Vulnerability Detection and Response
The Vulnerability Detection and Response rules require providers to continuously identify, analyze, prioritize, mitigate, and remediate vulnerabilities and related exposures through automated systems. These rules give providers flexibility in implementation while ensuring agencies receive the information needed to support ongoing authorization decisions.
Subsets
Effective Date(s) & Overall Applicability for Rev5
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2027-01-01
- Maintain: 2027-06-01
- Grace Ends: 2028-01-01
- Sign-up Form: ADDME
General Provider Responsibilities
These rules apply to all providers with FedRAMP Certifications of any type.
Vulnerability Detection
VDR-CSO-DET
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST systematically, persistently, and promptly discover and identify vulnerabilities within their cloud service offering using appropriate techniques such as assessment, scanning, threat intelligence, vulnerability disclosure mechanisms, bug bounties, penetration testing, incident response, automated control testing, supply chain monitoring, and other relevant capabilities; this process is called vulnerability detection. Vulnerability detection includes persistently verifying and validating that information resources and processes are operating as intended and documented for FedRAMP Practices.
Vulnerability Detection and Response includes all efforts to identify weaknesses in a system and is NOT limited to traditional vulnerability scanning or testing. An out-of-date control statement in the Security Decision Record is a vulnerability that must be detected and remediated just like any other vulnerability.
Notes:
- FedRAMP's vulnerability detection (and response) rules are intended to set modern expectations for maintaining the security of a cloud service. Historical FedRAMP guidance on vulnerability scanning or continuous monitoring generally focused only on CVE-type vulnerabilities while leaving other types of vulnerabilities and exposures unaddressed.
- Providers are encouraged to leverage their existing holistic security review, architecture review, and similar processes to meet these requirements. FedRAMP strongly discourages providers from implementing separate vulnerability detection and response processes for FedRAMP reporting that are operated by independent compliance branches unless these processes are consuming data directly from the areas of the cloud service that actively maintain it.
Terms: Cloud Service Offering, FedRAMP Practices, Incident, Information Resource, Persistently, Promptly, Vulnerability, Vulnerability Detection, Vulnerability Response
Vulnerability Response
VDR-CSO-RES
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST systematically, persistently, and promptly track, evaluate, monitor, mitigate, remediate, assess exploitation of, report, and otherwise manage all detected vulnerabilities within their cloud service offering; this process is called vulnerability response.
Notes:
- If it is not possible to fully mitigate vulnerabilities or remediate vulnerabilities, providers SHOULD instead partially mitigate vulnerabilities promptly, progressively, and persistently.
- FedRAMP does not use the terms "mitigation" and "remediation" interchangeably. Mitigation is the process of reducing the risk and impact of a vulnerability, whether partially or fully; remediation is the process of entirely eliminating the vulnerability. A fully mitigated vulnerability still exists (with negligible risk) until it has been remediated. This separation is based on the plain-language definitions of these words.
- Please refer to FedRAMP Definitions for strict interpretation in the FedRAMP context.
Terms: Cloud Service Offering, Fully Mitigated Vulnerability, Partially Mitigated Vulnerability, Persistently, Promptly, Remediated Vulnerability, Vulnerability, Vulnerability Detection, Vulnerability Response
Failures Are Vulnerabilities
VDR-CSO-FAV
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST treat problems or failures with their vulnerability detection and response processes as vulnerabilities.
Terms: Vulnerability, Vulnerability Detection, Vulnerability Response
Design For Resilience
VDR-CSO-DFR
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD make design and architecture decisions for their cloud service offering that mitigate the risk of vulnerabilities by default AND decrease the risk and complexity of vulnerability detection and response.
Terms: Cloud Service Offering, Vulnerability, Vulnerability Detection, Vulnerability Response
Automate Detection
VDR-CSO-ADT
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD use automated services to improve and streamline vulnerability detection and response.
Terms: Vulnerability, Vulnerability Detection, Vulnerability Response
Detect After Changes
VDR-CSO-DAC
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD automatically perform vulnerability detection on representative samples of new or significantly changed information resources.
Terms: Information Resource, Vulnerability, Vulnerability Detection
Maintain Security
VDR-CSO-MSP
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD NOT weaken the security of information resources to facilitate vulnerability scanning, detection, or assessment activities.
Terms: Information Resource, Vulnerability, Vulnerability Detection
Avoid KEVs
VDR-CSO-AKE
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD NOT deploy or otherwise activate new machine-based information resources with Known Exploited Vulnerabilities.
Terms: Information Resource, Known Exploited Vulnerability (KEV), Machine-Based (Information Resources), Vulnerability
Sampling
VDR-CSO-SIR
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MAY sample effectively identical information resources, especially machine-based information resources, when performing vulnerability detection UNLESS doing so would decrease the efficiency or effectiveness of vulnerability detection.
Terms: Information Resource, Machine-Based (Information Resources), Vulnerability, Vulnerability Detection
Timeframes
These rules apply to timeframes for vulnerability detection and response.
Non-Machine Verification and Validation
VDR-TFR-NMV
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers MUST verify and validate the status of non-machine-based information resources at least once every 3 months.
Terms: Information Resource, Machine-Based (Information Resources), Validation, Verification
Persistent Drift Detection
VDR-TFR-PDD
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers with Class C Certifications SHOULD persistently perform vulnerability detection on all information resources that are likely to drift, at least once every 14 days.
Timeframe: 14 days
Terms: Drift, Information Resource, Likely, Persistently, Vulnerability, Vulnerability Detection
Persistently Complete Detection
VDR-TFR-PCD
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers with Class C Certifications SHOULD persistently perform vulnerability detection on all information resources that are NOT likely to drift, at least once every month.
Timeframe: 1 month
Terms: Drift, Information Resource, Likely, Persistently, Vulnerability, Vulnerability Detection
Mitigation and Remediation Expectations
VDR-TFR-PVR
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers with Class C Certifications SHOULD partially mitigate vulnerabilities, fully mitigate vulnerabilities, or remediate vulnerabilities to a lower Potential Agency Impact N-rating within the timeframes from evaluation shown below, factoring for the current Potential Agency Impact N-rating, internet reachability, and likely exploitability:
Potential Agency Impact N-rating (PAIN) Timeframes, by likely exploitability (LEV = likely exploitable vulnerability, NLEV = not likely exploitable) and internet reachability (IRV = internet-reachable vulnerability, NIRV = not internet-reachable):
| PAIN Rating | LEV + IRV | LEV + NIRV | NLEV |
|---|---|---|---|
| PAIN-5 | 2 days | 4 days | 16 days |
| PAIN-4 | 4 days | 8 days | 64 days |
| PAIN-3 | 16 days | 32 days | 128 days |
| PAIN-2 | 48 days | 128 days | 192 days |
Terms: Fully Mitigated Vulnerability, Likely, Partially Mitigated Vulnerability, Potential Agency Impact, Remediated Vulnerability, Vulnerability
Remaining Vulnerabilities
VDR-TFR-RMN
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD mitigate or remediate remaining vulnerabilities during routine operations as determined necessary by the provider.
Terms: Vulnerability
Remediate KEVs
VDR-TFR-KEV
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers SHOULD remediate Known Exploited Vulnerabilities according to the due dates in the CISA Known Exploited Vulnerabilities Catalog (even if the vulnerability has been fully mitigated) as required by CISA Binding Operational Directive (BOD) 26-04 or any successor guidance from CISA.
Reference: CISA BOD 26-04
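As an added example (not FedRAMP's own tooling or text), the following Python computes the two deadlines a vulnerability tracker would hold for one finding: the VDR-TFR-PVR deadline derived from the PAIN table above, and the VDR-TFR-KEV due date, which remains owed even after full mitigation. The vulnerability ids and the KEV catalog entry are constructed placeholders, and treating ratings outside the table as VDR-TFR-RMN remaining vulnerabilities is an assumption.

```python
# Added example, not FedRAMP's own tooling: derive response deadlines from the
# VDR-TFR-PVR PAIN table and VDR-TFR-KEV. Vulnerability records are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# PAIN rating -> days for (LEV + IRV, LEV + NIRV, NLEV), copied from the rule table.
PAIN_TIMEFRAMES = {5: (2, 4, 16), 4: (4, 8, 64), 3: (16, 32, 128), 2: (48, 128, 192)}
# Constructed stand-in for CISA KEV catalog lookups: vulnerability id -> CISA due date.
KEV_CATALOG = {"VULN-0002": date(2027, 3, 10)}

@dataclass
class Deadlines:
    mitigate_by: Optional[date]   # VDR-TFR-PVR: reach a lower PAIN rating by this date
    remediate_by: Optional[date]  # VDR-TFR-KEV: CISA due date, owed even if fully mitigated

def pain_deadline(evaluated: date, pain: int, likely_exploitable: bool,
                  internet_reachable: bool) -> Optional[date]:
    """Deadline from the evaluation date per the PAIN table. Ratings outside the
    table return None (assumed to fall under VDR-TFR-RMN, routine operations).
    Reachability only matters when exploitation is likely: NLEV has one column."""
    row = PAIN_TIMEFRAMES.get(pain)
    if row is None:
        return None
    lev_irv, lev_nirv, nlev = row
    if not likely_exploitable:
        days = nlev
    else:
        days = lev_irv if internet_reachable else lev_nirv
    return evaluated + timedelta(days=days)

def deadlines(vuln_id: str, evaluated: date, pain: int, likely_exploitable: bool,
              internet_reachable: bool, kev_catalog=KEV_CATALOG) -> Deadlines:
    """The two obligations are tracked separately: a KEV due date does not replace
    the PAIN deadline, and full mitigation does not discharge the KEV due date."""
    return Deadlines(pain_deadline(evaluated, pain, likely_exploitable, internet_reachable),
                     kev_catalog.get(vuln_id))

def overdue(d: Deadlines, today: date) -> list[str]:
    """Obligations past due on `today`; empty list when none."""
    late = []
    if d.mitigate_by is not None and today > d.mitigate_by:
        late.append("mitigate (VDR-TFR-PVR)")
    if d.remediate_by is not None and today > d.remediate_by:
        late.append("remediate (VDR-TFR-KEV)")
    return late
```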
Persistent Sample Detection
VDR-TFR-PSD
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers with Class C Certifications SHOULD persistently perform vulnerability detection on representative samples of similar machine-based information resources, at least once every 3 days.
Timeframe: 3 days
Terms: Information Resource, Machine-Based (Information Resources), Persistently, Vulnerability, Vulnerability Detection
Persistent Machine Verification and Validation for Rev5
VDR-TFR-MVF
Changelog:
- 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.
Providers of FedRAMP Rev5 Class C offerings MUST verify and validate the status of machine-based information resources at least once every month.
Timeframe: 1 month
Terms: Information Resource, Machine-Based (Information Resources), Validation, Verification
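Added example (not FedRAMP's own tooling): an inventory check that assigns each information resource the cadence from VDR-TFR-NMV, PDD, PCD, PSD and MVF and flags those whose last detection or verification is older than that interval. It assumes a Rev5 Class C offering, approximates 1 month and 3 months as 30 and 90 days, treats a check of any member of a VDR-CSO-SIR sample group as covering the whole group, and uses a constructed inventory.

```python
# Added example, not FedRAMP's own tooling: flag information resources whose
# detection or verification cadence under VDR-TFR-NMV/PDD/PCD/PSD/MVF has lapsed,
# assuming a Rev5 Class C offering. The inventory below is constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Resource:
    name: str
    machine_based: bool
    likely_to_drift: bool
    last_checked: Optional[date]        # last detection (machine) or V&V (non-machine)
    sample_group: Optional[str] = None  # set when VDR-CSO-SIR sampling covers this resource

def required_interval(r: Resource) -> timedelta:
    """Cadence per the timeframe rules; 1 month and 3 months are approximated
    here as 30 and 90 days (an assumption, not the rule text)."""
    if not r.machine_based:
        return timedelta(days=90)   # VDR-TFR-NMV: verify and validate every 3 months
    if r.sample_group is not None:
        return timedelta(days=3)    # VDR-TFR-PSD: representative samples every 3 days
    if r.likely_to_drift:
        return timedelta(days=14)   # VDR-TFR-PDD: drift-prone resources every 14 days
    return timedelta(days=30)       # VDR-TFR-PCD / VDR-TFR-MVF: monthly

def lapsed(inventory: list[Resource], today: date) -> list[str]:
    """Names whose cadence has lapsed. Within a sample group the most recent check
    of any member counts for every member (interpretation of VDR-CSO-SIR)."""
    latest: dict[str, date] = {}
    for r in inventory:
        if r.sample_group and r.last_checked:
            if r.sample_group not in latest or r.last_checked > latest[r.sample_group]:
                latest[r.sample_group] = r.last_checked
    out = []
    for r in inventory:
        last = latest.get(r.sample_group) if r.sample_group else r.last_checked
        if last is None or today - last > required_interval(r):
            out.append(r.name)
    return out

# Constructed inventory.
INVENTORY = [
    Resource("web-01", True, True, date(2027, 2, 1)),
    Resource("hsm-fw", True, False, date(2027, 1, 20)),
    Resource("node-a", True, True, date(2027, 2, 9), sample_group="k8s-workers"),
    Resource("node-b", True, True, None, sample_group="k8s-workers"),  # covered by node-a's scan
    Resource("ir-plan", False, False, date(2026, 11, 1)),
]
```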