FedRAMP P-ATO Management and Revocation Guide. Version 1.0

Similar documents
FedRAMP Continuous Monitoring Performance Management Guide. Version 2.0

FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide. Version 2.0

FedRAMP JAB P-ATO Process PRIORITIZATION CRITERIA. VERSION 1.0 November 11, 2016

LIFT MAINTENANCE POLICY

ICC ASSOCIATE MEMBERSHIP CRITERIA & GUIDELINES. As at July 2013

Procedure: Work health and safety reporting

ASSOCIATED BRITISH PORTS - LOWESTOFT

Youth Outdoor House League/HLDP General Rules & Regulations

Institutional Review Board Standard Operating Procedure. Suspension and Termination of IRB Approval

(y9. &i?r, JUL t Certified-Return Receipt Requested WARNING LE7TER

MEDICAL GAS CYLINDERS AND MEDICAL PIPELINE SYSTEMS (MGPS) POLICY

Chief Operating Officer Approved by. Responsible Officer. Vice-Chancellor Approved and commenced 25 September, 2017 Review by September, 2020

External IRB Instructions for the Registration Pathway in OSIRIS

The Children s Hospital of Philadelphia Committee for the Protection of Human Subjects Policies and Procedures. Cooperative Agreements

WFTDA SANCTIONING POLICY

ICC AFFILIATE MEMBERSHIP CRITERIA & GUIDELINES. As at June 2016

ICC AFFILIATE MEMBERSHIP CRITERIA & GUIDELINES. As at January 2015

Vermin, Insects and Scavenging Birds Management Plan

ICC AFFILIATE MEMBERSHIP CRITERIA & GUIDELINES. As at July 2013

NRA MANUAL OF CONTRACT DOCUMENTS FOR ROAD WORKS. Introduction to the NRA Manual of Contract Documents for Road Works. Volume 0 Section 0 Part 1

CERTIFICATION AGREEMENT

UNIVERSITY OF TENNESSEE GRADUATE SCHOOL OF MEDICINE INSTITUTIONAL REVIEW BOARD CONTINUING REVIEW AND REAPPROVAL OF RESEARCH

TLN WRO Document. Back to Back CAS support

NRA MANUAL OF CONTRACT DOCUMENTS FOR ROAD WORKS

NAUI Technical Instructor Application Checklist

EXHIBITION Guide. Roles and Responsibilities OS11. A handbook for exhibitors and contractors

Sample Signature List: [Your list may vary depending on your jurisdiction, structure, and/or state and county guidelines.]

GUIDELINES FOR BREATH ALCOHOL COLLECTION

UC Irvine Environmental Health & Safety

INTERPLAY GUIDELINES (U16 U19) SECTION 8 AREA B

Bathing Water Directive report Austria

International Standard for Athlete Evaluation. September 2016

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

MODEL AERONAUTICAL ASSOCIATION OF AUSTRALIA

THE FOOTBALL ASSOCIATION DISCIPLINE PROCESS FOR SMALL-SIDED FOOTBALL

University of Iowa External/Central IRB Reliance Process Standard Operating Procedure (SOP)

CONTINUING REVIEW CRITERIA FOR RENEWAL

UNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER INSTITUTIONAL REVIEW BOARD CONTINUING REVIEW OF RESEARCH

NORTHWOODS FIGURE SKATING CLUB PROFESSIONAL STAFF AGREEMENT

Wayne State University Institutional Review Board

H-F Youth Hockey MITE Payment Agreement

SYRACUSE UNIVERSITY HUMAN RESEARCH PROTECTION PROGRAM STANDARD OPERATING PROCEDURES

Common Test Scenarios Document. Version 1.9

LONDON & SE DIVISIONAL ORGANISING COMMITTEE (DOC) ADMINISTRATIVE INSTRUCTIONS

NATIONAL TRANSPORTATION SAFETY BOARD Public Meeting of September 24, 2014 (Information subject to editing)

2013 Special Reliability Assessment: Accommodating an Increased Dependence on Natural Gas for Electric Power

IOWA STATE UNIVERSITY Institutional Review Board. Policy on IRB Review of Protocol Deviations and Noncompliance for Non-exempt Research

VALE # Name: Dave Duczeminski Position: Manager Department: Maintenance Engineering

Enid Soccer Club. Administrative Regulations. 1. Seasons. 2. Players. 3. Teams

Code for the Provision of Chargeable Mobile Content Services

Reliability Coordinator Procedure

Football Operations:

Scottish Swimming Regulations. Open Water National Discipline Committee

Archery Australia Inc High Performance Committee

ICC UMPIRES CODE OF CONDUCT

The University of Georgia Automated External Defibrillator (AED) Program Guidelines

Nomination Guidelines Canadian Para-Alpine Ski Team

Copyright Thames Water Utilities Ltd Alternative water supplies policy.

Questions & Answers About the Operate within Operate within IROLs Standard

CONTINUING REVIEW CRITERIA FOR RENEWAL

International Paralympic Committee Athlete Classification Code. November 2015

Website Years in Business Number of Full-time Employees. Architect Electrical Contractor Industrial Services Mechanical Contractor

VDOT BICYCLE & PEDESTRIAN IMPLEMENTATION GUIDE FOR LOCALITY INVOLVEMENT April 2017

XXI Commonwealth Games. Gold Coast, Australia April Selection Policy and Standards December 2016

ELITE JUNIOR CHAMPIONSHIP SELECTION POLICIES 2017

Research Involving Human Subjects: AA 110.7

Guidance Note. NXT Advisors

DISCIPLINE POLICY AND PROCEDURES

Executive Order on the activities of pilotage service providers and the obligations of pilots

Policy Registry. C-01 Competitions Policy. Committee Responsible: Competition. Date Approved: June 3, 2012 Review Date: June 2017

GEVA Region Recruiting and Binding Commitment Policy

Jamberoo Touch Incorporated Judiciary Rules & Procedures

International Association of Drilling Contractors North Sea Chapter HPHT Guidance on MODU Safety Case Content

University of Cincinnati. Radiation Safety Committee Operations Guidelines Statement of Policy (RSC Guidelines) RSC Guidelines (revision 5)

DELISLE MINOR HOCKEY ASSOCIATION

Dockless Cycle Share

2017 EUROPEAN YOUTH CHAMPIONSHIPS SELECTION POLICY

New Castle County Guidelines for the Certified Construction Reviewer, Owner/Developer, Site Contractor and Professional Engineer

CONTINUITY OF SERVICE PLAN FOR THE LRIT SYSTEM

XX1 Commonwealth Games Gold Coast, Australia April Artistic Gymnastics. Selection Policy and Standards

Code for the Provision of Chargeable Mobile Content Services

Selection Criteria Changes April 14, 2016 The following was removed from section 5.2, then revised and added to section 6.1: NOTE: Failure to achieve

PUBLIC RECORD. Record of Determinations Medical Practitioners Tribunal

!! Conduct Management! Change for the better.

To ensure compliance to WorkSafeBC Regulation Part 9 Confined Space Entry which states:

Safe High Pressure Water Washing (HPWW) Requirement

EMA, Inc. SITE SAFETY PLAN

Table Tennis England Selection Policy

HS329 Risk Management Procedure

Cayuse IRB Policy and Procedure Manual

AGREEMENT BETWEEN THE U.S. FISH AND WILDLIFE SERVICE AND THE U.S. ARMY CORPS OF ENGINEERS FOR CONDUCTING FISH AND WILDLIFE COORDINATION ACT ACTIVITIES

REFEREE SERVICE AGREEMENT

Speed Limit Policy Isle of Wight Council

WAIS Canoe Sprint Program Selection Guidelines, Criteria and Process

Appendix C - Guidance for Integrating EFH Consultations with Endangered Species Act Section 7 Consultations

Healthcare. Ref: Final results of the quench line inspection at your MAGNETOM system. Dear Siemens MR User,

1.0 PURPOSE 2.0 REFERENCES

NAVIGATION AND SEAMANSHIP Secure vessel at mooring, anchor, and berth

Disciplinary Policy and Procedures

BCGA GUIDANCE NOTE 17

Transcription:

FedRAMP P-ATO Management and Revocation Guide Version 1.0 July 29, 2015

Revision History Date Version Page(s) Description Author 07/22/2015 1.0 All Initial version FedRAMP PMO How to Contact Us For questions about FedRAMP or this document, email to info@fedramp.gov. For more information about FedRAMP, visit the website at http://www.fedramp.gov. Page 2

1. INTRODUCTION This document explains the actions FedRAMP will take when a Cloud Service Provider (CSP) fails to maintain an adequate risk management program. When a CSP receives a Provisional Authority to Operate (P-ATO) for its cloud system, it comes with the following minimum requirements: 1. The CSP satisfies the requirement of implementing continuous monitoring activities as documented in FedRAMP s continuous monitoring (ConMon) requirements and CSP s Continuous Monitoring Plan; 2. CSP mitigates all open low and moderate POA&M action items, agreed to in the Security Assessment Report (SAR); and 3. Significant changes or critical vulnerabilities are identified and managed in accordance with applicable Federal law, guidelines, and policies. 1 This document lays out the escalation processes and procedures as well as minimum mandatory escalation actions FedRAMP will take when a CSP fails to adhere to the requirements of the P- ATO. While this document specifically addresses FedRAMP P-ATOs maintained by the JAB, FedRAMP recommends that agencies create similar guides and/or use this P-ATO Management and Revocation Guide when maintaining agency ATOs through FedRAMP. 2. ESCALATION PROCESS AND PROCEDURES If a CSP fails to meet the FedRAMP ConMon requirements described in the FedRAMP Continuous Monitoring Strategy Guide, FedRAMP will initiate the escalation process defined in Table 1 below. This escalation process outlines actions that can be taken by FedRAMP, but is not necessarily linear. The severity and scope of the change in the cloud system s risk posture will define the escalation action taken by FedRAMP. 1 As a note, there may be additional requirements included in the P-ATO that address cloud system specific security concerns that were identified. Page 3

Table 1. Escalation Process Escalation Actions FedRAMP Action If a CSP cannot meet the FedRAMP ConMon requirements for their cloud system: Internal Corrective Action FedRAMP will notify the CSP of the specific failures to comply with FedRAMP ConMon. The CSP will provide a Corrective Action Plan (CAP) to FedRAMP including a time period agreement to fix the specific failures noted by FedRAMP. o The CAP must be provided to FedRAMP within 1 week of notice of the failures to comply with FedRAMP ConMon. FedRAMP will notify the JAB teams on issues and the CSP s CAP and continued progress. If a CSP cannot meet the stated requirements within FedRAMP ConMon for their cloud system: Formal Corrective Action Plan The FedRAMP Director will send a letter to the CSP notifying the CSP a CAP is required. The letter will outline the specific failures of the CSP s ConMon activities. The letter will be posted in the FedRAMP Secure Repository for leveraging agencies to see. The CSP shall provide a CAP to FedRAMP including a time period agreement to fix the specific failures noted by FedRAMP. o The CAP must be provided to FedRAMP within 1 week of receipt of the letter from the FedRAMP Director. o The CAP must be signed by the System Owner. o The CAP must be agreed to by FedRAMP. The CAP and updates will be posted to the FedRAMP Secure Repository. Once the CAP is completed, the FedRAMP Director will post a letter to the FedRAMP Secure Repository detailing the successful completion of the CAP and the CSP s adherence with FedRAMP ConMon requirements. If a CSP cannot meet the stated requirements within FedRAMP ConMon for their cloud system: Suspension The FedRAMP Director will send a letter to the CSP notifying the CSP of possible P-ATO suspension. The letter will outline the specific failures of the CSP s ConMon activities. The FedRAMP Director will initiate a formal JAB P-ATO review to Page 4

Escalation Actions FedRAMP Action determine if the risk level requires suspension of the JAB P-ATO. The CSP shall provide a CAP to FedRAMP including a time period agreement to fix the specific failures noted by FedRAMP. o The CAP must be provided to FedRAMP within 1 week of the letter from the FedRAMP Director. o The CAP must be signed by the System Owner. The JAB will review the CAP and either grant the CSP more time to mitigate the issue(s) or suspend the P-ATO for a specific period of time. The JAB s decision and necessary actions will be documented and a letter will be posted in the FedRAMP Secure Repository and all known agencies leveraging the CSP s cloud system will be notified. Once the CAP is completed, the FedRAMP Director will post a letter to the FedRAMP Secure Repository detailing the successful completion of the CAP and the CSP s adherence with FedRAMP ConMon requirements. If a CSP cannot meet the stated requirements within FedRAMP ConMon for their cloud system: Revocation The FedRAMP Director will send a letter to the CSP notifying the CSP of possible P-ATO revocation. The letter will outline the specific failures of the CSP s ConMon activities. The JAB may decide to have a formal P-ATO review initiated by the FedRAMP Director to determine if the risk level requires revocation of the JAB P-ATO. The CSP shall provide a CAP to FedRAMP including a time period agreement to fix the specific failures noted by FedRAMP. o The CAP must be provided to FedRAMP within 1 week of the letter from the FedRAMP Director. o The CAP must be signed by the System Owner. The JAB will review the CAP and either grant the CSP more time to mitigate the issue(s), or revoke the P-ATO. The JAB s decision and necessary actions will be documented, a letter will be posted in the FedRAMP Secure Repository, and all known agencies leveraging the CSP s cloud system will be notified. Page 5

3. CONMON REQUIREMENTS: MEASUREMENTS, ACTIONS, AND RESPONSES Each section below explains a ConMon requirement, associated risk factor, what action the FedRAMP PMO will take in response to that risk factor, and what action the organization must then take to maintain its P-ATO. Although each of the categories is identified as a separate risk factor, together they represent a system-based approach to risk management. For example, a risk factor of increased vulnerabilities and past due Plan of Action and Milestones (POA&M) items may actually be the result of poor configuration/change management process and procedures. Any past due vulnerabilities can lead to an escalation action by FedRAMP based on the number and severity of the vulnerabilities. The table below includes the minimum escalation actions that will be taken by FedRAMP based on a CSP s vulnerability management deficiency, however more severe escalation actions can be taken by FedRAMP and will be determined on a case by case basis. Table 2. Risk Management Deficiencies ConMon Process Area Operational Visibility Risk Management Deficiency Unique Vulnerability Count Increase 20% or more from P-ATO Non Adherence to scanning requirements outlined in the FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide (available on FedRAMP.gov) First non-compliant delivery of scan results and/or evidence to FedRAMP Late Remediation High Impact Vulnerabilities 5 or more unique vulnerabilities or POA&Ms aged greater than 30 days Late Remediation High Impact Vulnerabilities 5 or more unique vulnerabilities or POA&Ms aged greater than 60 days Late Remediation Moderate Impact Vulnerabilities 10 or more unique vulnerabilities or POA&Ms aged greater than 90 days Late Remediation Moderate Impact Vulnerabilities Mandatory Minimum Escalation Action Page 6

ConMon Process Area Significant Changes Incident Response Risk Management Deficiency 10 or more unique vulnerabilities or POA&Ms past due 120 days or longer Late Delivery of Annual Assessment Delivery of Annual Assessment SSP less than 60 days before annual P-ATO date Late Delivery of Annual Assessment Delivery of Annual Assessment SAR after P-ATO anniversary date Insufficient Notice of Planned Change Notification received less than 30 days Late Notice of Emergency Change Notification received longer than 5 days after the change Undocumented/Unreported Change No notification Incident Notification Late notification of incident in accordance with US CERT reporting guidelines Incident Frequency of Re-Occurring Type Any incident with re-occurring type and/or cause Incident Frequency 4 or more incidents within 6 months Mandatory Minimum Escalation Action Page 7

APPENDIX A: TABLE OF ACRONYMS Acronym AO CAP ConMon CSP Authorizing Official Corrective Action Plan Continuous Monitoring Cloud Service Provider Meaning FedRAMP JAB P-ATO PMO POA&M SAR TR Federal Risk and Authorization Management Program Joint Authorization Board Provisional Authority to Operate Program Management Office Plan of Action and Milestones Security Assessment Report Technical Representative Page 8

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback