联邦风险与授权管理计划-持续监管策略及指南

ContinuousMonitoringStrategy&GuideVersion2.0June6,2014ExecutiveSummaryTheOMBmemorandumM-10-15,issuedonApril21,2010,changedfromstaticpointintimesecurityauthorizationprocessestoOngoingAssessmentandAuthorizationthroughoutthesystemdevelopmentlifecycle.ConsistentwiththisnewdirectionfavoredbyOMBandsupportedinNISTguidelines,FedRAMPdevelopedanongoingassessmentandauthorizationprogramforthepurposeofmaintainingtheauthorizationofCloudServiceProviders(CSP).2010年4月21日，美国政府管理预算局（ OMB）发布了M-10-15备忘录，将时间安全授权过程中的静态点改为贯穿系统开发生命周期的持续评估和授权。除了OMB，NIST指导方针也支持了这个新动向，FedRAMP开发了一套持续评估和授权程序用以维持云服务商（CSP）的授权。AfterasystemreceivesaFedRAMPauthorization,itisprobablethatthesecuritypostureofthesystemcouldchangeovertimeduetochangesinthehardwareorsoftwareonthecloudserviceoffering,oralsoduetothediscoveryandprovocationofnewexploits.Ongoingassessmentandauthorizationprovidesfederalagenciesusingcloudservicesamethodofdetectingchangestothesecuritypostureofasystemforthepurposeofmakingrisk-baseddecisions.系统获得FedRAMP授权后，由于云服务产品的硬件或软件变化，或是因为新漏洞，系统的安全态势可能会随时间发生变化。持续评估和授权给使用云服务的联邦机构提供了检测系统安全态势变化的方法，这样机构就可以做风险导向决策。ThisguidedescribestheFedRAMPstrategyforCSPstouseoncetheyhavereceivedaFedRAMPProvisionalAuthorization.CSPsmustcontinuouslymonitorthecloudserviceofferingtodetectchangesinthesecuritypostureofthesystemtoenablewell-informedrisk-baseddecisionmaking.ThisguideinstructsCSPsontheFedRAMPstrategytocontinuouslymonitortheirsystems.一旦云服务商（CPSs）收到FedRAMP的临时授权，就可以参考本指南描述的 FedRAMP策略。为了更清楚地制定风险导向决策， CPS必须持续监控检测系统安全态势变化的云服务产品。本指南在FedRAMP策略方面指导CPS如何持续监控系统。DocumentRevisionHistoryDate Page(s) Description AuthorMajorrevisionforSP800-53Revision4.06/06/2014 Includesnewtemplateandformattingchanges.

FedRAMPPMOTableofContentsAboutthisdocument 7Whoshouldusethisdocument? 7Howthisdocumentisorganized 7Howtocontactus 71. Overview 81.1. PurposeofThisDocument 91.2. ContinuousMonitoringProcess 92. ContinuousMonitoringRoles&Responsibilities 112.1. AuthorizingOfficial 112.2. FedRAMPPMO 132.3. Departmentofhomelandsecurity(DHS) 132.4. ThirdPartyAssessmentOrganization(3PAO) 133. ContinuousMonitoringProcessArease 153.1. OperationalVisibility 153.2. ChangeControl 173.3. IncidentResponse 18AppendixA –ControlFrequencies 19AppendixB –TemplateMonthlyReportingSummary 47JABP-ATOContinuousMonitoringAnalysis 47ListofTablesTable3-1 –ControlSelectionCriteria 17TableA-1 –SummaryofContinuousMonitoringActivities&Deliverables 46ListofFiguresFigure1 –NISTSpecialPublication800-137ContinuousMonitoringProcess.11ABOUTTHISDOCUMENTThisdocumenthasbeendevelopedtoprovideguidanceoncontinuousmonitoringandongoingauthorizationinsupportofmaintainingasecurityauthorizationthatmeetstheFedRAMPrequirements.ThisdocumentisnotaFedRAMPtemplate--thereisnothingtofilloutinthisdocument.本文档为FedRAMP要求的维持安全授权所需的持续监控和持续授权提供指导，本文档不是FedRAMP模版——无需填写。WHOSHOULDUSETHISDOCUMENT?本文档的适用对象ThisdocumentisintendedtobeusedbyCloudServiceProviders(CSPs),ThirdPartyAssessorOrganizations(3PAOs),governmentcontractorsworkingonFedRAMPprojects,andgovernmentemployeesworkingonFedRAMPprojects.Thisdocumentmayalsoproveusefulforotherorganizationsthataredevelopingacontinuousmonitoringprogram.云服务商、第三方评估机构、涉及FedRAMP项目的政府合约商以及政府雇员可以使用本文档，正在开发持续监管程序的其他组织也可使用。HOWTHISDOCUMENTISORGANIZED文档结构Thisdocumentisdividedintosevensectionsandoneappendix.Section1 Providesanoverviewofthecontinuousmonitoringprocess.Section2 DescribesrolesandresponsibilitiesforstakeholdersotherthanCSPs.Section3 Describeshowoperationalvisibility,changecontrolandincidentresponsesupportcontinuousmonitoring.AppendixA Describesthesecuritycontrolfrequencies.HOWTOCONTACTUS联系方式QuestionsaboutFedRAMPorthisdocumentmaybedirectedto info@.FormoreinformationaboutFedRAMP,visitthewebsiteat.OVERVIEW概述WithintheFedRAMPSecurityAssessmentFramework,onceanauthorizationhasbeengranted,theCSP’ssecuritypostureismonitoredaccordingtotheassessmentandauthorizationprocess.MonitoringsecuritycontrolsispartoftheoverallriskmanagementframeworkforinformationsecurityandisarequirementforCSPstomaintainasecurityauthorizationthatmeetstheFedRAMPrequirements.在FedRAMP安全评估框架内，一旦CSP获得授权，那么就会依据评估和授权过程对CSP的安全态势进行监控。监视安全控制是整个信息安全风险管理框架的一部分，也是对CSP的要求，以保持满足FedRAMP要求的安全授权。Traditionally,thisprocesshasbeenreferredtoas“ContinuousMonitoringasnotedinNISTSP800-137InformationSecurityContinuousMonitoringforFederalInformationSystemsandOrganizations.OtherNISTdocumentssuchasNISTSP800-37,Revision1referto“ongoingassessmentofsecuritycontrols”.Itisimportanttonotethatboththeterms“ContinuousMonitoring”and“OngoingSecurityAssessments”meanessentiallythesamethingandshouldbeinterpretedassuch.

”从传统意义上来说，这个过程也就是《NISTSP800-137联邦信息系统及组织的信息安全持续监管》中提到的“持续监管”。其他NIST文档如NISTSP800-37修订版1中提到了“安全控制的持续评估”。重要的是要注意“持续监管”和“持续安全评估”的意义在本质上是一样的，也应理解为相同的事件。Performingongoingsecurityassessmentsdetermineswhetherthesetofdeployedsecuritycontrolsinacloudinformationsystemremainseffectiveinlightofnewexploitsandattacks,andplannedandunplannedchangesthatoccurinthesystemanditsenvironmentovertime.TomaintainanauthorizationthatmeetstheFedRAMPrequirements,CSPsmustmonitortheirsecuritycontrols,assessthemonaregularbasis,anddemonstratethatthesecuritypostureoftheirserviceofferingiscontinuouslyacceptable.实施持续的安全评估可以确定在云信息系统中已部署的某套安全措施对新的渗透和攻击、及在系统和自身环境中随时间出现的计划和非计划变更是否依然有效。CSP为了维持满足FedRAMP要求的授权，必须定期监视、评估其安全措施、并证明其提供的服务的安全态势持续满足要求。OngoingassessmentofsecuritycontrolsresultsingreatercontroloverthesecuritypostureoftheCSPsystemandenablestimelyrisk-managementdecisions.Security-relatedinformationcollectedthroughcontinuousmonitoringisusedtomakerecurringupdatestothesecurityassessmentpackage.Ongoingduediligenceandreviewofsecuritycontrolsenablesthesecurityauthorizationpackagetoremaincurrentwhichallowsagenciestomakeinformedriskmanagementdecisionsastheyusecloudservices.安全控制措施的持续评估使CSP系统的安全态势得到更强的安全控制，并能及时实施风险管理决策。持续监管过程中收集到的安全相关信息用于不断更新安全评估组件。持续的严格评估和安全措施检查使安全授权包保持最新，即允许代理在使用云服务时做出有据可循的风险管理决策。1.1. PURPOSEOFTHISDOCUMENT本文档的目的ThisdocumentisintendedtoprovideCSPswithguidanceandinstructionsonhowtoimplementtheircontinuousmonitoringprogram.CertaindeliverablesandartifactsrelatedtocontinuousmonitoringthatFedRAMPrequiresfromCSP’sarediscussedinthisdocument本文档目的是为CSP实施持续监管计划提供指导和说明。某些FedRAMP要求CSP提供的、与持续监管相关的可交付成果和组件会在本文档中讨论。1.2. CONTINUOUSMONITORINGPROCESS持续监管过程TheFedRAMPcontinuousmonitoringprogramisbasedonthecontinuousmonitoringprocessdescribedinNISTSP800-137,InformationSecurityContinuousMonitoringforFederalInformationSystemsandOrganizationgoalistoprovide:(i)operationalvisibility;(ii)managedchangecontrol;(iii)andattendancetoincidentresponseduties.Formoreinformationonincidentresponse,reviewtheFedRAMPIncidentCommunicationsProcedure

.The.FedRAMP持续监管计划是以《NISTSP800-137联邦信息系统和组织信息安全的持续监管》中描述的持续监管过程为基础的。目标是提供：(i)运营可视化；(ii)变更控制管理；(iii)参与事件响应职责。想要获取更多事件响应的信息，可以参阅FedRAMP的《事件通信规程》。TheeffectivenessofaCSP’scontinuousmonitoringcapabilitysupportsongoingauthorizationandreauthorizationdecisions.Security-relatedinformationcollectedduringcontinuousmonitoringisusedtomakeupdatestothesecurityauthorizationpackage.UpdateddocumentsprovideevidencethatFedRAMPbaselinesecuritycontrolscontinuetosafeguardthesystemasoriginallyplanned.CSP持续监管能力的有效性支持持续授权和再授权决策。持续监管过程中收集到的安全相关信息用于更新安全授权组件包。更新的文档为FedRAMP的基线安全控制措施按原计划持续保护系统的供证明。AsdefinedbytheNationalInstituteofStandardsandTechnology(NIST),theprocessforcontinuousmonitoringincludesthefollowinginitiatives:正如

NIST的定义，持续监管的过程包括如下举措：Defineacontinuousmonitoringstrategybasedonrisktolerancethatmaintainsclearvisibilityintoassetsandawarenessofvulnerabilitiesandutilizesup-to-datethreatinformation. 基于风险承受能力定义持续监管策略，这样的监管策略具有资产可见性，知悉安全隐患，并能够利用最新的威胁信息。Establishmeasures,metrics,andstatusmonitoringandcontrolassessmentsfrequenciesthatmakeknownorganizationalsecuritystatusanddetectchangestoinformationsysteminfrastructureandenvironmentsofoperation,andstatusofsecuritycontroleffectivenessinamannerthatsupportscontinuedoperationwithinacceptablerisktolerances.

建立措施、度量和状态监控，控制报告组织安全状态的评估频率，并在可接受的风险承受能力范围内，以支持持续运营的方式，检测信息系统基础设施和运营环境以及安全控制有效性的状态变更。Implementacontinuousmonitoringprogramtocollectthedatarequiredforthedefinedmeasuresandreportonfindings;automatecollection,analysisandreportingofdatawherepossible. 实施持续监管计划，收集确定的措施需要的数据，并对发现作报告；尽可能将数据收集、分析和报告过程自动化。AnalyzethedatagatheredandReportfindingsaccompaniedbyrecommendations.Itmaybecomenecessarytocollectadditionalinformationtoclarifyorsupplementexistingmonitoringdata.

分析收集到的数据并报告包含建议的发现。收集额外的信息以阐明或补充目前的监控数据可能是必要的。Respondtoassessmentfindingsbymakingdecisionstoeithermitigatetechnical,managementandoperationalvulnerabilities;oraccepttherisk;ortransferittoanotherauthority. 通过制定缓解技术上的、管理上的还是操作上的漏洞决策对评估发现做出响应；或者接受风险；或将其转移给另一个授权方。ReviewandUpdatethemonitoringprogram,revisingthecontinuousmonitoringstrategyandmaturingmeasurementcapabilitiestoincreasevisibilityintoassetsandawarenessofvulnerabilities;furtherenhancedatadrivencontrolofthesecurityofanorganization

’sinformationinfrastructure;andincreaseorganizationalflexibility.

检查和更新监控计划，校正持续监管策略并使度量能力趋于成熟，以增加资产的可见性和安全隐患意识；更进一步加强组织信息基础设施的数据驱动控制安全，增加组织灵活性。Figure1 –NISTSpecialPublication800-137ContinuousMonitoringProcessSecuritycontrolassessmentsperformedperiodicallyvalidatewhetherstatedsecuritycontrolsareimplementedcorrectly,operatingasintended,andmeetFedRAMPbaselinesecuritycontrols.Securitystatusreportingprovidesfederalofficialswithinformationnecessarytomakerisk-baseddecisionsandprovidesassurancetoexistingcustomeragenciesregardingthesecuritypostureofthesystem.周期性的执行安全控制评估以验证是否正确地实施规定的安全措施，是否按照计划运行安全措施，以及是否满足FedRAMP的基线安全控制。安全状态报告为联邦机构提供必要的信息以便其制定基于风险的决策，并给当前客户代理提供关于系统安全态势的保证。CONTINUOUSMONITORINGROLES&RESPONSIBILITIES持续监管角色及责任2.1. AUTHORIZINGOFFICIAL授权机构AuthorizingOfficialsandtheirteams( “AOs”)serveasthefocalpointforcoordinationofcontinuousmonitoringactivitiesforCSPs.CSPsmustcoordinatewiththeirAOstosendsecuritycontrolartifactsatvariouspointsintime.TheAOsmonitorboththePlanofAction&Milestones(POA&M)andanymajorsignificantchangesandreportingartifacts(suchasvulnerabilityscanreports)associatedwiththeCSPserviceoffering.AOsusethisinformationsothatrisk-baseddecisionscanbemadeaboutongoingauthorization.AgencycustomersmustperformthefollowingtasksinsupportofCSPcontinuousmonitoring:授权机构及其团队(“AOs”)在CSP的持续监管活动的协调中起关键作用。 CSP必须配合其AOs在各个时间点发送安全控制组件。AOs对行动计划和里程碑（POA&M）及任何重大的变更进行监控，并对CSP提供服务的相关组件进行报告（例如漏洞扫描报告）。AOs利用这些信息以便制定出持续授权的基于风险的决策。代理客户必须执行以下任务以支持CSP的持续监管：NotifyCSPiftheagencybecomesawareofanincidentthataCSPhasnotyetreported如果代理发现CSP还未上报的紧急事件，则通知CSP。ProvideaprimaryandsecondaryPOCforCSPsandUS-CERTasdescribedinagency为CSP和美国计算机紧急响应小组（UnitedStatesComputerEmergencyReadinessTeam）提供以代理描述的主要和次要的 POC（pointsofcontact 联系点）。andCSPIncidentResponsePlansCSP应急响应计划NotifyUS-CERTwhenaCSPreportsanincident当CSP报告紧急事件时，通知US-CERTWorkwithCSPstoresolveincidents;providecoordinationwithUS-CERTifnecessary与CSP一起解决紧急事件；如果有必要的话，配合 US-CERT。NotifyFedRAMPISSOofCSPincidentactivity通知FedRAMP的ISSO（信息系统安全官）CSP紧急事件活动。Monitorsecuritycontrolsthatareagencyresponsibilities.监视代理负责的安全控制措施。Duringincidentresponse,bothCSPsandleveragingagenciesareresponsibleforcoordinatingincidenthandlingactivitiestogether,andwithUS-CERT.Theteambasedapproachtoincidenthandlingensuresthatallpartiesareinformedandenablesincidentstobeclosedasquicklyaspossible.在应急响应中，CSPs，利益相关的代理，以及US-CERT，一起负责协调处理紧急事件。基于紧急事件处理的团队确保通知所有相关部门，确保尽快解决问题。2.2. FEDRAMPPMOTheFedRAMPProgramManagementOffice(PMO)actsastheliaisonfortheJointAuthorizationBoardforensuringthatCSPswithaJABP-ATOstrictlyadheretotheirestablishedContinuousMonitoringPlan.TheJABandFedRAMPPMOonlyperformContinuousMonitoringactivitiesforthoseCSPsthathaveaJABP-ATO.FedRAMP计划管理办公室作为JointAuthorizationBoard（联合授权董事会）的联络员，确保拥有JABP-ATO（JointAuthorizationBoardProvisionalAuthoritiestoOperate）的CSP严格遵守其制定的持续监管计划。ATO的CSP实施持续监管活动。

JAB和

FedRAMPPMO只为获得

JABP-注：JAB是FedRAMP计划的主要管理团队，由国防部、国土安全部以及美国总务管理局的首席信息官组成2.3. DEPARTMENTOFHOMELANDSECURITY(DHS)国土安全部TheFedRAMPPolicyMemoreleasedbyOMBdefinestheDHSFedRAMPresponsibilitiestoinclude:OMB发布的FedRAMP政策备忘录定义了DHSFedRAMP的责任包括：Assistinggovernment-wideandagency-specificeffortstoprovideadequate,risk-basedandcost-effectivecybersecurity协助全政府和特定代理努力提供充足的、基于风险的和性价比高的网络安全。Coordinatingcybersecurityoperationsandincidentresponseandprovidingappropriateassistance协调网络安全运营与应急响应并提供适当的帮助DevelopingcontinuousmonitoringstandardsforongoingcybersecurityofFederalinformationsystemstoincludereal-timemonitoringandcontinuouslyverifiedoperatingconfigurations为联邦信息系统的持续网络安全开发持续监管标准，该标准要囊括实时监管和持续验证的操作配置DevelopingguidanceonagencyimplementationoftheTrustedInternetConnection(TIC)programforcloudservices.为云服务开发可信互联网连接计划的代理实施指南TheFedRAMPPMOworkswithDHStoincorporateprogramguidanceanddocuments.FedRAMPPMO

DHS’sguidanceintotheFedRAMP和DHS协作将DHS的指南纳入到FedRAMP计划指南和文档中。2.4. THIRDPARTYASSESSMENTORGANIZATION(3PAO)第三方评估机构ThirdPartyAssessmentOrganizations(3PAO)areresponsibleforindependentlyverifyingandvalidatingthecontrolimplementationandtestresultsforCSPsinthecontinuousmonitoringphaseoftheFedRAMPprocess.Specifically,3PAOsareresponsiblefor:在FedRAMP过程中，第三方评估机构负责为CPS独立验证和确认控制措施实施以及测试结果。第三方评估机构尤其要负责：? Assessingadefinedsubsetofthesecuritycontrolsannually.安全控制措施确定子集的年度评估? SubmittingtheassessmentreporttotheISSOoneyearaftertheauthorizationdateandeachyearthereafter.

CSP’sCSP授权日期之后的一年以及往后的每一年，提交评估报告给

ISSOPerformingannouncedpenetrationtesting.实施正规的渗透测试Performannualscansofwebapplications,databases,andoperatingsystems.每年对web应用、数据库和操作系统进行扫描AssessingchangedcontrolsonanadhocbasisasrequestedbytheAOsforanychangesmadetothesystembytheCSP.按照AOs（授权机构）的要求，一旦CPS对系统做出任何变更，随时对变更的控制措施进行评估。Inordertobeeffectiveinthisrole,3PAOsareresponsibleforensuringthatthechainofcustodyismaintainedforany3PAOauthoreddocumentation.3PAOsmustalsobeabletovouchfortheveracityandintegrityofdataprovidedbytheCSPforinclusionin3PAOauthoreddocumentation.Asanexample:为了使这一作用更有效，3PAOs负责保证维护3PAOs授权文档的监管链。3PAOs也必须有能力保证CSP为3PAO授权文档提供的数据精确性和完整性。例如：IfscansareperformedbytheCSP,the3PAOmusteitherbeonsiteandobservetheCSPperformingthescansorbeabletomonitororverifytheresultsofthescansthroughothermeansdocumentedandapprovedbytheAO.如果CSP执行扫描，3PAO要么必须在现场观察CSP实施扫描，要么能够通过其他登记在案并经AO批准的方式进行监控或验证扫描结果。DocumentationprovidedtotheCSPmustbeplacedinaformatthateithertheCSPcannotalterorthatallowsthe3PAOtoverifytheintegrityofthedocument.提供给CSP的文档必须以CSP无法更改或允许3PAO验证文档完整性的格式放置。CONTINUOUSMONITORINGPROCESSAREASE持续监管过程3.1. OPERATIONALVISIBILITY运营可见性AnimportantaspectofaCSP’scontinuousmonitoringprogramistoprovideevidencethatdemonstratestheefficacyofitsprogram.CSPsanditsindependentassessorsarerequiredtoprovideevidentiaryinformationtoAOsataminimumofamonthly,annually,every3years,andonanas-neededfrequencyafterauthorizationisgranted.ThesubmissionofthesedeliverablesallowAOstoevaluatetheriskpostureoftheCSP’sserviceoffering.CSP持续监管计划的一个重要作用就是提供证据证明其计划的有效性。 CSP和其独立评估人在获得授权之后，至少以每月、每年、每三年及需要的频率提供证据信息给AOs。这些交付件的提交能让AOs评估CSP提供的服务的风险态势。TableA-1noteswhichdeliverablesarerequiredaspartofcontinuousmonitoringactivities.Thesedeliverablesincludeprovidingevidence,suchasprovidingmonthlyvulnerabilityscansofCSPsoperatingsystems/infrastructure,databases,andwebapplications.表A-1所示的是作为持续监管活动的一部分，所要求的交付件。这些交付件包括提供证据，例如每月提供CSP操作系统/基础设施、数据库和web应用的漏洞扫描。AspartofthecontinuousmonitoringprocessCSPsarerequiredtohavea3PAOperformanassessmentonanannualbasisforasubsetoftheoverallcontrolsimplementedonthesystem.DuringtheannualassessmentthecontrolslistedinTableA-1aretestedalongwithanadditionalnumberofcontrolsselectedbytheAO.TheAOhastheoptiontovarythetotalnumberofcontrolstestedtomeetthedesiredlevelofeffortfortesting.TheAOselectstheadditionalcontrolsfortestingbasedonthefollowingcriteriainTable3-1.作为持续监管过程的一部分，要求CSP有3PAO每年为其系统中实施的全面控制措施的一个子集实施评估。在每年的评估期间，对表A-1中所列的控制措施连同AO选择的一些额外控制措施一起进行测试。为了满足测试要求，AO可以选择改变要测试的控制措施总数。AO以下面表3-1中的标准为测试选择附加的控制措施。ThereareadditionalrequirementsfortestingandcontrolselectionforCSPsthataretransitioningtotheFedRAMP800-53Revision4baseline.ForadditionalguidancetoonRevision4transitiontestingguidance,reviewtheFedRAMPRevision4TransitionGuide.测试的附加要求和CPS的可选控制措施，正在成为FedRAMP800-53版本4的基线。对于版本4的转变测试指南的额外指南，请参考《FedRAMPRevision4TransitionGuide》CriteriaDescription1.ConditionofpreviousAnyconditionsmadebytheauthorizingofficial(AO)intheassessmentauthorizationletterorduringapreviousassessment.Thiswouldincludetheresolutionofvulnerabilitieswithincertaintime-frames,implementationofnewcapabilities,etc.2.WeaknessidentifiedAnyareasinwhichacloudsystemhashadknownsincethelastvulnerabilitiesorenhancedriskrelatedtospecificcontrols.assessmentExamplesmightincludeactualorsuspectedintrusion,compromise,malwareevent,lossofdata,orDoS/DDoSattack.3.KnownorsuspectedAnyareaswherethecloudsystemhasdemonstratedaweaknesstesting/continuousorvulnerabilityincontinuousmonitoringandtestingrelatedmonitoringfailureControlimplementationthathaschangedsincelastassessmentNewlydiscoveredvulnerability,zero-dayattack,orexploitRecommendationofAuthorizingOfficialorOrganization

tospecificsecuritycontrolsExamplesmightincludethosecontrolsrelatedtopatchmanagement,configurationmanagement,orvulnerabilityscanning.Anycontrolimplementationsthathavechangedsincethelastassessment.Thesechangesmightnotreachthelevelofasignificantchangebutduetotheirchangeinimplementationstatuswouldrequireanindependentassessmentofthatimplementation.Selectadditionalcontrolsfortestingwhenthesystemisaffectedbynewlydiscoveredvulnerabilitiesorzero-dayexploits.ExampleswouldincludetheHeartbleedvulnerability.Basedondirectknowledgeanduseofacloudsystem,authorizingofficialsororganizationscanrequiretheCSPtotestadditionalcontrolsbasedonuniquemissionconcernsorbasedonthe CSP’s performancesincetheirlastassessment.Table3-1 –ControlSelectionCriteria3.2. CHANGECONTROL变更控制SystemsaredynamicandFedRAMPanticipatesthatallsystemsareinaconstantstateofchange.ConfigurationmanagementandchangecontrolprocesseshelpmaintainasecurebaselineconfigurationoftheCSP ’sarchitecture .Routineday-to-daychangesaremanagedthroughtheCSP ’schangemanagementprocessdescribedintheir ConfigurationManagementPlan .系统是动态的，且FedRAMP期望所有的系统都处于一种不断变化的状态。配置管理和变更控制过程有助于维持CSP架构的安全基线配置。通过CSP在其《配置管理计划》中描述的变更管理方法管理日常的变更。However,beforeaplannedmajorsignificantchangetakes place,CSP’smustperformaSecurityImpactAnalysistodetermineifthechangewilladverselyaffectthesecurityofthesystem.TheSecurityImpactAnalysisisastandardpartofaCSP ’schangecontrolprocessasdescribedintheCSP ’sConfigurationManagementPlan .然而，在计划内的重大变更发生前，CSP必须实施安全影响分析以便决定此变更是否会对系统安全产生负面影响。安全影响分析是CSP在其《配置管理计划》中描述的变更控制流程的一个标准件。CSPsmustnotifytheirAOwithaminimumof30daysbeforeimplementinganyplannedmajorsignificantchanges.TheAOsmightrequiremoretimebasedontheseverityofthechangebeingimplementedsoCSPsmustworkclosewiththeAOstounderstandhowmuchtimeisneededinadvanceofmajorchanges.CSPsmustcompletea SignificantChangeSecurityImpactAnalysisForm andprovidetotheAOfortheiranalysis.Allplansformajorsignificantchangesmustincluderationaleformakingthechange,andaSecurityAssessmentPlan(SAP)fortestingthechangepriortoandfollowingimplementationintheproductionsystem.在实施任何计划的重大变更之前，CSP必须至少30天内通知其AO。基于要实施的变更的严重性，AO可能需要更多的时间，所以CSP必须与AO紧密配合以便知道重大变更前需要提前多长时间通知AO。CSP必须完成《重大变更安全影响分析表》并提供给AO以便其分析。所有重大变更计划必须包含变更的基本原理，以及《安全评估计划》，用以测试在生产系统实施变更之前和之后的变化。Ifanyanticipatedchangeaddsresidualrisk,orcreatesotherriskexposurethattheAOfindsunacceptable,theATOcouldberevokedifthechangeismadewithoutpriorapproval.ThegoalisforCSPstomakeplannedchangesinacontrolledmannersothatthesecuritypostureofthesystemisnotlowered.如果任何预期的变更增加了声誉风险或产生了其他AO不能接受的暴露风险，ATO可以撤销没有事先批准的变更。这样做的目的是为了让CSP以可控的方式制定计划变更，以便系统的安全态势不会被削弱。AfterimplementationtheCSPmustsubmitanewSecurityAssessmentReporttotheAObasedonasecurityassessmentperformedbya3PAOinaccordancewiththeSAPandwithinthetimeframeagreedbetweentheCSPandAO.Additionally,theCSPwillneedtosubmitupdateddocumentationpertainingtothenewlyimplementedchanges.实施变更之后，CSP必须提交新的《安全评估报告》给 AO，这份报告是3PAO依据SAP，在CSP和AO约定的时间表内基于安全评估完成的。另外，CSP需要提交适合最近实施的变更的更新文档。3.3. INCIDENTRESPONSE应急响应FedRAMPrequiresthatCSPsdemonstratethattheyareabletoadequatelyrespondtosecurityincidents.AspartoftheFedRAMPrequirements,CSPsarerequiredtosubmitandmaintainanincidentresponseguide,whichisapprovedbytheAO.CSPsarealsorequiredtofollowtheincidentresponseandreportingguidancecontainedinthe FedRAMPIncidentCommunicationsProcedure

.FedRAMP要求CSP证明其有能力对安全紧急事件做出充分响应。作为 FedRAMP要求的一部分，CSP需要提交并维护一份经AO批准的应急响应指南。CSP也要遵循应急响应并对《FedRAMP事件通信规程》中包含的报告指南。APPENDIXA–CONTROLFREQUENCIES附录A-控制频率Securitycontrolshavedifferentfrequenciesforperformanceandreview,andsomecontrolsrequirereviewmoreoftenthanothers.TableA-1summarizestheminimallyrequiredfrequenciesrequiredforthedifferentcontinuousmonitoringactivities.SomecontinuousmonitoringactivitiesrequirethattheCSPsubmitsadeliverabletotheirAO.NotethatCSPsarerequiredtosubmitdeliverableslistedinTableA-1iftheyhavefullorsharedresponsibilityforthelistedcontrol.However,inheritedcontrolsdonotrequirethesubmissionofadeliverable.Forexample,insomecases,PaaSorSaaSofferingsmayinheritphysicalandenvironmentalprotectioncontrolsfromanIaaSandwouldthereforenotsubmitdeliverablesforthoseinheritedcontrols.安全控制针对实施和检查有不同的频率，某些控制措施要求的检查频率比其他措施的要多。表A-1总结了不同持续监管活动的最低频率要求。某些持续监管活动要求CSP提交交付件给他们的AO。如果CSP对表中列出的控制措施负有全部或部分责任，则要求CSP提交表A-1中列出的交付件。但是，继承父类的控制措施不要求提交交付件。例如：在某些情况下，PaaS或SaaS提供的控制措施可能从IaaS继承物理和环境的保护措施，因此PaaS或SaaS就不用为其继承的控制措施提交交付件。Othercontinuousmonitoringactivitiesdonotrequireadeliverable,andwillbereviewedby3PAOsduringsecurityassessments.CSPsmustbeabletodemonstrateto3PAOsthatongoingcontinuousmonitoringactivitiesareinplace,andhavebeenoccurringasrepresentedintheSystemSecurityPlan.Forexample,ifaCSPhasindicatedintheirSystemSecurityPlanthattheymonitorunsuccessfulloginattemptsonanongoingbasis,the3PAOmayasktoseelogfiles,alongwiththeCSPanalysisofthelogfiles,forrandomdatesoverthecourseofpriorauthorizationperiod(e.g.,bi-annual,annual).其他持续监管活动不要求交付件，且在安全评估期间由3PAOs进行检查。CSP必须能够向3PAO证明连续不断的持续监管活动已经到位，且作为《系统安全计划》的代表一直运行。例如，如果CSP已经在其《系统安全计划》中表明其连续监控登录失败的行为，那么3PAO可能要求查看CSP之前的授权期限中的任意日期的日志文件、日志文件分析。InTableA-1,refertothe“Description”columnforinformationaboutwhatisrequiredandwhenitisrequiredtobesubmitted.AcheckmarkineithertheCSPAuthoredDeliverablecolumnor3PAOAuthoredDeliverablecolumnofTableA-1indicatesthatadeliverableisrequired.表A-1中“描述”列指的是：要求何时提交以及提交什么内容。表

A-1

中，CSP授权的交付件列表或3PAO授权的交付件列表表明需要提交的交付件。IfconcernsariseaboutthesecuritypostureoftheCSPsystem,AOsmayaskforasecurityartifactatanypointintime.Forexample,ifaCSPindicatesintheirSystemSecurityPlanthattheyactivelymonitorinformationsystemconnections,theAOcouldasktheCSPtosendthemlogfilesnippetsforaparticularconnectionatanypointintime.IfitbecomesknownthatanentitythatconnectstoaCSPhasbeencompromisedbyanunauthorizeduser,theAOcoordinatewiththeCSPtocheckinontheinterconnectionmonitoringoftheCSP.CSPsshouldanticipatethatasidefromscheduledcontinuousmonitoringdeliverables,andasidefromtestingperformedby3PAOs,thattheAOsmayrequestcertainsystemartifactsonanadhocbasisifthereareconcerns.如果对CSP系统的安全态势产生担忧， AOs可以在任何时间点请求一个安全组建。例如，如果一个CSP在其《系统安全计划》中表明他们积极地监控信息系统连接， AO可能要求CSP发送其在任何时间点的一个特殊连接的日志文件片段。如果发现连接CSP的实体已经被一个非授权使用者盗用，那么AO配合CSP检查CSP的交互连接监控。如果存在担忧的话，CSP应该预料到除预定的持续监管交付件、3PAOs执行的测试以外，AOs可能要求特定系统专责性质的组件。CSPsarerequiredtosubmitascheduleofactivitieswithin15daysfromthedateoftheirauthorizationtotheirAOsandannuallythereafter.ThisscheduleassistsCSPsinmanagingcontinuousmonitoringactivities.CSP需要在其获得授权之日起的 15日内，提交活动计划表给其 AOs，此后每年提交一次。这个计划表帮助 CSP管理持续监管活动。Note:ForcontrolsthatdonothaveacheckineithertheCSPauthoreddeliverableor3PAOauthoreddeliverableinTableA-1,CSPswillberequiredtoprovideevidenceofcomplianceminimallyduringannualassessmentanduponrequest.注意：表

A-1

中既不在

CSP授权交付件或

3PAO授权交付件上登记的控制措施，根据要求，

CSP至少在年度评估期间提供遵从证据。Row#

CSP

3PAOControlName

ControlID

Description

Authored

Authored

NotesDeliverable

DeliverableContinuousandOngoingRow#ControlName ControlID1 Information SI-4SystemMonitoring

DescriptionTheorganization:Monitorstheinformationsystemtodetect:Attacksandindicatorsofpotentialattacksinaccordancewith[Assignment:organization-definedmonitoringobjectives];andUnauthorizedlocal,network,andremoteconnections;Identifiesunauthorizeduseoftheinformationsystemthrough[Assignment:organization-definedtechniquesandmethods];Deploysmonitoringdevices:(i)strategicallywithintheinformationsystemtocollectorganization-determinedessentialinformat