FedRAMP requires monthly vulnerability scanning at the three traditional layers (infrastructure/operating system, database, and application) of all components within the boundary. In addition, FedRAMP has issued guidance for vulnerability scanning of container technology, through either scanning container images prior to deployment or deploying security sensors alongside the containers. Vulnerability scans have to meet all of the RA-5 control enhancements (e.g., authenticated scans with up-to-date scanner plug-ins, all of which are enabled).
The results of the vulnerability scans of the boundary are monitored by the authorizing officials (AOs), either the JAB or the agencies that authorized the system. The AOs receive that information from multiple sources. During FedRAMP assessments, the 3PAO assessor has to run or observe the vulnerability scans at each layer. All vulnerabilities identified by the respective scanners are included in the Security Assessment Report, which the AOs review for the authorization. Each month during continuous monitoring, the CSP has to submit detailed information about its vulnerabilities to its AO, including: raw vulnerability results, POA&Ms for vulnerabilities that exceed their resolution timeframes, and deviation requests for downgrading the risk, closing vulnerabilities as false positives, or accepting the risk as an operational requirement.
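Before the monthly submission goes to the AO, a CSP wants to know whether the scans it is about to report actually satisfy the requirements above: every in-boundary component scanned at each of its layers within the reporting month, with an authenticated scan and current plug-ins. The following is an added illustration, not code from FedRAMP or from SecureIT; the inventory and scanner records are constructed, and the plug-in age threshold is an assumed local setting (FedRAMP only requires that plug-ins be up to date).

```python
from datetime import date

# FedRAMP: every in-boundary component is scanned monthly at each layer it
# exposes (OS/infrastructure, database, application), with authenticated
# scans and an up-to-date plug-in set (RA-5 enhancements).
REQUIRED_LAYERS = {"os", "database", "application"}

# Constructed sample inventory and scanner export (hypothetical data).
INVENTORY = {"web-01": {"os", "application"}, "db-01": {"os", "database"}}
SCANS = [
    {"asset": "web-01", "layer": "os", "authenticated": True,
     "plugins_updated": date(2024, 5, 28), "run": date(2024, 5, 30)},
    {"asset": "web-01", "layer": "application", "authenticated": True,
     "plugins_updated": date(2024, 3, 1), "run": date(2024, 5, 30)},   # stale plug-ins
    {"asset": "db-01", "layer": "os", "authenticated": False,
     "plugins_updated": date(2024, 5, 28), "run": date(2024, 5, 30)},  # unauthenticated
    {"asset": "db-01", "layer": "database", "authenticated": True,
     "plugins_updated": date(2024, 4, 1), "run": date(2024, 4, 2)},    # previous month
]

def scan_problems(scan, max_plugin_age_days):
    """Return RA-5 enhancement failures for one scan record."""
    problems = []
    if not scan["authenticated"]:
        problems.append("unauthenticated scan")
    age = (scan["run"] - scan["plugins_updated"]).days
    if age > max_plugin_age_days:
        problems.append(f"plug-in set {age} days old")
    return problems

def conmon_gaps(inventory, scans, period_start, period_end, max_plugin_age_days=7):
    """Map each required (asset, layer) lacking a compliant scan in the period to
    its reasons. max_plugin_age_days is an assumed local threshold, not a FedRAMP number."""
    reasons, compliant = {}, set()
    for s in scans:
        if not (period_start <= s["run"] <= period_end):
            continue  # belongs to another reporting month
        key = (s["asset"], s["layer"])
        problems = scan_problems(s, max_plugin_age_days)
        if problems:
            reasons.setdefault(key, []).extend(problems)
        else:
            compliant.add(key)
    gaps = {}
    for asset, layers in inventory.items():
        for layer in layers & REQUIRED_LAYERS:
            if (asset, layer) not in compliant:
                gaps[(asset, layer)] = reasons.get((asset, layer), ["no scan in period"])
    return gaps
```

Running `conmon_gaps(INVENTORY, SCANS, date(2024, 5, 1), date(2024, 5, 31))` on the constructed data flags three of the four required asset/layer pairs, each with the reason the AO would otherwise discover in the raw results.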
For a detailed discussion of FedRAMP’s requirements for vulnerability scanning, remediation, and reporting, please refer to SecureIT’s FedRAMP Tech Bulletin on Vulnerability Management.