FedRAMP Weekly Tips – June 29 2017

This week, FedRAMP published a weekly tip that discusses POA&Ms and the timeliness of testing evidence.

Q: What purpose does the Plan of Action & Milestones (POA&M) document serve?

A: The purpose of the POA&M is to facilitate a disciplined and structured approach to mitigating risks in accordance with the CSP’s risk mitigation strategy. The POA&M includes the findings and recommendations of the security assessment report and of the continual security assessments. The POA&M identifies: (i) the tasks the CSP plans to accomplish, with a recommendation for completion either before or after information system implementation; (ii) any milestones the CSP has set in place for meeting the tasks; and (iii) the scheduled completion dates the CSP has set for the milestones.

FedRAMP uses the POA&M to monitor CSP progress in correcting weaknesses or deficiencies noted during the initial assessment, the annual security control assessment, and throughout the continuous monitoring process. The POA&M has columns labeled A through Z, each of which must be filled in for every row; each row is one uniquely identified vulnerability.

Use the FedRAMP Plan of Action and Milestones (POA&M) Template to track and manage POA&Ms.

The POA&M workbook has two spreadsheets, the “Open” tab and the “Closed” tab. The Open POA&M spreadsheet includes known security weaknesses within the cloud information system. Open POA&M items must comply with the following:

  • If a finding is reported in the Security Assessment Report (SAR) and/or in the continuous monitoring activities, the finding must be included as an item on the POA&M
  • False positives identified in the SAR (Appendices C, D, and E), along with supporting evidence (for example, clean scan report) do not have to be included in the POA&M
  • Each line item on the POA&M must have a unique identifier. This unique identifier must pair with a respective SAR finding and/or any continuous monitoring vulnerability
  • All high and critical risk findings must be remediated prior to receiving a JAB Provisional Authorization
  • High and critical risk findings identified following JAB Provisional Authorization through continuous monitoring activities must be mitigated within 30 days after identification
  • Moderate findings shall have a mitigation date within 90 days of JAB Provisional Authorization date or within 90 days of identification as part of continuous monitoring activities
  • The POA&M must be submitted in an appropriate format for the FedRAMP automated processes

Q: When submitting a completed authorization package to FedRAMP, what are the three categories of testing evidence with timeliness criteria? Please define the timeliness criteria required.

A: The three categories of testing evidence with timeliness criteria are penetration testing, security controls testing, and vulnerability scanning. Vulnerability scanning must cover the Operating System (OS)/infrastructure, database, and web application components. The CSP/3PAO must ensure that the associated testing evidence is considered “timely” by the PMO (the JAB and the PMO follow the same requirements).

Timeliness Requirements for Penetration Testing

  • When submitting a completed authorization package to FedRAMP to begin the JAB P-ATO process, the Penetration Test cannot be older than 6 months
  • CSPs should ensure the Penetration Test is executed as close as possible to a CSP’s submission of the authorization package
  • Once a JAB P-ATO is granted, CSPs must have a 3PAO complete a new Penetration Test at minimum once a year

Timeliness Requirements for Security Control Testing

  • When submitting a completed authorization package to FedRAMP, security control testing evidence must be current within:
      ◦ 120 days, if the system does not have an existing FedRAMP Agency authorization
      ◦ 12 months, if the system has an existing FedRAMP Agency authorization

Timeliness Requirements for Vulnerability Scanning

  • When submitting a completed authorization package to FedRAMP to begin the JAB P-ATO process or the Agency ATO process, the scans completed by a 3PAO and reflected in the Security Assessment Report (SAR) must be current within 120 days
  • Additionally, CSPs must submit scans and a POA&M current within 30 days prior to the date of the JAB P-ATO process kickoff
  • During the JAB P-ATO process and afterwards, vendors must submit monthly vulnerability scans, in accordance with security controls RA-5 and RA-5 (5); and matching POA&Ms, in accordance with security control CA-5
  • Agency ATO systems should be submitting timely monthly scan results and POA&Ms to the partnering agency(ies)
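The POA&M rules in the first answer (unique IDs, pairing with a SAR or continuous-monitoring finding, 30-day and 90-day remediation windows, no open high/critical findings before a P-ATO) and the evidence timeliness rules above are all date arithmetic that a CSP's continuous-monitoring tooling can check before a package or monthly deliverable goes out. The following is an added example written for this page; it is not FedRAMP's template, FedRAMP's automated process, or any CSP's code. The `PoamItem` field names, the issue codes, and all sample dates and IDs are this example's own inventions, and "6 months" and "12 months" are interpreted as calendar months.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Windows quoted in the tip above. Days are counted from the identification date
# (or from the P-ATO date for moderate findings that were known at authorization).
HIGH_CRITICAL_DAYS = 30
MODERATE_DAYS = 90
CONTROL_TEST_DAYS_NO_AGENCY_ATO = 120
CONTROL_TEST_MONTHS_WITH_AGENCY_ATO = 12
PEN_TEST_MONTHS = 6
SCAN_DAYS = 120
KICKOFF_SCAN_DAYS = 30


@dataclass(frozen=True)
class PoamItem:
    """One row of the Open tab; field names are this example's, not the template's column headers."""
    poam_id: str          # unique identifier required for every line item
    source_finding: str   # paired SAR finding or ConMon scan finding ("" if unpaired)
    severity: str         # critical, high, moderate or low
    identified: date
    scheduled_completion: date
    closed: bool = False


def months_before(d, months):
    """Same calendar day `months` earlier, clamped to the shorter month (no dateutil needed)."""
    y, m = d.year, d.month - months
    while m <= 0:
        y, m = y - 1, m + 12
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def remediation_deadline(item, pato_date):
    sev = item.severity.lower()
    if sev in ("critical", "high"):
        return item.identified + timedelta(days=HIGH_CRITICAL_DAYS)
    if sev == "moderate":
        # 90 days from the P-ATO date for findings known at authorization,
        # otherwise 90 days from identification during continuous monitoring.
        start = pato_date if pato_date and item.identified <= pato_date else item.identified
        return start + timedelta(days=MODERATE_DAYS)
    return None  # the tip sets no explicit window for low findings


def check_open_poam(items, today, pato_date=None):
    """Return (poam_id, issue) pairs; pato_date=None means the P-ATO has not been granted yet."""
    issues = []
    ids = [i.poam_id for i in items]
    for dup in sorted({x for x in ids if ids.count(x) > 1}):
        issues.append((dup, "DUPLICATE_ID"))
    for item in items:
        if item.closed:
            continue  # belongs on the Closed tab, not assessed here
        if not item.source_finding:
            issues.append((item.poam_id, "UNPAIRED"))
        if pato_date is None and item.severity.lower() in ("critical", "high"):
            issues.append((item.poam_id, "BLOCKS_PATO"))  # must be remediated before P-ATO
        deadline = remediation_deadline(item, pato_date)
        if deadline is None:
            continue
        if item.scheduled_completion > deadline:
            issues.append((item.poam_id, "SCHEDULE_EXCEEDS_DEADLINE"))
        if today > deadline:
            issues.append((item.poam_id, "OVERDUE"))
    return issues


def check_evidence_timeliness(submission, pen_test, control_test, scan,
                              has_agency_ato, kickoff=None):
    """Return the evidence categories that are stale for a package submitted on `submission`."""
    stale = []
    if pen_test < months_before(submission, PEN_TEST_MONTHS):
        stale.append("PEN_TEST")
    if has_agency_ato:
        if control_test < months_before(submission, CONTROL_TEST_MONTHS_WITH_AGENCY_ATO):
            stale.append("CONTROL_TEST")
    elif (submission - control_test).days > CONTROL_TEST_DAYS_NO_AGENCY_ATO:
        stale.append("CONTROL_TEST")
    if (submission - scan).days > SCAN_DAYS:
        stale.append("SCAN")
    # Scans (and the POA&M) must be current within 30 days before the JAB P-ATO kickoff.
    if kickoff is not None and (kickoff - scan).days > KICKOFF_SCAN_DAYS:
        stale.append("KICKOFF_SCAN")
    return stale


# Constructed sample data; every date and identifier below is invented for the example.
TODAY = date(2017, 6, 29)
PATO = date(2017, 3, 1)
SAMPLE_ITEMS = [
    PoamItem("V-001", "SAR-12", "high", date(2017, 5, 15), date(2017, 6, 10)),
    PoamItem("V-002", "SCAN-2017-06-05", "moderate", date(2017, 6, 5), date(2017, 9, 10)),
    PoamItem("V-003", "", "low", date(2017, 6, 1), date(2017, 12, 1)),
    PoamItem("V-003", "SAR-30", "moderate", date(2017, 2, 1), date(2017, 5, 20), closed=True),
]

if __name__ == "__main__":
    for poam_id, issue in check_open_poam(SAMPLE_ITEMS, TODAY, PATO):
        print(poam_id, issue)
    print(check_evidence_timeliness(TODAY, date(2017, 1, 15), date(2017, 2, 20),
                                    date(2017, 3, 10), has_agency_ato=False))
```

Run against the sample rows, the POA&M check reports the duplicated ID, the high finding whose 30-day window has lapsed, the moderate finding scheduled past its 90-day deadline, and the low finding with no paired SAR or scan finding; the closed row is skipped. The evidence check flags only the control-testing evidence (129 days old with no Agency authorization), and reports nothing if the same evidence is submitted for a system that already holds an Agency ATO, since the window is then 12 months.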

More Information

Read more about this week’s FedRAMP Tips and Cues here.