This week, FedRAMP published one Tip and one Q&A for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Tip: Recently, we’ve received inquiries about the SAR review process for CSPs pursuing a JAB Provisional Authorization to Operate (P-ATO). There are a number of things that JAB Reviewers need in order to properly assess risks noted in the SAR:
1) Each finding should be identified as externally or internally facing.
- 3PAOs can explicitly label the findings that are “externally facing” in Table 4-1.
- Once findings are labeled, 3PAOs can include a general statement above Table 4-1 stating “Findings in Table 4-1 are internally facing unless they are explicitly identified as externally facing.”
2) The assets impacted in a finding should have some descriptive information to indicate how they are affected, such as OS type and function (e.g., OS=Juniper, Function=Firewall).
- Identify everything the 3PAO is considering when applying a risk rating.
- Enough explanation should be provided for the reviewer to follow the 3PAO’s thought process. For example, a moderate risk that only discusses a problem resulting from the lack of a control’s implementation (and does not discuss the positive factors that resulted in a moderate rating rather than high risk rating) might actually give the impression that a higher risk rating should have been applied.
Cloud Service Providers
Q: Can a service that is installed but disabled in an asset be a False Positive finding when a scan is conducted?
A: Technically, if the service is not enabled, it is a false positive. Some may argue, “why not uninstall it?” That depends on how the code is packaged. Uninstalling might sometimes identify and expose other weaknesses.
A screenshot of the configuration file from the asset in question should be enough to confirm the status of the service.
Read more about this week’s FedRAMP Tips and Cues here.