This week, FedRAMP published one Tip and one Q&A for Cloud Service Providers(CSPs) :
Cloud Service Providers (CSPs)
Tip: Recently, we’ve received inquiries about the SAR review process for CSPs pursuing a JAB Provisional Authorization to Operate (P-ATO). There are a number of things that JAB Reviewers need in order to properly assess risks noted in the SAR:
1) Each finding should be identified as externally or internally facing.
- 3PAOs can explicitly label the findings that are “externally facing” in Table 4-1.
- Once findings are labeled, 3PAOs can include a general statement above Table 4-1 stating “Findings in Table 4-1 are internally facing unless they are explicitly identified as externally facing.”
2) The assets impacted in a finding should have some descriptive information to indicate that they are affected, such as OS type and function (e.g. OS=Juniper Function=Firewall).
Controls Findings:
- Identify everything the 3PAO is considering when applying a risk rating.
- Enough explanation should be provided for the reviewer to follow the 3PAO’s thought process. For example, a moderate risk that only discusses a problem resulting from the lack of a control’s implementation (and does not discuss the positive factors that resulted in a moderate rating rather than high risk rating) might actually give the impression that a higher risk rating should have been applied.
Cloud Service Providers
Q: Can a service that is installed but disabled in an asset be a False Positive finding when a scan is conducted?
A: Technically, if the service is not enabled, it is a false positive. Some may argue, “why not uninstall it?” This is dependent on how the code is packaged. Uninstalling might sometimes identify and expose other weaknesses.
A screenshot of the configuration file from the asset in question should be enough to confirm the status of the service.
More Information
Read more about this week’s FedRAMP’s Tip and cues here
