NIST SP 800-53, Rev. 3 (IR-8) identifies the need for having “a formal, focused, and coordinated approach to responding to incidents.”
The components of the Incident Response (IR) Plan should address the following:
- Roadmap for implementing incident response capability;
- Structure and organization for implementing the incident response capability;
- High-level approach for implementing the incident response capability;
- Unique requirements (incident response) of the organization;
- Reportable incidents;
- Metrics for measuring the incident response capability; and
- Resources and management support needed to effectively maintain and mature an incident response capability.
Sources for Incident Response Reporting and Alerts
- Cloud Security Alliance CloudCERT
- Forum of Incident Response and Security Teams (FIRST)
- DHS National Cyber Alert System
- DHS US-CERT Incident Reporting System
The shared tenant architecture of cloud services implies that a single incident may impact multiple Federal agencies leveraging the cloud services. FedRAMP will work with US-CERT (an office within DHS) to coordinate incident response activities.
Part of a CSP security authorization package requires CSPs to have incident response plans in accordance with existing Federal policies such as OMB M-07-16 and NIST Special Publication 800-61. In the event of a security incident, a CSP must notify both US-CERT and the impacted Federal agency Security Operations Centers (SOCs).
FedRAMP and US-CERT will then coordinate response efforts across impacted Government agencies, including activities such as forensic analysis through root cause determination and recommended remediation actions. Impacted agencies provide input on agency-specific remediation actions that are required under their contractual or compliance requirements.
FedRAMP and US-CERT will summarize the findings in an Incident Report that will be made available by FedRAMP to agencies leveraging the FedRAMP Provisional Authorization. Additionally, if CSP actions must be taken to prevent future occurrences, the actions will be recorded by the CSP in their POA&M and monitored. Based on the severity of the incident and the impact it has on Federal agencies, the FedRAMP PMO may initiate a review of a CSP’s Provisional Authorization with the JAB.