Lines 185-187: “Furthermore, FedRAMP will prescribe specific reporting criteria that service providers can utilize to maximize their FISMA reporting responsibilities while minimizing the resource strain that is often experienced.”
This suggests that individual service providers are responsible for ensuring the FedRAMP PMO meets FISMA reporting requirements. What are the criteria, and where are they published?
Lines 198-199: “However, there will be instances, beyond the control of FedRAMP in which deliverables may be required on an ad hoc basis.”
How will Cloud Service Providers (CSPs) address ad-hoc reporting on the deliverables noted in Table 2: FedRAMP Continuous Monitoring Deliverables? If CSP offerings are based on a pre-defined schedule but must also support ad-hoc reporting, what will be the compensation mechanism?
Given the potential increase in Cloud Service offerings (i.e., IaaS, PaaS, or SaaS) over time, who will track the level, detail, and accuracy of reporting submissions? Will Cloud Service Providers be given detailed specifications and instructions for each submission requirement? How will the Service Provider and the FedRAMP PMO coordinate issues with reports, or reconcile changes/updates to previous submissions, to ensure there is a level of oversight of change control related to the Continuous Monitoring deliverables?
The criteria for an effective Continuous Monitoring Program (see below), which were extracted from NIST 800-37, Rev. 1 (Task 2-3: Monitoring Strategy), should be balanced against the reporting requirements in Table 2: FedRAMP Continuous Monitoring Deliverables. This would ensure that continuous monitoring is focused on monitoring the state of the implemented and accepted baseline security controls during the authorization process, and that changes are appropriately reported so as to reduce the level of effort associated with assessing all of the controls in the environment annually or at least every three years (depending on the frequency the FedRAMP PMO identifies as acceptable). The requirement for only annual self-assessments identified on page 41 (“Performance of the annual Self Assessment in accordance with NIST guidelines”) should be accompanied by specifications of what constitutes an acceptable Self Assessment. This would ensure consistency with the approach many Agencies have taken on their own: using the Continuous Monitoring process to verify the effectiveness of security controls through near “real-time” continuous monitoring as part of ongoing reauthorization, rather than the less effective approach of authorizing their systems every three (3) years.
An effective continuous monitoring program includes (lines 144-151):
• Configuration management and control processes for information systems;
• Security impact analyses on proposed or actual changes to information systems and environments of operation;
• Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the defined continuous monitoring strategy;
• Security status reporting to appropriate officials; and
• Active involvement by authorizing officials in the ongoing management of information system-related security risks.
According to CA-2 (“Security Assessments”) in Section 1 (“Cloud Computing Security Requirements Baseline”), control enhancement 1 (CA-2(1)) was selected as a minimum control requirement for both Low- and Moderate-Impact Cloud Computing Services. NIST 800-53, Rev. 3 CA-2(1) states: “The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.” However, the qualification of a Self Assessment should be aligned with the specificity noted in Section 3.4.2 (“Detailed Assessment & Authorization Process”), which identifies that under the “continuous monitoring strategy,” for “security control assessments conducted by qualified assessors with the required degree of independence based on policies, appropriate security standards and guidelines, and the needs of the FedRAMP authorizing officials, the assessment results can be cumulatively applied to the reauthorization, thus supporting the concept of ongoing authorization.” The FedRAMP Policy does not, however, establish specific criteria for the selection of the independent assessor by the Cloud Service Provider. Further, the FedRAMP PMO should provide a list (or repository) of independent assessors deemed qualified, allowing Cloud Service Providers and the federal government to maximize the effectiveness of continuous monitoring over the flawed concept of three-year assessments, thereby maximizing the value of the assessment process and ensuring that risk is identified and communicated to the JAB on a regular basis.