FedRAMP Weekly Tips & Cues – January 24, 2018

This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs):

Cloud Service Providers (CSPs)

Q: The effort and/or costs are too great to remediate a vulnerability within the required time period. Is it acceptable to submit a risk adjustment in this situation?

A: Generally, level of effort and/or cost of implementing a remediation are not acceptable justifications for leaving a system that is authorized for processing federal data in a vulnerable state. During the initial assessment of the system, the CSP is assessed to determine its ability to perform continuous monitoring successfully, which includes timely remediation of vulnerabilities. This also includes an assessment of the CSP’s equipment acquisition and life-cycle management plan to ensure vendor products can be maintained and/or replaced to stay on top of security. This means the CSP should be aware of equipment end-of-life/end-of-support.

In the rare event that timely remediations need to be postponed, it is incumbent upon the CSP to employ mitigations that reduce the risk of the vulnerability. This risk mitigation and adjustment should be described in detail in the Deviation Request, and a plan for ultimate remediation and compliance should be included.

Cloud Service Providers (CSPs)

Q: If a Software-as-a-Service (SaaS) is built on a previously authorized Infrastructure-as-a-Service (IaaS), does the IaaS’s authorization boundary cover the SaaS as well? If it does, is an Authority to Operate (ATO) letter necessary for the SaaS?

A: The IaaS’s authorization boundary does not completely cover the SaaS. All pieces of the cloud stack have to be authorized — which means the IaaS has its own authorization boundary (what it is responsible for), and the SaaS has its own authorization boundary. However, your SaaS can inherit some of the security controls from the IaaS, depending on the services used from the IaaS.

Each portion of the cloud stack requires its own ATO letter, so the SaaS will need an ATO separate from the IaaS.

More Information

Read more about this week's FedRAMP Tips and Cues here.