FedRAMP Continuous Monitoring in RegScale
Background
The FedRAMP program requires Cloud Service Providers (CSP) to continuously monitor the cloud service offering to detect changes in the security posture of the system to enable well-informed risk-based decision making. This guide instructs the CSP on how to use RegScale to prepare monthly Continuous Monitoring (ConMon) reports for FedRAMP.
The FedRAMP continuous monitoring program is based on the continuous monitoring process described in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. The goal is to provide: (i) operational visibility; (ii) managed change control; and (iii) attendance to incident response duties. For more information on incident response, review the FedRAMP Incident Communications Procedure.
In short, each month, CSPs need to supply a package of reports to their FedRAMP sponsor outlining the security posture of their accredited system. This report is outlined in the Continuous Monitoring Strategy Guide published by FedRAMP. The report contains the following artifacts as outlined in the FedRAMP Continuous Monitoring Deliverables Template (the POA&M, Integrated Inventory, and DRF are generated by RegScale):
- Continuous Monitoring Monthly Executive Summary
- Vulnerability and Configuration Scanning
- Plan of Actions and Milestones (POA&M)
- Integrated Inventory
- Deviation Request Form (DRF)
As noted above, RegScale can generate the POA&M, Inventory, and DRF artifacts. For the POA&M and Inventory, RegScale relies upon external data, specifically the monthly vulnerability and compliance scans, to generate these reports. Once an initial set of ConMon artifacts is imported, monthly scan ingestion updates the inventory and POA&Ms. Deviations can be created manually in RegScale to populate the DRF.
RegScale Process
Initialization
The FedRAMP artifacts are a feature of RegScale's Security Plans module. To generate these artifacts, there needs to be a Security Plan in RegScale corresponding to the Security Plan submitted and approved in the FedRAMP process. As the ConMon does not address any security controls, the plan in RegScale does not need to have all security control implementations completed.
The Security Plan can be created manually or a FedRAMP formatted Security Plan can be imported. To import a Security Plan, see FedRAMP Imports.
Baseline
In order to ensure continuity between existing manual ConMon artifacts and RegScale generated ones, import the existing Inventory, POA&M, and DRF spreadsheets. This is only needed once.
- Import the FedRAMP Integrated Inventory: this creates the assets in the Security Plan
- Import the FedRAMP POA&M: this creates the issues in the Security Plan (both open and closed)
- Import the FedRAMP Deviation Request Form: this updates issues with deviation requests
Monthly Scan Data
After importing the baseline data, monthly scan data will update the records in RegScale, which can be exported and submitted to FedRAMP sponsors.
Depending upon the scan type, set up a live integration or a scheduled task to import flat files. Set the values in the init.yaml configuration file or the automation manager settings as follows; see Scanner Integrations for more information:
Key | Notes | FedRAMP Value / Type
---|---|---
dueDates | Default number of days until an issue's due date, by severity | dict: {'high': 30, 'moderate': 90, 'low': 180}
incrementPoamIdentifier | If issues use "otherIdentifier" for the POA&M ID, increment the pattern by +1 for each new issue | bool: true
ingestClosedIssues | Whether or not to import closed issues | bool: true
issueCreation | For commercial scan integrations, whether an issue is created for each unique vulnerability/asset pair ("PerAsset") or one issue per unique vulnerability ("Consolidated") | string: "PerAsset"
poamTitleType | What to use for the title of POA&Ms created from scans | string: "Cve"
tenableGroupByPlugin | For Tenable scans, group findings by Plugin ID instead of by CVE | bool: true
threadMaxWorkers | Maximum number of worker threads | int: 1-8, default: 4
vulnerabilityCreation | For commercial scan integrations, whether an issue is created for vulnerabilities: "NoIssue" (do not create issues from vulnerabilities), "IssueCreation" (create issues from vulnerabilities), "PoamCreation" (create issues/POA&Ms from vulnerabilities) | string: "PoamCreation"
Each scan import will:
- Create a "scan history" in the Security Plan
- Create vulnerabilities for each vulnerability in the scan
- Check the KEV database at CISA and set vulnerabilities with existing KEV records as "known exploitable"
- Set any assets that are not in the scan as "inactive"
- Add any assets that are not in the Security Plan
- Mark any vulnerabilities and issues matching the same source (e.g. Prisma) that are not in the scans as "closed"
- Create issues for scan results that are not currently issues (new vulnerabilities)
- Update issues for scan results that already exist as issues with any new affected assets
- Set the due date for each newly created issue according to its severity
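The following is an added example, not RegScale's own code, that walks through the scan import steps above against in-memory records, honouring the issueCreation and dueDates settings from the configuration table. The record shapes, the sample plan, the scan findings and the CVE identifiers are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed settings mirroring init.yaml keys from the table above (shape assumed).
CONFIG = {"dueDates": {"high": 30, "moderate": 90, "low": 180},
          "issueCreation": "PerAsset"}

def reconcile_scan(assets, issues, scan, source, kev_ids, today, cfg=CONFIG):
    """Apply one scan to a plan's records in place and return its vulnerabilities.
    assets: {name: {"active": bool}}; issues: list of dicts; scan: findings from `source`."""
    scanned = {f["asset"] for f in scan}
    # Assets missing from the scan become inactive; unknown assets are added.
    for name, a in assets.items():
        a["active"] = name in scanned
    for name in scanned - set(assets):
        assets[name] = {"active": True}
    # One vulnerability record per finding, flagged against the CISA KEV list.
    vulns = [dict(f, known_exploitable=f["cve"] in kev_ids) for f in scan]
    # PerAsset keys issues by (cve, asset); Consolidated keys them by cve only.
    per_asset = cfg["issueCreation"] == "PerAsset"
    key = lambda cve, asset: (cve, asset if per_asset else None)
    open_by_key = {key(i["cve"], i["asset"]): i for i in issues
                   if i["source"] == source and i["status"] == "open"}
    seen = {key(f["cve"], f["asset"]) for f in scan}
    for f in scan:
        k = key(f["cve"], f["asset"])
        if k in open_by_key:  # existing issue: record any newly affected asset
            open_by_key[k]["affected"].add(f["asset"])
        else:                 # new finding: open an issue, due date by severity
            due = today + timedelta(days=cfg["dueDates"][f["severity"]])
            open_by_key[k] = {"cve": f["cve"], "asset": k[1], "source": source,
                              "status": "open", "due": due, "affected": {f["asset"]}}
            issues.append(open_by_key[k])
    # Same-source open issues that no longer appear in the scan are closed.
    for i in issues:
        if i["source"] == source and i["status"] == "open" \
                and key(i["cve"], i["asset"]) not in seen:
            i["status"] = "closed"
    return vulns

def demo():
    """Constructed sample: one Prisma scan against a two-asset plan."""
    today = date(2024, 1, 1)
    assets = {"web1": {"active": True}, "db1": {"active": True}}
    issues = [{"cve": "CVE-0000-0001", "asset": "web1", "source": "Prisma",
               "status": "open", "due": today, "affected": {"web1"}}]
    scan = [{"asset": "web1", "cve": "CVE-0000-0002", "severity": "high"},
            {"asset": "app1", "cve": "CVE-0000-0002", "severity": "high"}]
    vulns = reconcile_scan(assets, issues, scan, "Prisma", {"CVE-0000-0002"}, today)
    return assets, issues, vulns
```

Running demo() shows db1 going inactive, app1 being added, the stale CVE-0000-0001 issue closing, and two new PerAsset issues due 30 days out.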
Manually Review POA&Ms
After the scans are imported, the POA&M issues should be manually reviewed prior to submission.
- Review the newly opened and closed Issues/POA&Ms in RegScale for any concerns
- Create or update deviations for any Operational Requirements, Risk Adjustments, or False Positives in the new issues
- Update the "Milestones" field in the Issues/POA&Ms
- Update any Vendor Dependencies
Export the FedRAMP Artifacts
Once the scans have updated the Inventory and POA&Ms and each has been manually reviewed, export the artifacts from RegScale. Note that the 'status date' in each export is set to the date the file is exported; update it if desired.
- Export the Integrated Inventory
- Export the POA&M
- Export the Deviation Request Form
- Manually create the Executive Summary Report (RegScale will eventually add this as a generated report)
Copies of these exports will remain in the Security Plan's File Subsystem until deleted by the end user.