This week, FedRAMP published two questions and answers: one for Cloud Service Providers (CSPs) and one for Third Party Assessment Organizations (3PAOs).
Cloud Service Providers (CSPs)
Q: How should a CSP address platform scope within the System Security Plan (SSP)?
A: There are multiple platforms/platform groups in a system, as identified by the inventory. A platform has certain controls (e.g., access controls, audit logging, session lock, etc.) configured uniquely for each device type. It is expected that unique implementations would be addressed by platform for the following controls/control families where applicable: AC, IA, AU, CM, SI-2, SI-3, SI-5, SI-11. We recommend using a standard format for addressing controls by platform (e.g., have a subheader within the control part/parts for “Cisco,” “Brocade,” etc.).
Third Party Assessment Organizations (3PAOs)
Q: What types of databases are required to be scanned and how should they be tested?
A: The database scanning or manual testing requirements apply to all databases within the security boundary (i.e., those that reside in/are embedded in a host/application as well as other databases). Databases that reside in a host (such as an appliance) need to be tested, and this may require the tester to work with the relevant vendor to ensure that the security posture of the database residing in the host is appropriate. If the databases are not accessible by the scanners, alternate methods of database testing (such as manual tests) should be explored. The host on which the databases reside should be scanned as part of the infrastructure scanning.
Read more about this week’s FedRAMP Tips and Cues here.