In a dynamic cloud environment, with cyber threats ever evolving and growing at an exponential rate, organizations should practice a robust cyber defense. Continuous monitoring is an essential step for organizations to identify and measure the security implications for planned and unexpected changes to their information systems and to assess vulnerabilities in a fast-changing threat space.
The FedRAMP PMO has recognized the importance of ongoing security control monitoring, which helps ensure that deployed security controls remain effective and operate as intended. As part of the FedRAMP post-authorization requirement, cloud service providers must periodically validate whether security controls are implemented correctly and operate as intended.
The FedRAMP ConMon process is based on the guidance in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. As described by NIST, the ConMon process includes the following:
- Define – CSPs must define a continuous monitoring strategy that is based on risk tolerance, ensuring visibility into their information system assets and vulnerabilities;
- Establish – CSPs must establish a continuous monitoring program, including measures, metrics and control assessment frequencies;
- Implement – the continuous monitoring program must be implemented to collect required data;
- Analyze and Report – the collected data must be analyzed and findings must be reported;
- Respond – all findings must be addressed with technical, management, and/or operational mitigating activities;
- Review and Update – based on the lessons learned, the continuous monitoring program must be reviewed and revised.
The goal of FedRAMP continuous monitoring is to provide operational visibility, manage change control, and ensure incidents are responded to in a timely manner.
To ensure their data remains secure, CSPs must deliver evidentiary information to agencies on a periodic basis. These deliverables include, but are not limited to: a monthly Plan of Action and Milestones (POA&M); monthly database, operating system, and web application raw scan files; ad-hoc (as appropriate) incident response notifications; and major system change requests. In addition, on an annual basis, CSPs must hire a third-party assessment organization (3PAO) to perform an assessment of a subset of the overall controls implemented on the system. These deliverables are required regardless of authorization type (JAB or Agency) and must be uploaded to the FedRAMP Secure Repository on OMB MAX.
The FedRAMP PMO recognizes that cloud environments are in a constant state of change; therefore, CSPs must implement a configuration management process and conduct a Security Impact Analysis for all planned changes. In the event a change is deemed to adversely affect the integrity of the system, a CSP must treat it as a significant change. In that case the CSP must complete a Significant Change Request Form (located at http://fedramp.gov). The goal is for the CSP to make changes in a planned and controlled way in order to preserve the security posture of the system.
Lastly, as part of the FedRAMP ConMon, CSPs must demonstrate the ability to respond to security incidents in an effective and timely manner. Organizations must report information security incidents where the confidentiality, integrity, or availability of a federal information system has been affected within one hour of being identified, along with the required data elements as well as any other available information. In some cases, it may not be feasible to have complete and validated information prior to reporting. Organizations should provide their best estimate at the time of notification and report updated information as it becomes available.
What is FedRAMP looking for?
- Monthly Authenticated/Credentialed Scans
  - FedRAMP requires full-range authenticated scans with all non-destructive plugins enabled. Scans over 10 percent unauthenticated will be rejected unless the CSP provides sufficient justification. This requirement pertains to all network, operating system, database, and web application scans, using the type-specific scanning toolset, which must be conducted at least monthly. Each scan must include all components within the system boundary. Scans under 95 percent inventory coverage will be rejected unless the CSP provides sufficient justification.
  - Scans should be performed soon after a vendor patch release. If monthly scans are out of sync with the patch cycle, the number of vulnerabilities reported can be artificially inflated.
- Updated monthly Plan of Action and Milestones (POA&M)
  - CSPs must reconcile monthly POA&M findings with the scan results to ensure accuracy. All POA&Ms that were closed during the month must be recorded under the “Closed POA&M” tab. All false positive vulnerabilities should stay on the open tab until the deviation request is approved by the JAB. Operational requirements must remain on the open tab indefinitely, or until they are resolved (for example, by migrating to a new technology). Vendor dependencies should also remain on the open tab indefinitely and should be closed only if the CSP resolves the issue by applying a vendor patch or remediation.
  - CSPs must demonstrate the ability to mitigate High-risk vulnerabilities within 30 days from discovery, Moderate-risk vulnerabilities within 90 days from discovery, and Low-risk vulnerabilities within 180 days from discovery.
- Annual Assessment
  - For the Annual Assessment, a 3PAO should select the core controls as well as other controls required by the CSP, all controls that have not been tested within the three-year cycle, and controls that were Plan of Action and Milestones (POA&M) items, involved with deviation requests, etc.
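As an added example (not from the post, FedRAMP, or Telos), here is a Python pre-check a CSP could run on its monthly deliverables before upload: it applies the 10 percent unauthenticated and 95 percent inventory coverage scan thresholds above, and reconciles a POA&M against the current scan findings using the 30/90/180-day remediation windows while keeping false positives, operational requirements, and vendor dependencies on the open tab. The finding IDs, host counts, statuses, and dates are constructed sample values, not real findings.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_UNAUTH_PCT = 10.0    # over 10% unauthenticated -> scan rejected (per the post)
MIN_COVERAGE_PCT = 95.0  # under 95% inventory coverage -> scan rejected (per the post)
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}  # days from discovery

@dataclass
class PoamItem:
    finding_id: str
    severity: str
    discovered: date
    status: str = "open"  # open | false_positive | operational_requirement | vendor_dependency

def scan_is_acceptable(total_hosts, scanned_hosts, authenticated_hosts):
    """Check one monthly scan against the 95% coverage and 10% unauthenticated limits."""
    reasons = []
    coverage = 100.0 * scanned_hosts / total_hosts
    unauth = 100.0 * (scanned_hosts - authenticated_hosts) / scanned_hosts
    if coverage < MIN_COVERAGE_PCT:
        reasons.append(f"inventory coverage {coverage:.1f}% is below {MIN_COVERAGE_PCT}%")
    if unauth > MAX_UNAUTH_PCT:
        reasons.append(f"unauthenticated share {unauth:.1f}% exceeds {MAX_UNAUTH_PCT}%")
    return not reasons, reasons

def reconcile(poams, scan_finding_ids, today):
    """Reconcile open POA&M items with this month's scan finding IDs (a set)."""
    result = {"keep_open": [], "close": [], "overdue": [], "new": []}
    seen = set()
    for item in poams:
        seen.add(item.finding_id)
        # Only plain "open" items that vanished from the scan are closure candidates;
        # FPs pending a DR, operational requirements and vendor dependencies stay open.
        if item.status == "open" and item.finding_id not in scan_finding_ids:
            result["close"].append(item.finding_id)
            continue
        result["keep_open"].append(item.finding_id)
        due = item.discovered + timedelta(days=REMEDIATION_DAYS[item.severity])
        if item.status == "open" and today > due:
            result["overdue"].append(item.finding_id)
    result["new"] = sorted(scan_finding_ids - seen)  # scan findings with no POA&M entry yet
    return result

# Constructed sample data; finding IDs are placeholders, not real vulnerabilities.
TODAY = date(2024, 6, 1)
SAMPLE_POAMS = [
    PoamItem("F-1", "High", date(2024, 4, 15)),                     # still found, past 30 days
    PoamItem("F-2", "Moderate", date(2024, 5, 1)),                  # no longer found -> close
    PoamItem("F-3", "Low", date(2023, 1, 1), "vendor_dependency"),  # stays open regardless
    PoamItem("F-4", "High", date(2024, 3, 1), "false_positive"),    # stays open until DR approved
]
SAMPLE_SCAN = {"F-1", "F-3", "F-5"}
```

Calling `reconcile(SAMPLE_POAMS, SAMPLE_SCAN, TODAY)` flags F-1 as overdue, proposes F-2 for the Closed tab, keeps F-3 and F-4 open, and reports F-5 as a new finding that needs a POA&M line.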
Failure to adhere to the FedRAMP ConMon strategy may result in escalation actions by FedRAMP and can even lead to permanent revocation of a system's ATO. For more guidance on the FedRAMP escalation process, please refer to the FedRAMP Continuous Monitoring Performance Management Guide located on the FedRAMP website.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.