The FedRAMP certification program, as part of the federal approach to security throughout the U.S. government computing environment, has the unenviable task of balancing security guidance initially created for non-cloud environments with the complexity of the growing federal-private cloud environment.
In general, the matrix of federal guidance means that when a newer guide is released, corresponding changes are needed across the rest of federal guidance. Because guides cross-reference each other by specific version, the newest guide is often not the actual mandatory instruction, which can lead to confusion or conflict in a certified system. This has been the case for a number of guides referenced in the FedRAMP program that address security configuration and security procedures such as monitoring and vulnerability remediation.
In particular, the federal (NIST) security guidance on “continuous monitoring” is a challenging part of FedRAMP compliance. “Continuous monitoring” is a key focus for the FedRAMP control systems. It is technically and administratively challenging to apply the correct configuration of information scanning, incorporate an appropriate amount of capture and reporting, and then perform analysis and incident response for even the simplest of computer systems. For a FedRAMP compliance program, “continuous monitoring” mandates dozens of specific controls and extensive reporting.
The instructions on controls can be found in many different guides and forms. When a continuous monitoring program indicates failure or errors, the root cause analysis and interpretation can be technically challenging and could jeopardize the certification and continued availability of a system.
Because continuous monitoring controls often consume far more resources (staff and systems) than other security controls, continuous monitoring has come under considerable pressure to become less complex to deploy and to keep compliant. In response, the FedRAMP authority has been updating and adjusting its guidance to FedRAMP Cloud Service Providers (CSPs), agencies, and Third Party Assessment Organizations (3PAOs).
In January 2018, the FedRAMP blog announced updates to existing guidance and a few new documents to improve the instructions to FedRAMP program participants. The goal, according to FedRAMP, is to “… streamline, clarify, and improve.” A challenge for CSPs, 3PAOs, and agencies will be to rework their Continuous Monitoring Plan, a required component of any existing FedRAMP certification, to take advantage of these updates.
Upon initial review, the following changes affect security improvements for a FedRAMP security program:
- FedRAMP Continuous Monitoring Strategy Guide v3.0 (1/31/2018): updated control mapping and instructions on how to apply controls, clarifying the specific event types that must be reported, with an emphasis on adjusting the thresholds at which a change triggers an alert.
- FedRAMP Continuous Monitoring Performance Management Guide v2.0 (1/31/2018): (former title: “P-ATO Management and Revocation Guide”) updated event escalation processing and clarified instructions on required triggers such as zero-day, deficiency, and customer demand.
- Vulnerability Deviation Request Form and the Significant Change Form: updated forms to better integrate with language and concepts of continuous monitoring.
- Plan of Action and Milestone (POA&M) Template Completion Guide v2.0 (1/31/2018) and POA&M Template (1/31/2018): These documents were updated to address the requirements for monthly reports of continuous monitoring.
- NEW! FedRAMP Digital Identity Requirements v1.0 (1/31/2018): This new document aligns the NIST 800-63C requirements and FIPS-199 assurance levels with FedRAMP, including clarification of conflicting instructions on specific password requirements.
- NEW! FedRAMP Transport Layer Security (TLS) Requirements v1.0 (1/31/2018): addresses the expected use of TLS protocol 1.1 or higher in all FedRAMP environments, including specific instructions for handling problems encountered during the transition. A plan must be submitted to FedRAMP by March 31, 2018 detailing how the cloud offering will be transitioned to at least TLS 1.1.
- NEW! FedRAMP Continuous Monitoring Monthly Executive Summary: A form to track the mandatory monthly reporting on continuous monitoring sources and events.
The new FedRAMP documents give organizations until July 2018 to change their environments to comply with the instructions. These may not be all the changes in store: FedRAMP officials announced in December 2017 that more significant changes to the continuous monitoring instructions were coming. Already noted are the CVSS Framework Guidance and the Vulnerability Scan Requirements allowing CSPs to perform sampling/representative scans.