Fedramp system Security Plan (ssp) High Baseline Template


RA-3 Additional FedRAMP Requirements and Guidance



Download 1.2 Mb.
Page347/478
Date16.12.2020
Size1.2 Mb.
#54609
1   ...   343   344   345   346   347   348   349   350   ...   478
FedRAMP-SSP-High-Baseline-Template
FedRAMP-SSP-High-Baseline-Template, North Carolina Summary Table of Ecoregion Characteristics
RA-3 Additional FedRAMP Requirements and Guidance:

Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F

RA-3 (d) Requirement: Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

RA-3

Control Summary Information

Responsible Role:

Parameter RA-3(b):

Parameter RA-3(c):

Parameter RA-3(d):

Parameter RA-3(e):

Implementation Status (check all that apply):

☐ Implemented

Partially implemented

☐ Planned

☐ Alternative implementation

Not applicable

Control Origination (check all that apply):

☐ Service Provider Corporate

☐ Service Provider System Specific

☐ Service Provider Hybrid (Corporate and System Specific)

☐ Configured by Customer (Customer System Specific)

☐ Provided by Customer (Customer System Specific)

☐ Shared (Service Provider and Customer Responsibility)

☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text. ,





RA-3 What is the solution and how is it implemented?

Part a




Part b




Part c




Part d




Part e





RA-5 Vulnerability Scanning (L) (M) (H)


The organization:

  1. Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

RA-5 (a) Additional FedRAMP Requirements and Guidance:

Requirement: An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

  1. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:

    1. Enumerating platforms, software flaws, and improper configurations;

    2. Formatting and making transparent, checklists and test procedures; and

    3. Measuring vulnerability impact;

  1. Analyzes vulnerability scan reports and results from security control assessments

  2. Remediates legitimate vulnerabilities; [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery], in accordance with an organizational assessment of risk; and

  3. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

RA-5 (e) Additional FedRAMP Requirements and Guidance:

Requirement: To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

RA-5 Additional FedRAMP Requirements and Guidance

Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents> Vulnerability Scanning Requirements

https://www.FedRAMP.gov/documents/



RA-5

Control Summary Information

Responsible Role:

Parameter RA-5(a):

Parameter RA-5(d):

Parameter RA-5(e):

Implementation Status (check all that apply):

☐ Implemented

☐ Partially implemented

☐ Planned

☐ Alternative implementation

☐ Not applicable

Control Origination (check all that apply):

☐ Service Provider Corporate

☐ Service Provider System Specific

☐ Service Provider Hybrid (Corporate and System Specific)

☐ Configured by Customer (Customer System Specific)

☐ Provided by Customer (Customer System Specific)

☐ Shared (Service Provider and Customer Responsibility)

☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text. ,





RA-5 What is the solution and how is it implemented?

Part a




Part b




Part c




Part d




Part e






Download 1.2 Mb.

Share with your friends:
1   ...   343   344   345   346   347   348   349   350   ...   478



The database is protected by copyright ©ininet.org 2024
send message
    Main page
united states
total number
vast majority
federal government
other side
next generation
supreme court
information contained
current state
executive director
national association
middle east
east coast
general assembly
private sector
same time
west coast
united kingdom
united nations
total amount
full range
highest level
soviet union
european union
national academy