Breaking it down further I see some things of note...
"(2) Avoid unnecessary and unjustified bundling that precludes small business participation as contractors (see 7.107) (15 U.S.C. 631(j))." This is contrary to sentiments I have observed in various venues where agency CISOs and CIOs and subordinates seem to be promoting the use of *fewer* vendors, under the notion that fewer vendors to manage means less risk, or fewer attack vectors, etc. Valid concerns on both sides - one example, having single vendor bundling limits innovation yet smaller vendors cannot effectively manage risks and threats of "moving fast and breaking things". Seems like an area where more data is needed and definitely more discussion.
Re: reference to in 40 U.S.C. 11312 and in particular "(6) provide the means for senior management personnel of the executive agency to obtain timely information regarding the progress of an investment in an information system, including a system of milestones for measuring progress, on an independently verifiable basis, in terms of cost, capability of the system to meet specified requirements, timeliness, and quality." we are working on an interactive tool for this - if anyone has any metrics, spreadsheet templates, report templates or other suggestions they want us to incorporate into this tool, we are happy to open source the tool when completed.
Re: - "OMB's implementing policies including Appendix III of OMB Circular A-130" says: "Automated Information Security Programs. Agencies shall implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications". and "Technical and operational controls support management controls. To be effective, all must interrelate." The last ATO I went through, everything was siloed and very disconnected, each group handing over its narrow deliverables to the next without any interrelation. Has anyone seen this practiced concretely in any agency? From my experience, as yet no one from the agencies seem to know who has the responsibility to increase the automation of security programs. We even offer OSCAL SSPs and such to the agencies but as yet have no takers.
Also in A-140 Appendix III: "The Appendix no longer requires the preparation of formal risk analyses. In the past, substantial resources have been expended doing complex analyses of specific risks to systems, with limited tangible benefit in terms of improved security for the systems. Rather than continue to try to precisely measure risk, security efforts are better served by generally assessing risks and taking actions to manage them. While formal risk analyses need not be performed, the need to determine adequate security will require that a risk-based approach be used. This risk assessment approach should include a consideration of the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards." Would that conflict with RA-3?
Also in Appendix III: "Authorization is not a decision that should be made by the security staff."and "Management authorization should be based on an assessment of management, operational, and technical controls." Related to the above lack of any effective automation adoption yet, ie OSCAL, how is this to be done otherwise? This is also related to the above single vendor issue - if the GRC tools in-house or otherwise do not support OSCAL, how can we expect any progress? There should be rapid agency adoption of newer tools (many are open source) that provide OSCAL ingestion and sharing. I am happy to run an agency training session on OSCAL and how it can be used for effective automation of authorization and continuous review of the ATO if there is interest.
Alo of note in A-130: 'agencies report security deficiencies and material weaknesses within their FMFIA reporting mechanisms as defined by OMB Circular No. A-123, "Management Accountability and Control," and take corrective actions in accordance with that directive' and "summary of agency security plans be included in the information resources management plan" - does anyone have a link to public examples of these actual reports?
I'm sure there's more to unpack going down the rabbit hole :)
------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
------------------------------
Original Message:
Sent: May 21, 2021 10:45:35 AM
From: Michael Roza
Subject: FedRAMP System Security Plan (SSP) HIgh/Moderate/Low Baseline Templates - Updated
Yes, that is how I read it.
It was not a wholesale update say to 800-53 rev 5 for example.
Original Message:
Sent: 5/21/2021 10:49:00 AM
From: Robert Ficcaglia
Subject: RE: FedRAMP System Security Plan (SSP) HIgh/Moderate/Low Baseline Templates - Updated
If I'm reading it right, the changes are very targeted to specific controls only:
SA-4 Additional FedRAMP Requirements and Guidance:
Requirement: The service provider must comply with Federal Acquisition Regulation (FAR) Subpart 7.103, and Section 889 of the John S. McCain National Defense Authorization Act (NDAA) for Fiscal Year 2019 (Pub. L. 115-232), and FAR Subpart 4.21, which implements Section 889 (as well as any added updates related to FISMA to address security concerns in the system acquisitions process).
Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.
See https://www.niap-ccevs.org/Product/
Additionally, the following updates were made to the Incident Response Testing High baseline control (IR-3) (in bold):
- IR-3-2 Requirement:
The service provider defines tests and/or exercises in accordance with NIST Special Publication 800-61 (as amended). Functional Testing must occur prior to testing for initial authorization. Annual functional testing may be concurrent with required penetration tests (see CA-8). The service provider provides test plans to the JAB/AO annually. Test plans are approved and accepted by the JAB/AO prior to test commencing.
The parameter for IR-3-1 has also been amended to: "at least every six (6) months, including functional at least annually."
------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
Original Message:
Sent: May 20, 2021 11:57:53 PM
From: Michael Roza
Subject: FedRAMP System Security Plan (SSP) HIgh/Moderate/Low Baseline Templates - Updated
Hi All,
FedRAMP just published updated System Security Plan (SSP) High/Moderate/Low Baseline Templates
The FedRAMP SSP High/Moderate/Low Baseline Templates provides the FedRAMP High/Moderate/Low Baseline baseline security control requirements for High/Moderate/Low Baseline impact cloud systems. These templates provide the framework to capture the system environment, system responsibilities, and the current status of High/Moderate/Low baseline controls required for the systems.
------------------------------
Michael Roza CPA, CISA, CIA, MBA, Exec MBA
------------------------------