So, you’ve received your FedRAMP authorization, either through the Agency ATO or the JAB P-ATO process. Now what? Unlike other programs, a Cloud Service Provider (CSP) can’t just sit back and relax; there is still a lot of work to be done to maintain that FedRAMP Authorization. In fact, it can be a daunting task in and of itself. With a few key strategies, a CSP can not only get through the FedRAMP continuous monitoring process, but make that process benefit them.
What is Continuous Monitoring?
Per the National Institute of Standards and Technology Special Publication (NIST SP) 800-137 “Information Security Continuous Monitoring for Federal Information Systems and Organizations”, information security continuous monitoring (ISCM) is defined as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Within the FedRAMP Security Assessment Framework, CSPs are required to maintain a security authorization that meets the FedRAMP requirements. This is accomplished by monitoring a CSP’s security posture according to the assessment and authorization process, which includes monitoring security controls. The goals of continuous monitoring are to provide operational visibility, managed change control, and attention to incident response duties.
The process for continuous monitoring, as outlined in NIST SP 800-137 “Information Security Continuous Monitoring for Federal Information Systems and Organizations”, and as elaborated upon in the FedRAMP Continuous Monitoring Strategy Guide, includes six key components. These components are listed below.
- Defining a continuous monitoring strategy;
- Establishing a continuous monitoring program;
- Implementing a continuous monitoring program;
- Analyzing the data gathered and reporting on findings;
- Responding to assessment findings; and
- Reviewing and updating the monitoring program.
The FedRAMP Continuous Monitoring Strategy Guide defines the minimum set of requirements that a CSP’s continuous monitoring program must meet, as well as advises on the frequency to review certain controls and the requirements for control testing. CSPs should review this guide carefully, as they develop their own continuous monitoring programs, to ensure they have a plan in place to meet these minimum requirements.
Key Activities and Deliverables of a FedRAMP Continuous Monitoring Program
The FedRAMP Continuous Monitoring Strategy Guide outlines the key activities that a CSP must perform in order to maintain a continuous monitoring program that meets the FedRAMP minimum requirements. In addition to the key activities, there are key deliverables with varying submission frequencies that must be submitted in order to maintain compliance. The number of deliverables and activities to monitor makes this a task that requires active participation and consideration on the CSP’s part.
Continuous Monitoring Key Activities
Key Deliverables of a FedRAMP Continuous Monitoring Program
In addition to the key activities, there are key deliverables that the CSP and its 3PAO must provide to AOs. These deliverables are broken down into those that are submitted on a continuous, monthly, annual, every-three-years, or as-needed basis after authorization has been granted. These key deliverables are outlined in the table below.
It is imperative that CSPs submit the identified deliverables on time, as repeatedly missing these core components of the continuous monitoring process can result in the revocation of their FedRAMP authorization. Additionally, the CSP needs to work with a 3PAO to ensure timely submission of the deliverables designated as 3PAO deliverables, as identified below in Table 3. These 3PAO deliverables are tied to the annual security controls assessment that the 3PAO conducts for the CSP.
Annual Security Controls Assessment
The annual security controls assessment is a key component of the FedRAMP continuous monitoring process. A crucial element of this is selecting and maintaining a good working relationship with a 3PAO. Communicating with the 3PAO well before the annual security assessment report is due is imperative to ensure that the 3PAO will have the resources necessary to perform the assessment in the required timeframe. With that said, a good 3PAO should be reaching out to its CSP throughout the year. For instance, if new requirements are released prior to the annual assessment, continued communication ensures adequate lead time to schedule that assessment.
The security controls assessment must address a core set of controls outlined by FedRAMP. In addition to these core controls, at a minimum a third of the remaining controls must be tested, and any controls that had findings in the previous assessment must be included in the selected controls. Additionally, the 3PAO and CSP should reach out to the FedRAMP PMO and the AO to verify whether any additional controls need to be tested during the annual assessment.
Along with the security controls assessment, vulnerability scanning must be performed and analyzed. The final component of the assessment is the annual penetration testing, which must meet the FedRAMP penetration testing guidance. The 3PAO should combine all of the testing in a final Security Assessment Report (SAR) that the 3PAO submits directly to the FedRAMP PMO, along with the evidence that is collected during the assessment.
Strategies to Achieve These Monitoring and Deliverable Controls
There are many strategies that a CSP can employ in order to meet these monitoring and deliverable goals. Initially, it is recommended that the CSP review the requirements and identify which ones it is already meeting. For instance, the key activities that are to be monitored continuously are typically best achieved by automated mechanisms, and those mechanisms are usually in place prior to the initial FedRAMP assessment. Even some activities that are to be completed monthly or quarterly are better handled through an automated process, e.g. disabling user accounts. It is also important to note that a substantial number of these requirements were already tested during the initial assessment and should be in place before continuous monitoring starts. So, while the list may appear daunting initially, the CSP should already be in compliance with many of the requirements.
Tracking these continuous monitoring items is very important. The CSP should consider the tracking methods and processes that are already in place and use as many of those built-in processes as possible. Ticketing systems work well, but even a shared Excel spreadsheet can be useful for tracking purposes. Calendar reminders on group calendars are also useful; however, reminders on an individual key person’s calendar are not recommended. If that person were to leave, the calendar reminder would not help their successor know when submission of key deliverables or monitoring of key activities needs to be completed. As much as possible, these reminders and tracking lists should be shared by everyone on the team to ensure coverage should someone leave or otherwise be unable to complete a task.
Another important aspect to consider is ensuring that the key personnel who perform these tasks have adequate backup. For instance, audit review, analysis, and reporting must be accomplished weekly at a minimum, meaning that every seven days a trained individual must review audit records for indications of suspicious activity. If only one team member is trained, that team member can never take a vacation longer than seven days! Further, if that team member were to leave, the CSP would be at a severe loss while it trains another team member to take over the task. As such, for every key activity a backup should be identified so the process can continue regardless of vacation schedules or other unforeseen events.
CSPs should also note that there are numerous controls for which FedRAMP wants the date and other supporting information recorded in the SSP, in order to make it easier to maintain that information in one location; however, meeting those requirements may require process changes on the CSP’s part. This should be built into the procedure documents so that it is clear what the process is and which documents need to be updated and maintained.
The FedRAMP continuous monitoring requirements are, without a doubt, some of the most comprehensive and demanding requirements in the cybersecurity industry. Establishing a robust program not only ensures that the CSP will meet these requirements and thereby maintain FedRAMP compliance, but also helps implement a strong set of security best practices for its system. When these processes are implemented at the organizational level, they can improve the overall security posture of the organization. In an age of regular high-profile attacks, these best practices can help organizations minimize the likelihood of a successful attack. CSPs that build processes ensuring they meet the FedRAMP continuous monitoring requirements into their policies and procedures will find that they also reap the benefits of these rigorous requirements.
Your FedRAMP Resource
As a certified FedRAMP 3PAO, MindPoint Group can help with all of your assessment and Continuous Monitoring needs. Our experts are here to help!