The Federal Risk and Authorization Management Program provided a preview of guidance it will soon issue on how internal components and external cloud service providers should document continuous monitoring compliance.
In a recent blog post, FedRAMP officials at the General Services Administration said they would soon be issuing formal guidance on CSPs’ authorization boundary — the demarcation line for security authorization responsibilities between agencies and CSPs.
FedRAMP’s Program Management Office has been examining not only the internal structures of a CSP’s data infrastructure but also the third-party partners they work with and how they access federal data and metadata.
“As opposed to other control regimes like [International Standards Organization, Payment Card Industry, Service Organization Control,] etc., FedRAMP qualifies a system’s boundary according to wherever Federal data and/or information is stored, processed, transmitted or used,” the blog said.
“The flow of data in and out of a system provides a frame of reference for understanding how to define the boundary,” it continues. “Importantly, the same applies to a system’s metadata, as a system is only as secure as its weakest link.”
In drafting an authorization boundary, FedRAMP officials said disclosure of third-party information provides potential agency customers with a more accurate risk management view of how their data and metadata may be shared.
So if a CSP stores federal data on a customer relationship management tool or uses a vulnerability scanning tool for continuous monitoring, it should disclose whether any of those tools come from a third party and ensure that party has the appropriate security authorizations for the federal data and metadata they are accessing.
Officials said they would offer more information on the guidance this month, but in the meantime CSPs should consider diagramming the system access and privileges of all stakeholders on their networks, assessing the impact microservices might have on access, and coordinating with the PMO on questions about how to develop the boundary.
FedRAMP has made continuous monitoring a key piece of its streamlining efforts in 2018, including trimming compliance costs.