Course Features and Functions

and Resources button.

Let’s take a moment to familiarize ourselves with the features and functions of this course. To navigate the

course, you may select the Back and Next buttons located at the bottom of the screen, or you may use the

Menu tab located on the left side of the screen to select the screen you'd like to view. Use the Play and

Pause buttons located at the bottom of the screen to start and stop the screen content. You may also select

the replay button to view the content again. Use the Description tab on the left side of the screen to read a

detailed description of the screen elements including the image descriptions, screen text, and audio script.

You may also access the Resources button at the top right corner of the screen to open additional course

Welcome to Part Four of the FedRAMP Training Series:

1.Introduction to the Federal Risk and Authorization Program (FedRAMP) - 100A

2.FedRAMP System Security Plan (SSP) Required Documents - 200A

3.Security Assessment Plan (SAP) Overview - 200B

4.Security Assessment Report (SAR) Overview - 200C

6.Continuous Monitoring (ConMon) Overview - 200D

and will assist with writing compliant control implementation descriptions in the System Security Plan or SSP.

By providing insight into what to expect when going through the FedRAMP assessment process, we want to

ensure CSPs have the knowledge and resources to successfully achieve FedRAMP authorization.

• What is expected in a control implementation description

• The difference between a good control implementation and a poor control implementation

At the conclusion of this training session, you should understand:

• Document acceptance criteria

• Technical acceptance criteria

• What is expected in a control implementation description

• The difference between a good control implementation and a poor control implementation

1. Allocate Sufficient Time and Effort for Writing

2. Strongly and Clearly Articulate Security Architecture and Implementations

3. Tell a Story

The System Security Plan is a document that requires an eye for detail. A few small mistakes can create a

lot of questions following the review by the FedRAMP PMO, Agency, or JAB and slow down the assessment

process. Before beginning documentation, it is important to understand the full scope of creating the SSP

and level of effort required to make it good.

It is important to understand writing the SSP takes time, effort, careful thinking, and strong, clear articulation

of your system's functionality. The SSP is required to be complete and well-structured,

• Make sure that you have the required expertise and knowledge of NIST and FedRAMP security controls.

• Make sure you have enough resources - often one writer is not enough and you may have to allocate

additional resources and subject matter experts to complete the SSP (or System Security Plan).

a risk based justification as to why.

We will touch more on these next points in a later slide but be clear, concise, consistent, and complete when

writing and make sure you adequately reference all documentation and that your system is compliant with

A Poor Control Implementation Description

Video covering A Poor Control Implementation Description

• Does not identify all persons responsible (by role) for implementing/enforcing the solution to the security

control

Implementation statements

The customer specific responsibility should be addressed explicitly and consistently (e.g. addressed under a

"Customer Responsibility" heading). This is so that customers know exactly what their responsibilities are

with regard to meeting the control requirement exclusively or in partnership with the CSP.

configured uniquely for each device type. It is expected that unique implementations would be addressed by

Policies and procedures as well as supporting documents should be explicitly referenced (Title, date and

version) so it is clear which is active.

If the entire referenced document does not apply, specific sections references should be provided so the

applicable sections can be located easily.

Reviewer should not have to rely solely on following the references to understand the control implementation.

An overview of what the referenced document addresses and direct relevancy to the control requirement

should be provided so the SSP can stand on its own.

• Contains text not directly relevant to describing how the control is implemented

•

• The wrong Implementation Status is checked

• For example, Is marked Planned but does not identify planned date or where it is marked

Alternative Implementation it does not clearly describe the alternative.

• As general guidance If all or part of the control is an alternative implementation then the status

"Partially Implemented" and "Alternative Implementation" are both checked. If all or part of the

control is planned then the status "Partially Implemented" and "Planned" are both checked. If

selecting a status of Planned, Alternative Implementation, and/or Not Applicable, the aspects of

the control that are Planned, Alternative, and/or Not Applicable should be clearly explained in the

implementation description. If the control is solely a customer responsibility and the CSP has no

responsibility for the implementation of the control, then "Implemented" is checked and the

Video covering Readability Example

AC-17, Part a

• Asks for establishment and documentation of usage restrictions, configuration/ connection requirements,

and implementation guidance for each type of remote access allowed

• Poor Example - AC-17, Part a:

Remote access for privileged functions be permitted only for compelling operational needs, shall be strictly

controlled, and must be approved in writing by <role named> . . . The number of users who can access

You can point out that there is heavy use of passive voice (four times).

• The heavy use of passive voice fails to give specific information. So "what" and "how" are not answered.

• Not all the requirements are addressed.

Save words, and omit "this makes it difficult for a reviewer to understand what was meant." You are

explaining that concept with your detailed comments.

The XYZ system has data backup procedures in accordance with control requirements. Daily incremental

least annually]; and

In analyzing a proper response to a control, let’s look at a control in the Access Control family. AC 2

individual, shared, group, system, temporary, and service. The identification of authorized users of the

information system and the specification of access privileges reflects the requirements in other security

controls in the security plan. Users requiring administrative privileges on information system accounts

receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business

owner, or chief information security officer) responsible for approving such accounts and privileged access.

Organizations may choose to define access privileges or other attributes by account, by type of account, or

a combination of both. Other attributes required for authorizing access include, for example, restrictions on

system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business

requirements, (e.g., time zone differences, customer requirements, remote access to support travel

Control Definition

may be reviewed. The Test Case workbook provides a standard risk and controls template for assessing

baseline controls and helps to drive consistency in the annual assessment testing performed by Third

Party Assessor Organizations (3PAOs). 3PAOs use this workbook to test selected baseline controls per

required test procedures and document any control deficiencies and findings.

Use the control as a cascading point to the rest of the definition

• “The organization…” Assigns account managers for information system accounts.

• “The organization…” Establishes conditions for group and role membership.

• The verbs in each control explain the action to be implemented and must be used in the description.

Here is where the story-telling begins:

Control Writing Tips

• The CSP can choose to include a reference to the policies where these accounts are identified, as long as

accounts can be located.