This week, FedRAMP published two questions and answers. One for Cloud Service Providers (CSPs) and one for Third Party Assesment Organizations (3PAOs)
Cloud Service Providers (CSPs)
Q: The Agency I’m working with requires that their data be cryptographically protected. What requirements must I follow?
A: Any system that handles Government data may be the target of a cyber attack, particularly those systems with sensitive data. Because of this, if an Agency requires that their data must be cryptographically protected, then FIPS 140-2 applies, and cryptomodules must be validated using Transport Layer Security (TLS) services.
Version 1.2 is currently the most secure; however, version 1.3 is in draft and may cause compatibility issues when it is released because it will not support many obsolete crypto features.
To take advantage of the benefits of TLS 1.2, it is important to use a TLS service (e.g. library, web framework, web application server) that has been FIPS 140-2 validated. In addition, the cryptomodule must be installed, configured and operated in either an approved or an allowed mode to provide a high degree of certainty that the FIPS 140-2 validated cryptomodule is providing the expected security services in the expected manner.
If the system is required to use FIPS 140-2 encryption (i.e., owned or operated by or on behalf of the U.S. Government), then TLS must be used and SSL disabled. For more information on this, see Section 7.1 (now D.2) of Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program.
Cryptographic modules validation listings can be found at:
Cryptographic algorithm validation listings can be found at:
Third Party Assessment Organizations (3PAOs)
Q: How does a 3PAO indicate that a vulnerability is “closed” in the Security Assessment Report (SAR)?
A: For any scan-related finding that was found and corrected during testing, please make sure to include a “targeted” scan that reflects the vulnerability as closed. It is recommended that these remediation scans are targeted scans, where scans are conducted to target the specific vulnerabilities and specifically impacted components proving closure, so as not to skew the assessment results. Please provide these targeted scans as part of the final SAR deliverable that is submitted to FedRAMP.
Read more about this week’s FedRAMP’s Tip and cues here.