In this blog post, we describe the FedRAMP program, explore the role of vulnerability scanning and the patch management process in FedRAMP compliance, and discuss how JetPatch supports these requirements.
In February 2011, the Obama administration published the Federal Cloud Computing Strategy to catalyze cloud adoption in the US government. More frequently referred to as the Cloud First policy, it required agencies to evaluate secure cloud computing options before making any new IT investments. The objectives of the Cloud First policy were to enhance government services while reducing IT costs by leveraging cloud economics in general and its consumption-based cost model in particular.
In Q4 2018, the Federal Cloud Computing Strategy was updated, transforming the policy from Cloud First to Cloud Smart. The updated policy seeks to further drive cloud adoption through building and sharing knowledge and best practices across government agencies as well as removing policy roadblocks. Its three areas of focus are: modernizing security policies, improving procurement processes, and retraining/upgrading the workforce to close cloud skill gaps.
Three US Federal Government frameworks define the IT security controls (cloud or otherwise) that must be met by government agencies:
● In 2002 the Federal Information Security Modernization Act (FISMA) was passed requiring agencies to develop and implement a documented information protection program. Failure to comply can lead to censure by Congress and a reduction in federal funding as well as reputational damage. FISMA underwent a significant revision in 2014.
● To provide agencies with standards and guidelines for meeting FISMA’s information security requirements, NIST Special Publication 800-53 was issued in February 2005. Now in its fifth revision, NIST SP 800-53 explains and catalogs the security controls that must be put into place to comply with FISMA’s Risk Management Framework.
● The Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 as part of the Cloud First policy. FedRAMP sets and enforces the criteria (based mainly on NIST SP 800-53) by which cloud service providers are certified by Third Party Assessment Organizations (3PAO) for use by federal government agencies.
FedRAMP has established a standardized process by which cloud service providers (CSPs) can obtain an Authority to Operate (ATO), i.e., join the FedRAMP marketplace of vendors who meet the government’s information security requirements. The process is rigorous and can be costly, but it opens the door to the large and growing US federal government cloud market to providers of all sizes.
The critical security objectives that must be met by a FedRAMP-accredited CSP are:
● Confidentiality: Means for protecting personal privacy and proprietary information.
● Integrity: Means for guarding stored information against modification.
● Availability: Means for ensuring timely and reliable access to information.
The security controls are categorized into technical (e.g., Access Control, Audit, and Accountability, IAM), operational (e.g., Configuration Management, Incident Response, System and Information Integrity), and management (e.g., Risk Assessment, Planning, System and Services Acquisition). FedRAMP takes a risk-based approach and sets different levels of required security controls depending on the impact of the data:
● Low: Such as SaaS applications that do not store personally identifiable information. There are 125 Low Baseline Controls.
● Moderate: I.e., services for which failure to meet the security objectives (confidentiality, integrity, availability) would have serious adverse effects on the Agency’s operations, assets, or personnel. There are 325 Moderate Baseline Controls.
● High: I.e., services that deal with highly sensitive data (law enforcement, health, financial, etc.) for which failure to meet the security objectives would have severe or even catastrophic consequences. There are 421 High Baseline Controls.
There are two routes for obtaining a FedRAMP ATO: a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) for clearance to work with any agency or Agency ATO for clearance to work with a specific agency. For a thorough description of both options from the CSP perspective, you can refer to the CSP Authorization Playbook: Getting Started With FedRAMP.
In either case, once an ATO is obtained, the CSP enters a Continuous Monitoring (ConMon) phase during which it delivers monthly reports such as Plan of Actions & Milestones (POA&M), vulnerability scan results, system changes, and anything else that may have been requested in order to maintain a high level of operational visibility between the government customer and the CSP. Also, a Third Party Assessment Organization must be hired to conduct an annual security audit and assessment.
Spotlight on FedRAMP Vulnerability Management Requirements
FedRAMP is quite explicit about the CSP’s vulnerability scanning requirements in the ConMon phase:
● CSPs are required to scan operating systems, web apps, and databases at least once a month and send the reports to the body that provided the ATO, i.e., the JAB or an agency Authorizing Official (AO).
● For Moderate and High Baseline systems, scans must be authenticated and performed with full system authorization.
● The vulnerability scanner must always use the most updated list of vulnerabilities, and the CSP must provide machine-readable evidence of the most recent vulnerability update before scanning.
● The vulnerability scanner configuration settings must be approved by the 3PAO and can only be altered with the approval of the agency AO. It’s worth noting that the CSP must enable all non-destructive detections.
● The report must be in a machine-readable format and include:
○ A unique identifier that maps the vulnerability to an inventory asset.
○ The Common Vulnerabilities and Exposures (CVE) reference number for any vulnerability listed in the latest version of the National Vulnerability Database (NVD).
○ Risk scoring, in order of preference: The Common Vulnerability Scoring System (CVSS) v3 base score if available in the NVD, the CVSS v2 base score, and the native scanner base risk score.
○ Each unique vulnerability tracked to an individual POA&M item.
In terms of vulnerability management, here are some of the essential guidelines:
● Once a vulnerability has been discovered, high-risk vulnerabilities must be mitigated within 30 days, moderate-risk vulnerabilities within 90 days, and low-risk within 180 days. Mitigation evidence must be sent to the agency AO.
● Security-relevant software and firmware patches must be installed within 30 days of their release.
● New assets must be detected automatically, within five minutes of joining the network.
● Automated mechanisms should be employed at least once a month to probe for system flaws, including inspecting log files for anomalies, identifying missing patches, finding evidence of intrusions or malware, and so on.
JetPatch and FedRAMP Compliance
JetPatch’s intelligent and automated patch management solution provides an end-to-end framework for ongoing compliance with FedRAMP patch and vulnerability management requirements with the following attributes:
● Establishes centralized and consistent patch and vulnerability management processes across all environments and infrastructures and manages them through a single Patch Governance dashboard.
● Full and immediate discovery of all servers, operating systems, and applications eliminates patch blind spots, constantly comparing installed patches to baselines.
● Continuous monitoring for new vulnerabilities and patches as well as automatic triggering of remediation processes either immediately or during scheduled maintenance windows, depending on the risk level.
● Machine learning algorithms to analyze remediation delays and automatically correct them.
● Seamless integration with the existing patch and vulnerability management stack, including vulnerability scanners, patch managers, ITSM, and more.
Request a demo to see firsthand how JetPatch eases the complexities of staying compliant with FedRAMP’s rigorous patch and vulnerability management requirements.