This week, FedRAMP published two questions and answers for Cloud Service Providers (CSPs):
Cloud Service Providers (CSPs)
Q: What is the relationship between continuous monitoring and continuous diagnostics & mitigation (CDM) and ongoing authorization?
A: The FedRAMP and CDM monitoring requirements are both based on NIST Special Publication 800-137 guidance for implementing an Information Security Continuous Monitoring program. The CDM program has initially focused on providing tools to Federal Agencies to ensure that they can fulfill vulnerability management, malware detection, asset management, and configuration management program responsibilities and aggregate data from those tools into a central console or dashboard to facilitate a more robust awareness of one’s risk posture. Agencies would also provide aggregate output from this dashboard to DHS to facilitate a government-wide view of vulnerabilities and associated risks. FedRAMP security controls also require that these elements (vulnerability management, malware detection, asset management, and configuration management) be in place at the CSP to support visibility into the operational status of a system, much like the CDM program. However, FedRAMP does not prescribe the exact tools and dashboards nor does it require real-time or near real-time uploading of all tool output to FedRAMP.
There is no planned integration of CDM and FedRAMP continuous monitoring at this time as CDM is focused on government assets and not external providers. FedRAMP is interested in evolving its continuous monitoring program to facilitate a shift from a compliance-based to a more risk-based approach and is preparing to solicit feedback from agencies and industry.
Cloud Service Providers (CSPs)
Q: My system uses various platforms and operating systems, so how do I relate technical control implementation statements?
A: The security control implementation statements for technical controls (AC, AU, IA, SC, etc) must be developed to include all of the applicable platforms/operating systems (e.g., Windows, Linux, Solaris, VMware) that comprise the cloud service architecture.
It is critical for reviewers (either Joint Authorization Board (JAB) or Agency) to delineate each platform/operating system against the applicable security control requirement to ensure compliance is adequately being met.
More Information
Read more about this week’s FedRAMP’s Tip and cues here