This week, FedRAMP published two Q&As for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: What is the distinction between an Operational Requirement (OR) and a Vendor Dependency (VD)?
A: An OR is a weakness that has a fix available but the fix cannot be applied without impacting the full operation of the system. A VD is a weakness that must be corrected by an upstream vendor but the fix has not been made available. In other words, an OR is something that could be fixed, but the fix would cause bigger issues or reduce functionality in the system so the risk of not fixing the weakness will be accepted. A VD does not have a fix available yet, and the fix must come from another vendor. A VD will be fixed as soon as possible, while an OR will be assessed at least annually to determine whether there is a fix, but often stands as an OR.
Cloud Service Providers (CSPs)
Q: What is the best approach to assigning ownership, managing vulnerabilities, and applying patches in an IaaS platform?
A: If management services are being provided by an IaaS provider, managing vulnerabilities and applying patches in IaaS requires a carefully thought-out service level agreement (SLA) between the CSP and the potential customer. It is important to define not only the scope of responsibility, but also the allotted remediation timeframe for each type of finding. This will prevent non-compliance with FedRAMP's vulnerability management policy and procedures.
More Information
Read more about this week's FedRAMP Tips and Cues here.