FedRAMP Weekly Tips & Cues – January 4, 2018

This week, FedRAMP published two question and answers for Cloud Service Providers ( CSPs):

Cloud Service Providers (CSPs)

Q: What is the purpose of an Information System Contingency Plan (ISCP)?  

A: Each CSP must develop and maintain contingency plans to address operational disruptions. The contingency plan (and test results) provides management with an evaluation of the preparedness of the CSP’s cloud service offering in the event of a major disruption and/or a catastrophic event. The contingency plan ensures that operations resume and are eventually restored to a known state. The ISCP and Service Level Agreements drive the recovery test frequency and complexity and recovery time frames. These contingency plans are a component of an effective security operations implementation.

Cloud Service Providers (CSPs)

Q: What can a CSP do to prepare for penetration testing and what risks are involved?

A: The FedRAMP Penetration Testing Methodology is comprehensive and follows NIST SP 800-115. Before considering this activity, a CSP should work with a third party assessment organization (3PAO) assessment team to discuss the ramifications of utilizing the FedRAMP Penetration Testing Methodology. Both the 3PAO assessment team and the CSP must determine, in writing and prior to the onset of the testing, the level of risk they are willing to accept for the assessment and tailor the approach accordingly.

Once the parameters have been tentatively agreed upon, the 3PAO penetration tester and assessment team should begin the security assessment activities with a planning phase that includes gathering information about the CSP environment and developing the test procedures. Only after completing the planning phase should the 3PAO assessment team proceed to the execution phase.

During execution phase, the assessment team identifies vulnerabilities and validates that the vulnerabilities are not false positives. At the conclusion of the execution phase, the assessment team has a list of technical and process vulnerabilities. This list is used during the post-execution phase to determine root causes of vulnerabilities, recommend remediation actions, and document the test results in the Security Assessment Report (SAR).

Penetration testing risks can range from not gathering sufficient information on the organization’s security posture for fear of impacting system functionality to affecting the system or network availability by executing techniques without the proper safeguards in place.

Communication and thorough understanding is key.

More Information

Read more about this week’s FedRAMP’s Tip and cues here