FedRAMP updates vulnerability scan guidance
- By Sara Friedman
After the Federal Risk and Authorization Management Program approves a cloud-based product for agency use, the work has only begun for the cloud service providers and agencies working to secure the cloud environment. FedRAMP has already issued some guidance on continuous monitoring, and on March 20, the program office announced the release of three more documents designed to simplify the ongoing vulnerability scanning process.
The Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans is designed to limit the amount of information scanned to a subset of assets that can be used to ascertain the state of the entire population.
The ability to use a subset of components is the result of the “high fidelity” of system configurations and processes for each CSP’s assets, John Hamilton, FedRAMP’s program manager of operations, said during a March 13 webinar. This guidance applies only to system builds that are deployed on standard images that remain unchanged when pushed to other devices or machines in production.
The FedRAMP Vulnerability Scanning Requirements, meanwhile, replaces the JAB P-ATO Vulnerability Scan Requirements Guide. It gives CSPs a known vulnerability severity scoring framework so they can create and use an automated Common Vulnerability Scoring System tool for automatic risk adjustments.
By automating the continuous monitoring process, CSPs can take advantage of correlative analytics and cross-cutting metrics to identify commonly found risks across all systems that have Joint Authorization Board authorization.
FedRAMP is also asking industry for input on its draft of the Automated Risk Adjustment Framework Guidance.
“Our goal is to enable a CSP to leverage standardized vulnerability risk assessment ... based on scores on individual metrics that are transparent,” Hamilton said. “We hope that this will reduce the level of effort and the time required for CSPs to establish the appropriate risks or vulnerabilities within their environment.”
Comments on the draft framework are expected to be open for approximately one year.
Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.
Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.