This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs) and Important Stakeholder Information:
Cloud Service Providers (CSPs)
Q: Can a CSP mark a control as both “Implemented” and “Alternative Implemented” in the System Security Plan (SSP)?
A: Usually not. If a control is fully implemented, then only the “Implemented” box is checked. If there is an “Alternative Implementation” or “Partial Implementation” of any component of the control, then either Alternative or Partial is selected as appropriate. As an example, there may be 2 types of Access Control methods: one for an administrator with elevated privileges that is fully “Implemented;” and the second access type is for non-privileged users that has an “Alternative Implementation.” The CSP would only check the box for Alternative Implementation, but explain the two implementations in the dialog box for that control. This is because during testing, the 3PAO will only determine whether the control is Implemented, Alternative Implementation, Partial Implementation etc, but no combination. Then, the 3PAO will determine if the control implementation is Satisfied or Other than Satisfied for the implementation type provided.
Cloud Service Providers (CSPs)
Q: Can shareware or freeware be an integral part of the operational infrastructure of a CSP?
A: Shareware and freeware products that are typically available for PC or mobile device usage are not permitted in FedRAMP environments.
Open Source (no product or support costs) products, however, are permitted from reputable sources where the CSP has control over the source and executable code. The product must be subjected to continuous monitoring functions and vulnerability remediation.
Important Information for Stakeholders:
On October 16th, CERT Coordination Center (CERT/CC) released information on Wi-Fi Protected Access II (WPA2) protocol vulnerabilities. Exploitation of these vulnerabilities could allow an attacker to gain access to sensitive information sent over wireless networks. The vulnerabilities are in the WPA2 standard itself, which affects nearly all WPA2 networks, not within individual WPA2 implementations.
An attacker within range of an affected network may leverage these vulnerabilities to conduct attacks. Attacks may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast and group-addressed frames, dependent on the data protocols used.
Mitigations include installing updates to affected products and hosts as they become available. In addition, ensure all applications use an additional level of encryption, e.g. SSH and HTTPS should be used to encrypt data in transit, in addition to the underlying wireless network security protections.
US-CERT encourages users and administrators to review CERT/CC’s VU #228519 (https://www.kb.cert.org/vuls/id/228519/).
For more information, please see https://www.krackattacks.com/
Read more about this week’s FedRAMP’s Tip and cues here.