This week, FedRAMP published two Tips for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: Agencies and CSPs are encouraged to adjust password complexity implementation for memorized secrets to align with NIST 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.
FedRAMP Moderate and High controls IA-5 (g) and IA-5 (1) (a,d) are known to be more restrictive than the new password requirements in 800-63B for AAL2 and AAL3, respectively. The FedRAMP PMO is working to update our baselines to reflect the changes outlined in NIST 800-63B.
In the meantime, FedRAMP recommends Agency Authorizing Officials (AOs) accept compliance with NIST’s guidance, which is most up-to-date and consistent with current cyber security threats. Until the baselines are updated, this may be done using an implementation status of “Alternative Implementation.” Please refer to the FedRAMP Digital Identity Requirements.
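As an added illustration (not code from the FedRAMP post), the check below applies the 800-63B section 5.1.1.2 rules for a memorized secret (minimum length, an accepted length of at least 64, a blocklist of compromised or common values, no composition rules) beside an illustrative legacy composition rule of the kind IA-5 (1) (a) typically mandates; the blocklist entries and the legacy rule's parameters are constructed assumptions, not values from either document.

```python
import unicodedata

# Constructed sample blocklist; a real verifier loads a corpus of breached,
# dictionary and commonly used passwords (800-63B 5.1.1.2).
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmein1", "p@ssw0rd"}

MIN_LEN = 8   # 800-63B: user-chosen secrets at least 8 characters
MAX_LEN = 64  # 800-63B: verifiers should accept at least 64 characters


def legacy_composition_ok(secret: str) -> bool:
    """Illustrative IA-5(1)(a)-style composition rule (assumed parameters):
    upper, lower, digit and special character all required."""
    return (any(c.isupper() for c in secret) and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


def _repetitive_or_sequential(s: str) -> bool:
    """Reject 'aaaaaaaa' and 'abcdefgh'/'87654321'-style strings."""
    if len(set(s)) == 1:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def check_memorized_secret(secret: str, context_words=()) -> list:
    """Return the reasons a secret is rejected under 800-63B 5.1.1.2;
    an empty list means it is acceptable. No composition rules, no
    truncation; Unicode and spaces are allowed."""
    s = unicodedata.normalize("NFKC", secret)  # normalize before comparing
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(s) > MAX_LEN:  # cap set at the minimum 800-63B asks verifiers to accept
        reasons.append("longer than %d characters" % MAX_LEN)
    folded = s.casefold()
    if folded in BLOCKLIST:
        reasons.append("on the blocklist of compromised/common values")
    if _repetitive_or_sequential(folded):
        reasons.append("repetitive or sequential characters")
    for word in context_words:  # username, service name, and similar
        if len(word) >= 4 and word.casefold() in folded:
            reasons.append("contains context-specific word %r" % word)
    return reasons
```

A long passphrase such as "correct horse battery staple" fails the legacy composition rule but passes the 800-63B check, while "P@ssw0rd" satisfies the composition rule and is rejected by the blocklist.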
Cloud Service Providers (CSPs)
TIP: Scanners will often identify a vulnerability that has been addressed by a backport. This is a False Positive (FP), and the CSP should submit an FP Deviation Request (DR) in this situation. To ensure accurate completion of this type of DR:
- Include the vulnerability ID and the associated Common Vulnerabilities and Exposures (CVEs) reported by the scanner in the DR form.
- Provide the reference/resource that describes what CVEs the backport addresses.
- Provide screenshots showing that the backport is implemented on each impacted component. Make sure the IP/hostname is visible in the screenshot as evidence for that specific component.