Federal Risk and Authorization Management Program (FedRAMP) Continuous Monitoring Strategy & Guide

Continuous Monitoring Strategy & Guide
Version 2.0
June 6, 2014

EXECUTIVE SUMMARY

The OMB memorandum M-10-15, issued on April 21, 2010, changed from static point-in-time security authorization processes to Ongoing Assessment and Authorization throughout the system development life cycle. Consistent with this new direction favored by OMB and supported in NIST guidelines, FedRAMP developed an ongoing assessment and authorization program for the purpose of maintaining the authorization of Cloud Service Providers (CSPs).

After a system receives a FedRAMP authorization, it is probable that the security posture of the system could change over time due to changes in the hardware or software on the cloud service offering, or also due to the discovery and provocation of new exploits. Ongoing assessment and authorization provides federal agencies using cloud services a method of detecting changes to the security posture of a system for the purpose of making risk-based decisions.

This guide describes the FedRAMP strategy for CSPs to use once they have received a FedRAMP Provisional Authorization. CSPs must continuously monitor the cloud service offering to detect changes in the security posture of the system to enable well-informed risk-based decision making. This guide instructs CSPs on the FedRAMP strategy to continuously monitor their systems.

DOCUMENT REVISION HISTORY

Date | Page(s) | Description | Author
06/06/2014 | | Major revision for SP 800-53 Revision 4. Includes new template and formatting changes. | FedRAMP PMO

ABOUT THIS DOCUMENT

This document has been developed to provide guidance on continuous monitoring and ongoing authorization in support of maintaining a security authorization that meets the FedRAMP requirements. This document is not a FedRAMP template: there is nothing to fill out in this document.

WHO SHOULD USE THIS DOCUMENT?

This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessor Organizations (3PAOs), government contractors working on FedRAMP projects, and government employees working on FedRAMP projects. This document may also prove useful for other organizations that are developing a continuous monitoring program.

HOW THIS DOCUMENT IS ORGANIZED

This document is divided into seven sections and one appendix.

Section 1 | Provides an overview of the continuous monitoring process.
Section 2 | Describes roles and responsibilities for stakeholders other than CSPs.
Section 3 | Describes how operational visibility, change control and incident response support continuous monitoring.
Appendix A | Describes the security control frequencies.

HOW TO CONTACT US

Questions about FedRAMP or this document may be directed to . For more information about FedRAMP, visit the website at .

1. OVERVIEW

Within the FedRAMP Security Assessment Framework, once an authorization has been granted, the CSP's security posture is monitored according to the assessment and authorization process. Monitoring security controls is part of the overall risk management framework for information security and is a requirement for CSPs to maintain a security authorization that meets the FedRAMP requirements.

Traditionally, this process has been referred to as "Continuous Monitoring" as noted in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. Other NIST documents such as NIST SP 800-37, Revision 1 refer to "ongoing assessment of security controls." It is important to note that both the terms "Continuous Monitoring" and "Ongoing Security Assessments" mean essentially the same thing and should be interpreted as such.

Performing ongoing security assessments determines whether the set of deployed security controls in a cloud information system remains effective in light of new exploits and attacks, and planned and unplanned changes that occur in the system and its environment over time. To maintain an authorization that meets the FedRAMP requirements, CSPs must monitor their security controls, assess them on a regular basis, and demonstrate that the security posture of their service offering is continuously acceptable.

Ongoing assessment of security controls results in greater control over the security posture of the CSP system and enables timely risk-management decisions. Security-related information collected through continuous monitoring is used to make recurring updates to the security assessment package. Ongoing due diligence and review of security controls enables the security authorization package to remain current, which allows agencies to make informed risk management decisions as they use cloud services.

1.1. PURPOSE OF THIS DOCUMENT

This document is intended to provide CSPs with guidance and instructions on how to implement their continuous monitoring program. Certain deliverables and artifacts related to continuous monitoring that FedRAMP requires from CSPs are discussed in this document.

1.2. CONTINUOUS MONITORING PROCESS

The FedRAMP continuous monitoring program is based on the continuous monitoring process described in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. The goal is to provide: (i) operational visibility; (ii) managed change control; and (iii) attendance to incident response duties. For more information on incident response, review the FedRAMP Incident Communications Procedure.

The effectiveness of a CSP's continuous monitoring capability supports ongoing authorization and reauthorization decisions. Security-related information collected during continuous monitoring is used to make updates to the security authorization package. Updated documents provide evidence that FedRAMP baseline security controls continue to safeguard the system as originally planned.

As defined by the National Institute of Standards and Technology (NIST), the process for continuous monitoring includes the following initiatives:

• Define a continuous monitoring strategy based on risk tolerance that maintains clear visibility into assets and awareness of vulnerabilities and utilizes up-to-date threat information.
• Establish measures, metrics, and status monitoring and control assessment frequencies that make known organizational security status and detect changes to information system infrastructure and environments of operation, and the status of security control effectiveness, in a manner that supports continued operation within acceptable risk tolerances.
• Implement a continuous monitoring program to collect the data required for the defined measures and report on findings; automate collection, analysis and reporting of data where possible.
• Analyze the data gathered and Report findings accompanied by recommendations. It may become necessary to collect additional information to clarify or supplement existing monitoring data.
• Respond to assessment findings by making decisions to either mitigate technical, management and operational vulnerabilities; or accept the risk; or transfer it to another authority.
• Review and Update the monitoring program, revising the continuous monitoring strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities; further enhance data-driven control of the security of an organization's information infrastructure; and increase organizational flexibility.

Figure 1 - NIST Special Publication 800-137 Continuous Monitoring Process (figure not reproduced in this copy)

Security control assessments performed periodically validate whether stated security controls are implemented correctly, operating as intended, and meet FedRAMP baseline security controls. Security status reporting provides federal officials with information necessary to make risk-based decisions and provides assurance to existing customer agencies regarding the security posture of the system.

2. CONTINUOUS MONITORING ROLES & RESPONSIBILITIES

2.1. AUTHORIZING OFFICIAL

Authorizing Officials and their teams ("AOs") serve as the focal point for coordination of continuous monitoring activities for CSPs. CSPs must coordinate with their AOs to send security control artifacts at various points in time. The AOs monitor both the Plan of Action & Milestones (POA&M) and any major significant changes and reporting artifacts (such as vulnerability scan reports) associated with the CSP service offering. AOs use this information so that risk-based decisions can be made about ongoing authorization. Agency customers must perform the following tasks in support of CSP continuous monitoring:

• Notify the CSP if the agency becomes aware of an incident that the CSP has not yet reported
• Provide a primary and secondary POC (point of contact) for CSPs and US-CERT (United States Computer Emergency Readiness Team) as described in agency and CSP Incident Response Plans
• Notify US-CERT when a CSP reports an incident
• Work with CSPs to resolve incidents; provide coordination with US-CERT if necessary
• Notify the FedRAMP ISSO (Information System Security Officer) of CSP incident activity
• Monitor security controls that are agency responsibilities.

During incident response, both CSPs and leveraging agencies are responsible for coordinating incident handling activities together, and with US-CERT. The team-based approach to incident handling ensures that all parties are informed and enables incidents to be closed as quickly as possible.

2.2. FEDRAMP PMO

The FedRAMP Program Management Office (PMO) acts as the liaison for the Joint Authorization Board for ensuring that CSPs with a JAB P-ATO (Joint Authorization Board Provisional Authority to Operate) strictly adhere to their established Continuous Monitoring Plan. The JAB and FedRAMP PMO only perform Continuous Monitoring activities for those CSPs that have a JAB P-ATO.

Translator's note: the JAB is the primary governing body of the FedRAMP program and is composed of the Chief Information Officers of the Department of Defense, the Department of Homeland Security and the General Services Administration.

2.3. DEPARTMENT OF HOMELAND SECURITY (DHS)

The FedRAMP Policy Memo released by OMB defines the DHS FedRAMP responsibilities to include:

• Assisting government-wide and agency-specific efforts to provide adequate, risk-based and cost-effective cybersecurity
• Coordinating cybersecurity operations and incident response and providing appropriate assistance
• Developing continuous monitoring standards for ongoing cybersecurity of Federal information systems, to include real-time monitoring and continuously verified operating configurations
• Developing guidance on agency implementation of the Trusted Internet Connection (TIC) program for cloud services.

The FedRAMP PMO works with DHS to incorporate DHS's guidance into the FedRAMP program guidance and documents.

2.4. THIRD PARTY ASSESSMENT ORGANIZATION (3PAO)

Third Party Assessment Organizations (3PAOs) are responsible for independently verifying and validating the control implementation and test results for CSPs in the continuous monitoring phase of the FedRAMP process. Specifically, 3PAOs are responsible for:

• Assessing a defined subset of the security controls annually.
• Submitting the assessment report to the ISSO one year after the CSP's authorization date and each year thereafter.
• Performing announced penetration testing.
• Performing annual scans of web applications, databases, and operating systems.
• Assessing changed controls on an ad hoc basis as requested by the AOs for any changes made to the system by the CSP.

In order to be effective in this role, 3PAOs are responsible for ensuring that the chain of custody is maintained for any 3PAO-authored documentation. 3PAOs must also be able to vouch for the veracity and integrity of data provided by the CSP for inclusion in 3PAO-authored documentation. As an example:

• If scans are performed by the CSP, the 3PAO must either be on site and observe the CSP performing the scans or be able to monitor or verify the results of the scans through other means documented and approved by the AO.
• Documentation provided to the CSP must be placed in a format that either the CSP cannot alter or that allows the 3PAO to verify the integrity of the document.

3. CONTINUOUS MONITORING PROCESS AREAS

3.1. OPERATIONAL VISIBILITY

An important aspect of a CSP's continuous monitoring program is to provide evidence that demonstrates the efficacy of its program. CSPs and their independent assessors are required to provide evidentiary information to AOs at a minimum of a monthly, annual, every-3-years, and as-needed frequency after authorization is granted. The submission of these deliverables allows AOs to evaluate the risk posture of the CSP's service offering.

Table A-1 notes which deliverables are required as part of continuous monitoring activities. These deliverables include providing evidence, such as providing monthly vulnerability scans of the CSP's operating systems/infrastructure, databases, and web applications.

As part of the continuous monitoring process, CSPs are required to have a 3PAO perform an assessment on an annual basis for a subset of the overall controls implemented on the system. During the annual assessment the controls listed in Table A-1 are tested along with an additional number of controls selected by the AO. The AO has the option to vary the total number of controls tested to meet the desired level of effort for testing. The AO selects the additional controls for testing based on the following criteria in Table 3-1.

There are additional requirements for testing and control selection for CSPs that are transitioning to the FedRAMP 800-53 Revision 4 baseline. For additional guidance on Revision 4 transition testing, review the FedRAMP Revision 4 Transition Guide.

Table 3-1

Criteria | Description
1. Condition of previous assessment | Any conditions made by th
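The 3PAO requirements in section 2.4 (documents must be in a format the CSP cannot alter, or one that lets the 3PAO verify the document's integrity; CSP-run scan results must be verifiable) and the monthly scan deliverables in section 3.1 reduce to one practical check: can the assessor later prove that the evidence it reported on is the evidence it received? The Python below is an added example and is not part of the FedRAMP guide or of any FedRAMP tooling; the file names, scan contents, timestamp and key are constructed for the example. The assessor records a SHA-256 digest of each artifact in a manifest and authenticates the manifest with an HMAC under a key only the assessor holds; a later verification reports each artifact as ok, altered, missing or unlisted, and rejects a manifest whose own tag no longer verifies.

```python
"""Evidence-integrity manifest for continuous-monitoring deliverables.

Added example, not code from the FedRAMP guide. Models an assessor (3PAO)
recording what it received from a CSP so that later alteration is detectable.
"""
import hashlib
import hmac
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Content digest used as the per-artifact fingerprint."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Deterministic serialisation so the HMAC covers exactly the listed entries.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: Dict[str, bytes], assessor_key: bytes, received_at: str) -> dict:
    """Fingerprint every received artifact and authenticate the list.

    assessor_key must never be shared with the CSP: a manifest the CSP could
    regenerate would prove nothing about integrity.
    """
    entries = {
        name: {"sha256": sha256_hex(data), "received_at": received_at}
        for name, data in sorted(artifacts.items())
    }
    tag = hmac.new(assessor_key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac_sha256": tag}


def verify_manifest(manifest: dict, artifacts: Dict[str, bytes], assessor_key: bytes) -> Dict[str, str]:
    """Return a status per artifact: 'ok', 'altered', 'missing' or 'unlisted'.

    Raises ValueError if the manifest itself fails authentication, since the
    per-artifact digests cannot be trusted in that case.
    """
    expected = hmac.new(assessor_key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        raise ValueError("manifest tag mismatch: manifest was modified after it was sealed")

    status: Dict[str, str] = {}
    for name, entry in manifest["entries"].items():
        if name not in artifacts:
            status[name] = "missing"
        elif hmac.compare_digest(sha256_hex(artifacts[name]), entry["sha256"]):
            status[name] = "ok"
        else:
            status[name] = "altered"
    for name in artifacts:
        if name not in manifest["entries"]:
            status[name] = "unlisted"   # present now but never sealed: not evidence
    return status


def demo() -> Dict[str, str]:
    """Seal a constructed monthly scan bundle, then re-check a modified bundle."""
    key = b"assessor-only-key-constructed-for-this-example"
    received = {   # constructed sample deliverables, one per scan type in section 3.1
        "os_scan_2014-06.xml": b"<scan target='os'>0 high, 2 moderate</scan>",
        "db_scan_2014-06.xml": b"<scan target='db'>1 high</scan>",
        "web_scan_2014-06.xml": b"<scan target='web'>0 high</scan>",
    }
    manifest = build_manifest(received, key, "2014-06-06T00:00:00Z")

    later = dict(received)
    later["db_scan_2014-06.xml"] = b"<scan target='db'>0 high</scan>"  # finding removed after receipt
    del later["web_scan_2014-06.xml"]                                   # artifact gone
    later["pentest_2014-06.pdf"] = b"%PDF-constructed"                  # added without the assessor
    return verify_manifest(manifest, later, key)


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print(f"{state:8} {name}")
```

Both comparisons go through hmac.compare_digest so verification time does not depend on where a mismatch occurs. Whether the manifest is sealed with an HMAC, as here, or with a digital signature, the property the guide asks for comes from the key staying with the 3PAO; storing the sealed manifest alongside the assessment report is what makes the chain of custody checkable by the AO later.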
