This week, FedRAMP published two Tips for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: A CSP is required to submit a Significant Change Request (SCR) when it intends to change its vulnerability scan tool. Although the notification requirement is a minimum of 30 days before implementing a significant change, CSPs should submit the SCR early enough to allow a full, orderly transition to the new scan tool.
CSPs are required to generate parallel vulnerability reports from the old and new scan tools, or provide direct mapping to all currently open vulnerabilities (from the “old” tool) to ensure all previously identified vulnerabilities are closed. CSPs may fully transition to the new tool when the ConMon team approves the new report and the JAB TR-Rs review and approve the SCR.
Cloud Service Providers (CSPs)
TIP: Acceptable False Positive evidence doesn’t necessarily have to include a screenshot of the configuration settings for each vulnerable host.
For instance, a text file (with a hash to validate authenticity) that indicates that a specific configuration, intended to remediate a vulnerability, was successfully applied to vulnerable hosts should be sufficient evidence.
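One way to produce the direct mapping the first tip asks for, and to package the result as hashed evidence as the second tip describes, shown here as an added example that is not FedRAMP's or any scan vendor's code: it reconciles constructed CSV exports from an "old" and a "new" tool by (host, CVE), reports which open findings the new tool does not yet track, and returns the report text with its SHA-256. The column names, host names and CVE-0000-xxxx identifiers are placeholders; real exports will need their own column mapping.

```python
import csv
import hashlib
import io

# Constructed sample exports from the "old" and "new" scan tools (not real
# scan output); column names differ on purpose, as they do between products.
OLD_TOOL_CSV = """host,plugin_id,cve,status
web-01,10001,CVE-0000-0001,open
web-01,10002,CVE-0000-0002,open
db-01,10003,CVE-0000-0003,open
db-01,10004,CVE-0000-0009,closed
"""
NEW_TOOL_CSV = """asset,finding_id,cve
web-01,N-77,CVE-0000-0001
db-01,N-78,CVE-0000-0003
db-01,N-79,CVE-0000-0004
"""

def load_findings(text, host_col, cve_col, status_col=None):
    """Set of (host, CVE) pairs in a CSV export; keep only 'open' rows if a status column is given."""
    rows = csv.DictReader(io.StringIO(text))
    return {
        (r[host_col].strip(), r[cve_col].strip().upper())
        for r in rows
        if status_col is None or r[status_col].strip().lower() == "open"
    }

def reconcile(old_csv, new_csv):
    old_open = load_findings(old_csv, "host", "cve", "status")
    new_seen = load_findings(new_csv, "asset", "cve")
    return {
        "carried_over": sorted(old_open & new_seen),  # tracked by both tools
        "unmapped": sorted(old_open - new_seen),      # needs explicit mapping or closure evidence before cutover
        "new_only": sorted(new_seen - old_open),      # first detected by the new tool
    }

def mapping_report(result):
    """Render the reconciliation as tab-separated text and return (text, sha256 hex digest)."""
    lines = []
    for bucket, pairs in result.items():
        for host, cve in pairs:
            lines.append(f"{bucket}\t{host}\t{cve}")
    text = "\n".join(lines) + "\n"
    return text, hashlib.sha256(text.encode()).hexdigest()

if __name__ == "__main__":
    text, digest = mapping_report(reconcile(OLD_TOOL_CSV, NEW_TOOL_CSV))
    print(text + "sha256: " + digest)
```

The hash lets the reviewer detect a modified file; it only speaks to who produced the file when the digest is delivered through a separate trusted channel or the file is signed.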
More Information
Read more about this week’s FedRAMP Tips and Cues here