GSA Seeks Industry Input on Updates to Cloud Security Reporting

Published: August 27, 2014

Tags: Cloud Computing, Cybersecurity, GSA

On August 21, 2014, the Government Services Administration (GSA) Federal Risk and Assessment Management Program (FedRAMP) office released draft guidance on several aspects of cloud security, including continuous monitoring and test cases for incident response. The program office is seeking feedback from industry as FedRAMP works toward consistent monitoring and reporting requirements for cloud service providers.

The four FedRAMP documents for which GSA is currently seeking industry input address continuous monitoring requirements and the incident response process. GSA is also looking for feedback on updated test cases for incident response and vulnerability scanning.

Evolution of FedRAMP Continuous Monitoring Framework: The program office is looking for suggestions on how the continuous monitoring program should evolve. In particular, it is looking for improvements to the current continuous monitoring process and for ways to support security authorizations in cloud environments using a risk-based approach.

FedRAMP Continuous Monitoring Reporting and Plan of Action and Milestones (POA&M) Templates: Seeking to standardize continuous monitoring reporting across FedRAMP, the program office is accepting public comment on draft definitions and requirements covering monthly reporting summaries and milestones. This guidance aims to help cloud service providers standardize and submit their monthly reporting data.

Incident Response Requirements and Process Clarification: Noting weaknesses in how some cloud service providers report actual or potential security incidents to stakeholders, the FedRAMP office is revising the IR-6 test case language and submitting the changes for public comment. New language has been added to help ensure that provider incident reporting policies, procedures, and plans include notification of the FedRAMP office and US-CERT, and that tests are run to verify that these stakeholders would actually receive notification.

Vulnerability Scanning Requirements and Process Clarification: Two issues related to the RA-5 test case have prompted language revisions. The first is the need to confirm links between the scanning process and related processes such as configuration management and change management; establishing this link helps prevent a new component with known vulnerabilities from being introduced into the system. The second is the potential for inconsistent system assessments when independent assessors use different vulnerability scanning tools (or the same tool with different configurations) than the vendor uses for continuous monitoring and reporting. To address these issues, language has been added to the RA-5 control requirements.

The documents will remain open for public comment for a 30-day period ending September 19, 2014.

FedRAMP Program Update 

So far, seventeen services have completed the process and achieved FedRAMP authorizations: twelve cloud services have received FedRAMP Joint Authorization Board (JAB) provisional authorization, and five cloud services have FedRAMP agency authorizations. The FedRAMP office continues to work through evaluations of provider applications. According to the program office, nearly thirty services are in process: fifteen cloud services are in the process of obtaining a JAB provisional authorization, and twelve cloud services are in process for agency authorization.

In the past several months, the FedRAMP office has hosted information sessions for government and industry. In June 2014, the FedRAMP PMO released document and template updates on the transition to a baseline of revised security controls. Presentation material and recordings of webinars addressing these topics are now available on demand.