The Federal Risk and Authorization Management Program (FedRAMP) issued three new documents Tuesday outlining continuous monitoring guidance and requirements for cloud service providers (CSPs).
The new documents include a draft version of the “Automated Vulnerability Risk Adjustment Framework Guidance,” the “Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans” and another on “Vulnerability Scanning Requirements.”
FedRAMP officials have emphasized reducing the compliance costs of continuous monitoring requirements for providers offering cloud services to federal agencies, and in January began gradually rolling out new documents to address the changes.
The new documents provide guidance on using automated tools based on the Common Vulnerability Scoring System (CVSS), on how CSPs can “scan representative samples of system components instead of the entire system,” and on other vulnerability scanning requirements.
CSPs will have six months to apply the new guidance for the sampling of vulnerability scans, while FedRAMP officials said they would pilot the draft “Automated Vulnerability Risk Adjustment Framework Guidance” over the course of the year before issuing a final version.