FedRAMP System Security Plan (SSP) High Baseline Template


RA-3 Additional FedRAMP Requirements and Guidance



Date: 16.12.2020
RA-3 Additional FedRAMP Requirements and Guidance:

Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F.

RA-3 (d) Requirement: Include all Authorizing Officials; for JAB authorizations to include FedRAMP.

RA-3

Control Summary Information

Responsible Role:

Parameter RA-3(b):

Parameter RA-3(c):

Parameter RA-3(d):

Parameter RA-3(e):

Implementation Status (check all that apply):

☐ Implemented

☐ Partially implemented

☐ Planned

☐ Alternative implementation

☐ Not applicable



Control Origination (check all that apply):

☐ Service Provider Corporate

☐ Service Provider System Specific

☐ Service Provider Hybrid (Corporate and System Specific)

☐ Configured by Customer (Customer System Specific)

☐ Provided by Customer (Customer System Specific)

☐ Shared (Service Provider and Customer Responsibility)

☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.





RA-3 What is the solution and how is it implemented?

Part a




Part b




Part c




Part d




Part e





RA-5 Vulnerability Scanning (L) (M) (H)


The organization:

  a. Scans for vulnerabilities in the information system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications and databases] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

RA-5 (a) Additional FedRAMP Requirements and Guidance:

Requirement: An accredited independent assessor scans operating systems/infrastructure, web applications, and databases once annually.

  b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:

    1. Enumerating platforms, software flaws, and improper configurations;

    2. Formatting and making transparent, checklists and test procedures; and

    3. Measuring vulnerability impact;

  c. Analyzes vulnerability scan reports and results from security control assessments;

  d. Remediates legitimate vulnerabilities; [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery], in accordance with an organizational assessment of risk; and

  e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

RA-5 (e) Additional FedRAMP Requirements and Guidance:

Requirement: To include all Authorizing Officials; for JAB authorizations to include FedRAMP.

RA-5 Additional FedRAMP Requirements and Guidance

Guidance: See the FedRAMP Documents page under Key Cloud Service Provider (CSP) Documents > Vulnerability Scanning Requirements:

https://www.FedRAMP.gov/documents/
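The RA-5(a) scan cadence and the RA-5(d) remediation assignment above are the two numeric requirements a CSP is usually asked to evidence. The following script is an added example, not part of the FedRAMP template or any scanner's output: it takes constructed scan findings and asset records, derives the High/Moderate/Low tier from a CVSS base score (the 7.0 and 4.0 cut-offs are an assumption borrowed from the CVSS v3 qualitative scale, with Critical folded into High because the assignment names only three tiers), computes the 30/90/180-day due date from the date of discovery, and flags findings that are past due and assets whose last scan is older than the monthly cadence (taken here as 30 days, also an assumption). Field names such as `cvss`, `first_seen` and `last_scan` are this example's own.

```python
"""RA-5 evidence helper: remediation SLA (RA-5(d)) and scan cadence (RA-5(a)).

Added example for the FedRAMP SSP High baseline page; not template text and
not a real scanner export. All finding and asset records below are constructed.
"""
from datetime import date, timedelta

# RA-5(d) FedRAMP assignment: days from date of discovery to remediation.
SLA_DAYS = {"high": 30, "moderate": 90, "low": 180}

# RA-5(a) FedRAMP assignment is "monthly"; 30 days is this example's assumption.
SCAN_CADENCE_DAYS = 30

# Reference date used for the sample run (constructed).
TODAY = date(2020, 12, 16)


def cvss_to_severity(score: float) -> str:
    """Map a CVSS base score to the three tiers named in the assignment.
    Cut-offs follow the CVSS v3 qualitative scale (assumption for this example):
    7.0+ -> high (Critical folded in), 4.0-6.9 -> moderate, below 4.0 -> low."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "moderate"
    return "low"


def due_date(first_seen: date, severity: str) -> date:
    """Remediation deadline: date of discovery plus the tier's SLA."""
    return first_seen + timedelta(days=SLA_DAYS[severity])


def assess(findings, today: date):
    """One row per finding: tier, due date, days remaining and SLA status."""
    rows = []
    for f in findings:
        sev = cvss_to_severity(f["cvss"])
        due = due_date(f["first_seen"], sev)
        if f.get("remediated_on") is not None:
            status = "closed-in-sla" if f["remediated_on"] <= due else "closed-late"
        elif today > due:
            status = "overdue"
        else:
            status = "open"
        rows.append({"id": f["id"], "severity": sev, "due": due,
                     "days_left": (due - today).days, "status": status})
    return rows


def overdue_ids(findings, today: date):
    """IDs of open findings that have exceeded their RA-5(d) deadline."""
    return [r["id"] for r in assess(findings, today) if r["status"] == "overdue"]


def stale_assets(assets, today: date, cadence_days: int = SCAN_CADENCE_DAYS):
    """Assets whose most recent scan is older than the monthly cadence."""
    return [a["asset"] for a in assets
            if (today - a["last_scan"]).days > cadence_days]


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    {"id": "F-001", "cvss": 9.8, "first_seen": date(2020, 10, 1), "remediated_on": None},
    {"id": "F-002", "cvss": 5.3, "first_seen": date(2020, 10, 1), "remediated_on": None},
    {"id": "F-003", "cvss": 2.1, "first_seen": date(2020, 10, 1), "remediated_on": None},
    {"id": "F-004", "cvss": 7.5, "first_seen": date(2020, 11, 20),
     "remediated_on": date(2020, 12, 10)},
]

# Constructed sample asset inventory with last successful scan dates.
SAMPLE_ASSETS = [
    {"asset": "web-01", "kind": "web application", "last_scan": date(2020, 11, 1)},
    {"asset": "db-01", "kind": "database", "last_scan": date(2020, 12, 1)},
]

if __name__ == "__main__":
    for row in assess(SAMPLE_FINDINGS, TODAY):
        print(row)
    print("overdue findings:", overdue_ids(SAMPLE_FINDINGS, TODAY))
    print("assets past scan cadence:", stale_assets(SAMPLE_ASSETS, TODAY))
```

Run as-is the sample shows F-001 (High, discovered 1 Oct, due 31 Oct) as overdue on 16 Dec, F-002 and F-003 still inside their 90- and 180-day windows, F-004 closed ten days before its deadline, and web-01 as the one asset that has gone more than 30 days without a scan. The `days_left` column is the figure a POA&M reviewer wants next to each open item.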



RA-5

Control Summary Information

Responsible Role:

Parameter RA-5(a):

Parameter RA-5(d):

Parameter RA-5(e):

Implementation Status (check all that apply):

☐ Implemented

☐ Partially implemented

☐ Planned

☐ Alternative implementation

☐ Not applicable



Control Origination (check all that apply):

☐ Service Provider Corporate

☐ Service Provider System Specific

☐ Service Provider Hybrid (Corporate and System Specific)

☐ Configured by Customer (Customer System Specific)

☐ Provided by Customer (Customer System Specific)

☐ Shared (Service Provider and Customer Responsibility)

☐ Inherited from pre-existing FedRAMP Authorization for Click here to enter text.





RA-5 What is the solution and how is it implemented?

Part a




Part b




Part c




Part d




Part e





