This week, FedRAMP published a weekly tip that discusses requirements for vulnerability scanning:
Q: What are the FedRAMP requirements for vulnerability scanning?
A: Vulnerability scanning must occur for Operating System (OS)/infrastructure, databases, and web application components in the Cloud Service Offering authorization boundary. The scanning parameters for the components must be defined in the Security Assessment Plan (SAP). If the 3PAO has not conducted or is not conducting the vulnerability scanning for the assessment, then the SAP identifies the alternative methodology. This standard then becomes integrated in the methodology. In order to maintain FedRAMP scanning compliance, the 3PAO must describe processes to ensure the integrity, completeness, accuracy, reliability, and independent nature of the scan results.
At a minimum, the 3PAO must:
- Review the scanning tools to ensure the tools are appropriately configured before the scans are executed.
- Oversee and monitor the scans from initiation to completion.
- Describe the procedures to ensure chain-of-custody of the scan results.
- Compare the list of components identified in the scans with those in the inventory and provide an explanation for any difference in the SAR.
- Assess a component through other means (manual methods), if a component cannot be scanned.
Once the methodology is approved via the SAP, the methodology may be followed for the system until there is a significant change or the next annual assessment whereby the methodology may be altered within the next SAP.
Vulnerability scans must be performed using system credentials that allow full access to scanning the entire authorization boundary to include all hardware and software. Scanners must have the ability to perform in-depth vulnerability scanning of all systems (as applicable). Systems scanned without credentials provide limited or no results of the risks. All unauthenticated scans will be rejected unless an exception has been previously granted due to applicability or technical considerations.
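As an added example (not FedRAMP's or any scanner vendor's code) of the inventory reconciliation and credentialed-scan checks described above, the Python below compares a constructed inventory against constructed scan results and reports what the SAR must explain; the record layout and the component labels are assumptions.

```python
# Added example: reconcile scanner host list with the system inventory and flag
# scans that ran without credentials. Data formats below are assumed/constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanHost:
    ip: str
    authenticated: bool  # True when the scanner logged in with system credentials
    component: str       # "os", "database" or "web" (assumed labelling)


# Constructed sample inventory: every asset inside the authorization boundary.
INVENTORY = {
    "10.0.1.10": "os",
    "10.0.1.11": "os",
    "10.0.2.20": "database",
    "10.0.3.30": "web",
}

# Constructed sample scan output (normally parsed from the scanner's export).
SCAN_RESULTS = [
    ScanHost("10.0.1.10", True, "os"),
    ScanHost("10.0.1.11", False, "os"),        # credentials failed on this host
    ScanHost("10.0.2.20", True, "database"),
    ScanHost("10.0.9.99", True, "os"),         # not in inventory: boundary drift
]


def reconcile(inventory, scan_results):
    """Return the inventory/scan discrepancies and the unauthenticated scans."""
    scanned = {h.ip for h in scan_results}
    return {
        # inventory assets with no scan: need a rescan or manual assessment
        "not_scanned": sorted(set(inventory) - scanned),
        # scanned hosts missing from inventory: the inventory is incomplete
        "not_in_inventory": sorted(scanned - set(inventory)),
        # scans that ran without credentials
        "unauthenticated": sorted(h.ip for h in scan_results if not h.authenticated),
    }


def rejected_scans(report, exceptions=frozenset()):
    """Unauthenticated scans are rejected unless an exception was granted."""
    return [ip for ip in report["unauthenticated"] if ip not in exceptions]


def uncovered_components(inventory, scan_results):
    """Component types (OS, database, web) with no credentialed scan at all."""
    covered = {h.component for h in scan_results if h.authenticated}
    return sorted(set(inventory.values()) - covered)
```

Run against the constructed data, the reconciliation reports one unscanned host, one host outside the inventory, one unauthenticated scan, and the web component type as uncovered.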
Q: For vulnerability scans, do all plugins have to be enabled?
A: All non-destructive plugins must be enabled. To ensure all vulnerabilities are discovered, the scanner must be configured to scan for all non-destructive findings. Any vulnerability scans where plugins are limited or excluded will be rejected. Exceptions may occur based on specific requests from the government for re-scans or targeted scans. These scans must comply with the directions provided by the government.
Read more about this week's FedRAMP Tips and Cues here.