October 9, 2023 – Authorization Path Improvements
No outstanding questions.
October 26, 2023 – ConMon Process Improvements
Bo Berlas: “The ConMon related ones [one-pagers] correspond to just the monthly OS database and the corresponding updates to the POA&Ms for the control related findings. Do you find as in October of 2023, where we sit today, that for the types of cloud service solutions that are being for federal authorization, that OS web and database scanning in and of itself is wholly reflective of the overall set of risks, cyber hygiene risk, for how some of these are being delivered? We have API integration everywhere, we have multi-cloud integrations everywhere, we have microservices, and we’ve got AP container related solutions. Are we consuming all of the right or asking for all of the right sets of data to really understand the true cyber hygiene across the cloud service environments?”
FedRAMP PMO Response: FedRAMP requirements around scanning have evolved over time as technologies have advanced. In the Rev 4 baselines, we did focus on web, database and OS scanning. However, as technology has evolved, so have our scanning requirements. We did add specific guidance for container scanning, which CSPs should be providing now. Additionally, as part of the approved Rev 5 baselines, we did specify that API scanning is required (as applicable). As additional technologies emerge, and the ability to perform a risk analysis evolves, FedRAMP will continue to refine requirements to appropriately provide clarity around the risk hygiene of the cloud service providers. This is one area where FedRAMP will continue to seek guidance and suggestions from the FSCAC as well as other stakeholders as technology evolves, and we continue to look at ways to enhance visibility into the overall risk posture of cloud service offerings.
November 2, 2023 – Automation Initiative & Opportunities
Jackie Snouffer: “Will you make those [OSCAL packages] available to agencies for reuse, or will you use that internally by the PMO to move something to the marketplace?”
FedRAMP PMO Response: FedRAMP intends to treat OSCAL packages the same as any other packages received, and would share them with Agencies.
FedRAMP intends to provide additional means for agencies to consume OSCAL content via FedRAMP APIs and other supporting OSCAL tooling.
Daniel Pane: “I’m curious if we have any stats or metrics on the number of agencies that have tools or are ready to ingest OSCAL packages or ready for that automation.”
FedRAMP PMO Response: No, we do not have metrics or statistics on the number of agencies that have tools or are ready to ingest OSCAL packages. The PMO is considering providing local open source tooling to address the ability for all stakeholders to develop, validate and consume OSCAL content without sending potentially sensitive content to an external API.
November 9, 2023 – FSCAC Deliverable Focus
Bill Hunt: “How was the equivalent of the MITRE att&ck framework used when prioritizing the controls for the Rev5 baseline?”
FedRAMP PMO Response: As input to the Rev 5 baseline, FedRAMP worked with a team of experts, including DoD .car team members, to evaluate and score (using the MITRE ATT&CK framework) the previous (Rev 4) baselines, including those controls where a Rev 4 control was withdrawn and moved to another control as part of Rev 5. That scoring was provided to the JAB Technical Representatives (TRs) as input for consideration, but was not used as the primary driver to determine the Rev 5 baselines. The TRs felt that the scoring was likely more applicable to the Continuous Monitoring phase and the frequency of control assessment. The scoring was considered to determine the Rev 5 annual assessment “core” controls (those that need to be tested every year).