Succeeding with FedRAMP: Continuous Monitoring
So, you’ve received your FedRAMP authorization, either through the Agency ATO or the JAB P-ATO process. Now what? Unlike other programs, a Cloud Service Provider (CSP) can’t just sit back and relax; there is still a lot of work to be done to maintain that FedRAMP Authorization. In fact, it can be a daunting task in and of itself. With a few key strategies, a CSP can not only get through the continuous monitoring process, but make that process benefit them.
What is Continuous Monitoring?
Per the National Institute of Standards and Technology Special Publication (NIST SP) 800-137 “Information Security Continuous Monitoring for Federal Information Systems and Organizations”, information security continuous monitoring (ISCM) is defined as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Within the FedRAMP Security Assessment Framework, CSPs are required to maintain a security authorization that meets the FedRAMP requirements. This is accomplished by monitoring a CSP’s security posture according to the assessment and authorization process, which includes monitoring security controls. The goals of continuous monitoring are to provide operational visibility, managed change control, and attention to incident response duties.
The process for continuous monitoring, as outlined in NIST SP 800-137 “Information Security Continuous Monitoring for Federal Information Systems and Organizations”, and as elaborated upon in the FedRAMP Continuous Monitoring Strategy Guide, includes six key components. These components are listed below.
- Defining a continuous monitoring strategy;
- Establishing a continuous monitoring program;
- Implementing a continuous monitoring program;
- Analyzing the data gathered and Reporting on findings;
- Responding to assessment findings; and
- Reviewing and Updating the monitoring program.
The FedRAMP Continuous Monitoring Strategy Guide defines the minimum set of requirements that a CSP’s continuous monitoring program must meet, as well as advises on the frequency to review certain controls and the requirements for control testing. CSPs should review this guide carefully, as they develop their own continuous monitoring programs, to ensure they have a plan in place to meet these minimum requirements.
Key Activities and Deliverables of a FedRAMP Continuous Monitoring Program
The FedRAMP Continuous Monitoring Strategy Guide outlines the key activities that a CSP must perform in order to maintain a continuous monitoring program that meets the FedRAMP minimum requirements. In addition to the key activities, there are also key deliverables that have varying submission frequencies that must be submitted in order to maintain compliance. The number of deliverables and activities to monitor make this task something that requires active participation and consideration on the CSP’s part.
Continuous Monitoring Key Activities
|ACTIVITY||CONTROL ID||FREQUENCY||INCLUDE IN SSP|
|Information System Monitoring||SI-4||Continuous|
|Auditable Events||AU-2a and AU-2d||Continuous|
|Information system component inventory – must be able to detect new assets continuously using automated mechanisms within a maximum of a 5-minute delay in detection.||CM-8 (3)a||Continuous|
|Temperature and Humidity Controls||PE-14b||Continuous|
|Vulnerability scanning – the list of vulnerability must be updated prior to each scan.||RA-5(2)||Continuous|
|Wireless Intrusion Detection||SI-4(14)||Continuous|
|Contingency training – new personnel must be trained in their contingency roles and responsibilities.||CP-3a||Within 10 days of assuming the responsibility||Record the date of the training in the System Security Plan.|
|Audit Review, Analysis, and Reporting – information system audit records must be analyzed for indications of inappropriate or unusual activity.||AU-6a||Weekly|
|Account Management – Automatic termination of temporary and emergency accounts.||AC-2 (2)||Monthly – within 30 days of account creation|
|Account Management – Disables user accounts|
Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the Authorizing Official.
|AC-2(3)||Quarterly (90 days)|
|Publicly Accessible Content – must review content on publicly accessible system and look for non-public information.||AC-22d||Quarterly (90 days)|
|Access Restrictions for Change – must review and reevaluate their information system developer/integrator privileges||CM-5(5)b||Quarterly (90 days)||Record the date of the review in the System Security Plan.|
|Identifier Management – Disables user IDs|
Requirement: The service provider defines time period of inactivity for device identifiers.
|IA-4e||Quarterly (90 days)|
|Least Functionality – The information system must be reviewed to identify and eliminate unnecessary functions, ports, protocols, and/or services.||CM-7(1)a||Monthly||If ports, protocols, and/or services are changed, Table 10-4 in the System Security Plan must be updated at the time of change. Changes must be made according to the CSP change management process that is described in the Configuration Management Plan.|
|Monitoring Physical Access – physical access logs must be reviewed, and the date of review recorded.||PE-6b||Monthly||Record the dates of review in the System Security Plan.|
|Physical Access Records – visitor access records.||PE-8b||Monthly|
|Flaw Remediation – security relevant software and firmware patches must be installed.||SI-2c||Monthly – within 30 days of the release of the updates|
|Flaw Remediation – automated mechanism must be used to look for system flaws.||SI-2c||Monthly – using an automated mechanism|
|Security Functionality Verification||SI-6||Monthly|
|Software and Information Integrity – integrity scanning||SI-7(1)||Monthly – including security relevant events|
|Authenticator Management – authenticator/passwords must be refreshed.||IA-5g||Within 60 days|
|Account Management – disabling inactive user accounts||AC-2(3)||Quarterly – within 90 days|
|Account Management – annual review and recertification of user accounts to verify if the account holder requires continued access to the system.||AC-2j||Annually||Record the date of annual user re-certification in the System Security Plan.|
|Security Awareness – provide basic security awareness training to all users||AT-2||Annually||Record the date that security awareness training last took place in the System Security Plan.|
|Security Training – must provide role-based security training||AT-3b, AT-3c||Annually||The date that the training took place, along with who provided the training, must be recorded In the System Security Plan.|
|Security Training Records – archive security training records||AT-4b||Annually||In the System Security Plan, record who participated in training and when the training took place. Archive the actual training materials.|
|Auditable Events – Review and update auditable events. Changes to the auditable event list must be recorded in the System Security Plan. Meeting notes with information about who attended the meeting must be archived.||AU-2(3)||Annually or whenever changes in the threat environment are communicated to the service provider by the AO.||Changes to the auditable event list must be recorded in the System Security Plan. CSPs must record the date that the auditable event review meeting takes place in the System Security Plan. Meeting notes with information about who attended the meeting must be archived.|
|Baseline Configuration – Review and update the baseline configuration. Changes and updates to the baseline configuration must be made in accordance with the change control process described in the CSP’s Configuration Management Plan||CM-2(1)a||Annually or whenever there is a significant change.|
|Contingency Training – train personnel in their contingency roles and responsibilities.||CP-3c||Annually||Record the date of the training in the System Security Plan.|
|Information System Backup – test backups to verify integrity and reliability.||CP-9(1)||Annually||When the System Security Plan is updated annually, this control description must indicate when (date) the last test took place and who performed the testing.|
|Physical Access Authorizations – review physical access authorization credential and remove personnel from the access list who no longer require access.||PE-2c||Annually||The date at which this review takes place, and who performed it, must be recorded in the System Security Plan.|
|Physical Access Control – inventory physical access devices||PE-3f||Annually||The date of the inventory must be recorded in the System Security Plan.|
|Physical Access Control – change combinations and keys||PE-3g||Annually||The date that the keys and combinations are changed must be recorded in the System Security Plan along with the name of the person responsible for making the changes.|
|Access Agreements – review and update access agreements. Individuals requiring access to organizational information and information systems must re-sign access agreements to maintain access to organizational information systems when access agreements have been updated||PS-6b, PS-6c||Annually||The date of the access agreement review must be recorded in the System Security Plan.|
|Boundary Protection – remove traffic flow that is no longer supported by a business/mission need. Changes and updates to traffic flow must be made in accordance with the change control process described in the CSP’s Configuration Management Plan.||SC-7(4)e||Annually|
|Identifier Management – Prevent reuse of user and device identifiers.||IA-4d||Every Two Years|
|Security Authorization – The security authorization will be re-evaluated by the Authorizing Official.||CA-6c||Every Three Years||CSPs must record the date of the Provisional Authorization, and any reauthorization, in the System Security Plan.|
|Position Categorization – review position categorizations.||PS-2c||Every Three Years||Record the date that position categorization was completed in the System Security Plan.|
|Risk Assessment – review and update security assessments||RA-3c, RA-3e||Every Three Years||Record the date of the last security assessment in the System Security Plan|
|Personnel Screening – Law enforcement must undergo personnel screening. There is no reinvestigation for other moderate risk positions or any low risk positions.|
For national security clearances, a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and the 15th year for confidential
|PS-3b||Every Five Years||Any law enforcement staff screened must have the screening date recorded in the System Security Plan along with their name.|
Key Deliverables of a FedRAMP Continuous Monitoring Program
In addition to the key activities, there are key deliverables that the CSP and its 3PAO must provide to AOs. These deliverables are broken down into those that are submitted on a continuous, monthly, annual, every three years, and on an as-needed basis after authorization has been granted. These key deliverables are outlined in the table below.
|DELIVERABLE||CONTROL ID||FREQUENCY||INCLUDE IN SSP|
|Incident Reporting – CSPs must report incidents in accordance with the FedRAMP Incident Communications Procedure.||IR-6||Continuous – IR-6a. [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)]|
|Vulnerability Scanning – CSPs must scan operating systems, web applications and databases.||RA-5a||Monthly – All scan reports must be sent to the FedRAMP PMO contact|
|Vulnerability Scanning – CSPs must mitigate all discovered high-risk vulnerabilities within 30 days, mitigate moderate vulnerability risks in 90 days, and mitigate low vulnerability risks in 180 days.||RA-5d||Monthly – CSPs must send their FedRAMP PMO contact updated artifacts every 30 days to show evidence that outstanding high-risk vulnerabilities have been mitigated.|
|Plan of Action & Milestones – CSPs must update the POA&M||CA-5b||Monthly – submit it to the FedRAMP PMO contact|
|Information Security Policies – review Information Security Policies and Procedures||All -1 controls||Annually for High Systems||Insert the updated Policy document as an Attachment to the System Security Plan and submit the updated plan to the FedRAMP PMO contact.|
|Configuration Management Plan – review and update the Configuration Management Plan||CM-9||Annually – Submit the new plan to the FedRAMP PMO contact|
|IT Contingency Plan – review and update the IT Contingency Plan||CP-2d||Annually – Submit the new plan to the FedRAMP PMO contact|
|IT Contingency Plan Testing & Exercises – test and exercise the IT Contingency Plan (for Moderate systems) using functional exercises||CP-4a||Annually – insert the new IT Contingency Plan Test Report into the proper Appendix of the IT Contingency Plan and submit to the FedRAMP PMO Contact|
|Incident Response Testing – perform incident response testing||IR-3||Annually||Record the results of the incident response testing directly in the control description box within the SSP, indicating when testing took place, testing materials, who participated, and who conducted the testing.|
|Incident Response Plan – review the Incident Response Plan||IR-8c||Annually||Insert the updated Incident Response Plan as an attachment to the System Security Plan.|
|System Security Plan – review and update the System Security Plan||PL-2c||Annually – submit the new plan to the FedRAMP PMO Contact|
|Information Security Policies – review Information Security Policies and Procedures||All -1 controls||Every Three years for Moderate Systems.||Insert the updated Policy document as an Attachment to the System Security Plan and submit the updated plan to the FedRAMP PMO contact|
|IT Contingency Plan Testing &|
Exercises (Low Systems) – test and exercise the IT Contingency Plan (for Low systems) every three years using table top written tests.
|CP-4a||Every three years||Record the testing date in the System Security Plan.|
It is imperative that CSPs submit the identified deliverables on-time, as repeatedly missing these core components of the continuous monitoring process can result in the revocation of their FedRAMP authorization. Additionally, the CSP needs to work with a 3PAO to ensure timely submission of the following deliverables designated as a 3PAO deliverables, as identified below in Table 3. These 3PAO deliverables are tied to the annual security controls assessment that the 3PAO conducts for the CSP.
|Security Assessment – CSPs must have a 3PAO assess a subset of their security controls – submission should include the SAP, SAR and evidence collected during the assessment, vulnerability scans||CA-2, CA-2(2)||Annually – report should be submitted to the FedRAMP PMO contact|
|Penetration Test – must conduct penetration testing to ensure compliance with all vulnerability mitigation procedures. Penetration testing must be performed by a 3PAO.||CA-8,|
|Annually and when there is a significant change – Deliverables produced by 3PAOs are always separate from deliverables produced by CSPs. All penetration testing reports must be sent to the FedRAMP PMO Contact|
|Vulnerability Scan – must have an accredited 3PAO scan operating systems/infrastructure, web applications, and databases.||RA-5a||Annually – all scan reports must be sent to the FedRAMP PMO Contact.|
Annual Security Controls Assessment
The annual security controls assessment is a key component to the FedRAMP continuous monitoring assessment. A crucial element to this is selecting and maintaining a good working relationship with a 3PAO. Communication with the 3PAO when the annual security assessment report is due is imperative to ensure that the 3PAO will have the resources necessary to perform the assessment in the required timeframe. With that said, a good 3PAO should be reaching out to its CSP throughout the year. For instance, if new requirements are released prior to the annual assessment, continued communication would ensure adequate lead time to schedule said assessment.
The security controls assessment must address a core set of controls outlined by FedRAMP. In addition to these core controls, at a minimum, a third of the remaining controls must be tested, and controls that had findings from the previous assessment need to be included in the selected controls. Additionally, the 3PAO and CSP should reach out to the FedRAMP PMO office and the AO to verify if there are any additional controls that need to be tested during the annual assessment.
Along with the security controls assessment, vulnerability scanning must be performed and analyzed. The final component of the assessment is the annual penetration testing, which must meet the FedRAMP penetration testing guidance. The 3PAO should combine all of the testing in a final Security Assessment Report (SAR) that the 3PAO submits directly to the FedRAMP PMO, along with the evidence that is collected during the assessment.
Strategies to Achieve These Monitoring and Deliverable Controls
There are many strategies that a CSP can employ in order to meet these monitoring and deliverable goals. Initially, it is recommended that the CSP review the requirements and see how they are already meeting some of them. For instance, those key activities that are to be monitored continuously are typically best achieved by having automated mechanisms in place, and they are typically in place prior to the initial FedRAMP assessment. There are even activities that are to be completed monthly or quarterly that are better handled through an automated process, e.g. disabling user accounts. It’s also important to note that a substantial number of these requirements were already tested during the initial assessment and should be in place before continuous monitoring starts. So, while the list may appear daunting initially, the CSP should already be in compliance with many of the requirements.
Tracking of these continuous monitoring items are very important. The CSP should consider methods and processes that are already in place for tracking and utilizing as much of those built in processes as possible. Ticketing systems work well, but even a shared Excel spreadsheet can be useful for tracking purposes. Calendar reminders on group calendars are also useful, however not recommended on a key personnel’s calendar. If that person were to leave, the calendar reminder would not help the person that takes over their position to know when submission of key deliverables or monitoring of key activities needs to be completed. As much as possible, these reminders and tracking lists should be shared by everyone on the team to ensure coverage should someone leave or are otherwise unable to compete a task.
Another important aspect to consider is ensuring key personnel that perform these tasks have adequate backup. For instance, audit review, analysis, and reporting must be accomplished weekly at a minimum, meaning every seven days a trained individual must review audit records for indications of suspicious activities. If only one team member is trained, this team member can never take a vacation longer than seven days! Further, if the team member were to leave that would put the CSP at a severe loss as they trained another team member to take over that task. As such, for any key activity, a backup should be identified so the process can continue regardless of vacation schedules or other unforeseen events.
CSPs should also note that there are numerous controls that FedRAMP wants the date and other supporting information recorded in the SSP in order to make it easier to maintain certain information in one location; however, it may require process changes on the CSPs part in order to meet those requirements. This should be built into the procedures documents so that it is clear what the process is and what documents need to be updated and maintained. The FedRAMP continuous monitoring requirements are, without a doubt, some of the most comprehensive and demanding requirements in the Cybersecurity industry. Establishing a robust program not only ensures that the CSP will meet these requirements and thereby maintain FedRAMP compliance, but also helps implement a strong set of security best practices for their system. When these processes are implemented at the organizational level, it can improve the overall security posture of the organization. In the age of high-profile attacks on a regular basis, these best practices can help organizations minimize the likelihood of a successful attack. CSPs that build processes that will ensure they meet the FedRAMP continuous monitoring requirements into their policy and procedures will find that they also reap the benefits of these rigorous requirements.