Today’s information environments are always changing, whether through the development of new capabilities, patching systems, responding to new threats and vulnerabilities, or fixing discrepancies within the system. Each change to the system carries with it an inherent security risk. Therefore, that security risk must be evaluated in the context of the security posture of the current system, not what it was at a point in time six months or a year ago.
In my May 26, 2016 blog post entitled “Continuous Monitoring – An Introduction,” I provided an overview of continuous monitoring and its place in the overall Risk Management Framework as defined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide to Applying the Risk Management Framework to Federal Information Systems.
As a refresher, the NIST SP 800-137, Information System Continuous Monitoring for Federal Information Systems and Organizations, defines Information Security Continuous Monitoring (ISCM) as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The objective is to conduct ongoing monitoring of the security of an organization’s networks, information, and systems, and respond by accepting, avoiding/rejecting, transferring/sharing, or mitigating risks as situations change.”
This blog post will focus more specifically on FedRAMP continuous monitoring requirements and some things to keep in mind when preparing to address requirements.
What is the Purpose of the FedRAMP Continuous Monitoring Program?
For much of my time supporting the government as a security engineer, systems would be granted an authorization to operate (ATO) which would last approximately three years. At the end of the three years, the program would have to undergo another certification and accreditation process where they would be granted another ATO for three years.
While OMB introduced the change to continuous monitoring in April 2010, it has taken federal agencies many years to transition from the three-year ATO cycle to a continuous monitoring program. For example, as of early 2016, the continuous monitoring program was just getting off the ground for one directorate of the federal agency I was supporting. Continuous monitoring keeps security risk decisions at the forefront of the minds of those involved with the system, instead of being something thought about only as the time for the ATO renewal approaches.
From the start, the FedRAMP PMO has required cloud service providers (CSPs) to develop a continuous monitoring program, and having a continuous monitoring program is a requirement to maintain an ATO once granted. The FedRAMP Continuous Monitoring process is based on NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.
FedRAMP continuous monitoring efforts ensure controls are still operating effectively despite changes in the threat landscape and any upgrades/improvements to the cloud service offering (CSO). As the system is continually assessed, the results of the assessment are folded back into the security package documentation.
In order to provide direction to CSPs (and 3PAOs for that matter) regarding continuous monitoring processes in support of maintaining an ATO, the FedRAMP Program Management Office (PMO) published a Continuous Monitoring Strategy and Guide. The Continuous Monitoring Strategy and Guide can be found here.
What Are the CSP Responsibilities in the Continuous Monitoring Process?
Develop and Execute Against a Continuous Monitoring Plan
The primary responsibility of the CSP is to develop a FedRAMP Continuous Monitoring Plan and then execute according to the plan. The FedRAMP PMO developed a template (find it here) which defines the minimum set of controls that are part of a continuous monitoring effort. They are the minimum set because an Authorizing Official (AO) can request that additional controls be added to the continuous monitoring effort to help address specific risk areas of concern.
The template defines the intervals at which the specified controls are to be monitored (e.g., continuous/ongoing, monthly, annually, etc.). For AO specified requirements, the AO will determine the frequency of the monitoring and the compliance evidence. For some of the controls, a deliverable is required in accordance with the control frequency; otherwise, evidence of compliance will be verified by the 3PAO during the annual assessment.
Develop and Update the Plan of Action and Milestones
As part of initial assessment and receipt of an ATO, a CSP develops a Plan of Action and Milestones (POA&M). A POA&M describes the findings or deficiencies identified during the initial assessment, where within the system the finding was identified, the resources required (e.g. financial investment) to remediate the finding, when the finding will be remediated, etc. The CSP updates this POA&M monthly.
There is also a POA&M that is generated as part of the continuous monitoring effort. These POA&M findings are folded into the POA&M created during the initial assessment. All POA&M findings, whether identified during the initial assessment or during the annual assessments in support of continuous monitoring, must be reviewed, updated, and provided to the AO monthly.
Address changes to the system
One of the great benefits of cloud systems is that services and capabilities are continuously updated and made available to subscribers of the cloud service. Customers no longer have to wait for an upgrade to be rolled out on a specified schedule (which often included scheduled maintenance or downtime).
Operating under a continuous monitoring program requires the CSP to review every change or update to the CSO and determine how it impacts the security posture of the system. Changes to the system will span the spectrum of security impact, from no impact to significant impact. Whether the impact is none or significant, the CSP must update its baseline configuration in accordance with CM-2 ("The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system") and its associated control enhancements.
In accordance with the FedRAMP Continuous Monitoring Strategy and Guide, CSPs must perform a Security Impact Analysis (which is part of their change control process) and complete a Significant Change Security Impact Analysis Form and submit it to their AO, prior to implementing significant changes to the CSO. A Security Assessment Plan (SAP) must accompany the security impact analysis. All documentation for the significant change must be submitted to the CSP’s AO at least 30 days prior to the planned change. CSPs must also update any corresponding system documentation (e.g., the System Security Plan) to document the change to the system.
What Are the 3PAO Responsibilities in the Continuous Monitoring Process?
Perform Annual Assessments
The primary responsibility of 3PAOs regarding continuous monitoring is to perform the annual assessments. As part of the annual assessments, 3PAOs perform penetration testing (at least annually) and monthly vulnerability scans of operating systems, databases, web applications, and supporting infrastructure.
In addition, 3PAOs perform assessments on a subset of controls as defined by the FedRAMP PMO, as well as any controls identified by the AO (which may vary from year to year depending on the changes made to the system or the AO's areas of concern). 3PAOs complete a SAP to document the planned testing for the annual assessment and a Security Assessment Report (SAR) to document the test results, just as they do for the initial assessment. This SAR documents the evidence of compliance for the controls that are not governed by a specified deliverable. Annual security assessments should be completed each year no later than the anniversary of the initial ATO.
Validate Closure of POA&M findings
If a fix for a POA&M finding cannot be validated using automated methods (e.g., vulnerability scans), then a 3PAO must validate that the finding has indeed been corrected. Since a CSP will want to show progress in remediating open POA&M findings, the validation of the closed POA&M findings need not wait until the time of an annual assessment.
Perform Assessments for Significant Changes
As CSPs plan to introduce new capabilities into their CSO, they will need the assistance of a 3PAO to perform the testing of the new capability to ensure it meets FedRAMP requirements and does not introduce unacceptable risk to the system. A SAP and a SAR are required as part of the documentation for the significant change process, and the testing needs to be performed within the timeframe agreed to by the CSP and the AO as the change cannot be introduced to the production environment without the approval of the AO.
What Activities or Elements of Continuous Monitoring Are Often Overlooked?
Vulnerability scanning of web applications, operating systems, databases, and other infrastructure components comprising the CSO is required as part of FedRAMP initial and annual assessments. There are three key elements regarding vulnerability scanning of which CSPs and 3PAOs should take note.
The first key element is that the scans must be executed as an authenticated privileged user with access across the entire CSO. This ensures that the scanner has the ability to identify vulnerabilities across the entire system and at the appropriate depth.
The second key element is that the vulnerability scan must include all hosts within the authorization boundary. It is the responsibility of the 3PAO to verify that every host within the authorization boundary is included within the scope of the vulnerability scan.
The last key element is that each vulnerability identified during the scans must be documented in the POA&M.
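As an added example (not from the post or the FedRAMP PMO), the following Python check applies the three key elements above to constructed scan output, a constructed authorization-boundary inventory, and a constructed POA&M; the host names, plugin IDs and data layout are assumptions.

```python
"""Checks for the three vulnerability-scanning elements a 3PAO verifies:
authenticated/privileged scans, full authorization-boundary coverage, and
every finding tracked in the POA&M. All data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class ScanHost:
    name: str
    authenticated: bool  # did the scanner log in with a privileged credential?
    findings: list = field(default_factory=list)  # (plugin_id, severity) tuples


def hosts_missing_from_scan(boundary: set, scan: list) -> set:
    """Element 2: every host in the authorization boundary must appear in the scan."""
    return boundary - {h.name for h in scan}


def unauthenticated_hosts(scan: list) -> set:
    """Element 1: each host must have been scanned as an authenticated, privileged user."""
    return {h.name for h in scan if not h.authenticated}


def findings_not_in_poam(scan: list, poam: set) -> set:
    """Element 3: each (host, plugin) finding must have a POA&M entry."""
    return {(h.name, pid) for h in scan for pid, _sev in h.findings} - poam


def scan_passes(boundary: set, scan: list, poam: set) -> bool:
    """True only when all three elements are satisfied."""
    return not (hosts_missing_from_scan(boundary, scan)
                or unauthenticated_hosts(scan)
                or findings_not_in_poam(scan, poam))


# Constructed sample: authorization-boundary inventory taken from the SSP
BOUNDARY = {"web-01", "web-02", "db-01", "bastion-01"}
# Constructed sample: what the monthly scan actually covered
SCAN = [
    ScanHost("web-01", True, [("PLUGIN-1001", "High")]),
    ScanHost("web-02", False, []),  # credentialed login failed on this host
    ScanHost("db-01", True, [("PLUGIN-2002", "Moderate"), ("PLUGIN-2003", "Low")]),
]
# Constructed sample: (host, plugin) pairs already tracked in the POA&M
POAM = {("web-01", "PLUGIN-1001"), ("db-01", "PLUGIN-2002")}

if __name__ == "__main__":
    print("In boundary but not scanned:", hosts_missing_from_scan(BOUNDARY, SCAN))
    print("Scanned without credentials:", unauthenticated_hosts(SCAN))
    print("Findings with no POA&M entry:", findings_not_in_poam(SCAN, POAM))
    print("Scan satisfies all three elements:", scan_passes(BOUNDARY, SCAN, POAM))
```

Each gap the script reports (an unscanned host, an unauthenticated scan, an untracked finding) is a deficiency the 3PAO would raise before the scan results could be accepted.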
Static and Dynamic Code Analysis
The FedRAMP PMO has also identified that many CSPs fail to document in their FedRAMP Continuous Monitoring Plan how they are addressing the required control enhancements for static and dynamic code analysis (SA-11(1) and SA-11(8), respectively). Documenting these control enhancements in the plan is easily overlooked because they are FedRAMP-specified requirements.
With competing priorities and limited personnel, CSPs should automate the activities in their FedRAMP Continuous Monitoring Plan as much as possible. Excellent candidates include verifying that the secure configurations of operating systems, databases, and other supporting infrastructure remain intact; reviewing and analyzing audit records and reporting anomalies; and disabling user accounts after 90 days of inactivity.
Continuous monitoring of security controls is an important element of obtaining and maintaining a FedRAMP authorization, so it is imperative that CSPs develop and execute against a robust FedRAMP Continuous Monitoring Plan.
Continuous monitoring of security controls also provides assurance to the CSP that the implemented controls continue to operate effectively and protect government data. While only a subset of controls is tested during annual assessments, these assessments maintain the same rigor as required in the initial assessment with both CSPs and 3PAOs having specified tasks and responsibilities.
Through upfront planning and coordination with their AO and 3PAO, CSPs can also deploy significant changes and updates to the CSO as part of their continuous monitoring efforts. Continuously monitoring the security of a CSO also provides current and relevant data to inform the AO’s risk based decision-making process.
If you are interested in learning more about FedRAMP and/or Continuous Monitoring, please contact us.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.