How To Write The Jab P-Ato Vulnerability Scan Requirements Guide



Similar documents
Overview. FedRAMP CONOPS

FedRAMP Standard Contract Language

FedRAMP Online Training Security Assessment Plan (SAP) Overview 12/9/2015 Presented by: FedRAMP PMO

Federal Risk and Authorization Management Program (FedRAMP)

Security Authorization Process Guide

DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015

December 8, Security Authorization of Information Systems in Cloud Computing Environments

FedRAMP Government Discussion Matt Goodrich, FedRAMP Director

Continuous Monitoring Strategy & Guide

Vulnerability Scanning Requirements and Process Clarification Comment Disposition and FAQ 11/27/2014

NOTICE: This publication is available at:

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

Patch and Vulnerability Management Program

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Managed Service Solutions Catalogue. MANAGED SERVICES SOLUTIONS CATALOGUE MS Offering Overview June 2014

Qualys Scanning for PCI Devices University of Minnesota

Seeing Though the Clouds

DoD Cloud Computing Security Requirements Guide (SRG) Overview

G-Cloud Pricing. Atos infrastructure Vulnerability Scanning (Outpost24) SaaS

Guide to Understanding FedRAMP. Guide to Understanding FedRAMP

REQUEST FOR PROPOSAL INFORMATION SECURITY PROGRAM PROVIDER

FedRAMP Master Acronym List. Version 1.0

AHS Vulnerability Scanning Standard

Lumension Endpoint Management and Security Suite

PCI-DSS Penetration Testing

STATEMENT OF. Dr. David McClure Associate Administrator Office of Citizen Services and Innovative Technologies General Services Administration

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Intro to QualysGuard IT Risk & Asset Management. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

Penetration Testing Report Client: Business Solutions June 15 th 2015

Quick Start Guide: Utilizing Nessus to Secure Microsoft Azure

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Vulnerability Management

STATE OF NEW JERSEY IT CIRCULAR

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

FISMA Compliance: Making the Grade

Cloud Security for Federal Agencies

United States Patent and Trademark Office

Management (CSM) Capability

Esri Managed Cloud Services and FedRAMP

2014 Audit of the Board s Information Security Program

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation

Audit Report. Management of Naval Reactors' Cyber Security Program

GETTING STARTED WITH THE PCI COMPLIANCE SERVICE VERSION 2.3. May 1, 2008

Security Control Standard

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

Integrated Threat & Security Management.

In Brief. Smithsonian Institution Office of the Inspector General

rating of 5 out 5 stars

Security Control Standard

How to Grow and Transform your Security Program into the Cloud

Incident Management. Verdis Spearman

SAST, DAST and Vulnerability Assessments, = 4

SysPatrol - Server Security Monitor

Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

The Council of the Inspectors General on Integrity and Efficiency s Cloud Computing Initiative

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

FedRAMP Penetration Test Guidance. Version 1.0.1

Nessus Enterprise Cloud User Guide. October 2, 2014 (Revision 9)

MatriXay Database Vulnerability Scanner V3.0

Department of Homeland Security

AHS Flaw Remediation Standard

IBM. Vulnerability scanning and best practices

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

Microsoft s Compliance Framework for Online Services

Delivering IT Security and Compliance as a Service

Goals. Understanding security testing

NARA s Information Security Program. OIG Audit Report No October 27, 2014

Proactive Vulnerability Management Using Rapid7 NeXpose

Elastic Detector on Amazon Web Services (AWS) User Guide v5

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Audit of Security Controls for DHS Information Technology Systems at San Francisco International Airport

Secunia Corporate Software Inspector (Secunia CSI) ver.5.0

Tenable for CyberArk

IT Security & Compliance. On Time. On Budget. On Demand.

Nessus Perimeter Service User Guide (HTML5 Interface) March 18, 2014 (Revision 9)

HyTrust Addendum to the VMware Product Applicability Guide. For. Federal Risk and Authorization Management Program (FedRAMP) version 1.

VA Office of Inspector General

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

TRUSTWAVE VULNERABILITY MANAGEMENT USER GUIDE

FY 2007 E GOVERNMENT ACT REPORT FINAL SEPTEMBER 2007

An Enterprise Continuous Monitoring Technical Reference Architecture

BladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture

9 Free Vulnerability Scanners + 1 Useful GPO Tool

How To Use Qqsguard At The University Of Minneapolis

Assessment and Authorization

Network Security Audit. Vulnerability Assessment (VA)

Vulnerability management lifecycle: defining vulnerability management

Transcription:

FedRAMP JAB P-ATO Vulnerability Scan Requirements Guide Version 1.0 May 27, 2015 JAB P-ATO Vulnerability Scan Requirements Guide Page 1

Revision History Date Version Page(s) Description Author May 27, 2015 1.0 All Initial Version C. Andersen JAB P-ATO Vulnerability Scan Requirements Guide Page 2

Table of Contents About This Document... 4 Who Should Use This Document... 4 How To Contact Us... 4 1. Purpose... 5 2. Cloud Service Provider Requirements... 5 3. FedRAMP Activities... 7 4. Remediation... 7 Appendix A: Table of Acronyms... 8 JAB P-ATO Vulnerability Scan Requirements Guide Page 3

ABOUT THIS DOCUMENT WHO SHOULD USE THIS DOCUMENT This document is intended for the use by the following groups: Federal Risk and Authorization Management Program (FedRAMP) cloud service providers (CSPs), to ensure they provide vulnerability scans as required FedRAMP Information System Security Officers (ISSOs), to ensure the requirements are met and maintained Leveraging Agencies, to understand the scanning required by CSPs HOW TO CONTACT US For questions about FedRAMP or this document, email to info@fedramp.gov. For more information about FedRAMP, visit the website at http://www.fedramp.gov. JAB P-ATO Vulnerability Scan Requirements Guide Page 4

1. PURPOSE This guide describes the requirements for all vulnerability scans of FedRAMP cloud service provider s (CSP) systems for Joint Authorization Board (JAB) Provisional Authorizations (P- ATOs). 2. CLOUD SERVICE PROVIDER REQUIREMENTS CSPs are required to perform vulnerability scanning of their information systems monthly (at a minimum). Each CSP is responsible for the delivery of the results of these vulnerability scans to their authorization official in a timely manner. These vulnerability scans are the cornerstone for the continuous monitoring of a CSP s risk posture, enabling authorizing officials to continue to authorize a CSP system for use. Each CSP must identify and use vulnerability assessment tools within their security control implementations approved by the JAB throughout the P-ATO process. These include: Operating system and network vulnerability scanners Database vulnerability scanners Web application vulnerability scanners FedRAMP security authorization requirements specify that initial vulnerability scans for the P- ATO shall be performed by a Third Party Assessment Organization (3PAO), to provide independent validation of the scan results. CSPs must use the same tools for continuous monitoring as were used by the 3PAO for the P-ATO process. In some circumstances, CSPs may request changes to these tools. However, continued use of the previous tools must continue until all identified vulnerabilities from the original tools have been mitigated. The length of overlap is dependent on the CSP correcting the remaining vulnerabilities. To ensure FedRAMP has all of the required information to perform the vulnerability analysis, the CSP shall submit the following information: Vulnerability scan data o Raw scan files (native scanner files usually some form of XML, CSV, or structured data format) o Exported summary reports (PDF, MS Word, or other readable documents). Summary reports should include Executive Summary, Detailed Summary, and Inventory Report. Actual reporting capabilities may vary by tool. Current and accurate system inventory. CSPs shall deliver a current system inventory identifying the components of the information system within the authorization boundary. The inventory must be complete and contain all boundary components. The system inventory must be delivered in a machine-readable format (XLS, CSV, XML). It is critical that the vulnerability scans and the provided system inventory is machine matchable (IP addresses, system names, or other unique identifier). Vulnerability scans and inventories that cannot be matched will be rejected by the PMO. JAB P-ATO Vulnerability Scan Requirements Guide Page 5

CSPs are also responsible for ensuring the highest quality vulnerability scans. Below is a list of requirements to ensure the quality of the scanning is acceptable for the FedRAMP program. Authenticated/credentialed Scans: Vulnerability scans must be performed using system credentials that allow full access to the systems. Scanners must have the ability to perform in-depth vulnerability scanning of all systems (where applicable). Systems scanned without credentials provide limited or no results of the risks. All unauthenticated scans will be rejected unless an exception has been previously granted due to applicability or technical considerations. Enable all Non-destructive Plug-ins: To ensure all vulnerabilities are discovered, the scanner must be configured to scan for all non-destructive findings. Any vulnerability scans where plug-ins were limited or excluded will be rejected. Exceptions may occur based on specific requests from the government for re-scans or targeted scans. These scans must comply with the directions provided by the government. Full System Boundary Scanning: Each scan must include all components within the system boundary. Reduced number of components or missing categories will result in rejected scans. In some cases, sampling is acceptable; however this sampling must be approved as a part of the initial Security Assessment Plan for P-ATO, and approved as a part of the Continuous Monitoring Plan at the time of P-ATO. Sampling must include a complete and comprehensive representative sample of the information system components. This includes scanning multiple components of the same category in addition to scanning all component categories. (Note: sample scanning is approved based on the ability to prove the component categories are identically configured. These categories must be maintained through configuration management and all components must be similarly configured. Discovery of mis-configured items may result in the revocation of sampling and require future scans to be comprehensive, including all system components). Scanner Signatures Up to Date: CSP must ensure that the vulnerability scanner used is up to date and includes the latest versions of the vulnerability signatures. Before scanning, each scanner must be updated to reflect the latest version of the scan engine as well as the signature files. Provide Summary of Scanning: Each scan submission must be accompanied by a summary of the scanning performed. The summary must include a listing of all the scan files submitted, which scanning tools were used, and a short summary of the purpose of the scan (e.g. monthly scans, re-scans, verification scans, etc.). In addition, the summary should discuss the configuration settings of the scanner, including if the signatures were limited for targeted, verification scans or if the scope of the scans excluded certain components or IP addresses. IP address ranges and/or a description of the targets are required. POA&M All Findings: Findings within the scans must all be addressed in a Plan of Action and Milestones (POA&M) or other risk acceptance requests and maintained until the vulnerabilities have been remediated and validated. Additional details on the JAB P-ATO Vulnerability Scan Requirements Guide Page 6

POA&M requirements can be found in the POA&M Template User Guide on FedRAMP.gov website. 3. FEDRAMP ACTIVITIES FedRAMP evaluates all vulnerability scanning submitted and provides a summary report to the JAB. In addition, agencies looking to leverage a CSP will also have access to the most recent risk posture information, including the continuous monitoring reports and POA&M. FedRAMP CSPs can be complex and ever-changing. It is critical that FedRAMP maintain a current posture of the system through the scanning and continuous monitoring documentation. To accomplish this, FedRAMP utilizes automated tools for the evaluation, analysis, and reporting of the risk posture. The system ISSO will review the reports and make additional modifications or additions to ensure an accurate risk posture is presented in the summary reports. 4. REMEDIATION Systems that fail to meet the quality or timeliness of the vulnerability scan submission requirements will be subject to actions. These actions may include one or more of the following: FedRAMP may require an immediate re-scan of the system. FedRAMP will clearly document the required adjustments necessary for the re-scan. FedRAMP may require a 3PAO to perform future scans for a period of time if the CSP is unable to meet the FedRAMP requirements. Continuous issues may result in FedRAMP requiring a Corrective Action Plan from a CSP as a part of maintaining a P-ATO and communicating with known agencies the deficiencies with meeting scanning requirements. The FedRAMP JAB can also revoke a P-ATO for failure to meet these requirements and remove the vendor from the FedRAMP website. FedRAMP reserves the right to take any of the actions listed above based on the severity of the deficiency. JAB P-ATO Vulnerability Scan Requirements Guide Page 7

APPENDIX A: TABLE OF ACRONYMS Acronym 3PAO CSP FedRAMP ISSO JAB P-ATO POA&M Meaning Third-Party Assessment Organization Cloud Service Provider Federal Risk and Authorization Management Program Information System Security Officer Joint Authorization Board Provisional Authority to Operate Plan of Action and Milestones JAB P-ATO Vulnerability Scan Requirements Guide Page 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information