This week, FedRAMP published two tips about security controls and incident response plans:
TIP: AC-2 and IA-2 are closely related.
Every group, account, or role defined in AC-2 must be explicitly addressed in IA-2. AC-2 is used to define the groups, accounts, and roles, who may be assigned to one, and how they are managed (approval process, creation and modification procedures, monitoring, etc.). IA-2 defines the authenticators used for each group, account, or role, as well as the types of access to the system used by these groups, accounts, and roles. Different roles or activities require different strengths and levels of authentication. Each authentication mechanism and use case must be clearly documented to ensure complete and adequate coverage of authentication.
TIP: Incident Response plans must include the response time for Federal Agency Incident Categories.
Minimum response times are provided by US-CERT at https://www.us-cert.gov/government-users/reporting-requirements. FedRAMP is especially concerned with the response time for CAT 1 incidents (unauthorized access). FedRAMP expects reporting of suspected unauthorized access within one hour of when the impacted customer agency is identified. The CSP should not wait for a full analysis to be complete before reporting the suspected breach.
Read more about this week’s FedRAMP Tips and Cues here.