This week, FedRAMP published a weekly tip that addresses Incident Response Plans and Security Assessment Reports:
Q: Does FedRAMP provide a template for an Incident Response Plan?
A: Security Control IR-8 requires CSPs to develop an Incident Response Plan (IRP). The IRP is a required document within security authorization packages. FedRAMP does not provide a template for IRPs; however, NIST SP 800-61 Rev 2, Computer Security Incident Handling Guide, provides guidance on the development of Incident Response Policies and Procedures, as well as guidance on the development of an Incident Response Plan. The IRP is a required document and must be included with the SSP as part of the security authorization package.
Q: Are High findings acceptable when submitting a Security Assessment Report (SAR) for an initial Joint Authorization Board (JAB) Provisional Authorization to Operate (P-ATO)?
A: When submitting a SAR for an initial JAB Provisional Authorization to Operate (P-ATO), there must be no High findings. For High findings that cannot be resolved, such as vendor dependencies, sufficient additional mitigating controls must be in place to justify a risk reduction to Moderate. Some CSPs incorrectly believe that a High finding is acceptable if it is a vendor dependency or operationally required vulnerability. This is not the case. If a High finding cannot be resolved, it must at least be mitigated down to a Moderate.
Read more about this week's FedRAMP Tips and Cues here.