A Survey of FedRAMP’s New Supply Chain Requirements

Coalfire Assessment Team

May 2, 2022
Blog Images 2022 Fed RAMP Survey tile

Over the past few years, supply chain management has shifted from a background requirement that everyone unknowingly relies upon, to being a commonly talked about aspect of our everyday lives. The Federal government has ramped up its effort to gain a handle on supply chain threats as a result of many recent compromises to government information systems and critical infrastructure.

Key takeaways:

  • Supply chain management is not brand new. It has existed for a while now within Defense Federal Acquisition Regulation Supplement (DFARS) Part 252 and SA-12, first existing in NIST 800-53 revision 3 for systems with a High FIPS-199 categorization.
  • FedRAMP’s focus in 2022 on supply chain requirements have significantly increased through the publication of the new supply chain risk management (SR) control family in NIST 800-53 revision 5.
  • CSPs adhering to the FedRAMP standard will need to itemize their Cloud Service Offering (CSO) vendors and develop a risk management plan for supply chains.
  • Vendors will need to be reviewed for NIST 800-171 compliance by the CSP on an annual basis.

Supply chain management

Over the past few years, supply chain management has shifted from a background requirement that everyone unknowingly relies upon, to being a commonly talked about aspect of our everyday lives. The Federal government has ramped up its effort to gain a handle on supply chain threats as a result of many recent compromises to government information systems and critical infrastructure. Through the presidential executive order on improving the nation’s cybersecurity (May 2021) and the earlier finalized publication of NIST 800-53 revision 5 (September 2020), it will come as no surprise that FedRAMP will place a special emphasis on this domain once the FedRAMP 800-53 revision 5 baselines are finalized later this year.

This isn’t the first time supply chain security has come under scrutiny from regulators. DoD has been evaluating their supply chain using NIST 800-171 through DFARS Part 252 for years now.

What’s changing in FedRAMP

While it wasn’t completely absent in the FedRAMP baseline of NIST 800-53 revision 4 controls, supply chain risk management was definitely more obscure. In the past, SA-12 was the only control requiring CSPs to protect against supply chain threats, and only at the FedRAMP High baseline. This left the majority of cloud systems handling their individual supply chains without regulatory oversight.

SA-12 | Supply chain protection | The organization protects against supply chain threats to the information system, system component, or information system service by employing [Assignment: organization-defined security safeguards] as part of a comprehensive, defense-in-breadth information security strategy.

Other than SA-12, the FedRAMP baseline contained some minor indications throughout the supplemental guidance that supply chain considerations should be made for incident reporting, maintenance, and the like, but there were no overt requirements to be audited.

The new revision of NIST 800-53 expands the concepts found in SA-12 and fleshes out details on full supply chain lifecycle management. With the creation of a new control family, it’s certain that these requirements will now undergo 3PAO testing as part of new and annual assessments.

Enter the Supply Chain Risk Management (SR) family of controls…

Key requirements from the SR family

The new supply chain risk management (SR) control family brings twelve (12) new controls/control enhancements to the FedRAMP Moderate baseline and fourteen (14) forward in FedRAMP High. To provide some high-level insights, CSPs looking to adopt the new control family will need to progress through the following phases:

Identify and enumerate system vendors

While not specifically called out in the new controls, identifying and enumerating the information system’s suppliers is going to be critical to building a risk management strategy. The scope of this task will be limited to vendors that provide products or services that support the CSO (authorization boundary). Based on the Discussion found in the SR-2 control, CSPs should target any vendor from which they receive products, systems, and/or services.

Coalfire has seen that CSPs forget to consider products installed within the CSO that simply reach out of the authorization boundary to determine if software/firmware security or feature releases are available. CSPs must evaluate all of these connections as part of their supply chain risk management (SCRM) plan.

Develop a risk management plan for supply chains

The SR-2 control requires that organizations develop a new document known as the SCRM Plan. There’s an extensive Discussion found in the body of NIST 800-53 that provides some color on what it will contain (“Discussion” is the term that replaced “Supplemental Guidance” from the rev 4 standard). In summary, the plan will outline at least the following:

  • Organizational policy on supply chain risk management (SR-2 Discussion)
  • Supplier requirements (SR-2 Discussion)
  • Managment, implementation, and monitoring of SCRM controls (SR-3, SR-6)
  • Supply chain risk tolerances (SR-2 Discussion)
  • Supply chain risk mitigation strategies (SR-2 Discussion)
  • Associated roles and responsibilities (SR-2 Discussion)
  • Process for identifying and addressing supply chain weaknesses (SR-3)
  • Documentation of acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chains (SR-5)
  • Documentation of how CSOs receive notifications from their vendors of newly discovered vulnerabilities (SR-8).
  • Inspection methodology for vendor-provided components (at random or at an organizationally defined trigger point), as well as methods to ensure products are not counterfeit (SR-9, SR-10)
  • Product disposal procedures (SR-12)

*The parentheses at the end of each bullet identifies where the requirement originated from. In the case the origin was a Discussion, it will not be held as a solid requirement, but more of a guideline.

Cloud organizations are given a good bit of liberty in what they want to include in the formal SCRM Plan versus what they’d like to integrate in other policy documents. In fact, the Discussion for the SR-2 control also allows organizations to eliminate the SCRM Plan entirely and simply integrate all the concepts into other system plans, if desired. This may prove to be a more challenging strategy when the audit takes place, since auditors will be hoping to see everything laid out clearly in one place, but it could be navigated.

Staff a supply chain risk management team

CSPs will be required to establish a supply chain risk management team that takes ownership of SCRM activities. The SR-2 (1) control allows CSPs to have flexibility on both who will be members of the team and what the specific oversight activities will be.

Enforce the SCRM plan

Once the SCRM Plan has been written and approved by the appropriate level of management, it will need to be enforced and monitored throughout the year. Since this control area is so new, the 3PAO will take special care to analyze the SR controls and provide detailed results in the next audit.

Monitor suppliers

One of the more significant aspects of the new requirements is that CSPs will be required to monitor their suppliers on an annual cadence. The SR-6 control outlines:

SR-6 | Supplier assessments and reviews | Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].

While this seems open to interpretation at first glance, further reading will find that FedRAMP will be implementing additional requirements stipulating that CSOs leverage NIST 800-171 or a “commensurate security and compliance framework” for the evaluation on an annual frequency. A special footnote from the PMO states that “CSOs must ensure that vendors are compliant with physical facility access and logical access controls to supplied products.”.

Within the Discussion for SR-6, it’s noted that organizations are able to leverage “documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor” to fulfill the review.

Supply chain vs external service connection

While external information system services and interconnections would technically be considered part of a CSO’s supply chain, it’s likely that these will continue to be evaluated separately through the External System Services (SA-9) and Information Exchange (CA-3) security controls.

External services are generally logical interconnections between CSOs to other systems that are not owned by the hosting CSP. The requirements in SA-9 and CA-3 will continue to carry stringent requirements for external services being leveraged by a cloud service offering.

Concluding thoughts

The new supply chain risk management family provides structure for a previously neglected aspect of system management. While this article doesn’t comprehensively cover every new requirement, the theme being conveyed by NIST and the FedRAMP PMO is that security and accountability should be built into federal CSO’s supply chain processes. With the additional scrutiny being placed on supply chains during the NIST 800-53 revision 5 audits, this represents another solid step in the right direction for tightening organizational security posture.