The Federal Risk and Authorization Management Program has released three new documents to clarify its process for continuously monitoring FedRAMP-authorized cloud service providers.
FedRAMP said Tuesday the new continuous monitoring documents include a draft of the “Automated Vulnerability Risk Adjustment Framework Guidance,” which is intended to help CSPs build and deploy an automated vulnerability risk adjustment tool for weaknesses detected by vulnerability scanners.
The draft guide is meant to support CSPs’ efforts to maintain or boost security as well as lessen the level of effort for scanner-related risk reductions.
FedRAMP also responded to requests from cloud companies that want to scan samples of system components rather than the entire system with a document titled “Guide for Determining Eligibility and Requirements for the Use of Sampling for Vulnerability Scans.”
CSPs can use the document as a guide on evaluating representative system components rather than scanning all components.
The third document, “Vulnerability Scanning Requirements,” provides a known-vulnerability severity scoring framework that supports the creation and use of an automated, Common Vulnerability Scoring System-based risk adjustment tool for vulnerabilities identified by vulnerability scanning systems.
The new documents add to a set of guides that FedRAMP issued on Jan. 31 to streamline and optimize the continuous monitoring process.