FedRAMP - Three Stages of Vulnerability Scanning and their Pitfalls
Blog Article Published: 03/07/2018
By Matt Wilgus, Practice Leader, Threat & Vulnerability Assessments, Schellman & Co.

Though vulnerability scanning is only one of the control requirements in FedRAMP, it is one of the most frequent pitfalls in terms of impact to an authorization to operate (ATO), because FedRAMP expects cloud service providers (CSPs) to have a mature vulnerability management program. A CSP needs to have the right people, processes and technologies in place, and must successfully demonstrate maturity in all three. CSPs that have an easier time with the vulnerability scanning requirements tend to follow a similar approach, which is best described by breaking the expectations down into three stages.
1. Pre-Assessment

Approximately 60-90 days before an expected security assessment report (SAR), a CSP should provide the third-party assessment organization (3PAO) a recent set of scans, preferably covering the most recent three months. The scan data should be provided in a format that the 3PAO can parse. Providing scans well ahead of time allows several questions to be answered early:
- Credentials – Are the scans being conducted from an authenticated perspective with a user having the highest level of privileges available?
- Scan Types – Are infrastructure, database, and web application scans being performed?
- Points of Contact – Who is responsible for configuring the scanner and running scans? Who is responsible for remediation?
- Entire Boundary Covered – Is the full, in-scope environment being scanned?
- Remediation – Are high severity findings being remediated in 30 days? Are moderate severity findings being remediated within 90 days?
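The pre-assessment questions above are mechanical enough that a 3PAO (or the CSP itself, before handing scans over) can answer the credential, boundary-coverage and remediation-window questions from the scan export. The following is an added example, not code from the article or from Schellman; the hosts, check IDs, dates and the shape of the scan export are constructed placeholders, and the only values taken from the article are the 30-day and 90-day windows for high and moderate findings.

```python
from datetime import date

# Remediation windows stated in the article's pre-assessment questions:
# high severity within 30 days, moderate within 90 days.
SLA_DAYS = {"High": 30, "Moderate": 90}

# Constructed sample data (not a real scan export). Hosts, check IDs and
# dates are placeholders invented for this example.
BOUNDARY_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.20"}

# host -> whether the scanner reported successful credentialed access
SCANNED_HOSTS = {
    "10.0.1.10": True,
    "10.0.1.11": True,
    "10.0.1.12": False,   # credentials failed: results are incomplete
    "10.0.9.9": True,     # scanned, but not in the authorization boundary
}

FINDINGS = [
    {"host": "10.0.1.10", "check": "CHECK-A", "severity": "High",
     "first_seen": date(2018, 1, 5), "fixed_on": date(2018, 1, 20)},
    {"host": "10.0.1.11", "check": "CHECK-B", "severity": "High",
     "first_seen": date(2018, 1, 10), "fixed_on": None},
    {"host": "10.0.1.11", "check": "CHECK-C", "severity": "Moderate",
     "first_seen": date(2017, 11, 1), "fixed_on": None},
    {"host": "10.0.1.12", "check": "CHECK-D", "severity": "Low",
     "first_seen": date(2018, 2, 1), "fixed_on": None},
    {"host": "10.0.9.9", "check": "CHECK-E", "severity": "Moderate",
     "first_seen": date(2018, 2, 20), "fixed_on": None},
]

AS_OF = date(2018, 3, 7)  # date the review is performed (constructed)


def unauthenticated_hosts(scanned):
    """Hosts the scanner could not log in to; their results are incomplete."""
    return sorted(h for h, ok in scanned.items() if not ok)


def coverage_gaps(scanned, boundary):
    """Return (boundary hosts never scanned, scanned hosts outside the boundary)."""
    scanned_set = set(scanned)
    missing = sorted(boundary - scanned_set)
    unexpected = sorted(scanned_set - boundary)
    return missing, unexpected


def days_open(finding, as_of):
    """Age of a finding: until it was fixed, or until as_of if still open."""
    end = finding["fixed_on"] or as_of
    return (end - finding["first_seen"]).days


def overdue_findings(findings, as_of):
    """Findings that exceeded their window, whether still open or closed late."""
    overdue = []
    for f in findings:
        limit = SLA_DAYS.get(f["severity"])
        if limit is None:
            continue  # the article states no window for this severity
        age = days_open(f, as_of)
        if age > limit:
            overdue.append({**f, "days_open": age, "limit": limit})
    return overdue


def pre_assessment_report(scanned, boundary, findings, as_of):
    """Answer the credential, coverage and remediation questions in one pass."""
    missing, unexpected = coverage_gaps(scanned, boundary)
    return {
        "unauthenticated": unauthenticated_hosts(scanned),
        "not_scanned": missing,
        "outside_boundary": unexpected,
        "overdue": [(f["host"], f["check"], f["severity"], f["days_open"])
                    for f in overdue_findings(findings, as_of)],
    }


if __name__ == "__main__":
    report = pre_assessment_report(SCANNED_HOSTS, BOUNDARY_HOSTS, FINDINGS, AS_OF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two design points: a finding that was fixed late still counts as a missed window, since the question is whether remediation happens within 30 or 90 days, not merely whether the finding is closed today; and a host that was scanned without working credentials is reported separately from coverage, because an unauthenticated result looks like a clean host when it is really an unknown.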
2. Assessment

During the assessment kickoff, the CSP should be ready for the 3PAO to conduct vulnerability scans. If the CSP has successfully addressed the questions in the pre-assessment phase, any findings or issues raised during the assessment phase should be easy to address. There are three main areas to tackle while reviewing the scan data in the assessment phase:
- Current Picture – What vulnerabilities exist in the environment as of the current date?
- Reassurance on Remediation – Are vulnerabilities continuing to be remediated in a timely manner?
- Adjustments – What changes have been made since the pre-assessment? For example:
  - the vulnerability scanning tool has changed
  - scan checks have been modified
  - personnel responsible for configuring and running the scans are no longer with the organization
  - technologies within the environment have changed
  - the environment hosting the solution has changed
3. Final Scan

A final round of scans should be run by the CSP five to ten days prior to the issuance of the SAR. At this point, all questions about the personnel running the scans, the processes deployed, and the technologies implemented should already be answered. The last set of scans should be limited in scope and used as evidence of remediation of the vulnerabilities identified in the assessment phase. There are three primary goals for this last piece of scan evidence:
- Targeted scans – Has a final set of scans that shows remediation of findings from the assessment phase been provided?
- Operational Requirements (OR) and False Positives (FP) – Are all ORs and FPs documented, reviewed and understood?
- Ready for Continuous Monitoring – Are there any high severity findings remaining, and is the CSP ready to provide monthly results to an agency or the Joint Authorization Board (JAB)?
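The final-scan goals above amount to comparing the assessment-phase findings with the targeted final scan and reconciling whatever is still present against the documented operational requirements and false positives. The following is an added example, not code from the article or from Schellman; hosts, check IDs and the deviation records are constructed placeholders, and the treatment of a documented OR as a real vulnerability that still appears on the remaining-high list is an assumption made for this example rather than a statement of FedRAMP policy.

```python
# Constructed sample data (not a real scan export). Hosts and check IDs are
# placeholders invented for this example; each finding is (host, check, severity).
ASSESSMENT_FINDINGS = {
    ("10.0.1.10", "CHECK-A", "High"),
    ("10.0.1.11", "CHECK-B", "High"),
    ("10.0.1.11", "CHECK-C", "Moderate"),
    ("10.0.1.12", "CHECK-D", "Moderate"),
    ("10.0.1.12", "CHECK-E", "Low"),
}

FINAL_FINDINGS = {
    ("10.0.1.11", "CHECK-B", "High"),      # still present, documented OR
    ("10.0.1.11", "CHECK-C", "Moderate"),  # still present, documented FP
    ("10.0.1.12", "CHECK-D", "Moderate"),  # still present, nothing on file
    ("10.0.1.10", "CHECK-F", "High"),      # not seen during the assessment
}

# Deviations the CSP has documented: (host, check) -> "OR" or "FP" (constructed)
DEVIATIONS = {
    ("10.0.1.11", "CHECK-B"): "OR",
    ("10.0.1.11", "CHECK-C"): "FP",
}


def remediated(assessment, final):
    """Assessment findings that no longer appear in the final scan."""
    return sorted(assessment - final)


def still_open(assessment, final):
    """Assessment findings that the final scan still reports."""
    return sorted(assessment & final)


def new_since_assessment(assessment, final):
    """Findings in the final scan that the assessment scans did not report."""
    return sorted(final - assessment)


def classify_open(open_findings, deviations):
    """Split still-open findings by whether an OR or FP is documented for them."""
    buckets = {"OR": [], "FP": [], "undocumented": []}
    for f in open_findings:
        kind = deviations.get((f[0], f[1]), "undocumented")
        buckets[kind].append(f)
    return buckets


def remaining_high(final, deviations):
    """High findings in the final scan, excluding documented false positives.

    Assumption for this example: a documented OR is still a real vulnerability,
    so it stays on this list; only an FP removes a finding from it.
    """
    return sorted(f for f in final
                  if f[2] == "High" and deviations.get((f[0], f[1])) != "FP")


def final_scan_report(assessment, final, deviations):
    """Evidence summary for the three final-scan goals."""
    open_ = still_open(assessment, final)
    return {
        "remediated": remediated(assessment, final),
        "open": classify_open(open_, deviations),
        "new": new_since_assessment(assessment, final),
        "remaining_high": remaining_high(final, deviations),
    }


if __name__ == "__main__":
    report = final_scan_report(ASSESSMENT_FINDINGS, FINAL_FINDINGS, DEVIATIONS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "undocumented" bucket is the one to look at first: a finding that is still present with no OR or FP on file is the kind of item that surfaces as a question right before SAR issuance. The "new" list matters because a targeted final scan should not normally introduce findings; when it does, either the scope changed or something new was deployed, and both are worth explaining before monthly continuous-monitoring submissions begin.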