FedRAMP Continuous Monitoring Performance Management Guide. Version 2.0

Similar documents
FedRAMP P-ATO Management and Revocation Guide. Version 1.0

FedRAMP Plan of Actions and Milestones (POA&M) Template Completion Guide. Version 2.0

FedRAMP JAB P-ATO Process PRIORITIZATION CRITERIA. VERSION 1.0 November 11, 2016

Questions & Answers About the Operate within Operate within IROLs Standard

CONTINUING REVIEW CRITERIA FOR RENEWAL

CONTINUING REVIEW CRITERIA FOR RENEWAL

New Castle County Guidelines for the Certified Construction Reviewer, Owner/Developer, Site Contractor and Professional Engineer

ICC AFFILIATE MEMBERSHIP CRITERIA & GUIDELINES. As at January 2015

Reliability Coordinator Procedure

ICC AFFILIATE MEMBERSHIP CRITERIA & GUIDELINES. As at June 2016

1.0 PURPOSE 2.0 REFERENCES

WOMEN S CARDED ATHLETE PROGRAM

SYRACUSE UNIVERSITY HUMAN RESEARCH PROTECTION PROGRAM STANDARD OPERATING PROCEDURES

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

TITLE 11. DEPARTMENT OF JUSTICE NOTICE OF PROPOSED RULEMAKING

UNIVERSITY OF TENNESSEE HEALTH SCIENCE CENTER INSTITUTIONAL REVIEW BOARD CONTINUING REVIEW OF RESEARCH

Selection Criteria Changes April 14, 2016 The following was removed from section 5.2, then revised and added to section 6.1: NOTE: Failure to achieve

NONCOMPLIANCE. 1. Overview

Illinois Institute of Technology Institutional Review Board Handbook of Procedures for the Protection of Human Research Subjects

XXI Commonwealth Games. Gold Coast, Australia April Selection Policy and Standards December 2016

ISSUING AGENCY: New Mexico Department of Game and Fish. [ NMAC - Rp, NMAC, 01/01/2018]

WFTDA SANCTIONING POLICY

Standard Operating Policy and Procedures (SOPP) 3:

University of Iowa External/Central IRB Reliance Process Standard Operating Procedure (SOP)

Discipline Policy

Dockless Cycle Share

Guidance Note. NXT Advisors

CITY OF WEST KELOWNA COUNCIL POLICY MANUAL

IOWA STATE UNIVERSITY Institutional Review Board. Policy on IRB Review of Protocol Deviations and Noncompliance for Non-exempt Research

2013 Target Year Updates

ICC AFFILIATE MEMBERSHIP CRITERIA & GUIDELINES. As at July 2013

Aliso Canyon Gas-Electric Coordination Phase 3 Draft Final Proposal

A2:1 The Facility Standards are focused on ensuring appropriate standards for the benefit of the Game including:

3.01B(2) Section and District/Area. Each Sectional Association shall appoint a Sectional Association League

TLN WRO Document. Back to Back CAS support

SUPPLIER HEALTH AND SAFETY. Supporting a healthy and safe working environment for our people and customers

University of Cincinnati. Radiation Safety Committee Operations Guidelines Statement of Policy (RSC Guidelines) RSC Guidelines (revision 5)

Calibration Requirements for Direct Reading Confined Space Gas Detectors

Tuesday, May 15, Please be sure to sign in and take copies of each handout.

Common Test Scenarios Document. Version 1.9

LIFT MAINTENANCE POLICY


International Standard for Athlete Evaluation. September 2016

XX1 Commonwealth Games Gold Coast, Australia April Artistic Gymnastics. Selection Policy and Standards

W E L S H R U G B Y U N I O N LTD

XX1 Commonwealth Games Gold Coast, Australia April Artistic Gymnastics Selection Policy and Standards February 2017

Code for the Provision of Chargeable Mobile Content Services

Preamble to the AFF Selection Policy

2018 NEW ENGLAND USTA LEAGUE SECTIONAL REGULATIONS

University of Wisconsin Colleges Administrative Policy #56 NON-COMPLIANCE IN HUMAN SUBJECTS RESEARCH

APPE Intercollegiate Ethics Bowl (IEB) Regional Rules

Performance Enhancement Grants Programme Guidelines

PAKISTAN CRICKET BOARD REGISTRATION OF AGENTS REGULATIONS, 2010

Code for the Provision of Chargeable Mobile Content Services

Invitations to the NTCs: There will be two intakes in each season.

Sport Canada AAP Triathlon Selection

NORTHERN REGION 2018 LEAGUE TENNIS RULES - MIXED AND TRI-LEVEL

AUSTRALIAN MEN S HANDICAPPING SYSTEM (Copyright)

Significant Change to Dairy Heat Treatment Equipment and Systems

IGEM/TD/2 Edition 2 with amendments July 2015 Communication 1779 Assessing the risks from high pressure Natural Gas pipelines

CONTINUITY OF SERVICE PLAN FOR THE LRIT SYSTEM

Research Involving Human Subjects: AA 110.7

ICC ASSOCIATE MEMBERSHIP CRITERIA & GUIDELINES. As at July 2013

Automated Traffic Enforcement Technology Guidelines

2017 CPR INTERNATIONAL MEDIATION COMPETITION RULES SUMMARY

Granby Rovers Soccer Club

CERTIFICATION AGREEMENT

REFEREE SERVICE AGREEMENT

International Paralympic Committee Athlete Classification Code. November 2015

High Performance Athlete Funding and Support Overview

COGCC OPERATOR GUIDANCE MECHANICAL INTEGRITY TEST GUIDANCE: PRACTICES AND PROCEDURES

NORTH AMERICAN PAIRS

Signature Date Date First Effective: Signature Date Revision Date:

INSTITUTIONAL REVIEW BOARD MANUAL: PURPOSE and POLICIES.

Classification Rules for ITTF Para Table Tennis

1 Suburban Friendship League 2 3 Procedures and Processes SFL Team Rosters 4 (Effective March 9, 2018) OVERVIEW 8 9 The SFL Team Roster and

Monitoring of Real-Time SOL and IROL Exceedances

2. ATHLETE NUMBERS PODIUM AND PODIUM POTENTIAL LEVEL INVESTMENT

ACTIVITY RISK ASSESSMENT

ANNUAL RELIABILITY AND POWER QUALITY REPORT for the year ended 30 June 2017

Component Specification NFQ Level TBC

Queen of Angels Catholic Elementary School Policy and Procedures Playing Time and Play-Ups

NORTH AMERICAN PAIRS CONDITIONS OF CONTEST

SUSPENSION OR TERMINATION OF HUMAN SUBJECTS RESEARCH

RFU REGULATION 14 REGISTRATION OF ADULT MALE PLAYERS

a Player is transferring from another Union. For Players at Level 4 and above, evidence of international Clearance must be provided.

UNIVERSITY OF GEORGIA Institutional Review Board

USTA Northern California Tournament Sanction Rules

TENNIS WEST LEAGUE RULES OF COMPETITION

West London Soccer League Manual. Mission Statement

A study on the relation between safety analysis process and system engineering process of train control system

RULES. 1 st LAW COLLEGE DEHRADUN NATIONAL MOOT COURT COMPETITION AUGUST 2013

Speed Limit Policy Isle of Wight Council

USTA Missouri Valley USTA League Tennis 2014 Rules and Regulations 11/18/2013 (updated 12/7/2013)

SOUTH AFRICAN RUGBY UNION - ANTI-DOPING REGULATIONS

WHITTEMORE IMPROVEMENT ASSOCIATION MOORING REGULATIONS

Guidance for IRBs, Clinical Investigators, and Sponsors IRB Continuing Review after Clinical Investigation Approval

Mine Rescue Certification Training Standard

Wayne State University Institutional Review Board

Wind Plant Operator Data User's Guide

Transcription:

FedRAMP Continuous Monitoring Performance Management Guide Version 2.0 January 31, 2018

DOCUMENT REVISION HISTORY DATE VERSION PAGE(S) DESCRIPTION AUTHOR 07/22/2015 1.0 All Initial document FedRAMP PMO 01/06/2016 1.1 6 01/31/2018 2.0 All 01/31/2018 2.0 All 01/31/2018 2.0 2-5 Added Formal for second (or more) noncompliant delivery of scan results. Title change from FedRAMP P-ATO Management and Revocation Guide to FedRAMP Continuous Monitoring Performance Management Guide. General changes to grammar and use of terminology to add clarity, as well as consistency with other FedRAMP documents. Added the Escalation Process and clarified the Suspension and Revocation Escalation Actions. FedRAMP PMO FedRAMP PMO FedRAMP PMO FedRAMP PMO 01/31/2018 2.0 6-8 Clarified deficiency triggers. FedRAMP PMO 01/31/2018 2.0 8 Added a Zero-day Attack notification trigger. FedRAMP PMO 01/31/2018 2.0 9 Added Customer Demand threshold. FedRAMP PMO i

ABOUT THIS DOCUMENT This document provides guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the Federal Risk and Authorization Management Program (FedRAMP) requirements. This document is not a FedRAMP template there is nothing to fill out in this document. This document uses the term authorizing official (AO). For systems with a Joint Authorization Board (JAB) provisional authorization to operate (P-ATO), AO refers primarily to the JAB unless this document explicitly says Agency AO. For systems with a FedRAMP Agency authorization to operate (ATO), AO refers to each leveraging Agency s AO. WHO SHOULD USE THIS DOCUMENT? This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessor Organizations (3PAOs), government contractors working on FedRAMP projects, and government employees working on FedRAMP projects. This document may also prove useful for other organizations that are developing a continuous monitoring program. HOW TO CONTACT US Questions about FedRAMP or this document should be directed to info@fedramp.gov. For more information about FedRAMP, visit the website at http://www.fedramp.gov. ii

TABLE OF CONTENTS DOCUMENT REVISION HISTORY... I ABOUT THIS DOCUMENT... II WHO SHOULD USE THIS DOCUMENT?... II HOW TO CONTACT US... II 1. INTRODUCTION...1 2. ESCALATION LEVELS AND PROCESS...2 3. CONMON REQUIREMENTS: RISK MANAGEMENT DEFICIENCY TRIGGERS...5 4. CUSTOMER DEMAND...7 LIST OF FIGURES Figure 1. FedRAMP Escalation Process...2 LIST OF TABLES Table 2. Risk Management Deficiency Triggers...5 iii

1. INTRODUCTION This document explains the actions FedRAMP takes when a CSP fails to maintain an adequate continuous monitoring capability. The FedRAMP continuous monitoring program is based on the continuous monitoring process described in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organization, and is governed by the FedRAMP Continuous Monitoring Strategy Guide. The goal is to provide: (i) operational visibility; (ii) managed change control; and (iii) attendance to incident response duties. Security-related information collected during continuous monitoring is used to determine if the system security is operating as intended and in accordance with applicable Federal law, guidelines, and policies. When a CSP receives a P-ATO letter for its cloud system, that letter comes with the following minimum requirements: 1. CSP satisfies the requirement of implementing continuous monitoring activities as documented in FedRAMP s Continuous Monitoring (ConMon) Strategy Guide and CSP s Continuous Monitoring Plan; 2. CSP mitigates all open Plan of Action and Milestones (POA&M) action items, agreed to in the Security Assessment Report (SAR), within the appropriate timeframe as defined in the agreed POA&M; and 3. CSP identifies and manages significant changes or critical vulnerabilities in accordance with applicable Federal law, guidelines, and policies. Further, by accepting the P-ATO requirements, as outlined in the P-ATO letter 1, the CSP agrees to maintain Operational Visibility, Change Control, and Incident Response functions clearly defined in the FedRAMP Continuous Monitoring Strategy Guide. In addition, the CSP is expected to continue to follow NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach, and the Risk Management Framework (RMF), continue to effectively deploy all applicable security controls, and act in good faith to maintain the appropriate risk posture. Failure to adhere to the requirements of the P-ATO may result in escalation actions by FedRAMP, outlined in subsequent sections of this document, as well as additional actions as FedRAMP deems appropriate. While this document specifically addresses FedRAMP P-ATOs maintained by the JAB, FedRAMP recommends agencies create similar guides and/or use this FedRAMP Continuous Monitoring Performance Management Guide when maintaining FedRAMP agency ATOs. 1 Additional requirements may be included in the P-ATO letter to address system-specific security concerns identified during assessment. 1

2. ESCALATION LEVELS AND PROCESS As a condition of the P-ATO, the CSP is agreeing to participate in the FedRAMP ConMon process. If the CSP fails to meet the requirements described in the FedRAMP Continuous Monitoring Strategy Guide, FedRAMP initiates an escalation process, which may result in one of the following escalation levels: : A request from the FedRAMP Point of Contact (POC) for the CSP s security POC to assess a deficiency, and report the cause and remedy back to FedRAMP. If the CSP does not resolve a detailed finding review within the agreed upon timeframe, FedRAMP may escalate to a corrective action plan. Corrective Action Plan (): A request from the FedRAMP Director for the CSP s system owner to perform a root-cause analysis and provide a formal plan for remediation. If the CSP does not resolve a within the agreed upon timeframe, FedRAMP may suspend or revoke the system s P-ATO. Suspension: A decision by the JAB to temporarily suspend a system s P-ATO until identified deficiencies are resolved. If the CSP does not resolve a suspension within the agreed upon timeframe, or if the FedRAMP Director and JAB determine the CSP can no longer meet FedRAMP compliance requirements, FedRAMP may revoke the system s P-ATO. Revocation: A decision by the JAB to permanently revoke a system s P-ATO. If revoked, the only way the system can obtain a P-ATO is by re-entering the JAB authorization process as if the system were seeking a P-ATO for the first time. When FedRAMP identifies a deficiency in the CSP s ConMon capabilities, it initiates the process depicted in Figure 1. FedRAMP Escalation Process, below. Figure 1. FedRAMP Escalation Process 1. FedRAMP Identifies ConMon Deficiency 2. FedRAMP Reviews Deficency 3. FedRAMP Notifies CSP of Deficiency 4. CSP Provides Rebuttal 5. FedRAMP Adjudicates Response 6. FedRAMP Takes Appropriate Action 7. CSP Provides Response The Escalation Process occurs as follows: 1. FedRAMP identifies a deficiency with the CSP s ConMon information. 2. FedRAMP reviews the deficiency and compares it to the CSP s past ConMon performance. As a result of the review, FedRAMP decides on one of the following actions: FedRAMP typically decides on an escalation level consistent with the guidance described in Section 3, Common Requirements: Risk Management Deficiency Triggers. FedRAMP may elect to simply monitor the CSP more closely, but take no further action. If so, no notice is sent and the process stops here. FedRAMP may increase a CSP s existing escalation level. For example, a CSP on a may face Suspension. 2

In rare cases, FedRAMP may determine the deficiency is severe enough to make the escalation effective immediately, in which case, steps #3 and 4 are skipped. 3. FedRAMP notifies the CSP of the deficiency, and FedRAMP s intended escalation. Depending on the intended escalation level, the notice comes from: the FedRAMP POC for an intended detailed finding review; or the FedRAMP Director for an intended, Suspension, or Revocation. 4. The CSP responds to the notification. This CSP s response should include any information that may rebut the escalation decision. Depending on the intended escalation level, the CSP s response must come from: the CSP s security POC for detailed finding review; or the CSP s system owner for a, Suspension, or Revocation. 5. FedRAMP reviews and adjudicates the CSP s response, and renders a formal escalation decision. Depending on the escalation level, the decision is made by: the FedRAMP POC for a detailed finding review; the FedRAMP Director for a ; or the JAB for a Suspension or Revocation. 6. FedRAMP notifies the CSP of its decision. If FedRAMP decides to follow through with an escalation, this notice: identifies the criteria for returning the system to a Satisfactory status. It may also include a deadline by which the CSP must fully satisfy the criteria or face more severe escalation; and requires certain actions from the CSP. Typically FedRAMP requires the CSP to perform a root-cause analysis and develop a formal plan for addressing the deficiencies. 7. CSP responds in accordance with the FedRAMP notification. This response must include: the results of the root cause analysis; the CSP s plan for fully resolving the issues, with clearly established milestones and dates, including a date of full resolution. For a or Suspension, the plan must be signed by the system owner. FedRAMP must approve the plan; and any other items as specified by FedRAMP in its notification. When a CSP is subject to escalation as described above, the following occurs: Monthly ConMon Reporting to Leveraging Agencies: FedRAMP updates the next monthly report to reflect the cited deficiencies, escalation level, and the CSP s identified resolution date. The system s status is changed to Minor Concern for a detailed finding review, or Major Concern for a or Suspension. The status remains and the CSPs progress is reported each month until FedRAMP determines the issue is fully resolved. FedRAMP discontinues ConMon reporting when the system s P-ATO is suspended or revoked. 3

Other Postings and Notifications to Leveraging Agencies: If there is a, Suspension, or Revocation, a letter is posted to OMB MAX for review by leveraging agencies, as is the CSP s plan for resolution where appropriate. The information is retained indefinitely for historical reference. If a system s P-ATO is suspended or revoked, FedRAMP will directly notify each known leveraging agency, and will require the CSP to ensure the known leveraging agencies match the CSP s customer list for the impacted system. NOTE: P-ATO Revocation does not automatically result in revocation of each leveraging agency s ATO. Each leveraging agency s AO reviews the circumstances of P-ATO Revocation, and makes a determination regarding the status of the ATO they issued the system on behalf of their agency. FedRAMP Marketplace: FedRAMP updates the system s status on the FedRAMP Marketplace to reflect the escalation level for Suspension. FedRAMP removes the system from the Marketplace if the P-ATO is revoked. finding review and s are not reflected on the Marketplace. Further Escalation: If the CSP fails to provide a plan acceptable to FedRAMP, or fails to meet the dates identified in the plan, FedRAMP may increase the escalation level. Further escalation repeats the same escalation process described above. Extension: If the CSP has made good-faith efforts to fully resolve the deficiency and address the plan, but requires more time, they may request an extension from FedRAMP. When FedRAMP determines the CSP has fully resolved the cited deficiencies and satisfied the FedRAMPidentified criteria communicated in the notification, FedRAMP takes the following actions: Notification to CSP: The FedRAMP POC notifies the CSP s security POC when FedRAMP agrees a detailed finding review is fully satisfied. The FedRAMP Director notifies the system owner when FedRAMP agrees a or Suspension is fully satisfied. Monthly ConMon Reporting to Leveraging Agencies: FedRAMP updates the next monthly report to reflect all cited deficiencies are resolved and the escalation level is no longer in effect. The status is returned to Satisfactory. Other Postings and Notifications to Leveraging Agencies: The FedRAMP Director posts a letter to the secure repository indicating the or Suspension is fully resolved to FedRAMP s satisfaction and the CSP is once again in good standing. As no letter is posted when a detailed finding review is initiated, no letter is posted when it is resolved. FedRAMP Marketplace: FedRAMP returns the system s status to its normal listing with no indication of an escalation level. 4

3. CONMON REQUIREMENTS: RISK MANAGEMENT DEFICIENCY TRIGGERS To ensure consistent expectations and enforcement, FedRAMP defines risk management deficiency triggers. When a CSP s performance exceeds one or more of the thresholds defined in Table 1. Risk Management Deficiency Triggers, below, FedRAMP will, at a minimum, take the prescribed action. Table 1. Risk Management Deficiency Triggers CONMON PROCESS AREA Operational Visibility RISK MANAGEMENT DEFICIENCY TRIGGER Unique Vulnerability Count Increase 20% from P-ATO baseline (or 10 unique vulnerabilities whichever is greater) Note: A request for rebaseline of a unique vulnerability count, accompanied with proper justification, can be submitted to FedRAMP and may be approved on a case by case basis. Non Compliance with scanning requirements outlined in the FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide (available on FedRAMP.gov) First incident in the previous six months. Unauthenticated scan results delivered as part of the initial SAR submission, as part of the annual SAR submission, or as part of the monthly scanning submission, where the unauthenticated scans are 10% or greater of the total scan submission, result in the CSP being placed on a. This applies only to a first CSP submission that is non-compliant with authenticated scan requirements. Non-Compliance with scanning requirements outlined in the FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide (available on FedRAMP.gov) Each subsequent incident beyond the first within the previous six months. Unauthenticated scan results delivered as part of the initial SAR submission, as part of the annual SAR submission, or as part of the monthly scanning submission, where the unauthenticated scans are 10% or greater of the total scan submission, result in the CSP being placed on a, when a second or greater CSP submission is non-adherent to authenticated scan requirements. Late Remediation High Impact Vulnerabilities Five or more unique vulnerabilities or POA&Ms aged greater than 30 days Late Remediation High Impact Vulnerabilities Five or more unique vulnerabilities or POA&Ms aged greater than 60 days Late Remediation Moderate Impact Vulnerabilities Ten or more unique vulnerabilities or POA&Ms aged greater than 90 days Late Remediation Moderate Impact Vulnerabilities Ten or more unique vulnerabilities or POA&Ms aged greater than 120 days Late Delivery of Annual Assessment Delivery of Annual Assessment SAP less than 60 days before annual P-ATO date Late Delivery of Annual Assessment Delivery of full Annual Assessment P-ATO Package after P-ATO anniversary date MINIMUM ESCALATION LEVEL 5

CONMON PROCESS AREA Operational Visibility (Continued) Change Control Incident Response RISK MANAGEMENT DEFICIENCY TRIGGER Poor Quality of Deliverables Untimely or inaccurate submission of any deliverable, including (but not limited to) monthly ConMon documents, Deviation Requests, or Significant Change Requests Lack of Transparency Failure to report known issues to FedRAMP or purposely manipulating scans to avoid Risk Management Triggers Multiple Recurrences Any trigger that is realized multiple times within a 6-month timeframe Insufficient Notice of Planned Change Notification received less than 30 days before the planned change or insufficient documentation of the Security Impact Analysis Late Notice of Emergency Change Notification received longer than five days after the change Undocumented/Unreported Change No notification Degradation of the Change Management and Change Control Processes Insufficient adherence to the provided Configuration Management Plan as determined by FedRAMP Late Incident Notification Late notification of incident not in accordance with the FedRAMP Incident Communications Procedure and United States Computer Emergency Readiness Team (US-CERT) Federal Incident Notification Guidelines Note: An incident is a violation of computer security policies, acceptable use policies, or standard computer security practices, according to NIST Special Publication 800-61, Computer Security Incident Handling Guide, Revision 2. Incident Frequency of Recurring Type Any incident with recurring type and/or cause Incident Frequency Four or more incidents within six months Timely and Ongoing Notification of Zero Day Attack Failure to provide to FedRAMP daily updated progress in addressing Zero Day Attacks MINIMUM ESCALATION LEVEL 6

4. CUSTOMER DEMAND To remain eligible for a JAB P-ATO, FedRAMP requires a minimum of six unique agency customers with authorizations 2 that leverage the system s JAB P-ATO. FedRAMP evaluates CSP demand on a quarterly basis to ensure CSPs with P-ATOs are meeting and maintaining program demand thresholds. A CSP that has fewer than six unique Federal Information Security Management Act (FISMA) System ATOs posted on the FedRAMP Secure Repository will be placed on a at the discretion of the FedRAMP Program Management Office (PMO) and JAB. A CSP that cannot meet or maintain this demand threshold has the opportunity to pursue FedRAMP Agency Authorizations, in lieu of the P-ATO, with the support of the FedRAMP PMO. FedRAMP established this threshold based on JAB resources, to ensure JAB continuous monitoring resources are focused on systems that result in broader impact across the Federal Government. FedRAMP may adjust this threshold at its discretion due to changes in available resources and overall demand across the Federal Government for cloud services. 2 The FedRAMP PMO does not count the Defense Information Systems Agency (DISA) P-ATO as part of the unique agency customer total because it does not represent a true unique agency customer authorized to use a CSO. 7

APPENDIX A: FEDRAMP ACRONYMS The FedRAMP Master Acronyms & Glossary contains definitions for all FedRAMP publications, and is available on the FedRAMP website Documents page under Program Overview Documents. (https://www.fedramp.gov/resources/documents-2016/) Please send suggestions about corrections, additions, or deletions to info@fedramp.gov. 8

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback