletion§ Describingtheprocedurestoensurechain-of-custodyofthescanresults

Q:WhendevelopingaSystemAssessmentPlan(SAP),howshoulda3PAOselectwhichcontrolstoassess?

A:GuidancedocumentsforselectingcontrolstoincludeintheSAPcanbefoundontheFedRAMPwebsite.ForAnnualAssessments,asanexample,the3PAOshouldselectcoresecuritycontrols,aswellasothercontrolsrequiredbytheCSP,allcontrolsthathaven’tbeentestedwithinthethree-yearcycle,andcontrolsthatwerePlanofActionandMilestones(POA&M)items,involvedwithDeviationRequests,etc.

Asatip:WhendevelopingtheSAP,3PAOsshouldreviewthecontrolslistedintheclosedPOA&Msasabasisfortheselectionofcontrolstoassess.Then,insteadoffulltestingofthecontrol,simplyassesstheremediationactions/documentationassociatedwiththeclosedPOA&MtoensurethespecificissuenotedinthatPOA&Mwasaddressed.

Q:Whatisthethirdpartyassessmentorganization’s(3PAO)responsibilityifitisnotconductingthevulnerabilityscanningforspecificcontrolsinanassessment?

|39

A:Generally,anassessmentbythe3PAOincludesseveralmethodologies:personalinterviews,documentandevidencereviews,vulnerabilityscanning,andpenetrationtesting.TheSecurityAssessmentPlan(SAP)shouldaddresstheassessmentmethodologyindetailsothatitcanbereviewedandapprovedpriortoassessmenttesting.Forvulnerabilityscanning,3PAOresponsibilitiesinclude:

§ Reviewingscanningtoolstoensurethetoolsareappropriatelyconfiguredbeforethescansareexecuted(i.e.,describingtheappropriate/expectedconfigurationsthatwillthenbeverified)

§ EnsuringscanscomplywiththeFedRAMPJABP-ATOVulnerabilityScanRequirementsGuide§ Overseeingandmonitoringscansfrominitiationtocompletion§ Describingandexecutingtheprocedurestoensure3PAOchain-of-custodyofthescanand

results

Q:WhencompletingtheSecurityAssessmentReport(SAR),isitappropriatetoassignthesamevaluestotablesES-1andF-1/F-2iftherearenoPOA&Mentriesintheinitialassessment?

A:ItisnotappropriatetoassignthesamevaluestotablesES-1andF-1/F-2iftherearenoPOA&Mentriesintheinitialassessment.SARTableES-1representsthetotalrisktothesystembeingassessed,whiletablesF-1andF-2representonlythefindingsfromtheassessmenttestingitself.

Forinitialassessments,thefindingsrepresentthetotalrisktothesystem,thustableES-1endsupwiththesametotalsastablesF-1andF2.Forannualassessments,POA&Mitemsnotduplicatedthroughtestingarealsopartofthetotalsystemrisk,thustableES-1totalsmustreflectbothtestingtotalsandPOA&Mtotalsafterduplicateshavebeenidentifiedandremovedfromthecount.

Q:IstheCSPresponsibleforensuringthequalityoftheworkperformedbythe3PAO?

A:Whileaccredited3PAOsperformsecurityassessmentsofFedRAMPcloudservices,itistheCSPthatisresponsibleforall3PAOactivitiesanddeliverablesrelatedtotheassessmentoftheircloudoffering.TheCSPmanagesandoverseestheseactivitiesaccordingly.ExceptionsaredeliveryoftheSecurityAssessmentPlan(SAP),SecurityAssessmentReport(SAR),andtheSARresults.Inordertomaintaintheintegrityandindependenceofthesedocuments,theymustbeprovidedtothePMOdirectlyfromthe3PAO.Whilethe3PAOmakesthefinaldeterminationonthesecurityresultsintheSAR,theCSPshouldensurethequalityoftheSARandall3PAOdeliverablesprovidedtoFedRAMP.

|40

Q:AreHighfindingsacceptablewhensubmittingaSecurityAssessmentReport(SAR)foraninitialJointAuthorizationBoard(JAB)ProvisionalAuthorizationtoOperate(P-ATO)?

A:WhensubmittingaSARforaninitialJABProvisionalAuthorizationtoOperate(P-ATO),theremustbenoHighfindings.ForHighfindingsthatcannotberesolved,suchasvendordependencies,sufficientadditionalmitigatingcontrolsmustbeinplacetojustifyariskreductiontoModerate.

SomeCSPsincorrectlybelievethataHighfindingisacceptableifitisavendordependencyoroperationallyrequiredvulnerability.Thisisnotthecase.IfaHighfindingcannotberesolved,itmustatleastbemitigateddowntoaModerate.

Q:DothetoolsusedforthepenetrationtestneedtobelistedanywhereelsebesidesinthePenetrationTestPlandocument?

A:Yes.ThetoolsusedforthepenetrationtestmustalsobelistedintheSecurityAssessmentPlan(SAP)andmatchthoselistedinthePenetrationTestPlandocument.WhencompletingTable5-3intheSAP,besuretoincludeeachtoolusedforthesecuritycontrolsassessment,vulnerabilityscanning,andpenetrationtest.

Q:ArelowriskfindingstrackedonthePlanofActionandMilestones(POA&M)?Ifso,whatisthetimewindowtocorrectlowriskfindings?TheFedRAMPguidanceonlystatesremediationtimeframesforhigh/moderateriskitems.

A:Yes,allfindingsmustbedocumentedinthePOA&M,includinglowriskfindings.Lowriskfindingsshouldberemediatedwithin180days,andtheremediationwillbevalidatedduringthenextannualassessment.

Q:Whataretherolesandresponsibilitiesofthethirdpartyassessmentorganization(3PAO)andthecloudserviceprovider(CSP)duringtheassessment?

A:WhileFedRAMPcertifies3PAOstoperformsecurityassessmentsofFedRAMPcloudservices,theCSPisultimatelyresponsibleforall3PAOactivitiesanddeliverablesrelatedtotheassessmentoftheircloudoffering.TheCSPdevelopsandmaintainstheSystemSecurityPlan(SSP),PlanofActionandMilestones(POA&M)andothersupportingdocuments;however,theCSPalsomanagesandoverseesthe

|41

assessmentactivitiesaccordingly.The3PAOdevelopsanddeliverstheSecurityAssessmentPlan(SAP),andSecurityAssessmentReport(SAR),andSARevidence/attachments.Whilethe3PAOmakesthefinaldeterminationonthesecurityresultsintheSAR,theCSPshouldensurethequalityoftheSARandallother3PAOdeliverables.

Q:WhendevelopingtheSecurityAssessmentReport(SAR),whatistheprocedureormethodfordocumentingfindingsthatwerecorrectedduringtestingoridentifiedasfalsepositives?

A:FalsepositivesandvulnerabilitiesthatwerecorrectedduringtestingarereportedindesignatedSARtables.ConsulttheSARtableofcontentstoidentifytheselocations.Whendescribingwhatwasdonetoconfirmthatsomethingwasafalsepositiveorcorrectedduringtesting,citethespecificitemofevidence(screenshot,scanfile,etc.)byfilenameinthetableentry.Providetheevidencefile(s)withtheSAR.ThisapproachwillensuretheSARreviewerscaneasilynavigatethedocumentwhenevaluatingtheseitems.

Q:CantheSecurityAssessmentPlan(SAP)ortheSecurityAssessmentReports(SAR)templatesbemodified?

A:TemplatesfortheSAPandtheSARcanbemodifiedtoaddcontent,butcontentcannotberemovedfromthetemplate.Soyouwillbeabletoaddinformationtohelpbolstersecuritypackages,butyoucannoteliminatepartsorportionsofthetemplates.

Q:Howdoesa3PAOindicatethatavulnerabilityis“closed”intheSecurityAssessmentReport(SAR)?

A: Foranyscan-relatedfindingthatwasfoundandcorrectedduringtesting,pleasemakesuretoincludea“targeted”scanthatreflectsthevulnerabilityasclosed.Itisrecommendedthattheseremediationscansaretargetedscans,wherescansareconductedtotargetthespecificvulnerabilitiesandspecificallyimpactedcomponentsprovingclosure,soasnottoskewtheassessmentresults.PleaseprovidethesetargetedscansaspartofthefinalSARdeliverablethatissubmittedtoFedRAMP.

|42

Q:AretherelimitationsonthetypesoffindingsthatcanbereportedintheSecurityAssessmentReport(SAR)?

A:TherecannotbeanyunmitigatedorunremediatedhighfindingsreportedintheSARforP-ATO.Hence,TableES-1,shouldn’thaveanyhigh’slistedwithinthecomposite

Q:Whatdoesthe3PAOneedtoprovidewithregardtovulnerabilitiesthatwerefixedduringtesting,downgraded,operationallyrequired,orfalsepositives?

A: Forvulnerabilitiesthatwereremediatedduringassessmenttesting,riskadjusted,operationallyrequired,ordeterminedtobeafalsepositive,the3PAOmustprovidecompellingevidenceintheformofartifactsanddetailedrationalewithintheappropriateSecurityAssessmentReport(SAR)tablestojustifytheadjustedstatus.Pleasereferencethespecificevidencefile(s)andprovidethemwiththeSAR.

Q:ShouldaSecurityAssessmentPlan(SAP)besubmittediftheinventorydiffersfromtheSystemSecurityPlan(SSP)?

A:AtthetimetheSAPissubmittedbythe3PAO,theSSPandSAPshouldreflectthesameinventory.Posttesting,iftherearedevicesthatarediscoveredandnotdisclosedwithintheSSPand/orSAP,theSecurityAssessmentReport(SAR)mustreflectadeviationfromtheSAP,andtheSSPmustbeupdatedpriortoauthorizationwiththeaccurateinventorylisting.

Q:Howdoesa3PAOensurerepeatableandconsistentresultswhenreportingtheresultsofanassessmentmethod?

A:Whenreportingtheresultsofanassessmentmethod(documentexaminations,personalinterviews,andsystemtests),ensurethereisenoughdetailsothattheassessmentmethodandresultcanberepeatedbysomeoneelse.ThisgenerallyreferstoAppendixBoftheSecurityAssessmentReportSAR),spreadsheettab:“ProcedureandEvidence”.Foreachcontrol,thereshouldbesufficientdetailtodescribetheassessmentmethodthatincludestheprocedure,evidenceandresults.Thisshouldhaveaconsistentlookandfeelfromcontroltocontrol,forrepeatabilityandconsistency.

|43

Q:Whena3PAOisprovidingtheAuthorizationRecommendationforaCSPProvisionalAuthorizationToOperate(P-ATO),theSecurityAssessmentReport(SAR),Section7needstobeupdated.WhatupdatesmustbeprovidedintheSARtemplatesection7-AuthorizationRecommendation?

A:Section7oftheSARistemplatedsothatthe3PAOmayprovideanexecutivesummarytypeofoverviewfortheanalysisofriskidentifiedwithinthesystemenvironment.Thesummaryincludesthenumbersoftypesofvulnerabilitiesidentified(i.e.,therewere<Number>Highrisks,<Number>Moderaterisks,<Number>Lowrisks,and<Number>ofOperationallyRequiredrisks).Operationallyrequiredrisksmustbeidentifiedbecausethesevulnerabilitiesarerisksthatcannotreadilyberemediatedormitigatedbecausetheremediationormitigationwouldadverselyaffecttheoperatingenvironmentofthesystem.TheFedRAMPProgramManagementOffice(PMO)expectsthatthe3PAOprovidestheirprofessionalrecommendationregardingtheanalysisofrisksforthesystembasedontheresultsofthesecurityassessment.However,the3PAOrecommendationmustbefullyvalidatedbycollectedartifactsandevidence.TherecommendationisreviewedbytheJointAuthorizationBoard(JAB)fortheProvisionalAuthorizationToOperate(P-ATO)decisionandbytheAgencyAuthorizingOfficial(AO)fortheAgencyAuthorization.

TIP:ACertified3PAOPenetrationTestingMethodologymustcontainalloftheFedRAMPPenetrationTestingcomponents.

Every3PAOhasadoptedaspecificPenetrationTestingMethodology.However,inorderforthe3PAOtobeFedRAMPcompliantandperformFedRAMPCompliantPenetrationTesting,theFedRAMPPenetrationTestGuidance,Version1.0.1,datedJuly6,2015andthemethodologycontainedthereinmustbetightlyinterwoveninthe3PAOPenetrationTestingMethodology.

Forinstance,ifa3PAOistestingroles,foreachroledefined,thepenetrationtestingmethodologyusedbythe3PAOmustincorporateattackvectorsdefined,ataminimum:

1. ExternaltoCorporate–ExternalUntrustedtoInternalUntrusted2. ExternaltoTargetSystem–ExternalUntrustedtoExternalTrusted3. TargetSystemtoCSPManagementSystem–ExternalTrustedtoInternalTrusted4. TenanttoTenant–ExternalTrustedtoExternalTrusted5. CorporatetoCSPManagementSystem–InternalUntrustedtoInternalTrusted6. MobileApplication–ExternalUntrustedtoExternalTrusted

EvenifthenetworksarecalledsomethingelseandarenotreferredtoasgenericallyastheFedRAMPlisting,theproofmustbeprovidedthatatleasttheminimumattackvectorslistedintheFedRAMPguidancemustbepenetrationtestedandmustbepartofthe3PAOFedRAMPPenetrationTestingMethodologyfortheCSP.

|44

TIP:AssignuniqueVulnerabilityIdentifiersfortheSAR/DeviationRequests/POA&Mworkbooks.

Thiscanbeinanyformatornamingconventionthatproducesuniqueness,butFedRAMPrecommendstheconventionV-<incrementednumber>(forexample,V-123).ThisuniqueidentifierisassignedtoaspecificallyidentifiedvulnerabilityintheCSPsystem.Therequirementisthatifavulnerabilityisidentifiedduringtheannualassessmentand/orthemonthlycontinuousmonitoringeffort,andthatvulnerabilityisthesamevulnerabilityalreadyuniquelyidentifiedintheexistingPOA&M,theCSPand3PAOmustusethesamePOA&MIDasforpre-existingandopenvulnerabilities.Inotherwords,donotassignadifferentIDtoavulnerabilitythatisalreadydocumentedinthePOA&M.

Q:WhataretheFedRAMPrequirementsforvulnerabilityscanning?

A:VulnerabilityscanningmustoccurforOperatingSystem(OS)/infrastructure,databases,andwebapplicationcomponentsintheCloudServiceofferingauthorizationboundary.ThescanningparametersforthecomponentsmustbedefinedintheSecurityAssessmentPlan(SAP).Ifthe3PAOhasnotorisnotconductingthevulnerabilityscanningfortheassessment,thentheSAPidentifiesthealternativemethodology.Thisstandardthenbecomesintegratedinthemethodology.InordertomaintainFedRAMPscanningcompliance,the3PAOmustdescribeprocessestoensureintegrity,completeness,accuracy,reliability,andtheindependentnatureofthescanresults.

Ataminimum,the3PAOmust:

§ Reviewthescanningtoolstoensurethetoolsareappropriatelyconfiguredbeforethescansareexecuted.

§ Overseeandmonitorthescansfrominitiationtocompletion.§ Describetheprocedurestoensurechain-of-custodyofthescanresults.§ Comparethelistofcomponentsidentifiedinthescansandthoseintheinventoryandprovide

anexplanationforthedifferenceintheSAR.§ Assessacomponentthroughothermeans(manualmethods),ifacomponentcannotbe

scanned.

OncethemethodologyisapprovedviatheSAP,themethodologymaybefollowedforthesystemuntilthereisasignificantchangeorthenextannualassessmentwherebythemethodologymaybealteredwithinthenextSAP.

Vulnerabilityscansmustbeperformedusingsystemcredentialsthatallowfullaccesstoscanningtheentireauthorizationboundarytoincludeallhardwareandsoftware.Scannersmusthavetheabilitytoperformin-depthvulnerabilityscanningofallsystems(asapplicable).Systemsscannedwithout

|45

credentialsprovidelimitedornoresultsoftherisks.Allunauthenticatedscanswillberejectedunlessanexceptionhasbeenpreviouslygrantedduetoapplicabilityortechnicalconsiderations.

Q:Forvulnerabilityscans,doallpluginshavetobeenabled?

A:Allnon-destructivepluginsmustbeenabled.Toensureallvulnerabilitiesarediscovered,thescannermustbeconfiguredtoscanforallnon-destructivefindings.Anyvulnerabilityscanswherepluginsarelimitedorexcludedwillberejected.Exceptionsmayoccurbasedonspecificrequestsfromthegovernmentforre-scansortargetedscans.Thesescansmustcomplywiththedirectionsprovidedbythegovernment.Formoreinformation,pleaseseeourFedRAMPJABP-ATOVulnerabilityScanRequirementsGuide.

TIP:WhatdoesatypicalThirdPartyAssessmentOrganization(3PAO)TeamperformingaCloudServiceOffering(CSO)assessmentlooklikeaccordingtoFedRAMP?

FedRAMPrequiresthatallassessmentsmustbestaffedbyanappropriatenumberof3PAOteammembersbasedonthecomplexityoftheCSObeingassessed.This3PAOstaffingincludes,butisnotlimitedto,individualsresponsibleforscanning,interviews,theexaminingofartifacts,andreportwriting.The3PAOteammustconsistofatleastthreepeoplefromthe3PAO,whoparticipateinandsupporttheassessment,oneofwhichisanindividualconsideredtobetheseniorrepresentativeofthe3PAO,oneofwhichisapenetrationtester,andoneofwhichisanindividualdedicatedtoqualitymanagementofthe3PAOprocess.

TheseniorrepresentativeisresponsibleforensuringtheassessmentactivitiesandevidenceiscompletedfullyandmeetstheFedRAMPrequirementsandstandards.

ThepenetrationtesterisresponsibleforensuringthepenetrationtestingisfullycompliantwithFedRAMPPenetrationTestGuidance.

Theindividualdedicatedtoqualitymanagementisresponsibleforensuringthatalldeliverablesfromthe3PAOmeetthequalitystandardssetforthbyFedRAMP.

Any3PAOwhowishestocompleteanassessmentwithlessthanthreepeoplemustseekapprovalfromtheFedRAMPPMO.Theseniorrepresentativemusthavetheauthoritytosignoffontheworkoftheotherindividualswhoworkontheproject.DuringtheonsiteassessmentbyA2LA,the3PAOmustdemonstratetheabilitytomeettheteamstaffrequirements.

|46

TIP:WhatarethebasicFedRAMPrequirementsfor3PAOsdeliveringasecurityassessmentreportorareadinessassessmentreport?

Alldeliverablesshouldbesignedoffbythe3PAOqualitymanagementleadbeforebeingdeliveredtoaCSPorgovernmentauthorizingofficialteam.Thequalityreviewprocessforthe3PAOshallincludecheckingalldeliverablestoensurethefollowing:

§ Therearenospellingorpunctuationerrors.§ Allsectionsofeachdocumentdeliveredarecomplete,clear,concise,andconsistentwitheach

other.§ Allteammembersoftheassessmenthavereviewedthedeliverables.§ Documentsarepreparedusingthemostrecentstandardtemplates,withoutalterationsor

deletions,andinsertionsmustbeagreedupon.

AllSARswrittenbythe3PAOshallincludeanauthorizationrecommendationonwhetherthesystemcanappropriatelysafeguardgovernmentdatainaccordancewiththesecurityclassificationofthesystem.Therecommendationshallincludeasummarystatementandjustificationstatement.

AllSARswrittenbythe3PAOshallincludeallscanresultsinareadableformatsuchthatsomeonewithoutascannerlicensecanreadtheresults.

AllRARswrittenbythe3PAOmustadheretotheguidancewithintheFedRAMPHighReadinessAssessmentReport(RAR)templateandtheFedRAMPModerateReadinessAssessmentReport(RAR)template.

AllRARswrittenbythe3PAOshallincludeanalysisofresultsfromactivitiesincluding,butnotlimitedto,discoveryscansandinpersoninterviewsandphysicalexaminationswhereappropriate.IntheeventthatscanresultsarerequestedbythePMO,theyshouldberetainedinareadableformatsuchthatsomeonewithoutascannerlicensecanreadtheresults.

Q:Whatarethereportingexpectationsforthepenetrationtestplan?

A:TheSSP(andsupportingdocuments)containinformationthatcontributestothereconnaissance/informationgatheringphaseofthepenetrationtest.Thisinformationincludesthesystemandnetworkarchitecture,inventory,ports,andprotocolsandservices.TheSAPshouldincludetailoredpenetrationtestassessmentsteps(includingmanualsteps)thataretheuniqueresultofevaluatingtheinformationinthisdocumentation.

|47

8. SYSTEM SECURITY PLAN (SSP) DOCUMENTATION

Q:HowdoIavoidmakingmistakeswhencreating/updatingtheSystemSecurityPlan(SSP)document?

ForEVERYsecuritycontrolimplementation:

1. Describethesolutionimplementedforthissecuritycontrolandhowitmeetsthesecuritycontrolrequirement.

2. Specifytheperson(s)responsibleforimplementing/enforcingthesolutiontothissecuritycontrol.

3. Describehowoften(daily,weekly,monthly,quarterly,annually,etc.)thissecuritycontrolanditsimplementationareperiodicallyreviewed.

a. Besuretoinclude:i. Whoperformsthereview.ii. Whattriggersaperiodicreview.Isitaspecificdateorevent?

4. Howarespecifiedperiodicreviewsdocumentedandwhatartifactscanprovethiscontrolisactivelyimplementedandreviewed?

5. Ifapolicyhasbeenpublishedandisreferencedasthebasisfortheimplementationofthissecuritycontrol,makesurethatpublisheddocumentisprovidedasanattachment,orasupportingdocumentwiththeSSPwhensubmittedforFedRAMPreview.Thisisespeciallytrueforinheritedcontrols.

a. Securitycontrolimplementationscanonlybeinherited(leveraged)fromsystemsthathavealreadybeenapprovedandgrantedaFedRAMPauthorization.

Providingacompleteresponsetotheitemsabovewillgreatlyimprovethelikelihoodofasuccessfulreviewonthefirstsubmission.

Q:Howcana3PAOensurehighqualityassessmentsanddeliverables?

A:TheFedRAMPPMOsuggests3PAOstoperformapeerreviewthatasksthefollowingquestionstoensurehighqualityassessmentsanddeliverables:

§ Canthedocumentedassessmentsteps(eitherdescribedan/orasshownintheevidencefiles)beeasilyrepeatedbysomeoneelse?

§ DidyouperformanexaminationoftheSystemSecurityPlan(SSP)orPolicies&Procedures(P&P)whenanexaminationofrecordswasrequired?

§ Whenatestwasrequired,didyouperformanintervieworusetheexamineassessmentmethod?

§ Wasaninterviewassessmentmethodusedwhenanexamination/observationwasrequired?

|48

§ Isareasonprovidedforperformingadifferentassessmentmethodthantheonerequired(e.g.examineinlieuofatest)?

§ Isevidenceprovided?§ Istheevidencespecificallycitedsoitcanbeeasilylocated?§ IstheevidencespecificallycitedorprovidedsothatISSOcanverifythatthesampling

methodology(asdescribedintheSecurityAssessmentPlan)wasfollowed?§ Dotheobservationsandevidencediscussadifferentcontrolthanthecontrolinthetestcase?§ AretheobservationsandevidencedescriptionsconsistentwithFindingscolumn(foundinthe

“AssessmentTestCases”template)?§ DotheResultsshowaContingencyPlan(CP)testwasconducted?§ DotheResultsshowtheCPtestwasatable-topexerciseratherthanafunctionaltest?§ DotheResultsshowanIncidentResponse(IR)testwasconducted?§ DotheTestcasesincluderesultsofthevulnerabilityscansandpenetrationtest?

Q:DoestheFedRAMPPMOhavefiletyperequirementsfordocumentssubmittedforreview?

A:WhensubmittingdocumentationtotheOMBMAXSecureRepositoryforFedRAMPPMOReview,theSystemSecurityPlan(SSP)mustbeinWordformatandunprotected.TheFedRAMPPMOcannotproperlyconductaformalreviewifdocumentationisinanyotherformat.Forconcernsregardingthis,pleaseaddressthemtotheFedRAMPPMOatinfo@fedramp.govpriortouploadingdocumentationtoMAX.

Q:CouldyouexplaintheinterdependenciesofcontrolswithintheSystemSecurityPlan(SSP)?Specifically,doeshaving“N/A”formySystemSecurityPlan(SSP)AccessControl(AC)-17forRemoteAccesshaveimplicationsonothercontrols?

A:WhencreatingtheSystemSecurityPlan(SSP),understandthattheplantellsthe“story”ofthesystem.Whileitmaynotbeclearwhenyoubeginthistask,thesecuritycontrolsareinterrelatedandhaveinterdependencies.OneofthemostcommonissuesunfoldswhentheSSPAccessControl(AC)-17RemoteAccesshas“N/A”fortheimplementationdetail.Inourevolvingtechnologicalworld,allaccesstothesystemisnowremoteaccess.Thiscontrolisinterdependentwithmanyothercontrols,specifically:AC-2,AC-3,AC-18,AC-19,AC-20,CA-3,CA-7,CM-8,IA-2,IA-3,IA-8,MA-4,PE-17,PL-4,SC-10,SI-4.SoifthereisamisinterpretationofAC-17,chancesareverygoodthattheinter-relatedcontrolswillalsohaveissues.

Q:Whatisasecurityarchitecturediagramandwhatshoulditinclude?

|49

A:Asecurityarchitecturediagramisacomponentofthesecurityarchitecturedocument,whichillustrateshowtechnicalsecuritycontrolsareimplementedintheenvironment.Italsoarticulatestheoverallsecurityprogramstrategyinalignmentwiththepositionandselectionofsecuritycontrolimplementations.AsecurityarchitecturediagramMUSTbeastand-alonedocumentandaddresstherequirementsoutlinedinthecontrolsupplementalguidanceinPL-8,itisnotsufficienttoreferencetheSSPoroutsideproductguides.

ArchitecturalandnetworkdiagramsmustincludeallpossiblecommunicationlinksbetweentheCSPandfederalAgencies,aswellaspathsintothesystemboundary.Ifcustomersarenotyetconnectingdirectly,aCSPcanidentifyallplannedconnectionpointsintheSSP.Describingthearchitecturethatwillbeofferedcanhelpensurethatitwillbeauthorizedbeforeacustomerneedsit.Theboundarydiagramsshouldbecompletedpriortowritingimplementationstatements.

Q:Whataresometipstowritingadetailedandaccuratecontrolimplementation?

A:Thinkofeachimplementationasalittlestory.Alwaysincludewhoisresponsible,howthecontrolisimplemented(bespecific–getgranular),andwhatcomponentsareaffected.

Q:ShouldIrepeatthecontrolrequirement?

A:Donotrepeatthecontrolrequirement.Feelfreetouseitthoughasajumpingoffpointtowriteadetailed,specificimplementation.Additionally,usethesameactionandkeywordswithinthecontrolrequirementwhendescribingyourimplementationsoitisclearexactlyhowtheimplementationmeetsthestatedrequirements.

Q:Whyisitimportanttomaintainconsistencybetweenthesecuritycontrolimplementationstatementsandthetechnicaldiagrams?

A:ThesecuritycontrolimplementationstatementsprovideadetailedexplanationastohowcompliancewithNISTSP800-53andFedRAMPrequirementsaremet.Generally,complianceismetwiththeimplementationoftechnicalcomponents,policy/procedure,andothermechanisms.TheBoundary,Network,andDataFlowdiagramsprovideavisualdepictionofthesecomponentswithinthesecureenvironment,soit’sveryusefultoreviewerstomapcontrolimplementationstothespecificcomponents.Further,manycontrolsareoftensatisfiedwiththeimplementationofthesamecomponentsandaresubjecttosecuritytestandContinuousMonitoringtoassureeffectiveness.It’simportant,therefore,thattheimplementationstatementsandthediagramsareconsistentandaccurate.

|50

TIP:AvoidaddingtimetoyourauthorizationprocessbysuccessfullycompletingtheSystemSecurityPlan(SSP)reviewthefirsttime!HerearesometipsfromtheFedRAMPPMOonhowtocreateastrongSSP:

“TheEmergencyResponseTeamshallresolveallproblemswithinfourhoursofreceivingareport.Onceaproblemisfixed,theresponseteamleaddocumentsthesolutionandsendstherequestingteamthecorrectionreport.”

1. Submitacompleteandwell-structuredSSP.2. ExpertiseandknowledgeofNIST/FedRAMPsecuritycontrols.3. Enoughresources–oftenonewriterisnotenough,andyoumayhavetoallotadditional

resourcesandsubjectmatterexpertstocompleteSSP.4. EmploythefourC’sofwriting:Clear–straightforward,avoidingconvolutedphrasesorover-

longphrases;Concise–packthemostmeaningintoyourwords;Concrete–concretewritingispreciseanddetail-oriented;andfinally,Correct–correctgrammar,mechanics,andformatarebaselineexpectationsforwriting.

5. Thewriter(s)hasknowledgeofthesystemand/orcanobtaintheinformationfromothersandbeabletocommunicatetheirtechnicalknowledge.

6. PerformqualityreviewontheSSP.DoingthesethingscannotguaranteeasuccessfulSSPreviewbutwillgreatlyenhanceyourchances.

Anotherwritingtip:Forthefirstcontrolineachfamily(e.g.AC-1,AU-1etc.),usethefollowingasachecklisttoensureconsistencyamongallofthe“first”controlstoensuretheycontaintherequiredinformationintheappropriatepart.

PartA:

(1)

§ Referencethepolicydocumentspecifically§ Discusshow/wherethepoliciesaremadeavailabletopersonnel

(2)

§ Referencetheproceduresdocumentspecifically§ Discusshow/wheretheproceduresaremadeavailabletopersonnel

PartB:

§ Identifyfrequencyofreviewandupdateofpolicy§ Identifyfrequencyofreviewandupdateofprocedures

Note1:Ifthepoliciesandproceduresareallinonedocument,thereisnoissuewithreferencingthatdocumentinbothPartsaandb.

|51

Note2:Beawarethat800-53Rev4reorganizedthesecontrolrequirements.

“SecurityProcedures”asdefinedbyNISTinSP800-12:“Proceduresnormallyassistincomplyingwithapplicablesecuritypolicies,standards,andguidelines.Theyaredetailedstepstobefollowedbyusers,systemoperationspersonnel,orotherstoaccomplishaparticulartask(e.g.preparingnewuseraccountsandassigningtheappropriateprivileges).”

SecurityProceduresgenerallyexplainhowtoperformatasksuchasatechnicaltaskorabusinessprocess.

Examplesofproceduresare:

§ HowToCreateUserAccounts§ HowToTestBackups§ HowToAuthorizeAUserAccount§ HowToPerformFriendlyTerminations§ HowToPerformUnfriendlyTerminations§ HowToLockdownaWindows2012Server§ HowToManuallyTurnOnaGenerator§ StandardOperatingProceduresForAddingNewStorageArrays§ MediaSanitizationProcedures§ ProceduresForAddingFirewallRules§ ProcedureForConfiguringLiveMigrationsofVirtualMachines§ HowToReviewaLogFileforSuspiciousActivity§ HowToConfigureAuditStorageCapacityAlerts§ HowToUseCronToScheduleAlerts§ HowToConfigureTheLogDeliveryService§ HowToTestTheContingencyPlan

Q:AllofthecontrolslistedintheSystemSecurityPlan(SSP)donotapplytomysystem,soIonlycompletedthosethatareapplicableandlefttheothersblank.Isitpermissibletoleaveacontrolblankifithasnotbeenimplemented?

A:EverysectionwithintheSSPisrequiredtohaveananswer–includingeachcontrol.Sosimplyleavingitblankisnotpermissible.Youmustlistthecontrolas“n/a”andanyappropriaterationaleastowhythatcontroldoesnotapplytoyoursystem.Veryfewcontrolsareeverconsidered“notapplicable.”TheaverageFedRAMPCSPsystemhasnomorethanahandfulofcontrolsthataretrulynotapplicableandtypicallyincludecontrolsinvolving“Wi-Fi”and“Mobile,”wherethesecomponentsaresimplynotused.However,thereshouldbeverylimitedornocontrolslistedas“notapplicable”fortechnicalcontrols

|52

suchasAC,AU,IAandSCetc.CSPsmustthinkofthesystemasawholewhendeterminingapplicability.Ifthecontrolappliestothesysteminanywayfromtheprovidertotheconsumer,itisapplicable.Aprovidermustdescribeanyportionthecontrolthattheproviderisresponsibleforaswellasanyresponsibilitiesofconsumers.Forexample,forIA-2(12),whichrequiresmulti-factorauthenticationforendusersviaPIVorCACcardsmightnotsoundapplicableforaCSP.ControlslikethisaretrickybecauseaCSPusuallydoesn’tworkwithendusersatAgenciestoissuePIVorCACcards.However,CSPsarerequiredtohavethecapabilitiesinplaceforenduserstoauthenticateviaPIVorCACcards.Inthiscase,insteadofthiscontrolbeingnotapplicable,aCSPmightdescribehowtheyacceptSAMLauthenticationmechanismsfortheenduser,andalsothecustomerresponsibilitiesrelatedtoPIV/CACandSAMLinteractionswiththeCSP.

Q:ThereseemtobesomeinconsistenciesintheSystemSecurityPlan(SSP)template.Forexample,the-1controlsdonothaveasmany“checkboxes”asothercontrols.AmIallowedtoalterorupdatethetemplatetofitmyneeds?

TheSSPtemplateshouldnotbealteredbytheCSP.Forexample,donotadd“checkboxes”ormakeanyotherchangestotheoriginaltemplate.Tablesmaybeadded,forexample,butexistingtablescannotbemodified.The-1controlsdonothaveasmany“checkboxes”astheothercontrols,andthisisintendedbythePMO.ThetablesareintendedtobeconsistentacrossallFedRAMPSSPstofacilitateAgencycustomerreviews.

Q:HowdopoliciesandproceduresdifferfromtheSystemSecurityPlan(SSP)?

A:PoliciesandproceduresareacriticalsupplementtotheSSPandarerequiredbythefirstcontrol(knownasthe“dashones,”i.e.AC-1)foreachcontrolfamily.ThesedocumentsaresubmittedwiththeSSPandprovidetheguidelinesunderwhichtheproceduresaredevelopedandbywhichtheSSPcontrolsareimplemented.Policiesaddresswhatthepolicyisanditsclassification,whoisresponsiblefortheexecutionandenforcementofthepolicy,andwhythepolicyisrequired.Proceduresdefinethespecificinstructionsnecessarytoperformatask.Proceduresdetailwhoperformstheprocedure,whatstepsareperformed,whenthestepsareperformed,andhowtheprocedureisperformed.

Q:IreferencedadocumentinmySystemSecurityPlan(SSP)butdidnotprovidethe referenceddocumentbecauseitcontainsproprietaryorsensitiveinformation.Howwillthisaffectmyreview?

A:Everyattemptshouldbemadetopreventthissituation.Theassessmentpackageshouldstandonitsownwithoutreferencingdocumentsthatrequirecomplexretrieval,whichcanbeconfusing,time

|53

consuming,andcausedelaysintheassessment.Intherarecircumstancethiscan’tbeavoided,youmightaddastatementthatsays,“Thedocumentisavailableonsiteforreviewuponrequestorasrequiredforauditsandassessments.”

Q:Howshouldacloudserviceprovider(CSP)addressplatformscopewithintheSystemSecurityPlan(SSP)?

A:Therearemultipleplatforms/platformgroupsinasystemasidentifiedbytheinventory.Aplatformhascertaincontrols(e.g.,accesscontrols,auditlogging,sessionlock,etc.)configureduniquelyforeachdevicetype.Itisexpectedthatuniqueimplementationswouldbeaddressedbyplatformforthefollowingcontrols/controlfamilieswhereapplicable:AC,IA,AU,CM,SI-2,SI-3,SI-5,SI-11.Werecommendusingastandardformatforaddressingcontrolsbyplatform(e.g.,haveasubheaderwithinthecontrolpart/partsfor“Cisco,”“Brocade,”etc.).

Q:HowdoIcaptureCustomerRequirementsinmysecuritycontrolimplementationdetail?

A:Pleaserememberthatclarityandconsistencyiskeyinsecuritycontrolimplementationdetail.OncethewriteroftheSSPmakesadeterminationastohowtheCustomerRequirementisportrayedforonesecuritycontrolimplementationdetail,thatsameformatshouldbeusedthroughouttheSystemSecurityPlan(SSP)foreachcontrolthathasaCustomerResponsibilityrequirement.WesuggestthatyoubegintheCustomerResponsibilitysectionineachsecuritycontrolimplementationdetailbyframing"CustomerResponsibility"or"CustomerResponsibilityRequirements"directlyandstayconsistentthroughouttheSSP.

Followingthe"CustomerResponsibility"or"CustomerResponsibilityRequirements",clearlydescribewhatthecustomerisexpectedtodo.AstheCloudServiceProvider(CSP),youdonothavetodescribehowthecustomerimplementstherequirement.Thatdescriptionistheresponsibilityofeachindividualcustomerusingyourserviceoffering.YoumustonlydescribethatitisaCustomerRequirementasbasedonthesecuritycontrolimplementation.MakesurethatallcustomerrequirementsintheSSPMATCHtheCustomerRequirementsintheFedRAMPControlImplementationSummary(CIS)forSSPLowModerateBaseline(CIS)benchmarkandintheCustomerResponsibilityMatrix(CRM).PleasenotethatthisCIStemplatefortheLowandModerateCloudServiceOfferingsislocatedonTheFedRAMPwebsiteviathisurl:https://www.fedramp.gov/files/2016/07/A09-FedRAMP-CIS-Workbook-LM-Template-2016-06-20-v02-00.xlsx

TheFedRAMPwebsitealsohasaFedRAMPHighControlImplementationSummary(CIS)Workbooktemplateasitmayapplytosomesystems.

|54

Q:WhataresomecommonmistakesthatarisewhenaddressingControlImplementationstatements?

A:ThereareseveralmistakesthatCSPsencounterwhendraftingtheirControlImplementationstatements.Someofthoseinclude:

§ CustomerResponsibility:Thecustomerspecificresponsibilityshouldbeaddressedexplicitlyandconsistently(e.g.addressedundera"CustomerResponsibility"heading).ThisissocustomersknowexactlywhattheirresponsibilitiesarewithregardtomeetingthecontrolrequirementexclusivelyorinpartnershipwiththeCSP.

§ ControlScope:Therearemultipleplatformsanddevicetypesinasystemidentifiedinthesysteminventory.Ataminimum,eachdevicetypehas(forinstance)accesscontrols,auditlogging,andflawremediation.Eachdevicetypemayhavethosecontrolsconfigureduniquelydependinguponthelocationofthedevicewithinthedefense-in-depthfortheoverallsystemriskmanagementstrategy.Uniqueconfigurationsandimplementationsareaddressedbydevicetypeand/orlocationinthesecuritydefensestrategyforthesystem.ThiswillnormallyaffecttheAC,IA,AU,CM,andSIcontrolfamilies.Thismeansthatthesecuritycontrolimplementationdetailsforthosefamiliesandthentheparticularcontrolswithinthefamilieshavegreaterdepthofdetailrequired.

§ Beforeattemptingtopopulatethesystemsecurityplan(SSP),itisrecommendedthatonetakealookattheoverallsystemauthorizationboundaryandallthedevicesandcomponentswithintheboundarytounderstandwhatcontrolsaffectwhichdevicesandcomponents.ThismappingiscalledaSecurityControlsRequirementsMatrix.DevelopingamatrixsavestimeinthelongrunwhendocumentingthesystemviatheSSPanditbecomeseasiertouseastandardformatforaddressingcontrolsbydeviceorcomponent(e.g.,haveasubheaderwithinthesecuritycontrolimplementationdetailfor"Cisco","Brocade",“Windows”,“Linux”,and/or“Oracle”).Additionally,whereapplicable,eachfacilityshouldbeaddressedincludingalternate,backup,andoperationalfacilities.

§ DocumentReferences:Policiesandproceduresaswellassupportingdocumentsshouldbeexplicitlyreferenced(title,dateandversion)soitisclearwhichisactive.Iftheentirereferenceddocumentdoesnotapply,specificsectionsreferencesshouldbeprovidedsotheapplicablesectionscanbelocatedeasily.Thereviewershouldnothavetorelysolelyonfollowingthereferencestounderstandthecontrolimplementation.AnoverviewofwhatthereferenceddocumentaddressesanddirectrelevancytothecontrolrequirementshouldbeprovidedsotheSSPcanstandonitsown.

YoucanhaveatableattheendoftheSSPthatspecifiesallreferenceddocuments,theirtitle,date,andversion.Thenreferencethattablewhenadocumentiscited.Thiswayyouonlyhavetomaintaindateandversioninoneplace.

|55

Q: DoesFedRAMPprovideatemplateforanIncidentResponsePlan?

A: SecurityControlIR-8requiresCSPstodevelopanIncidentResponsePlan(IRP).TheIRPisarequireddocumentwithinsecurityauthorizationpackages.FedRAMPdoesnotprovideatemplateforIRPs;however,NISTSP800-61Rev2,ComputerSecurityIncidentHandlingGuide,providesguidanceonthedevelopmentofIncidentResponsePoliciesandProcedures,aswellasguidanceonthedevelopmentofanIncidentResponsePlan.

Q:AlthoughtheFedRAMPPMOdoesnotprovideatemplateforContingencyPlansandIncidentResponsePlans,isthereanyinformationthatneedstobeincluded?

A: ForContingencyPlansandIncidentResponsePlans,itishelpfultoincludethefollowinginformation:

§ Name/Titleofattendees§ Dateandtimeoftheexercise§ Descriptionspecificexercise§ Expectedresults§ Actualresults§ Wastheparticularexercisesuccessful?§ Whoperformedthespecificpartoftheexercise?§ Lessonslearned

ForLowsystems,atabletopexerciseissufficient.Formoderateandhighsystems,werequireafunctionalexercise.

TIP:IncidentResponseplansmustincludetheresponsetimeforFederalAgencyIncidentCategories.

MinimumresponsetimesareprovidedbyUSCERTathttps://www.us-cert.gov/government-users/reporting-requirements.FedRAMPisespeciallyconcernedwiththeresponsetimeforCAT1incidents,unauthorizedaccess.FedRAMPexpectsreportingofsuspectedunauthorizedaccesswithinonehourofwhentheimpactedcustomerAgencyisidentified.TheCSPshouldnotwaitforafullanalysistobecompletebeforereportingthesuspectedbreach.

|56

TIP:IfaCSP’sorAuthorizingOfficial’sinformationhaschanged,besuretomakethesechangesintherolesectionoftheSystemSecurityPlan(SSP)immediatelyafterthechange.

TherehavebeenalotofpersonnelchangesinCSPsandAgencies.It’scriticalthatCSPsupdatetheirSSPstoreflectthesechanges,asthisissomethingthatisvital,butoftenoverlooked.

TIP:AC-2andIA-2arecloselyrelated.

Everygroup,account,orroledefinedinAC-2mustbeexplicitlyaddressedinIA-2.AC-2isusedtodefinethegroups,accounts,androles,whomaybeassignedtoone,andhowtheyaremanaged(approvalprocess,creation&modificationprocedures,monitoring,etc.).IA-2definestheauthenticatorsusedforeachgroup,account,orrole,aswellasthetypesofaccesstothesystemutilizedbythesegroups,accounts,androles.Differentrolesoractivitiesrequiredifferingstrengths/levelsofauthentication.Eachauthenticationmechanismandusecasemustbeclearlydocumentedtoensurecompleteandadequatecoverageofauthentication.

TIP:TheSystemSecurityPlan(SSP)Boundary,Network,andDataFlowDiagramsshouldbeasdetailedaspossibletoclearlydefinetheAuthorizationBoundaryandservices,aswellasshowmajorhardwareandsoftwarecomponentsandinterconnectivity.

EachcomponentshouldalsoappearwiththesamedescriptionintheHardwareandSoftwareInventories.DeviationRequestsandPlanofAction&Milestones(POA&Ms)thatreferencethesecomponentsshouldincludethesamedescriptionssothattheyareeasilycross-referencedbetweendocuments.DataFlowDiagramsshouldidentifywherefederaldataisprocessedandstoredanddescribealldatatrafficinandoutoftheboundary.Itisalsonecessarytodescribedataflowforprivileged(suchassystemsadministrators)andcustomeraccessandaddressports,protocolsandservicesformanagingthistraffic.Thisassuresamuchbettermappingbetweendocumentsandhelpseliminateconfusion.

Q:CanaCSPmarkacontrolasboth“Implemented”and“AlternativeImplemented”intheSystemSecurityPlan(SSP)?

|57

A: Usuallynot.Ifacontrolisfullyimplemented,thenonlythe“Implemented”boxischecked.Ifthereisan“AlternativeImplementation”or“PartialImplementation”ofanycomponentofthecontrol,theneitherAlternativeorPartialisselectedasappropriate.Asanexample,theremaybe2typesofAccessControlmethods:oneforanadministratorwithelevatedprivilegesthatisfully“Implemented;”andthesecondaccesstypeisfornon-privilegedusersthathasan“AlternativeImplementation.”TheCSPwouldonlychecktheboxforAlternativeImplementationbutexplainthetwoimplementationsinthedialogboxforthatcontrol.Thisisbecauseduringtesting,the3PAOwillonlydeterminewhetherthecontrolisImplemented,AlternativeImplementation,PartialImplementationetc.,butnocombination.Then,the3PAOwilldetermineifthecontrolimplementationisSatisfiedorOtherthanSatisfiedfortheimplementationtypeprovided.

Q:CansharewareorfreewarebeanintegralpartoftheoperationalinfrastructureofaCSP?

A: SharewareandfreewareproductsthataretypicallyavailableforPCormobiledeviceusagearenotpermittedinFedRAMPenvironments.

OpenSource(noproductorsupportcosts)products,however,arepermittedfromreputablesourceswheretheCSPhascontroloverthesourceandexecutablecode.Theproductmustbesubjectedtocontinuousmonitoringfunctionsandvulnerabilityremediation.

9. OTHER DOCUMENTATION – PLAN OF ACTIONS AND MILESTONES (POA&M), READINESS ASSESSMENT REPORT (RAR), SCANS, AND INFORMATION SYSTEM CONTINGENCY PLAN (ISCP)

TIP:WhensubmittingthemonthlyPlanofActionsandMilestones(POA&M)spreadsheet,thefindingsonthespreadsheetmustbereconciledeachmonthwiththescanresultstoensurePOA&Maccuracy.Thismeansthatanyitemsthathaveclosedthroughoutthemonthshouldbemarkedassuchandappropriateartifactsshouldbeprovidedtovalidateclosure.

AllfindingsmustberecordedontheopentabofthePOA&M.Afalsepositive(FP)vulnerabilityremainsintheopentabuntilthedeviationrequest(DR)isapproved.Anoperationallyrequired(OR)vulnerabilityremainsontheopentabindefinitelyandisonlyclosedifthecircumstancescreatingtheORareresolved,suchasmigrationtoanewtechnology.Avendordependencyalsoremainsontheopentab

|58

indefinitelyandisonlyclosedoncetheCSPresolvestheissuebyapplyingavendorapprovedfixorupgrade.

Q:IstheFedRAMPHighrequirement,inNIST800-53IdentificationandAuthentication(1A)-2(4),metbyaseconddevice(suchasasmartphone)receivingaone-timepasswordormustahardwaretoken(i.e.CAC/PIV)beused?Theglossaryseemstoindicatetheyareequivalentasfarasmeetingtherequirement,sincethe“SomethingYouHave”categorylistsboth.

A:TheFedRAMPHighbaselinerequirestheuseofFIPSPub201-compliantcredentials–andPIVs/CACsmeetthisrequirement.OMBMemo11-11requiresfederalAgenciestocontinueimplementingtherequirementsspecifiedinHSPD-12toenableAgency-wideuseofPIVcredentials.Pleaseseethislinkformoreinfo:

http://www.nist.org/nist_plugins/content/content.php?content.49

TheFedRAMPJABhasprovidedthefollowingGuidancetoCSPsonthesubject:

§ WhenfirstfactorisPassword,secondfactormustbeoneofthefollowing:§ Look-upSecret–e.g.,bingocardwhereyoulookuptheOTP§ OutofBand–e.g.,smartphonewithsecurecommunicationsprotocoltoreceiveOTP§ SingleFactorOTPDevice–e.g.,RSASecureIDorOTPgeneratoronCMDs§ SingleFactorCryptographicDevice–e.g.,digitallysignednonceusing’embedded’‘non-

exportable’keys§ EmailisnotpermittedforOTP§ SMSisnotpermittedforOTP

Q:WhatarethecurrentvulnerabilityremediationtimelinesrequiredtobeFedRAMPAuthorized?

A:TheFedRAMPPMOdoesnotdifferentiatebetween“Critical”and“High.”However,FedRAMPrequiresmitigationofHigh-riskvulnerabilitieswithin30daysfromdiscovery,Moderate-riskvulnerabilitieswithin90daysfromdiscovery,andLow-riskvulnerabilitieswithin180daysfromdiscovery.

|59

Q:OurCSPclienthasdatacentersinmultiplelocationsthroughouttheUnitedStates.AspartoftheReadinessAssessmentReport(RAR),FedRAMPrequiresin-personinterviews.DoesvisitingonedatacentersatisfyFedRAMP’srequirement,ordoweneedtovisiteachlocation?

A: Visitingdatacentersisabestpracticetoenableyoutoviewthesecurityatthefacilityfirst-handaspartofyourverificationandvalidationefforts.IfaCSPhasmultipledatacenters,youarenotrequiredtovisiteachoneaspartoftheRAReffort;however,duringtheSecurityAssessmentReport(SAR)phase,weexpectthe3PAOtovisiteachdatacentertoperformin-personinterviews,reviewdocumentsasnecessary,andvalidatesomeofthecontrols.MostCSPsremotelymanagetheirsystems,andthe3PAOneedstovalidatethatthesecuritycapabilitiesareactuallyinplace.

Q:WhatisthepurposeofanInformationSystemContingencyPlan(ISCP)?

A:EachCSPmustdevelopandmaintaincontingencyplanstoaddressoperationaldisruptions.Thecontingencyplan(andtestresults)providesmanagementwithanevaluationofthepreparednessoftheCSP'scloudserviceofferingintheeventofamajordisruptionand/oracatastrophicevent.Thecontingencyplanensuresthatoperationsresumeandareeventuallyrestoredtoaknownstate.TheISCPandServiceLevelAgreementsdrivetherecoverytestfrequencyandcomplexityandrecoverytimeframes.Thesecontingencyplansareacomponentofaneffectivesecurityoperationsimplementation.

Q:Whattypesofdatabasesarerequiredtobescannedandhowshouldtheybetested?

A:Thedatabasescanningormanualtestingrequirementsapplytoalldatabaseswithinthesecurityboundary(i.e.,thosethatreside/areembeddedinahost/applicationaswellasotherdatabases).Databasesthatresideinahost(suchasanappliance)needtobetestedandmayrequirethetestertoworkwiththerelevantvendortoensuretheappropriatesecuritypostureofthedatabasethatresidesinahostissecure.Ifthedatabasesarenotaccessiblebythescanners,alternatemethodsofdatabasetesting(suchasmanualtests)shouldbeexplored.Thehostonwhichthedatabasesresideshouldbescannedaspartoftheinfrastructurescanning.

Q:WhatcanaCSPdotoprepareforpenetrationtestingandwhatrisksareinvolved?

|60

A:TheFedRAMPPenetrationTestingMethodologyiscomprehensiveandfollowsNISTSP800-115.Beforeconsideringthisactivity,aCSPshouldworkwithaThirdPartyAssessmentOrganization(3PAO)assessmentteamtodiscusstheramificationsofutilizingtheFedRAMPPenetrationTestingMethodology.Boththe3PAOassessmentteamandtheCSPmustdetermine,inwritingandpriortotheonsetofthetesting,thelevelofrisktheyarewillingtoacceptfortheassessmentandtailortheapproachaccordingly.

Oncetheparametershavebeententativelyagreedupon,the3PAOpenetrationtesterandassessmentteamshouldbeginthesecurityassessmentactivitieswithaplanningphasethatincludesgatheringinformationabouttheCSPenvironmentanddevelopingthetestprocedures.Onlyaftercompletingtheplanningphaseshouldthe3PAOassessmentteamproceedtotheexecutionphase.

Duringexecutionphase,theassessmentteamidentifiesvulnerabilitiesandvalidatesthatthevulnerabilitiesarenotfalsepositives.Attheconclusionoftheexecutionphase,theassessmentteamhasalistoftechnicalandprocessvulnerabilities.Thislistisusedduringthepost-executionphasetodeterminerootcausesofvulnerabilities,recommendremediationactions,anddocumentthetestresultsintheSecurityAssessmentReport(SAR).

Penetrationtestingriskscanrangefromnotgatheringsufficientinformationontheorganization’ssecuritypostureforfearofimpactingsystemfunctionalitytoaffectingthesystemornetworkavailabilitybyexecutingtechniqueswithoutthepropersafeguardsinplace.

Communicationandthoroughunderstandingiskey.

Q:WhatpurposedoesthePlanofAction&Milestones(POA&M)documentserve?

A: ThepurposeofthePOA&MistofacilitateadisciplinedandstructuredapproachtomitigatingrisksinaccordancewiththeCSP’sriskmitigationstrategy.ThePOA&Msincludethefindingsandrecommendationsofthesecurityassessmentreportandthecontinualsecurityassessments.ThePOA&Midentifies:(i)thetaskstheCSPplanstoaccomplishwitharecommendationforcompletioneitherbeforeorafterinformationsystemimplementation;(ii)anymilestonestheCSPhassetinplaceformeetingthetasks;and(iii)thescheduledcompletiondatestheCSPhassetforthemilestones.

FedRAMPusesthePOA&MtomonitorCSPprogressincorrectingweaknessesordeficienciesnotedduringtheinitialassessment,annualsecuritycontrolassessment,andthroughoutthecontinuousmonitoringprocess.ThePOA&MhascolumnslabeledfromAthroughZwhichmustbefilledinforeachrowwhichisauniquelyidentifiedvulnerability.

UsetheFedRAMP’sPlanofActionandMilestones(POA&M)TemplatetotrackandmanagePOA&Ms.Pleasenotethatwww.fedramp.govistheofficialwebsitefromwhichtodownloadFedRAMPtemplates.

|61

ThePOA&Mworkbookhastwospreadsheets,the“Open”tabandthe“Closed”tab.TheOpenPOA&Mspreadsheetincludesknownsecurityweaknesseswithinthecloudinformationsystem.OpenPOA&Mitemsmustcomplywiththefollowing:

§ IfafindingisreportedintheSecurityAssessmentReport(SAR)and/orinthecontinuousmonitoringactivities,thefindingmustbeincludedasanitemonthePOA&M.

§ FalsepositivesidentifiedintheSAR(AppendicesC,D,andE),alongwithsupportingevidence(forexample,cleanscanreport)donothavetobeincludedinthePOA&M.

§ EachlineitemonthePOA&Mmusthaveauniqueidentifier.ThisuniqueidentifiermustpairwitharespectiveSARfindingand/oranycontinuousmonitoringvulnerability.

§ AllhighandcriticalriskfindingsmustberemediatedpriortoreceivingaJABProvisionalAuthorization.

§ HighandcriticalriskfindingsidentifiedfollowingJABProvisionalAuthorizationthroughcontinuousmonitoringactivitiesmustbemitigatedwithin30daysafteridentification.

§ Moderatefindingsshallhaveamitigationdatewithin90daysofJABProvisionalAuthorizationdateorwithin90daysofidentificationaspartofcontinuousmonitoringactivities.

§ ThePOA&MmustbesubmittedinanappropriateformatfortheFedRAMPautomatedprocesses.

Q:WhatcriteriamustaPlanofActions&Milestones(POA&M)documentmeetinordertoaccuratelyrecordthefindingsoftheannualassessmentSecurityAssessmentReport(SAR)?

A: WhenrecordingthefindingsoftheAnnualAssessmentSARinthePOA&M,aCloudServiceProvider(CSP)needstoensurethattheyareutilizingthemostcurrentFedRAMPPOA&MtemplateavailableontheFedRAMPwebsite.Ifthetemplatehasbeenupdatedsincethelastannualassessment,theCSPshouldupdateandtransferdataandinformationtothelatestversion.

TheAnnualAssessmentPOA&MdiffersfromtheinitialPOA&MastheinitialPOA&MdoesnottrackPOA&MitemsthroughtheContinuousMonitoringprocess.IfaCSPhasanexistingPOA&MworkbookthathasbeenmaintainedsinceP-ATO,thePOA&MisupdatedwithalloftheitemsfromtheAnnualAssessmentSAR.ThefindingsintheSARmustexactlymatchtheitemsrecordedinthePOA&M“Open”tabsothatduringtheThirdPartyAssessmentOrganization(3PAO)assessment,a3PAOcaninvestigateandvalidatethestatusofany“Open”POA&Mitems.

TheSARmustthenaccuratelyreportallriskitemsthatarestillopen(recordedonthe"Open"tabofthePOA&M),andthenrecordanynewitemsidentifiedduringtheassessment.IfaCSPhasanexistingPOA&MthathasbeenmaintainedsinceP-ATO,allthefindingsfromtheAnnualAssessmentneedstobeappendedtothePOA&Minthe“Open”tab.UntiltheSARisJAB-approved,thenewitemsderivedfromtheAnnualAssessmentwillbeinapendingstatus,butarestillvalidrisksidentifiedbythe3PAOforthesystem.OncetheSARisapproved,theCSPwillreconciletheJABapprovals/concernswithwhatisinthe

|62

existingPOA&M.TheupdatedPOA&MisthenthePOA&MofrecordforthenextmonthlyContinuousMonitoringcycle.

TIP:WhensubmittingthemonthlyPlanofActionsandMilestones(POA&M)spreadsheet,thedateatthetopofthesheet(header)needstobeupdated.

Thisdate,alongwithdatesfromtheindividualscansprovidedbytheCSP,isusedbytheContinuousMonitoringteamasthereferencepointfordifferentdate-relatedissues/itemsinthePOA&M.Forexample,anyvendordependencycheck-indateslistedinthePOA&MwillbereferencedagainstthedateintheheaderofthePOA&M.

Missingorincorrectlistingsinthatheadercouldbeconsideredasnon-adherencetoscanningrequirementsornon-compliantdeliveryofscanresults(badscans,badPOA&Ms,etc.)andresultinaCAP.

Q:AservicepreviouslydocumentedintheSystemSecurityPlan(SSP)wasrenamed.HowdowereflectthenamechangewhenwesubmitaDeviationRequest(DR)foravulnerabilitythataffectstherenamedservice?

A: PleaseprovideabriefcontextualdescriptionoftherenamedserviceandreferenceitsdocumentednameintheSSP.ThisenablesthereviewertolookuptheservicebyitsoriginalnameintheSSP.

Q:AreCSPsexpectedtomaintainContinuousMonitoringactivitieswhileundergoinganannualassessment?

A: Yes.CSPsareexpectedtomaintainContinuousMonitoringactivitieswhileundergoinganannualassessment,includingtimelyremediationofPOA&Msandsubmissionofmonthlydeliverables.FedRAMPdoesnotallowexceptionsforthis.

TIP:WhensubmittingaSignificantChangeRequest(SCR),alwaysdiscussthechangewithyourreviewerpriortosubmittingtheform.

|63

ACSPisofteninclinedtoerronthesideofcautionandevaluateachangeassignificantwhenitmaynotbe(orviceversa),andthereviewercanassistinthisdecision.Additionally,thereviewerwillbeabletoassisttheCSPwithwordingontheform,aswellasthetimingofwhenitissubmitted.Asanexample,thereviewermayadvisethatachangeddeemedas“significant”,requiringmoreextensivetesting,maybedoneinconjunctionwithanupcomingAnnualAssessment.

TIP:CSPsshouldbesuretoincludeclosuredatesforPlanofAction&Milestones(POA&M)itemseveniftheyhavebeenmovedtotheclosedtabs.

Pleasebesuretoincludethesedatesboldlyinthecommentsection.ThisprovidesaclearpictureofthestatusofPOA&Mitems.

TIP:WhensubmittingtheAnnualAssessment(AA)package,thefinalSecurityAssessmentPlan(SAP),SecurityAssessmentReview(SAR),SystemSecurityPlan(SSP)andPlanofAction&Milestones(POA&M)documentsmustbesubmittednolaterthantheP-ATOanniversarydate.

CSPsshouldplancarefullytoensurealldocumentsarecompletedandsubmittedfortheAnnualAssessmentnolaterthantheP-ATOanniversarydate.FedRAMPoftenreceivespartialpackages(e.g.withonlytheSAPandSARandnottheSSPandPOA&M).IfFedRAMPdoesnotreceiveacompletepackage(withdocumentsinafinaldraftform)bytheP-ATOanniversarydate,thepackageisconsideredlateandtheCSPwillbeplacedonacorrectiveactionplan(CAP)inaccordancewiththeFedRAMPP-ATOManagementandRevocationGuide.

ThePOA&MprovidedmustbeupdatedtoincludethefindingsfromtheSAR.FortheSSPprovided,theNISTSP800-53controlsinthatSSPmustbeupdatedtomatchthestatusreflectedintheSAR.TheCSPsand3PAOshouldallowforthesePOA&MandSSPupdatetasksintheannualassessmentschedule.

TIP:Inthe"DescriptionofRisktotheSystem"sectionoftheDeviationRequest,doNOTcopyandpastethevulnerabilitydescriptionfromthesource.

Itisnecessarytoexplainthevulnerabilitywithinthecontextofthesystemandthepotentialriskshouldathreatexploitthatvulnerability.

|64

Avulnerabilitydescriptionfromascannerdoesnotprovidethedescriptionofriskpresentedtothesystem.Thereviewersshouldbeabletodiscerntheriskpresented.Reviewerscangenerallyresearchthevulnerabilitiesthemselves,buttheCSPneedstoprovidetheriskpresentedtothesystem.

TIP:DeviationRequests(DRs)shouldbesubmittedearlyenoughforareasonableexpectationofapprovalbeforetheinitialexpectedremediationdate.

DRsshouldnotbesubmittedonoraftertheexpectedclosuredateofthePlanofAction&Milestones(POA&M).ADRforaHighvulnerabilityshouldbesubmittedalongwiththeinitialPOA&Mlistingthevulnerability,oratleastbeforethenextmonth’sPO&Msubmission.AModerateriskadjustmentshouldbesubmittedbeforethe3rdPOA&Msubmission.Deviationrequeststhataresubmittedattheduedatecandemonstrateareactiveapproachtosecurity,ratherthanaproactiveapproach.

TIP:DeviationRequests(DRs)shouldbesubmittedearlyenoughforareasonableexpectationofapprovalbeforetheinitialexpectedremediationdate.

DRsshouldnotbesubmittedonoraftertheexpectedclosuredateofthePlanofAction&Milestones(POA&M).ADRforaHighvulnerabilityshouldbesubmittedalongwiththeinitialPOA&Mlistingthevulnerability,oratleastbeforethenextmonth’sPO&Msubmission.AModerateriskadjustmentshouldbesubmittedbeforethe3rdPOA&Msubmission.Deviationrequeststhataresubmittedattheduedatecandemonstrateareactiveapproachtosecurity,ratherthanaproactiveapproach.

TIP:WhensubmittingaMicrosoftOutlook,Gmail,oremailfromothermessagingsystemsasevidence,ensurethatitiscapturedinacommonformatsuchasaMicrosoftWordfileorAdobePDF.

Thishelpstoeliminateissueswithdissimilaremailsystems.Thepreferredmethodistoavoidtheuseofemailalltogetherandusesecuremethodsfortransmittingandstoringevidence.