FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide. Version 1.0

Similar documents
FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.2

FedRAMP Plan of Action and Milestones (POA&M) Template Completion Guide. Version 1.1

FedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS. VERSION 1.0 October 20, 2016

FedRAMP Training - Continuous Monitoring (ConMon) Overview

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

FedRAMP Digital Identity Requirements. Version 1.0

FedRAMP Initial Review Standard Operating Procedure. Version 1.3

Agency Guide for FedRAMP Authorizations

FedRAMP Security Assessment Framework. Version 2.0

Guide to Understanding FedRAMP. Version 2.0

FedRAMP Security Assessment Plan (SAP) Training

FedRAMP Security Assessment Framework. Version 2.1

Branding Guidance December 17,

Continuous Monitoring Strategy & Guide

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

READ ME for the Agency ATO Review Template

American Association for Laboratory Accreditation

FedRAMP Training - How to Write a Control. 1. FedRAMP_Training_HTWAC_v5_ FedRAMP HTWAC Online Training Splash Screen.

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

MIS Week 9 Host Hardening

Akamai White Paper. FedRAMP SM Helps Government Agencies Jumpstart their Journey to the Cloud. FedRAMP. Federal Risk Authorization Management Program

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

FedRAMP General Document Acceptance Criteria. Version 1.0

INFORMATION ASSURANCE DIRECTORATE

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Job Aid: Introduction to the RMF for Special Access Programs (SAPs)

Incident Response Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

FISMAand the Risk Management Framework

Exhibit A1-1. Risk Management Framework

STUDENT GUIDE Risk Management Framework Step 5: Authorizing Systems

Vol. 1 Technical RFP No. QTA0015THA

Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

Tenable SCAP Standards Declarations. June 4, 2015 (Revision 11)

The next generation of knowledge and expertise

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

IT-CNP, Inc. Capability Statement

Tenable.io User Guide. Last Revised: November 03, 2017

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

FedRAMP Penetration Test Guidance. Version 1.0.1

Introduction to AWS GoldBase

2 Requests for Changes. About Requests for Changes

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Certification Report

Requirements for Certification under the Grandfathering Provision

Continuous Monitoring & Security Authorization XACTA IA MANAGER: COST SAVINGS AND RETURN ON INVESTMENT IA MANAGER

Risk Management Framework for DoD Medical Devices

CAMSCANNER TURN YOUR PHONE AND TABLET INTO SCANNER FOR

Patient Reported Outcome Measures (PROMs)

ForeScout Extended Module for Tenable Vulnerability Management

CYBER SECURITY POLICY REVISION: 12

Assessment of Vaisala Veriteq viewlinc Continuous Monitoring System Compliance to 21 CFR Part 11 Requirements

White Paper Assessment of Veriteq viewlinc Environmental Monitoring System Compliance to 21 CFR Part 11Requirements

LOUGHBOROUGH UNIVERSITY RESEARCH OFFICE STANDARD OPERATING PROCEDURE. Loughborough University (LU) Research Office SOP 1027 LU

Determining If Cloud Services Are Secure Enough: What Would FedRAMP Do? John Pescatore, SANS

7/21/2017. Privacy Impact Assessments. Privacy Impact Assessments. What is a Privacy Impact Assessment (PIA)? What is a PIA?

Certification Report

Secure Web Fingerprint Transaction (SWFT) Access, Registration, and Testing Procedures

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Telos and Amazon Web Services (AWS): Accelerating Secure and Compliant Cloud Deployments

Tenable for ServiceNow. Last Updated: March 19, 2018

PART III: SCOPE OF WORK (Revised )

Compliance with CloudCheckr

IBM Managed Security Services - Vulnerability Scanning

Streamlined FISMA Compliance For Hosted Information Systems

State of Colorado Cyber Security Policies

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Presented By Rick Link, Coalfire December 13, 2012

Web-based Internet Information and Application Checklist

DRAFT DEPARTMENT OF DEFENSE (DOD) CLOUD COMPUTING SECURITY REQUIREMENTS GUIDE (SRG) Version 1, Release December, 2014

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

SAGE Knowledge 2.0. Voluntary Product Accessibility Template. Version 1.0 December 10, 2015

About the DISA Cloud Playbook

MNsure Privacy Program Strategic Plan FY

Developed by the Defense Information Systems Agency (DISA) for the Department of Defense (DoD)

Development Authority of the North Country Governance Policies

COMPLIANCE IN THE CLOUD

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration

Click to edit Master title style

NB Appendix CIP NB-0 - Cyber Security Personnel & Training

TRANSFORMING CUSTOMS THROUGH TECHNOLOGY

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Server Security Checklist

SSL Certificates Certificate Policy (CP)

6/18/ ACC / TSA Security Capabilities Workshop THANK YOU TO OUR SPONSORS. Third Party Testing Program Overview.

CERTIFICATION CONDITIONS

The Common Controls Framework BY ADOBE

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

Appendix 12 Risk Assessment Plan

Service Description: CNS Federal High Touch Technical Support

Advisory Circular. Subject: INTERNET COMMUNICATIONS OF Date: 11/1/02 AC No.: AVIATION WEATHER AND NOTAMS Initiated by: ARS-100

Certification Exam Outline Effective Date: September 2013

CIP Cyber Security Systems Security Management

Notes for authors preparing technical guidelines for the IPCC Task Group on Data and Scenario Support for Impact and Climate Analysis (TGICA)

INFORMATION ASSURANCE DIRECTORATE

Certification Requirements and Application Procedures for Persons and Firms.

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Smarter-Better-Faster. Human-Computer Hybrid Architecture Bionic defence with edgescan

Transcription:

FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide Version 1.0 May 27, 2015

Document Revision History Date Version Page(s) Description Author May 27, 2015 1.0 All Initial Version C. Andersen June 6, 2017 1.0 Cover Updated logo FedRAMP PMO Page i

Table of Contents Document Revision History... i About this Document... iii Who Should Use This Document... iii How to Contact Us... iii 1. Purpose... 1 2. Cloud Service Provider Requirements... 1 3. FedRAMP Activities... 3 4. Remediation... 3 APPENDIX A: FedRAMP ACRONYMS... 4 Page ii

ABOUT THIS DOCUMENT WHO SHOULD USE THIS DOCUMENT This document is intended for the use by the following groups: Federal Risk and Authorization Management Program (FedRAMP) Cloud Service Providers (CSPs), to ensure they provide vulnerability scans as required. FedRAMP Information System Security Officers (ISSOs), to ensure the requirements are met and maintained. Leveraging agencies, to understand the scanning required by CSPs. HOW TO CONTACT US Questions about FedRAMP or this document should be directed to info@fedramp.gov. For more information about FedRAMP, visit the website at http://www.fedramp.gov. Page iii

1. PURPOSE This guide describes the requirements for all vulnerability scans of FedRAMP Cloud Service Provider s (CSP) systems for Joint Authorization Board (JAB) Provisional Authorizations (P- ATOs). 2. CLOUD SERVICE PROVIDER REQUIREMENTS CSPs are required to perform vulnerability scanning of their information systems monthly (at a minimum). Each CSP is responsible for the delivery of the results of these vulnerability scans to their authorization official in a timely manner. These vulnerability scans are the cornerstone for the continuous monitoring of a CSP s risk posture, enabling authorization officials to continue to authorize a CSP system for use. Each CSP must identify and use vulnerability assessment tools within their security control implementations approved by the JAB through the P-ATO. These include: Operating system and network vulnerability scanners Database vulnerability scanners Web application vulnerability scanners FedRAMP security authorization requirements specify that initial vulnerability scans for the P- ATO shall be performed by a Third Party Assessment Organization (3PAO), to provide independent validation of the scan results. CSPs must use the same tools for continuous monitoring as were used by the 3PAO for the P-ATO process. In some circumstances, CSPs may request changes to these tools. However, continued use of the previous tools must continue until all identified vulnerabilities from the original tools have been mitigated. The length of overlap is dependent on the CSP correcting the remaining vulnerabilities. To ensure FedRAMP has all of the required information to perform the vulnerability analysis, the CSP must submit the following information: Vulnerability scan data Raw scan files (native scanner files usually some form of XML, CSV, or structured data format). Exported summary reports (PDF, MS Word, or other readable documents). Summary reports should include Executive Summary, Detailed Summary, and Inventory Report. Actual reporting capabilities may vary by tool. Current and accurate system inventory. CSPs shall deliver a current system inventory identifying the components of the information system within the authorization boundary. The inventory must be complete and contain all boundary components. The system inventory must be delivered in a machine-readable format (XLS, CSV, XML). It is critical that the vulnerability scans and the provided system inventory is machine matchable (IP addresses, system names, or other unique identifiers). Vulnerability scans and inventories that cannot be matched will by rejected by the PMO. Page 1

CSPs are also responsible for ensuring the highest quality vulnerability scans. Below is a list of requirements to ensure the quality of the scanning is acceptable for the FedRAMP program. Authenticated/Credentialed Scans: Vulnerability scans must be performed using system credentials that allow full access to the systems. Scanners must have the ability to perform in-depth vulnerability scanning of all systems (where applicable). Systems scanned without credentials provide limited or no results of the risks. All unauthenticated scans will be rejected unless an exception has been previously granted due to applicability or technical considerations. Enable all Non-destructive Plug-ins: To ensure all vulnerabilities are discovered, the scanner must be configured to scan for all non-destructive findings. Any vulnerability scans where plug-ins are limited or excluded will be rejected. Exceptions may occur based on specific requests from the government for re-scans or targeted scans. These scans must comply with the directions provided by the government. Full System Boundary Scanning: Each scan must include all components within the system boundary. Reduced number of components or missing categories will result in rejected scans. In some cases, sampling is acceptable; however this sampling must be approved as a part of the initial Security Assessment Plan for P-ATO, and approved as a part of the Continuous Monitoring Plan at the time of P-ATO. Sampling must include a complete and comprehensive representative sample of the information system components. This includes scanning multiple components of the same category in addition to scanning all component categories. (Note: sample scanning is approved based on the ability to prove the component categories are identically configured. These categories must be maintained through configuration management and all components must be similarly configured. Discovery of mis-configured items may result in the revocation of sampling and require future scans to be comprehensive, including all system components). Scanner Signatures Up to Date: CSPs must ensure that the vulnerability scanner used is up to date and includes the latest versions of the vulnerability signatures. Before scanning, each scanner must be updated to reflect the latest version of the scan engine as well as the signature files. Provide Summary of Scanning: Each scan submission must be accompanied by a summary of the scanning performed. The summary must include a listing of all the scan files submitted, which scanning tools were used, and a short summary of the purpose of the scan (e.g. monthly scans, re-scans, verification scans, etc.). In addition, the summary should discuss the configuration settings of the scanner, including whether the signatures were limited for targeted, verification scans or if the scope of the scans excluded certain components or IP addresses. IP address ranges and/or a description of the targets are required. POA&M All Findings: Findings within the scans must be addressed in a Plan of Action and Milestones (POA&M) or other risk acceptance requests and maintained until the vulnerabilities have been remediated and validated. Additional details on the POA&M requirements can be found in the POA&M Template User Guide on FedRAMP.gov website. Page 2

3. FEDRAMP ACTIVITIES FedRAMP evaluates all vulnerability scans submitted and provides a summary report to the JAB. In addition, agencies looking to leverage a CSP will also have access to the most recent risk posture information, including the continuous monitoring reports and POA&M. FedRAMP CSPs can be complex and ever-changing. It is critical that FedRAMP maintain a current risk posture of the system through the scanning and continuous monitoring documentation. To accomplish this, FedRAMP utilizes automated tools for the evaluation, analysis, and reporting of the risk posture. The system ISSO will review the reports and make additional modifications or additions to ensure an accurate risk posture is presented in the summary reports. 4. REMEDIATION Systems that fail to meet the quality or timeliness of the vulnerability scan submission requirements will be subject to actions. These actions may include one or more of the following: FedRAMP may require an immediate re-scan of the system. FedRAMP will clearly document the required adjustments necessary for the re-scan. FedRAMP may require a 3PAO to perform future scans for a period of time if the CSP is unable to meet the FedRAMP requirements. Continuous issues may result in FedRAMP requiring a Corrective Action Plan from a CSP as part of maintaining a P-ATO and communicating with known agencies the deficiencies with meeting scanning requirements. The FedRAMP JAB can also revoke a P-ATO for failure to meet these requirements and remove the vendor from the FedRAMP website. FedRAMP reserves the right to take any of the actions listed above based on the severity of the deficiency. Page 3

APPENDIX A: FedRAMP ACRONYMS The master list of FedRAMP Master Acronym & Glossary definitions for all FedRAMP templates is available on the FedRAMP website Documents page (https://www.fedramp.gov/resources/documents-2016/) under Program Overview Documents. Please send suggestions about corrections, additions, or deletions to info@fedramp.gov. Page 4

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback