This week, FedRAMP published two tips for Cloud Service Providers (CSPs):
TIP: In the “Description of Risk to the System” section of the Deviation Request, do NOT copy and paste the vulnerability description from the source.
The description must explain the vulnerability in the context of the specific system and the potential impact should a threat exploit it (what the affected component does, what data or functions it exposes, and what mitigations limit the exposure).
A scanner's vulnerability description does not describe the risk presented to the system. Reviewers can generally research the vulnerability itself, but only the CSP can state the risk it presents to this system, and the reviewer should be able to discern that risk from the DR alone.
TIP: Deviation Requests (DRs) should be submitted early enough for a reasonable expectation of approval before the initial expected remediation date.
DRs should not be submitted on or after the expected closure date of the Plan of Action &amp; Milestones (POA&amp;M) item. A DR for a High vulnerability should be submitted along with the initial POA&amp;M that lists the vulnerability, or at the latest before the next month's POA&amp;M submission. A Moderate risk adjustment should be submitted before the third POA&amp;M submission. Deviation requests submitted on the due date can demonstrate a reactive rather than a proactive approach to security.
Read more about this week’s tip on the FedRAMP website.