Guide To Understanding FedRAMP 061312
Guide To Understanding FedRAMP 061312
Guide To Understanding FedRAMP 061312
Version 1.0
June 5, 2012
Executive Summary
This document provides helpful hints and guidance to make it easier to understand FedRAMPs requirements. The primary purpose of this document is to act as an aid for Cloud Service Providers and Third-Party Assessment Organizations (3PAOs) to get through the security assessment process quickly. The FedRAMP website can be found at www.fedramp.gov and information found in this document is consistent with the program described on the website. The FedRAMP program supports the U.S. governments mandate that all U.S. federal information systems comply with the Federal Information Security Management Act of 2002 (FISMA).
Page 2
Page 3
Table of Contents
About this document .................................................................................................................................... 9 Who should use this document? ............................................................................................................... 9 How this document is organized ............................................................................................................... 9 Conventions used in this document .......................................................................................................... 9 How to contact us .................................................................................................................................... 10 1. 1.1 1.2 1.3 1.4 2. FedRAMP Introduction.................................................................................................................... 11 Applicable Laws and Regulations ................................................................................................ 11 Applicable Standards and Guidance ........................................................................................... 11 FedRAMP governance ................................................................................................................. 12 Overview of The FedRAMP Process ............................................................................................ 12 Guidelines For Third-Party Assessment Organizations ................................................................... 13 2.2.1 2.2.2 2.2.3 2.2.4 3. 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 Security Assessment Plan (SAP) Template ...................................................................... 14 Security Test Procedure Workbooks ............................................................................... 14 Security Assessment Report (SAR) Template .................................................................. 14 Running Scans ................................................................................................................. 14
Guidelines For Cloud Service Providers .......................................................................................... 15 Before You Begin ......................................................................................................................... 15 Initiating the Process................................................................................................................... 16 After Acceptance Into The FedRAMP Program ........................................................................... 16 FIPS 199 Template ....................................................................................................................... 17 e-Authentication Template ......................................................................................................... 17 Privacy Threshold Analysis and Privacy Impact Assessment....................................................... 18 CTW Template ............................................................................................................................. 18 CIS Template ................................................................................................................................ 19 Components, Boundaries, and Architecture ............................................................................... 20 3.9.1 3.9.2 3.9.4.1 3.9.4.2 3.9.4.3 3.9.4.4 3.9.4.5 Describing Information System Components ( 9.2) ...................................................... 20 Use Cases ........................................................................................................................ 22 Case 1: Simple IaaS...................................................................................................... 22 Case 2: Simple PaaS..................................................................................................... 22 Case 3: Simple SaaS ..................................................................................................... 23 Case 4: One Provider, Just SaaS .................................................................................. 24 Case 5: Two Cloud Providers, IaaS and PaaS............................................................... 24
Page 4
3.9.4.6 3.9.4.7 3.9.4.8 3.9.4.9 3.9.3 3.9.4 3.9.4.1 3.9.4.2 3.9.5 3.10 3.10.1 3.10.2 3.10.3 3.10.4 3.10.5 3.10.6 3.10.7 3.11 3.12 3.13 3.14
Case 6: Three Cloud Providers, IaaS, PaaS, and SaaS .................................................. 25 Case 7: Two Cloud IaaS Providers ............................................................................... 26 Case 8: Two Cloud IaaS Providers and a PaaS Provider .............................................. 26 Case 9: Three Cloud Providers, One IaaS and Two PaaS ............................................. 27 Discussing Virtualization ................................................................................................. 28 Discussing Boundaries ( 9.2 in SSP) ............................................................................... 29 Discussing Live Migrations .......................................................................................... 31 Discussing Storage Components ................................................................................. 32 Addressing the Data Flow Diagram ( 10.1.4 in SSP) ...................................................... 33 Security Control Summary Information .......................................................................... 36 Security Control AC-7 ...................................................................................................... 38 Security Control PE-13 (1)(2)(3) ...................................................................................... 38 Security Control PL (4) ..................................................................................................... 39 Security Control SA-11(1) ................................................................................................ 40 Security Control SC-7 (1) ................................................................................................. 40 Security Control SC-13..................................................................................................... 42
IT Contingency Plan (CP-2) .......................................................................................................... 42 Business Impact Analysis (BIA) .................................................................................................... 42 Configuration Management Plan (CM-9) .................................................................................... 42 Incident Response Plan (IR-8) ..................................................................................................... 45 Security Control IR-2 ....................................................................................................... 47 Security Control IR-3 ....................................................................................................... 48 Security Control IR-4 ....................................................................................................... 48 Security Control IR-4(1) ................................................................................................... 49 Security Control IR-5 ....................................................................................................... 49 Security Control IR-6 ....................................................................................................... 49 Security Control IR-6(1) ................................................................................................... 50 Security Control IR-7 ....................................................................................................... 51 Security Control IR-7(1) ................................................................................................... 51 Security Control IR-7(2) ................................................................................................... 51
3.10.8 3.10.9 3.10.10 3.10.11 3.10.12 3.10.13 3.10.14 3.10.15 3.10.16 3.10.17 3.15 4.
5.
General Documentation Information for CSP ................................................................................. 52 5.1 Formatting and Section Numbers ...................................................................................................... 52 5.2 Sensitivity Markings ........................................................................................................................... 53 5.3 Items That Are Not Applicable ........................................................................................................... 53
Page 6
List of Tables
Table 3-1. Preparation Checklist.................................................................................................................. 15 Table 3-2. Information Types for IaaS Providers ......................................................................................... 17 Table 3-3. Example of Security Control Summary Information ................................................................... 36 Table 3-4. Control Original Definitions ........................................................................................................ 37 Table 3-5. Configuration Management Controls ......................................................................................... 43 Table 3-6. Configuration Management Nomenclature ............................................................................... 43 Table 3-7. Incident Response Controls ........................................................................................................ 46 Table 3-8. Agency Points of Contact to Report Incidents ............................................................................ 50
Page 7
List of Figures
Figure 2-1. FedRAMP Process ..................................................................................................................... 13 Figure 3-1. Screenshot from CTW ............................................................................................................... 19 Figure 3-2. Select the Implementation Status in the CIS ............................................................................ 19 Figure 3-3. Select the Control Origination Responsibility ........................................................................... 20 Figure 3-4. Example of Components Described by Name........................................................................... 21 Figure 3-5. Example of Components Described by Function ...................................................................... 21 Figure 3-6. One IaaS Provider ..................................................................................................................... 22 Figure 3-7. One Provider for IaaS and PaaS ................................................................................................ 23 Figure 3-8. One Provider, IaaS, PaaS, and SaaS ........................................................................................... 23 Figure 3-9. One Provider, Just SaaS ............................................................................................................. 24 Figure 3-10. Two Providers, One IaaS and One PaaS .................................................................................. 25 Figure 3-11. Three Providers, One IaaS, One PaaS, and One SaaS.............................................................. 25 Figure 3-12. Two IaaS Providers .................................................................................................................. 26 Figure 3-13. Two IaaS and One PaaS Provider ............................................................................................ 27 Figure 3-14. Three Providers, One IaaS and Two PaaS................................................................................ 28 Figure 3-15. Security Controls Fitting Together........................................................................................... 30 Figure 3-16. Security Control Gap ............................................................................................................... 30 Figure 3-17. Example of Storage Array Illustration ..................................................................................... 33 Figure 3-18. Data Flow Diagram Example ................................................................................................... 34 Figure 3-19. Access Control for System Components ................................................................................. 35 Figure 3-20. Two Access Control Mechanisms ............................................................................................ 35 Figure 3-21. TIC Compliant Architecture ..................................................................................................... 41
Page 8
Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note.
Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples. Tips Tips include information designed to help simplify the process.
HOW TO CONTACT US
If you have questions about FedRAMP or something in this document, please write to: [email protected] For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov.
Page 10
1. FEDRAMP INTRODUCTION
The FedRAMP program supports the U.S. governments objective to enable U.S. federal agencies to use managed service providers that enable cloud computing capabilities. The program is designed to comply with the Federal Information Security Management Act of 2002 (FISMA). This document includes guidance on how cloud service providers can meet FISMA requirements to obtain a FedRAMP Provisional Authorization.
Revision 1] Guide for Developing the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [NIST SP 800-37, Revision 1] Guide for Mapping Types of Information and Information Systems to Security Categories [NISP SP 800-60, Revision 1] Guide for Security-Focused Configuration Management of Information Systems [NIST SP 800-128] Information Security Continuous Monitoring for Federal Information Systems and Organizations [NIST SP 800-137] Managing Information Security Risk [NIST SP 800-39] Minimum Security Requirements for Federal Information and Information Systems [FIPS Publication 200] Personal Identity Verification (PIV) of Federal Employees and Contractors [FIPS Publication 201-1] Recommended Security Controls for Federal Information Systems [NIST SP 800-53, Revision 3] Risk Management Guide for Information Technology Systems [NIST SP 800-30] Security Considerations in the System Development Life Cycle [NIST SP 800-64, Revision 2] Security Requirements for Cryptographic Modules [FIPS Publication 140-2] Standards for Security Categorization of Federal Information and Information Systems [FIPS Publication 199] Technical Guide to Information Security Testing and Assessment [NIST SP 800-115]
Page 12
The independent assessment is paid for by the CSP and must be performed in accordance with FedRAMP assessment procedures. CSPs select the 3PAOs from the list of accredited 3PAOs which is published at the following URL: http://www.gsa.gov/portal/content/131991 When an agency leverages a Provisional Authorization, that agency will still need to address a subset of security controls within their own agency for the controls not addressed by the Provisional Authorization. Refer to the use cases in Section 3.8.2 for more information on how agencies layer security controls on top of cloud services. After a Provisional Authorization is granted, CSPs must maintain their compliance by performing a variety of continuous monitoring tasks as described in the FedRAMP Continuous Monitoring and Strategy Guide which has not yet been released. Please check back on the FedRAMP website for it.
Page 13
for the system being scanned (e.g. root, administrator). The use of non-authenticated scans can assist in vulnerability severity determinations and in prioritizing remediation efforts since in a non-authenticated scan vulnerabilities are seen from the point of an attacker/intruder. Non-authenticated scans can be used in addition to fully authenticated scans if the information from these scans helps to determine the risk exposure. However, non-authenticated scans are not required by FedRAMP. 3PAOs do not need to run source code scans. However, if a CSP writes original source code that is built into their service offering, the CSP is required to perform source code scanning to satisfy control SA-11(1). If the CSP service offering uses CSP developed original code, the 3PAO should ask the CSP to provide the results of a source code analysis report (from a code analysis scanner) for the current release.
All scan results should be attached as an Appendix to the SAR. CSP systems must be scanned quarterly by a 3PAO in order to maintain their authorization. The scan does not have to be performed by the same 3PAO that performed the scan previously.
Page 15
Guide to Understanding FedRAMP Version 0.1 / Date Checklist 3 4 5 6 7 8 9 10 11 12 Description You can identify customer responsibilities and what they must do to implement controls System provides identification & 2-factor authentication for network access to privileged accounts System provides identification & 2-factor authentication for network access to non-privileged accounts System provides identification & 2-factor authentication for local access to privileged accounts You can perform code analysis scans for code written in-house (non-COTS products) You have boundary protections with logical and physical isolation of assets You have the ability to remediate high risk issues within 30 days, medium risk within 90 days You can provide an inventory and configuration build standards for all devices System has safeguards to prevent unauthorized information transfer via shared resources Cryptographic safeguards preserve confidentiality and integrity of data during transmission
Page 16
certain documents that you will be required to submit. FedRAMP has created templates for these documents which the CSP should edit and modify based on the security controls implemented in the candidate system. All templates are available on the FedRAMP website. Guidance on how to fill out the various templates and how to develop the required documents are described in the sections that follow.
C.3.5 Information and Technology Management C.3.5.1 System Development Information Type C.3.5.2 Lifecycle/Change Management Information Type C.3.5.3 System Maintenance Information Type C.3.5.4 IT Infrastructure Maintenance Information Type C.3.5.5 Information Security Information Type C.3.5.6 Record Retention Information Type C.3.5.7 Information Management Information Type C.3.5.8 System and Network Monitoring Information Type C.3.5.9 Information Sharing Type The FIPS 199 analysis should be performed with respect to service provider system data only. Customer agencies will be performing a separate FIPS 199 analysis for their customer owned data hosted on the system.
You should ensure that your final e-Authentication analysis is consistent with Table 2-5 in the System Security Plan.
Page 17
Note: Please refer to OMB Memo M-04-04 E-Authentication Guidance for Federal Agencies for more information on e-Authentication.
CSPs should consider whether or not their security controls (for their own support staff) use PII for any authentication mechanisms (e.g. fingerprint scanners, hand scanners, iris scanners). If the CSP system will require PII from agency customers, for example to enroll users in authentication mechanisms, then the impending collection of that PII on first use by agency customers should be made known. When performing the independent security assessment the 3PAO will review the PTA and/or a PIA and may make certain determinations and findings that are incorporated into the Security Assessment Report (SAR). A combination PTA and PIA template is provided and is available on www.fedramp.gov.
not exist in the candidate service offering, that should be noted as not implemented. If the candidate service offering uses an alternative or compensating control, that fact should be noted with a brief explanation of how the alternative control works. If a control does not exist but is planned for future implementation, that information should be noted along with a brief explanation of how and when the control will be implemented in the future. For planned controls, an anticipated implementation date should also be noted. If your CSP candidate system meets all required security controls, settings, and parameters, the CSP should note Meets in the right-hand most column for the associated control.
Additionally, CSPs need to indicate in the CIS the entity that owns the responsibility to implement and manage the control. In some cases, implementation and management of a control may require joint ownership by the CSP and the customer agency. An example of control origination selections for three different controls is illustrated in Figure 3-3.
Page 19
The CIS is considered a living document and it is okay to update it throughout the development of the System Security Plan.
Once the FedRAMP security assessment process has started, if a component has its name changed for any reason, the Change Control Process (as described in your Configuration Management Plan) for the information system should capture and include a recorded history of the name change. Submitting initial documentation with one set of component names, and then submitting subsequent documents with another set of component names accompanied by an email that states We changed the names of our components... will not be sufficient and could cause substantial delays in your FedRAMP security assessment.
Figure 3-4 illustrates software components described by unique names and Figure 3-5 illustrates software components described by functionality. Regardless of which method you use to describe your components, you will still need to include a detailed description of the functionality that each component provides to the overall system.
Page 21
3.9.4.1
Its possible that an agency may want to use one IaaS provider with the intention of having the top layer controls (platform and application) provided by the agency. In this scenario, one FedRAMP Provisional Authorization is applicable as illustrated in Figure 3-6.
3.9.4.2
Page 22
Its possible that an agency may want to use one provider that provides both the IaaS and PaaS layers, with the intention of having the top layer controls (application) provided by the agency. In this scenario, one FedRAMP Provisional Authorization is applicable as illustrated in Figure 3-7.
3.9.4.3
Its possible that an agency may want to use one provider that provides the IaaS, PaaS, and SaaS layers. In this scenario, one FedRAMP Provisional Authorization is applicable as illustrated in Figure 3-8.
Page 23
3.9.4.4
Its possible that a cloud service provider may build a SaaS application that encompasses the entire stack of security controls, but does not differentiate between the PaaS and IaaS layers. NIST SP 500-293, Volume II (Draft) states: It is possible, though not necessary, that SaaS applications can be built on top of PaaS components, and PaaS components can be built on top of IaaS components.
3.9.4.5
Its possible that an agency may want to use one provider that provides IaaS and a different provider that provides the PaaS layer. In this scenario, the Paas provider is dependent on leveraging a pre-existing Provisional Authorization from the IaaS provider. In this scenario, if the agency decides to make use of this integrated package, two different FedRAMP Provisional Authorizations are applicable as illustrated in Figure 3-10.
Page 24
3.9.4.6
Its possible that an agency may want to use three providers that each provide a different layer. In this scenario, the PaaS provider is dependent on leveraging a pre-existing Provisional Authorizations from the IaaS provider and the SaaS provider is dependent on leveraging a preexisting Provisional Authorization from the PaaS provider (and indirectly the IaaS provider). In this scenario, if the agency decides to make use of this integrated package, three different FedRAMP Provisional Authorizations are applicable as illustrated in Figure 3-11.
Figure 3-11. Three Providers, One IaaS, One PaaS, and One SaaS
Page 25
3.9.4.7
Its possible that an agency may want to make use of two separate IaaS providers with the intention of having the top layer controls (platform and application) provided completely by the agency. In this scenario, two different FedRAMP Provisional Authorizations are applicable as illustrated in Figure 3-12.
3.9.4.8
Its possible that a cloud implementation could make use of two separate IaaS providers and a third separate PaaS provider. In this scenario, the Paas provider is dependent on leveraging two pre-existing Provisional Authorizations one from each of the IaaS providers. In this scenario, if the agency decides to make use of this integrated package, three different FedRAMP Provisional Authorizations are applicable as illustrated in Figure 3-13.
Page 26
When IaaS Provider 1 writes their System Security Plan, they will not indicate that they are leveraging any other Provisional Authorization. The same holds true for IaaS Provider 2. However, when the PaaS provider writes their System Security Plan, in Section 8.2 of the System Security Plan, they should indicate that they are leveraging the Provisional Authorization of both IaaS Provider 1 and IaaS Provider 2. It is anticipated that the PaaS provider will inherit controls from both IaaS providers. 3.9.4.9 Case 9: Three Cloud Providers, One IaaS and Two PaaS
Its possible that a cloud implementation could make use of one IaaS provider and two PaaS providers. In this scenario, both Paas providers are dependent on leveraging the pre-existing Provisional Authorizations from the IaaS providers. In this scenario, if the agency decides to make use of this integrated package, three different FedRAMP Provisional Authorizations are applicable as illustrated in Figure 3-14.
Page 27
When discussing the functionality of the different components, indicate whether the component is a standard host operating system or a guest (virtual) operating system. For each physical host that provides the capability to implement guest systems, discuss whether the virtualization technique is based on hosted virtualization or bare metal virtualization.
Page 28
Guest operating systems can be deployed in several ways (i) the CSP provides a self-service menu driven control panel where customers can setup and configure their own virtual machines within a controlled environment; (ii) the CSP installs and configures unique virtual machines instances directly for the customer thereby eliminating the need for a self-service portal. When discussing administration, access control, and configuration settings of virtual machines, CSPs need to be clear about whether their service offers a self-serve solution or a CSP administered solution. The roles and authorizations associated with both of these solutions should be detailed in the System Security Plan (Table 9-1) User Roles and Privileges. Not considering applications and platforms, network components can also be virtualized. If you are discussing a network component (or device) that is a virtual component, you need to be clear about the fact that the item you are discussing is virtual and not physical. Examples of virtual network components and devices are: Virtual Local Area Networks (VLANs) Virtual Ethernet Modules Virtual Firewalls Virtual Switches Virtual Distributed Switches Virtual Security Gateways Virtual Routers NAT Virtual Interfaces (NVI)
Page 29
If parts of a security control boundary are not well understood, it is possible that there could be gaps in the security control boundary between the layers as illustrated in Figure 3-16.
Page 30
When discussing boundaries, be sure to include information on how different tenants are separated from each other in a multi-tenant environment. Questions that you should consider when describing your boundaries are: Will your boundaries leverage any existing Provisional Authorizations? What is your definition of a tenant? For your service offering, will multiple tenants share the same VLAN(s)? Are there controls that prevent VLAN hopping? Do you isolate virtual machine zones on unique network segments? Do you use separate physical network adapters to isolate virtual machine zones? Is layer-2 isolation performed? Is isolation through traffic encapsulation used? Do port groups define any boundaries? If port groups are used, are they all in the same layer-2 domain or do they span multiple layer-2 domains? Do you bond multiple Network Interface Cards (NICs) together? How do firewalls provide isolation between tenants? How do router ACLs provide isolation between tenants? Are IPsec tunnels used to define boundaries? Are network filters used that control what packets are sent to or from a virtual machine? Are network zones used? If yes, how are zones defined? Will U.S. federal agencies be multi-tenanted with non-government entities? Do you use NAT virtual interfaces (NVI) or domain specific NAT configurations? How does NAT play a role in containing network traffic within the boundary? What kind of NAT is used? (e.g. static, dynamic, overloading, overlapping) Do you use NAT IP pools? Are geo iplocation boundaries used? How will you know the geographic location (City, State) where customer data is stored? Will it be possible for agency customers to know the geographic location (City, State) where their data is stored?
Tip: NAT can be used to do the following: allow internal users access to the Internet, allow the Internet to access devices inside the boundary, redirect TCP traffic to another port or address, allow overlapping networks to communicate, allow networks with different address schemes to communicate, allow the use of application level gateways.
3.9.4.1
Live migrations of virtual machines have the potential to confuse a common understanding of the
Page 31
information system boundaries. Therefore, when describing boundaries, it is important to discuss the live migration strategy for the information system. Live migrations have the ability to move an entire virtual machine to another host or instead to move a virtual machines data store (configuration file and virtual disks) to another physical host without actually moving the virtual machine. Complicating this, it is also possible to move and store a virtual machines configuration files, and disks in separate locations. FedRAMP does not make recommendations on live migration strategies. However, whatever the live migration strategy is, FedRAMP wants to understand how live migrations are managed. IP addresses declared within the boundary must remain protected by the security controls noted in the System Security Plan even if the IP addresses are move around. Questions that you should consider in your discussion on live migration are: Are live migrations performed manually or are they scheduled and automated? If live migrations are automated, what are the rules that govern the migration? FedRAMP is interested in understanding how virtual machines are monitored and how guest systems are migrated one from physical host to another. Consider discussing how virtual machine migration and tracking can be audited through logging and event generation in Section 13.13.2 (AU-2a) of the System Security Plan. 3.9.4.2 Discussing Storage Components
In your description of system components, you should include information about storage components that are inside the boundary. If you are using a fabric channel storage array, insert a diagram of the configuration. An example illustration is shown in Figure 3-17. Questions that you should consider when describing your storage components are: Does the system use Direct Attached Storage (DAS), Network Attached Storage (NAS), or Storage Area Networks (SANs)? If you use a SAN, what is used to connect hosts in a cluster (fiber channel or iSCSI)? Which fiber channel or iSCSI connections are considered within the boundary? Are different types of storage devices used on different network segments? Are clusters used? How many hosts are on a cluster and which clusters are in the boundary? Do the storage devices use a multipath environment? Are the storage devices setup to be persistent or non-persistent?
Page 32
3.9.5
Section 10.1.4 in the System Security Plan template requires that you include a data flow diagram of how network traffic flows through your platform and offering. A data flow diagram focuses more on the direction of the network traffic and less on the actual network topology. However, certain components of the systems network topology need to be included in order to illustrate the direction that the network traffic flows through the system. Figure 3-18 below shows an example of a data flow diagram.
Page 33
3.10
Section 13 in the System Security Plan template requires that CSPs accurately describe how security controls are implemented. Your information system and offering likely includes multiple components. When describing a security control, you will need to describe how the control is implemented for all components of your system as is illustrated in Figure 3-19. It may be possible that different services provided by a vendor consist of different components. Some components may be common across all services but others may be unique to a particular service. You may describe how a control is implemented based on its named component (Figure 3-4), or its functional component name (Figure 3-5). It adds clarity to the control description process if the functional components are aligned with named components however that may not be possible in all cases.
Page 34
Tip: If all components are integrated into a centralized single sign-on system, then the access control process and implementation only needs to be described once.
FedRAMP allows for flexible implementations, and it is possible that a group of components collectively use one type of access control mechanism and that the rest of the components use a different access control mechanisms as illustrated in Figure 3-20.
If multiple access control mechanisms are used for the various system components, when describing how access controls are implemented, CSPs need to describe all access control mechanisms and indicate which components use which mechanism.
Page 35
3.10.1
Each security control includes a table called Security Control Summary Information as illustrated in Table 3-3. Security control enhancements also require security control summary information. Definitions for Control Origination can be found in Table 4-1. For any of the -1 controls that describe Policies and Procedures (e.g. AC-1, SC-1 etc.) it is not possible to select Configured by Customer, Provided by Customer, Shared, or Inherited from pre-existing Provisional Authorization and this is by design since all organizations need to have their own set of Policies and Procedures.
Table 3-3. Example of Security Control Summary Information Control ID Responsible Role: Parameter: Implementation Status (check all that apply): In place Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
In the field described as Responsible Role, the CSP should indicate what staff role within their organization is responsible for maintaining and implementing that particular security control. Examples of the types of role names may differ from CSP to CSP but could include role names such as: System Administrator Database Administrator Network Operations Analyst Network Engineer Configuration Management Team Lead IT Director
Page 36
Firewall Engineer All controls originate from a system or from a business process. It is important to describe where the control originates from so that it is clear whose responsibility it is to implement and manage the control. In some cases, the responsibility is shared by a CSP and by the customer. Since each service offering is unique, the FedRAMP program cannot provide guidance on which controls should or should not be defined according to the Control Origination definitions in Table 3-4.
Table 3-4. Control Original Definitions Control Origination Service Provider Corporate Definition A control that originates from the CSP corporate network. Example DNS from the corporate network provides address resolution services for the information system and the service offering. A unique host based intrusion detection system (HIDs) is available on the service offering platform but is not available on the corporate network. There are scans of the corporate network infrastructure. Scans of databases and web based application are system specific. User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable http or https, etc.), entering an IP range specific to their organization are configurable by the customer. The customer provides a SAML SSO solution, adding in SAML assertions, to implement two-factor authentication. Both the service provider and the customer require two-factor authentication for both privileged and non-privileged users for network access.
A control specific to a particular system at the CSP and the control is not part of the standard corporate controls.
A control that makes use of both corporate controls and additional controls specific to a particular system at the CSP. A control where the customer needs to apply a configuration in order to meet the control requirement.
Configured by Customer
Provided by Customer
A control where the customer needs to provide additional hardware or software in order to meet the control requirement. A control that is managed and implemented partially by the CSP and partially by the customer.
Shared
As of this edition, guidance has been provided for a subset of the security controls. This document may be updated in the future to include guidance on other security controls.
Page 37
3.10.2
Section 13.1.7(a) in the System Security Plan template requires that you discuss the fact that unsuccessful logins are set to a parameter of 3 or less within a 15 minute period. Questions that you should consider in your discussion are: Is the unsuccessful login parameter configured on a central policy server? What server? Is the unsuccessful login parameter configured manually on a server by server basis? What tool/function do you use to configure unsuccessful logins? Do you use policy templates or a policy manager to configure this parameter? Is the unsuccessful login parameter configured the same for all groups and roles of users? Is the unsuccessful login parameter configured using different techniques on application servers, databases, firewalls, routers, and all other components? Do you use a single sign-on application that controls unsuccessful login parameters? Do you configure unsuccessful login parameters through a GUI or a CLI? Do you use any COTS authentication/access control products to configure the unsuccessful login parameter? Can you provide any screenshots that show the configuration of the unsuccessful login parameter is configured? If you are using multiple operating systems do you set this parameter using different techniques for the different operating systems? Section 13.1.7(b) in the System Security Plan template requires that you discuss how account lockouts occur when a user has more than 3 unsuccessful login attempts within a 15 minute period. Questions that you should consider in your discussion include: Are account lockouts configured on all systems that are within the boundary? Are account lockouts configured on any customer control panel login mechanisms? If a user is locked out, how will they know who to call to have their account reset? Will VPNs made available to customers through self-service control panels lockout via the physical system lockout parameters? Or do customers need to configure their own VPN lockouts separately?
3.10.3
Section 13.11.13 in the System Security Plan template requires that you describe fire suppression security controls. One of the things that you should indicate is whether or not your fire suppression system complies with NFPA 751. Indicate if local fire marshals have performed a recent inspection and what the date is of the last inspection.
1
National Fire Protection Association (NFPA) Standard for the Protection of Information Technology Equipment 75
Page 38
Questions that you should consider in your discussion are: Is there a fire alarm system? Do fire alarms get sent to a remote monitoring center? How are your alarms activated? (e.g. smoke, heat) Where are fire detection devices located? Where are fire suppression devices located? Is the monitoring and maintenance of the system outsourced to a service provider? Are there maintenance records for the fire suppression system? Are you using wet pipe, dry pipe, pre-action, or deluge sprinklers? Are you using an inert agent fire suppression system? Are there fire extinguishers in the data center? Where are fire extinguishers located? When are fire extinguishers inspected? What fire suppression agent do the fire extinguishers use?
3.10.4
Section 13.12.3 in the System Security Plan template requires that CSPs provide Rules of Behavior for their users. FedRAMP has provided a template for Rules of Behavior which is available on the FedRAMP website. The template includes two sample sets of Rules of Behavior one for Internal Users and one for External Users. Internal Users are company employees or company contractors. External Users are customers who will be using the service provider platform. Before the CSP gives customers access to the service provider platform, CSPs should require their customers to sign the External Rules of Behavior. If the CSP provisions one account to one customer user (a customer account administrator), who in turn provisions accounts for the all the other customer users, the CSP only needs to obtain a signed External Rules of Behavior for that one customer user. That one customer user who provisions accounts for other customer users inside their respective agency will then become responsible for ensuring that Rules of Behavior for their agency are signed for the system. The agency customer account administrator should then determine the appropriate Rules of Behavior for the agency users to sign but should take into consideration the rules listed on External Rules of Behavior that was signed and provided to the CSP. The general rule of thumb is that if you provision an account to someone else, the person who provisions the account is responsible for obtaining a signed Rules of Behavior. In some cases the person provisioning the account might be the CSP, and in some cases the person provisioning the account might be an agency employee. The rules provided on the FedRAMP Template are samples and CSPs do not have to use these specific rules. CSPs should consider what rules apply to the candidate system and edit the template to describe the rules that are actually required. They can use any of the sample rules, or replace them completely with other rules. Signed records of the Rules of Behavior should be retained by the entity that provisions the account. It is acceptable to implement the Rules of
Page 39
Behavior electronically or on paper, however, agreement to the Rules of Behavior and sign-off should be obtained before users are granted access to new accounts.
3.10.5
Section 13.15.11.1.1 in the System Security Plan temple is a control for original source code development. If the CSP service offering has been developed using original source code, CSPs need to provide a code analysis report that shows that the latest release was scanned with a code analysis scanner. Indicate what scanner was used and insert the report into your System Security Plan for this control. All code analysis reports should be made available to the 3PAO that performs the testing on the CSP system. If the CSP is not writing any original code, then this control is not applicable and that should be indicated in the System Security Plan.
3.10.6
Section 13.16.6.1.1 in the System Security Plan template and SC-7(1) references the Trusted Internet Connection (TIC) initiative. The TIC initiative is mandated by OMB in Memo M-08052. The purpose of putting in place Trusted Internet Connections (TIC) is to reduce and consolidate and connections to the federal government, including connections to the Internet. Additionally, data must pass through the TIC to obtain monitoring services from US-CERT. Currently, there are two categories of TICs as defined and approved by Federal Network Services which is part of the Department of Homeland Security (DHS): Federal agencies that are approved TIC Access Providers (referred to as TICAPs) Networx Managed Trusted IP Service providers with qualified and approved capabilities (referred to as MTIPS). For a commercial cloud service provider to comply with SC(7)-1, the CSP must demonstrate an architecture that allows an agency to provide effective separation of network traffic to meet the following objectives: a. All government data, shall be capable of routing through a dedicated logical or physical network connection. b. The service shall be capable of excluding co-tenant data, or any other third party data, not intended for the government from being transmitted through a government network connection. c. The service shall be capable of excluding data intended solely for government use from being routed through an external (non-dedicated) network connection.
2
http://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2008/m08-05.pdf
Page 40
To accomplish the TIC objectives, there are multiple architectures that CSPs may propose with an example illustrated in Figure 3-21. The following architectures have been previously approved by Federal Network Services: 1. CSP routes all Government traffic via VPN back to an agency network. 2. CSP routes all government traffic through an agency sponsored MTIPS, no government traffic is allowed over the public Internet. 3. CSP routes all government traffic through dedicated network connections to an agency network, no government traffic is allowed over the public Internet. 4. CSP routes by all government traffic through government endpoints, not allowing any data to traverse any other end-points than agency IP address ranges (effectively all inbound/outbound traffic routes through government network by proxy or other rules). It is not possible for a CSP to connect directly to a TICAP. Connection to an MTIPS Provider is available through the Networx contract but this contract vehicle can only be used by agencies. Agencies should sponsor the CSP that they want to use, and then use the Networx contract vehicle to assist the CSP in connecting to the MTIPS Provider. More information about the Networx contract can be found at the following URL: http://www.gsa.gov/portal/content/104870 . More information on the TIC is available at the following URL: http://www.dhs.gov/files/programs/gc_1268754123028.shtm . The TIC Program Office can be contacted at [email protected].
Page 41
3.10.7
Section 13.16.12 in the System Security Plan template and SC-13 requires that you discuss where cryptographic protections are implemented. Cryptographic protections can be used in a multitude of places on an information system. You should describe what components or devices use cryptographic protections and how they are implemented. Questions that you should consider in your discussion are: Are data partitions encrypted? Are swap partitions encrypted? Are temporary file systems encrypted? Are file systems encrypted? Are files encrypted? All files or just some files? Are storage devices encrypted? Are log files encrypted? Are databases encrypted? Are hardware encryption modules used? Are encrypted logical volumes used? Do virtual machines that are not running have their images/templates encrypted? Are commercial off-the-shelf encryption products being used? Which ones? If cryptographic protections are used to protect data in transmission, save that discussion for Section 13.16.8 in the System Security Plan which is where you describe the control implementation for Transmission Confidentiality SC-9.
3.11
FedRAMP provides an IT Contingency Plan (ITCP) template that is available on the FedRAMP website. Please refer to NIST SP 800-34, Revision 1 for assistance in writing your IT Contingency Plan http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errataNov11-2010.pdf.
3.12
The Business Impact Analysis is an Appendix of the IT Contingency Plan. At this time, FedRAMP does not provide a template for the BIA. Please refer to NIST SP 800-34, Revision 1 for more information on developing a Business Impact Analysis.
3.13
The FedRAMP program currently does not provide a template for a Configuration Management Plan. However, each CSP is required to submit a Configuration Management Plan which should describe how their organization controls change for the information system. The Configuration Management Plan needs to be able to stand alone since it is possible that the staff that uses the
Page 42
Configuration Management Plan does not have access to the System Security Plan. The Configuration Management Plan need to address the Configuration Management (CM) family of security controls as indicated in the System Security Plan template. A summary of the CM controls can be found in the Table 3-5.
Table 3-5. Configuration Management Controls Control No CM-1 CM-2 CM-3 CM-4 CM-5 CM-6 CM-7 CM-8 CM-9 Control Name Configuration Management Policy and Procedures Baseline Configuration Configuration Change Control Security Impact Analysis Access Restrictions for Change Configuration Settings Least Functionality Information System Component Inventory Configuration Management Plan Low CM-1 CM-2 Not Selected CM-4 Not Selected CM-6 CM-7 CM-8 Not Selected Moderate CM-1 CM-2 (1) (3) (4) CM-3 (2) CM-4 CM-5 CM-6 (3) CM-7 (1) CM-8 (1) (5) CM-9 Delta From NIST 800-53 r3 No Yes Yes No No Yes Yes Yes No
Configuration management nomenclature should be defined in the Configuration Management Plan as it is used at the CSP. Suggested configuration management nomenclature that is worth taking into consideration can be found in Table 4-3. FedRAMP allows for flexibility of development and release nomenclature and the definitions in Table 4-3 may not match the terminology that your organization is accustomed to using. Please modify the definitions in Table 4-3 to match the nomenclature that you normally use. If you dont normally use the terminology found in Table 3-6, but would like to switch to this terminology, please ensure that all of your supporting documents are updated so that the terminology is consistent across all of your documentation.
Table 3-6. Configuration Management Nomenclature Nomenclature Alpha Release Definition The Alpha phase of the release cycle is the first phase to begin software testing. Alpha releases can potentially contain stability issues and are not made available to customers. The Beta phase of the release cycle is a secondary phase to begin software testing after all features of the code are complete and after bugs found during the Alpha Release have been fixed.
Beta Release
Page 43
Guide to Understanding FedRAMP Version 0.1 / Date Nomenclature Baseline Definition (1) A specification or product that has been formally reviewed and agreed upon, that thereafter serves as the basis for further development, and that can be changed only through formal change control procedures. (2) A document or a set of such documents formally designated and fixed at a specific time during the life cycle of a configuration item. (3) Any agreement or result designated and fixed at a given time, from which changes require justification and approval. (IEEE Std. 610-12-1990). A baseline is configuration identification formally designated and applicable at a specific point in the life cycle of a configuration item. An operational version of a system or component that incorporates a specified subset of the capabilities that the final product will provide. (IEEE Std. 610-121990) A group of people responsible for evaluating and approving or disapproving proposed changes to configuration items, and for ensuring implementation of approved changes. (IEEE Std. 610-12-1990) A request from either an internal or an external customer to make a change to a baseline configuration. Change requests can be related to either software releases or to network components such as server or workstation configurations or to any other network infrastructure component. An element of CM, consisting of the evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification. (IEEE Std. 610-12-1990) An identifiable part of a system that is a discrete target of configuration control processes. (NIST SP 800-128) A discipline applying technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a configuration item, control changes to those characteristics, record and report change processing and implementation status, and verify compliance with specified requirements. (IEEE Std. 610-12-1990) A software build that has been thoroughly tested and made available to customers. A current and comprehensive baseline inventory of all hardware (HW) (to include manufacturer, type, model, physical location and network topology or architecture) required to support <Information System Name> operations is maintained by the Configuration Control Board (CCB) and is part of the Hardware and Software Inventory. A backup copy of the inventory is stored in a fire-rated container located or otherwise not collocated with the original. A current and comprehensive baseline inventory of all software that includes manufacturer, type, and version and installation manuals and procedures. A backup copy of the inventory is stored in a fire-rated container or otherwise not collocated with the original.
Build
Software Baseline
Page 44
Guide to Understanding FedRAMP Version 0.1 / Date Nomenclature Version Definition Each software build is assigned a version number. The version number is used as a mechanism for differentiating one build from another. Version numbers are used regardless of whether or not a build is ultimately released.
Note: NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems can be found at the following URL: http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf
When there is a major change to your system, you are required to update certain artifacts and new security testing may be required on all of your controls or a subset of your controls. If you have a major change to your system planned, please notify your FedRAMP ISSO in advance of the change giving as much advanced notice as possible. The nomenclature such as that found in Table 4-3 should be taken into consideration when you implement a major change to your system. Within your Configuration Management Plan, you are required to describe the change management process that you use to implement changes (CM-3). Your change management process should indicate if the change is a major change, a standard change, or an emergency change (CM-3a). You are welcome to add other change types according to your organizational needs. A major change includes (but is not limited to): Changing your authentication or access control implementation Changing your storage implementation Changing a COTS product implemented in your system to another vendor or product Adding more IP addresses to your inventory Implementing a new code release of your code Changing your backup mechanisms and process Changing your IaaS provider (if you are a PaaS or SaaS provider) Adding new interconnections to outside service providers Changing an alternate (or compensating) control Removing security controls
3.14
Security 13.8.8 in the System Security Plan template requires that you develop an Incident Response Plan. FedRAMP currently does not provide a template for an Incident Response Plan. Nonetheless, each CSP is required to submit an Incident Response Plan which should describe how they manage security incidents for the system. The Incident Response Plan needs to address the Incident Response (IR) family of security controls as indicated in the System Security Plan template. A summary of the IR controls is found in Table 3-7. The Incident Response Plan (IR-8) for the system should include information that provides descriptions of how IR-1 through IR-7
Page 45
are implemented.
Table 3-7. Incident Response Controls Control No IR-1 IR-2 IR-3 IR-4 IR-5 IR-6 IR-7 IR-8 Control Name Incident Response Policy and Procedures Incident Response Training Incident Response Testing & Exercises Incident Handling Incident Monitoring Incident Reporting Incident Response Assistance Incident Response Plan Low IR-1 IR-2 Not Selected IR-4 IR-5 IR-6 IR-7 IR-8 Moderate IR-1 IR-2 IR-3 IR-4 (1) IR-5 IR-6 (1) IR-7 (1) (2) IR-8 Delta From NIST 800-53 r3 No No Yes Yes No No Yes Yes
The purpose of the Incident Response Plan is to have a plan to use in the event of a security or privacy incident, or any other incident that may affect operations of the system (e.g. incidents related to power outages, natural disasters). The staff that may need to use the Incident Response Plan may not have access to the System Security Plan. Therefore, the Incident Response Plan should be able to stand alone. It is important to make sure that incident response roles and responsibilities are well defined and articulated in the Incident Response Plan. Questions that you should consider in your discussion on IR-8, part (a) include: Are incident roles and responsibilities defined? Who is responsible for incident response planning? Are there clear lines of reporting related to incidents? Are incident types defined? When was the Incident Response Plan last reviewed and who approved it? How does incident response fit into the overall Information Security Program? Do you track how many incidents occur each month/year? Do you track what types of incidents are most prevalent? Do you track the average time it takes to close an incident? Questions that you should consider in your discussion on IR-8, part (b) include: To whom has the Incident Response Plan been distributed to in your organization? Does the Incident Response Plan indicate that designated FedRAMP personnel should be included in the distribution? Questions that you should consider in your discussion on IR-8, part (c) include:
Page 46
How often is the Incident Response Plan reviewed? When was the Incident Response Plan last reviewed? Questions that you should consider in your discussion on IR-8, part (d) include: Does the Incident Response Plan include a document history to record changes? Who is responsible for updating the plan with revisions? Were any revisions made after the last testing exercise? Questions that you should consider in your discussion on IR-8, part (e) include: If there is a change to incident response procedures or policies who is notified? Is there an organizational contact list included for the incident response team members? Are role names listed for the individuals identified in the contact list? Additional FedRAMP requirements for IR-8(b) and IR-8(e) require that you include FedRAMP points of contact in your incident response plan. Please obtain FedRAMP points of contact from your designated FedRAMP ISSO. When you contract with customer agencies to use your cloud service platform, you will need to obtain points of contact from each customer agency on who to notify at the agency in the event of a security incident. Please insert a copy of Table 4-5 into your Incident Response Plan and fill it out as you contract with new customers. One of the points of contact should be the agency CSIRC3. You should list the points of contact in the order in which the agency has specified. Your Incident Response Plan is required to be updated no less than once annually. At the time of the annual update, you should contact your customer agency and make sure that each of the phone numbers and POCs listed are still accurate.
3.10.8
Section 13.8.2 in the System Security Plan requires that you describe how personnel are trained in incident response for the system. Question that you should consider in your discussion include: What roles are trained? (e.g. database administrator, systems administrator) On what date did the last training occur? When will the next training take place? Where did the training take place and was it online or in person? Is there a participant/attendance list of who participated in the last training? Who is responsible for ensuring the training takes place?
3
Page 47
3.10.9
Section 13.8.3 in the System Security Plan requires that you perform an annual incident response test/exercise. Questions that you should consider in your discussion include: What roles participate in the incident response test/exercise? On what date did the last test/exercise occur? When will the next test/exercise occur? Where did the test/exercise occur? Is there a participant list of who participated in the last text/exercise? Who is responsible for leading the test exercise? Who is responsible for writing the test plan that must be submitted to FedRAMP annually?
3.10.10
Section 13.8.6.5 in the System Security Plan requires that you describe your incident handling capability. Questions that you should consider for part (a) include: How do you prepare for incidents? Who should agency customers call if they suspect an incident? Is there an incident hotline or phone number published where customers can see it? What capability do you have to detect incidents? If you suspect an incident how do you verify if it really is an incident? What methods do you use to analyze confirmed incidents? What methods do you use to contain incidents? What methods do you use to eradicate incidents? What is your process for determining that the system has recovered from the incident? Questions that you should consider for part (b) include: Which incident handling activities are coordinated with contingency planning activities? How does the coordination take place? Which incident handling activities are coordinated with contingency planning activities? Questions that you should consider for part (c) include: Who maintains archives of lessons learned regarding incidents? How do you determine which incidents require a lessons learned report? How soon after an incident is closed will the lessons learned report be published?
Page 48
Who is responsible for integrating lessons learned into procedures, training, and test/exercises? Questions that you should consider in your discussion for the additional FedRAMP requirements and guidance for IR-4 include: What personnel security requirements are required of individuals who perform incident handling?
3.10.11
Section 13.8.4.1.1 in the System Security Plan template requires that you describe the automated mechanisms for incident handling? Questions that you should consider in your discussion include: Is there any sort of online workflow tool used for managing incidents? Are there any automated alerts related to incidents? Are there any automated programs, scripts, or applications that look for incidents or suspicious activities?
3.10.12
Section 13.8.5 in the System Security Plan template requires that you describe how security incidents are tracked and documented. Questions that you should consider in your discussion include: What mechanism is used to record and track information about incidents? Do you have an incident reporting and tracking form? Is the incident reporting form online on your intranet? Where? Is the incident reporting form a .pdf file? Can you insert a blank copy of the incident reporting form? Is there a place on the incident reporting form to indicate if PII4 has been compromised? Who is responsible for ensuring that incidents are documented internally? Who will be the FedRAMP point of contact for incidents? Who will be the point of contact for customer agencies Is there a flow chart to show how decisions about incident escalation are made?
3.10.13
Section 13.8.6 in the System Security Plan template requires that you describe incident reporting
4
Page 49
capabilities. Questions you should consider in your discussion for part (a) include: What notification timeframes are built into your incident reporting process? Do your reporting timeframes line up with Table J-1 in NIST SP 800-61? Questions that you should consider in your discussion for part (b) include: Who will ensure that incident reporting timeframes are adhered to? Who at your company determines if law enforcement should be notified? What decisions need to be made before law enforcement is notified? Do you have the contact information for all of your agency customers? Additionally, see Section 3.12 in this document for more information on incident reporting part (b). Table 3-8 should be inserted in the section related to incident reporting (IR-6). As CSPs contract with new customers, agency contact information should be recorded in this table. In the event of a security incident, the CSP should contact all agency customers using their system as well as the FedRAMP ISSO.
Table 3-8. Agency Points of Contact to Report Incidents Agency Name 1. <Agency Name> 2. 3. CSIRC 1. <Agency Name> 2. 3. CSIRC 1. Primary: 2. Alternate: 1.Primary: 2. Alternate: Point of Contact Phone 1. Primary: 2. Alternate: 1. Primary: 2. Alternate: Email
3.10.14
Section 13.8.6.1.1 in the System Security Plan template requires that you describe automated mechanisms to assist in the reporting of security incidents. Questions that you should consider in your discussion include:
Page 50
Is there an online Incident Reporting Form that is available to your staff? Is there an online Incident Reporting Form that is available to your customers? Are there any apps for Incident Reporting?
3.10.15
Section 13.8.7 in the System Security Plan template requires that you provide incident response assistance and resources for users. Questions that you should consider in your discussion include: Have you identified incident response experts within your own organization? Do you have an internal Intranet page or wiki that includes helpful information for users about security incidents and reporting?
3.10.16
Section 13.8.7.1.1 in the System Security Plan template requires that you provide mechanisms to increase the availability of incident response related information and support. Questions that you should consider in your discussion include: Is there an incident reporting phone number that is available 24 x 7 x 365? Is there an internal web page or wiki with incident reporting information that has highavailability mechanisms built into it? Do you have contact information for at least one outside vendor that specializes in incident response? Do you have any contracts with outside vendors to provide incident response?
3.10.17
Section 13.8.7.1.2 in the System Security Plan template requires that you describe incident response capabilities that extend beyond your own organization. Part (a) requires that you establish a direct, cooperative relationship between your incident response capabilities and external providers of information system protection. Questions that you should consider in your discussion for part (a) include: Have you documented the process on how to contact your vendors if you suspect a security vulnerability in a COTS product? Does your organization receive patch update information from all of your different vendors? Who receives information on the latest patches?
Page 51
Does your organization receive advisories from US-CERT? Who receives the advisories? Part (b) requires that you provide your internal incident contact information to external providers. Questions that you should consider in your discussion for part (b) include: What are the incident points of contact available to agency customers? Do your Internet providers have your internal points of contact for incidents? Do your telecom providers have your internal points of contact for incidents? If you use an external IaaS or PaaS vendor, does that vendor have your internal incident response POCs?
3.15
POA&M TEMPLATE
CSPs should leverage the Security Assessment Report to put together a Plan of Action & Milestones (POA&M) for mitigating security weaknesses. FedRAMP provides a POA&M template for CSPs which is available on the FedRAMP website. All High and Moderate findings from the Security Assessment Report should be mapped into the POA&M. High impact vulnerabilities need to be mitigated within 30 days, and Moderate impact vulnerabilities need to be mitigated within 90 days.
The FedRAMP program provides a Continuous Monitoring Strategy & Guide to provide instructions on the continuous monitoring process. Please refer to that guide for more information on continuous monitoring.
possible. You are allowed to make modifications to the templates as long as you dont remove any required sections. While the templates have been designed to capture the FedRAMP requirements, if adding new sections enables you to better describe your information system, it is acceptable to do that. Note that if you add new sections, the section numbering will change and some of the guidance found in this document refers to document section numbers. Therefore, changing the document section numbers might make it more difficult for you to use this document as a guide.
Page 53