This week, FedRAMP published two tips for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
TIP: CSPs must address every vulnerability they submit as part of their continuous monitoring data. There are a few different options for managing those vulnerabilities.
1. Remediate the finding within the required timeframe. This should be the default approach to vulnerability management.
2. As part of the Deviation Request process:
- Implement mitigations and request a risk adjustment, if appropriate.
- Seek approval for any False Positive (FP) findings. Be sure to provide evidence that proves the finding was an FP. An FP is not appropriate where a system setting is currently inactive (so the system is not presently vulnerable) but the vulnerability would exist if the setting were enabled. This type of finding should be submitted as a Risk Adjustment with layers of mitigations that prevent exposure if the system setting is activated.
- Seek approval as an Operational Requirement (OR). OR requests should be infrequent, since an OR means the vulnerability remains in production until it is eventually remediated. High findings must be mitigated and Risk Adjusted to at least Moderate for acceptance as an OR.
3. Justify the finding as a Vendor Dependency and check in with the vendor every 30 days. In this case, the vulnerability will not be considered late. The CSP should seek vendor components that are FedRAMP compliant when possible to avoid any Vendor Dependencies.
Cloud Service Providers (CSPs)
TIP: Select your monthly continuous monitoring scan and Plan of Action & Milestones (POA&M) delivery date wisely.
Consider vendor patch release schedules and your typical duration between the release of a vendor patch and its application within your environment. Plan your scans as soon as possible after patches are typically applied each month. If your monthly scans are out-of-sync with your patch cycle, the number of vulnerabilities reported can be artificially inflated.
For example, if you have Microsoft-based hosts and a two-week patch cycle, running scans just one week after “patch Tuesday” will report all of the newly released patches as new vulnerabilities on those hosts and inflate your vulnerability count. Scanning shortly after your patch cycle completes gives your admins time to remediate all of those new vulnerabilities. Therefore, only the exceptions – if any – are reported.
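The following is an added illustration of the timing effect described above; it is not part of FedRAMP's tip. It computes Microsoft's Patch Tuesday (the second Tuesday of the month), derives the earliest scan date after a patch cycle of a given length, and uses a constructed model of hosts that apply the month's patches with different lags to show how many missing-patch findings a scan would report at a given offset from release. The host lags, patch count and the one-finding-per-unapplied-patch model are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample: days after Patch Tuesday at which each of five hosts
# has the month's patches applied, all inside a 14-day patch cycle.
HOST_LAG_DAYS = [2, 5, 9, 12, 13]
# Constructed sample: number of patches released this Patch Tuesday.
PATCHES_RELEASED = 6


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular monthly release day."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7  # weekday(): Mon=0, Tue=1
    return first + timedelta(days=days_to_tuesday + 7)


def earliest_clean_scan(year: int, month: int, cycle_days: int) -> date:
    """First day on which a full patch cycle has elapsed since Patch Tuesday."""
    return patch_tuesday(year, month) + timedelta(days=cycle_days)


def findings_at_offset(days_after_release: int, patch_count: int,
                       host_lag_days: list[int]) -> int:
    """Missing-patch findings a scan would report `days_after_release` days
    after Patch Tuesday. A host whose lag has not yet elapsed on scan day still
    lacks every released patch, so each such host contributes patch_count
    findings (assumed model)."""
    hosts_not_yet_patched = [lag for lag in host_lag_days if days_after_release < lag]
    return len(hosts_not_yet_patched) * patch_count


def scan_comparison(year: int, month: int, cycle_days: int,
                    patch_count: int, host_lag_days: list[int]) -> dict:
    """Compare an out-of-sync scan (one week after release) with a scan taken
    once the patch cycle has completed."""
    release = patch_tuesday(year, month)
    one_week = release + timedelta(days=7)
    after_cycle = earliest_clean_scan(year, month, cycle_days)
    return {
        "patch_tuesday": release.isoformat(),
        "scan_one_week_after": one_week.isoformat(),
        "findings_one_week_after": findings_at_offset(7, patch_count, host_lag_days),
        "scan_after_cycle": after_cycle.isoformat(),
        "findings_after_cycle": findings_at_offset(cycle_days, patch_count, host_lag_days),
    }


if __name__ == "__main__":
    for key, value in scan_comparison(2024, 3, 14, PATCHES_RELEASED, HOST_LAG_DAYS).items():
        print(f"{key}: {value}")
```

With the constructed values, the scan one week after release reports 18 findings that are simply patches the admins have not yet had time to apply, while a scan taken at the end of the two-week cycle reports none; only genuine exceptions would remain on the POA&M.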
More Information
Read more about this week’s FedRAMP Tips and Cues here.