FedRAMP Requirements Checklist
Who should be FedRAMP compliant?Currently, any cloud service provider (CSP) working with the federal government needs to meet the security assessment, authorization, and continuous monitoring requirements to obtain a Joint Authorization Board Provisional Authority to Operate (JABP-ATO). In July 2018, a bipartisan bill known as the FedRAMP Reform Act of 2018 seeks to increase efficiency for CSPs adopting FedRAMP assessment processes. However, whether your CSP works with government agencies or not, you may want to adopt the security controls as part of a business plan that helps provide insight and transparency to your customers.
Why do non-CSPs care about FedRAMP?Cloud computing is the wave of the future. As evidenced by IBM’s purchase of Red Hat for $34 billion, hybrid cloud services are the current long game for managing, analyzing, and leveraging data. These services remain a primary target for hackers. Supply chain attacks increased by 200% in 2017 and will likely continue to grow. Your CSP may be the weakest link in your supply chain. FedRAMP compliance can enable you to control your business information system solutions better.
Why FedRAMP is more secure than FISMAThe Federal Information Security Management Act (FISMA) guidelines can be used to review cloud services’ security controls. The Federal Information Procession Standard (FIPS) 199 ranks information based on the impact a vulnerability or breach has on your information system infrastructure. The FIPS 200 used by FISMA outlines minimum security control requirements. Finally, FISMA applies baseline security controls described in that National Institute of Standards and Technology (NIST) publication 800-53. These controls sound great but come with a few problems FedRAMP solves.
- FedRAMP focuses specifically on security elements unique to CSPs.
- FedRAMP security controls go beyond the NIST baseline requirements.
- FedRAMP requires a third-party assessment organization (3PAO) to certify the security controls.
How to Manage FedRAMP RequirementsSince FedRAMP was initially intended to govern CSPs working with federal information, much of which may be classified, the requirements may feel burdensome. However, with CSPs increasingly targeted by hackers, these requirements protect anyone using a FedRAMP certified CSP. Although FedRAMP released a “Tips and Cues Compilation,” below is an easy to review the summary of the most critical steps to compliance.
- Address every vulnerability found in your continuous monitoring program
Remediate the vulnerability. Establish a Deviation Request Process. Justify findings as “Vendor Dependency” and establish 30-day vendor contact timetable.
- Align monthly monitoring scans and Plan of Action & Milestones (POA&M) to sync with your patch management program to report only real vulnerabilities not ones already scheduled for remediation.
- Review for commonly overlooked or insufficiently answered controls.
When reviewing the “Implementing Configuration Settings (CM-6)” make sure to identify all system components requiring configuration management, individuals responsible for configuration, how responsible part configures, any additional FedRAMP requirements included, and where you saved the documentation.
- Review for common missed or neglected FedRAMP or NIST requirements
Not identifying portals, lacking multi-factor authentication, non-segregation of customers, high vulnerabilities detected during testing, unclear authorization boundaries, incomplete or poorly defined policies and procedures are all examples of common documentation problems.
- Communicate with your FedRAMP Information System Security Officer (ISSO) or government liaison.
- A Cloud Service Offering (CSO) must be approved and granted FedRAMP Provisional Authorization to Operate (P-ATO) or Agency ATO before leveraging security controls.
- Use NIST SP 800-53 Revision 1 Contingency Planning Guide for Federal Information System Appendix B to create a Business Impact Analysis
- If you are a moderate impact CSP and want to want to move into Law Enforcement, Emergency Services, Financial Systems, Health Systems, or any other high impact category, you should review the Categorization Change Form Template first.
Readiness Assessment Report (RAR)
- Always send an email notification to firstname.lastname@example.org when submitting a RAR or RAR update or authorization package to ensure review.
Security Assessment Plan (SAP) & Security Assessment Report (SAR)
- If 3PAO validates/determines a finding a “False Positive” ensure that the JAB also approves those findings otherwise, they must be added to the Continuous Monitoring (ConMon) POA&M.
- 3PAO vulnerability scanning includes reviewing tools for configurations, ensuring scans meeting FedRAMP requirements, overseeing and monitoring scans, describing and executing procedures.
- Penetration testing tools must be in the SAP and match the Penetration Test Plan document.
- Document False Positives or corrected findings with specific items of evidence such as screenshots or scan files, list by file name, and include with the SAR.
- Assign unique Vulnerability Identifiers and ensure previously documented vulnerabilities are not assigned new identifiers.
System Security Plan (SSP)
- Security requirements for each control include a description of the solution, how it meets security control requirement, responsible parties, how often reviewed, who reviews, what triggers reviews, documentation of reviews, proof of review, any policies referenced as implementation reasons.
- Review “Security Procedures” to include all steps for users, system operations personnel, or others. FedRAMP notes the following examples of procedures:
How To Create User Accounts
How To Test Backup
How To Authorize A User Account
How To Perform Friendly Terminations
How To Perform Unfriendly Terminations
How To Lockdown a Windows 2012 Server
How To Manually Turn On a Generator
Standard Operating Procedures For Adding New Storage Arrays Media
Procedures For Adding Firewall Rules
Procedure For Configuring Live Migrations of Virtual Machines
How To Review a Log File for Suspicious Activity
How To Configure Audit Storage Capacity Alerts
How To Use Cron To Schedule Alerts
How To Configure The Log Delivery Service
How To Test The Contingency Plan