FedRAMP: Outline of Timeliness and Accuracy of Testing

As FedRAMP continues to emphasize the FedRAMP Accelerated program, which is meant to shorten approval time for the Joint Authorization Board (JAB), it has released additional guidance on the Timeliness and Accuracy of Testing Requirements.

FedRAMP Timeliness and Accuracy of Testing

There are three categories associated with testing in the authorization package:

  1. Penetration Testing
  2. Vulnerability Scanning
  3. Security Controls Testing

The FedRAMP Timeliness and Accuracy of Testing Requirements guidance applies to the evidence requirements for JAB authorizations. This evidence must be in the authorization package before a Cloud Service Provider (CSP) enters the FedRAMP JAB Provisional Authorization to Operate (P-ATO) process.

Before the JAB grants a provisional authorization, it relies on rigorous testing to understand the risk posture of the cloud system. For that reason, the testing must reflect the true risk present in the system at the time of authorization, not the state of the system months earlier.

Penetration Testing Requirements

In a Penetration Test, a professional Penetration Tester attempts to exploit system vulnerabilities in a variety of ways, such as automated scripts, social engineering, or other methods. Unlike a scan, which only reports suspected weaknesses, a Penetration Test demonstrates which weaknesses can actually be exploited and what an attacker could reach. These Penetration Tests must comply with all FedRAMP guidance.


When beginning the JAB P-ATO process, an organization must submit its Penetration Test plan and a Penetration Test report prepared by an accredited Third Party Assessment Organization (3PAO).

The timeliness requirements are:

  • When submitting the completed authorization package to FedRAMP to start the JAB P-ATO process, the Penetration Test must have been conducted within the last six months. CSPs should ensure that their Penetration Test is conducted as close as possible to the submission of the authorization package.
  • Once a JAB P-ATO is granted, CSPs must complete a new Penetration Test by an accredited 3PAO annually.

The accuracy requirements dictate that:

  • The Penetration Test must reflect the current security capabilities and services of the cloud system seeking authorization.
  • If there are significant changes to the system being tested, the JAB may require a new Penetration Test.

Vulnerability Scan Requirements

A Vulnerability Scan consists of running an automated tool that checks your system for known vulnerabilities, such as missing patches, weak configurations, and outdated software versions, and documents the potential vulnerabilities it finds. Because scans are automated and repeatable, recurring scans are the evidence FedRAMP uses to continuously monitor a CSP's risk posture. FedRAMP requires that organizations complete Vulnerability Scans in compliance with FedRAMP guidance.


When beginning the JAB P-ATO process, the CSP must submit Vulnerability Scans performed by a 3PAO as part of the authorization package, and must also provide its own monthly scans.

The timeliness requirements are:

  • When submitting the authorization package, the scans completed by a 3PAO must be current within 120 days.
  • Additionally, CSPs must submit the scans and a Plan of Action and Milestones (POA&M) current within 30 days prior to the initiation date of the JAB P-ATO.

Rather than separate accuracy requirements, the Vulnerability Scan requirements include a monthly scanning requirement, as follows:

  • During the JAB P-ATO process, vendors must submit monthly Vulnerability Scans and matching POA&Ms.
  • These scans and POA&Ms are treated as continuous monitoring to identify all vulnerabilities (high, moderate and low) on a CSP's system. The scans must demonstrate that:
    • There are no late high vulnerabilities, meaning high vulnerabilities open for more than 30 days from the discovery date.
    • The CSP provides a POA&M that schedules remediation of every open high vulnerability within the 30-day remediation timeframe.
    • The CSP remains in compliance with applicable requirements.
    • The scans use the same scan tools and configurations as those the 3PAO ran for the Security Assessment Report (SAR), so that monthly results are directly comparable with the SAR findings and a finding's history can be traced across scans.
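The monthly-scan rules above are the kind of check a continuous-monitoring team usually automates rather than reading off a spreadsheet. The following is an added example, not code from FedRAMP or from the original post: it takes a constructed monthly scan export, flags high findings that are late under the 30-day rule, finds open highs whose POA&M entry is missing or scheduled past the deadline, and checks the two evidence windows the guidance states (scan and POA&M within 30 days of the P-ATO initiation date, 3PAO scans within 120 days of package submission). The record fields, the sample findings and the dates are assumptions made for the example; moderate and low findings are reported but given no deadline, because the guidance quoted here states a deadline only for highs.

```python
"""Added example: ConMon aging check for the FedRAMP monthly scan rules.

Not part of the FedRAMP guidance or the original post. Field names, sample
findings and dates are assumptions constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Deadlines and windows as stated in the Timeliness and Accuracy guidance.
HIGH_REMEDIATION_DAYS = 30        # high findings must close within 30 days of discovery
MONTHLY_EVIDENCE_WINDOW_DAYS = 30  # scan + POA&M current within 30 days of P-ATO initiation
THREEPAO_SCAN_WINDOW_DAYS = 120    # 3PAO scans current within 120 days of package submission


@dataclass(frozen=True)
class Finding:
    """One row of a scan export (assumed layout)."""
    finding_id: str   # scanner check/plugin identifier, stable across scans
    asset: str
    severity: str     # "High", "Moderate" or "Low"
    discovered: date  # first date the finding was seen; the 30-day clock keys off this,
                      # not off the most recent scan, so rescanning never resets it
    status: str       # "Open" or "Closed"


def late_high_findings(findings, as_of):
    """Open High findings that have been open for more than 30 days as of `as_of`."""
    cutoff = as_of - timedelta(days=HIGH_REMEDIATION_DAYS)
    return sorted(
        (f for f in findings
         if f.status == "Open" and f.severity == "High" and f.discovered < cutoff),
        key=lambda f: f.discovered,
    )


def poam_gaps(findings, poam):
    """Open High findings with no POA&M entry, or one planned past the 30-day deadline.

    `poam` maps finding_id -> scheduled completion date (assumed structure).
    """
    gaps = []
    for f in findings:
        if f.status != "Open" or f.severity != "High":
            continue
        deadline = f.discovered + timedelta(days=HIGH_REMEDIATION_DAYS)
        planned = poam.get(f.finding_id)
        if planned is None or planned > deadline:
            gaps.append(f.finding_id)
    return gaps


def evidence_is_current(evidence_date, reference_date, window_days):
    """True if evidence dated `evidence_date` falls within `window_days` before `reference_date`.

    Evidence dated after the reference date is rejected too: it cannot have been
    in the package that was submitted.
    """
    age = (reference_date - evidence_date).days
    return 0 <= age <= window_days


def conmon_report(findings, poam, scan_date, pato_initiation, submission, threepao_scan_date):
    """Summarise the monthly-scan rules into one pass/fail structure."""
    late = late_high_findings(findings, scan_date)
    gaps = poam_gaps(findings, poam)
    open_by_severity = {}
    for f in findings:
        if f.status == "Open":
            open_by_severity[f.severity] = open_by_severity.get(f.severity, 0) + 1
    return {
        "late_high_ids": [f.finding_id for f in late],
        "poam_gap_ids": gaps,
        "open_by_severity": open_by_severity,
        "monthly_evidence_current": evidence_is_current(
            scan_date, pato_initiation, MONTHLY_EVIDENCE_WINDOW_DAYS),
        "threepao_scan_current": evidence_is_current(
            threepao_scan_date, submission, THREEPAO_SCAN_WINDOW_DAYS),
        "compliant": not late and not gaps,
    }


# Constructed sample data (not real findings).
SCAN_DATE = date(2023, 6, 1)          # date of this month's CSP scan
PATO_INITIATION = date(2023, 6, 20)   # assumed JAB P-ATO initiation date
SUBMISSION = date(2023, 6, 1)         # assumed package submission date
THREEPAO_SCAN_DATE = date(2023, 1, 15)  # 137 days before submission: stale
SAMPLE_FINDINGS = [
    Finding("F1", "web-01", "High", date(2023, 4, 15), "Open"),      # 47 days open: late
    Finding("F2", "web-02", "High", date(2023, 5, 10), "Open"),      # 22 days open
    Finding("F3", "db-01", "High", date(2023, 4, 1), "Closed"),      # closed, ignored
    Finding("F4", "db-01", "Moderate", date(2023, 2, 1), "Open"),    # no deadline stated here
    Finding("F5", "app-01", "High", date(2023, 5, 2), "Open"),       # exactly 30 days: not late
]
SAMPLE_POAM = {
    "F1": date(2023, 5, 10),   # within the deadline (2023-05-15), but the finding is still open
    "F2": date(2023, 6, 20),   # planned past the deadline (2023-06-09)
    # F5 has no POA&M entry at all
}

if __name__ == "__main__":
    for key, value in conmon_report(SAMPLE_FINDINGS, SAMPLE_POAM, SCAN_DATE,
                                    PATO_INITIATION, SUBMISSION, THREEPAO_SCAN_DATE).items():
        print(f"{key}: {value}")
```

Two design choices are worth noting. The 30-day clock is anchored on the finding's first-seen date, not on the date of the current scan; scanners often report a per-run "first seen", so a stable finding identifier is needed to carry the true discovery date across monthly exports. And the evidence window check rejects evidence dated after the reference date as well as evidence that is too old, since a scan dated after submission cannot have been part of the package.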

Security Controls Testing Requirements

FedRAMP Timeliness and Accuracy of Testing requires that CSPs complete security control implementation testing against the FedRAMP baseline for their impact level. Each control in the baseline must be tested by a 3PAO, with the supporting evidence and documentation included in the authorization package.

The timeliness requirements are:

  • When submitting the completed authorization package, security control testing must be current within 120 days if the system does not already hold a FedRAMP agency authorization. If the system has previously been authorized, the testing must be current within 12 months.

The accuracy requirements dictate that:

  • All of the security control testing must reflect the current control implementations, and all of it must be performed by the same 3PAO.

Any high findings documented in the SAR must be closed within 30 days. To close a finding, the 3PAO can perform a targeted rescan of the affected components or gather other evidence that verifies the high vulnerability has been remediated.

How does it affect you?

This update gives all CSPs clear guidance on how long each kind of assessment evidence remains valid, which helps them schedule their work with their 3PAOs so that testing lands close to package submission rather than expiring before it.

It also ensures that the JAB is working from timely evidence when granting a provisional authorization. Together, these requirements improve the FedRAMP approval process.

For more information on the FedRAMP Timeliness and Accuracy of Testing requirements, and on how current the evidence in a JAB authorization package must be, please reach out to [email protected] to speak with one of our security professionals.