This week, FedRAMP published two Q&A’s, one for Federal Agencies and one for Cloud Service Providers(CSPs):
Federal Agencies
Q: If a FedRAMP Authorized service offers several multi-factor authentication (MFA) methods to remotely access that service, may I use any of those forms of multifactor authentication to access the service?
A:Cryptographic functions are used in many levels in the cloud stack. Agency customers must ask the CSP questions regarding the depth of cryptography used.
CSPs who offer multiple MFA methods must clearly document within their SSP those methods and the cryptographic modules along the authentication pathway that are FIPS-validated versus those methods that lack FIPS validation.
Federal Agencies should ensure that they and the CSP use a FIPS 140-2 validated, National Information Assurance partnership (NIAP)-certified, or NSA-approved MFA device for access to the service. This also includes access to any FedRAMP Cloud Service in accordance with the FedRAMP-specified parameters and guidance in Security Control IA-2(11) within the System Security Plan (SSP) templates.
Cloud Service Providers (CSPs)
Q: Should I repeat the control requirement?
A: Do not repeat the control requirement. Feel free to use the control requirement as a jumping off point to write a detailed, specific implementation. Additionally, use the same action and key words within the control requirement when describing your implementation so it is clear exactly how the implementation meets the stated requirements.
Read more about this week’s FedRAMP’s Tip and cues here