FedRAMP Tunes Requirements for CSPs


With compliance deadlines looming for Cloud Service Providers (CSPs), FedRAMP is ramping up its requirements for the monitoring of cloud systems.

CSPs have until July 1 of this year to be fully compliant with the new FedRAMP requirements. By March 31, CSPs must provide written notification identifying when their cloud service offerings will be fully compliant with the National Institute of Standards and Technology (NIST) SP 800-63-3 digital identity requirements.

Based on feedback from various stakeholders, including CSPs and Joint Authorization Board (JAB) Review Teams, FedRAMP on Jan. 31 issued revisions to several existing guidance documents, released some new ones, and announced plans for additional documents in the near future.

According to FedRAMP, the updates are intended to improve and clarify the overall process, making it easier to reference aspects of the process that previously were not documented. It also adds structure to the procedures that may have been interpreted incorrectly by CSPs and JAB Reviewers.

“FedRAMP is continuing to proactively refine our guidance and policies to better align with NIST, White House, and DHS requirements and policies,” said Ashley Mahan, FedRAMP Agency evangelist at GSA. “We look forward to continuing to promote transparency, consistency, and clarity among the FedRAMP community.”

“2018 is a year of ‘refinement’ for the program,” she continued. “Over the last two years, we have gone full-throttle in creating new initiatives, based on customer feedback, to encourage authorization speed, enhanced program awareness, and increased transparency. This year, we are focusing these actions and providing further clarity and guidance to increase FedRAMP adoption and understanding.”

Revisions of Existing Rules

The updates to existing documents include:

  • The FedRAMP Continuous Monitoring Performance Management Guide: This explains what action FedRAMP will take when a CSP fails to maintain an adequate risk management program, and lays out escalation procedures when a CSP fails to meet the requirements.
  • The Vulnerability Deviation Request Form: This provides a standardized method to document deviation requests, which are used to document things like risk adjustments and false positives.
  • A Continuous Monitoring Strategy and Guide: This provides guidance on continuous monitoring of cloud services and ongoing authorization.

New Requirements

New FedRAMP guidance documents cover digital identity requirements and Transport Layer Security (TLS) requirements, and provide a form for JAB reviewers to use in their monthly reviews.

When it comes to digital identity, FedRAMP is following NIST guidance, and the new document describes how FedRAMP intends to implement it. The TLS requirement calls on CSPs to move to TLS 1.1 or higher in order to protect against known and anticipated attacks on the TLS 1.0 and SSL protocols.

Future Regs

Looking ahead, FedRAMP has a number of documents in development, with plans to release them early this year. Those include:

  • The Common Vulnerability Scoring System (CVSS) guidance: This will give CSPs a standard, widely understood vulnerability severity scoring framework. The framework will enable CSPs to build and use an automated, CVSS-based vulnerability risk adjustment tool.
  • The Vulnerability Scan Requirements for CSPs Requesting to do Sampling/Representative Scans: Prompted by requests from CSPs to scan samples of system components instead of the entire system, this document will explain how to do so and specify which CSPs are eligible to use sampling.

Finally, FedRAMP points out that if a CSP anticipates being unable to meet the July 1 deadline, written communication must include a justification and a plan of action detailing how and when the CSP will fully comply. Where full implementation is not possible, the CSP must present a mitigation plan.
