The Federal Risk and Authorization Management Program (FedRAMP) is requiring FedRAMP Authorized cloud service providers (CSPs) to identify and report all Cisco Adaptive Security Appliance (ASA) platforms, following the issuance of an emergency directive by the Cybersecurity and Infrastructure Security Agency (CISA) last week.

CISA issued the emergency directive last Thursday, requiring all federal agencies to take immediate action to patch vulnerabilities in the Cisco ASA platform by Friday, Sept. 26. The agency issued the directive in response to what it called “an advanced threat actor” targeting Cisco ASA via web services.

Now, FedRAMP Authorized cloud providers are facing a deadline of their own. In a Sept. 29 blog post, FedRAMP said it sent emails last Friday to all FedRAMP Authorized cloud providers, informing them of the actions that need to be taken from the emergency directive.

“FedRAMP Authorized cloud providers are requested to determine if their cloud service offerings have affected devices within their FedRAMP authorization boundary,” FedRAMP said, adding, “If no affected devices exist, no further action is needed.”

However, if CSPs have affected devices in their environment, they are being asked to “document the applicability and / or actions taken for your agency customers and notify FedRAMP and agency authorizing officials.”

FedRAMP is recommending that the CSPs include the following content in their responses:

  • Are Cisco ASA devices present within the FedRAMP boundary?
  • What is the number or percentage of affected devices?
  • Are indicators of compromise present?
  • Summary of actions taken (and to be taken) to address the relevant CVEs.
  • Additional information they wish to provide to customers.

FedRAMP is asking cloud providers to upload responses to their “secure location that stores FedRAMP authorization data (such as USDA Connect)” by Thursday, Oct. 2, at 11:59 p.m.

Once the information is available in their secure repository, CSPs must email FedRAMP and all agency customer Authorizing Officials (or ISSO) POCs with notification of the completed action. They must also upload a copy of their email notifications to the incident response folder in their respective FedRAMP secure repository.

“If any indication of compromise or anomalous behavior is found or there is any suspected impact to federal systems, please make sure to follow the FedRAMP Incident Communication Procedures, which includes reporting to CISA US-CERT and agency customers,” FedRAMP said.

Federal agencies can access cloud provider responses in the cloud provider’s respective FedRAMP secure repository. FedRAMP said that agencies should assume that a CSP is not affected by the emergency directive if no response is uploaded or emailed.

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.