StateRAMP and Incident Response: What You Need to Know

In the unfortunate event that a breach occurs, organizations must have a plan in place to respond and recover. StateRAMP borrows requirements from FedRAMP and NIST 800-53 to define how exactly state and local governments can implement incident response into their overall security infrastructure.


Why Do Organizations Need Incident Response Plans?

Security events happen. Even with the best security measures in place, hackers can squeeze through either due to technological weaknesses or user missteps. That’s why organizations must have plans in place to address these issues. 

There’s a certain level of meta-preparation here. Implementing security controls and IT measures falls under one lane of preparation while having clear policies and practices to identify and address security events as they happen is another. 

Broadly speaking, there are a few steps that will serve as part of an incident response plan:

Incident response plans are a critical part of any organization’s security posture, and as such, the requirements for them are part of nearly any security standard and regulation, including StateRAMP. 


StateRAMP and Incident Response Controls (IR)

StateRAMP is derived from FedRAMP, and as such it pulls select controls from that standard. These include several controls from the Incident Response (IR) family found in NIST Special Publication 800-53.

Furthermore, StateRAMP documentation designates the Impact Levels (Low, Low+, and Moderate) at which each control applies, with some controls appearing only at the higher levels.

These controls include:


Incident Response Policy and Procedures (IR-1)


Incident Response Training (IR-2)

Any employee who touches system resources or data that fall under StateRAMP regulations must receive relevant incident response training. This training should be tailored to their position and the tasks they undertake concerning StateRAMP-regulated data.


Incident Response Testing (IR-3)

Organizations should regularly test their incident response policies and capabilities to ensure they operate as expected. This testing must include simulations, walk-throughs, checklist assessments, and other testing methods.

At StateRAMP Moderate, organizations must also include business continuity, disaster recovery, continuity of operations, contingency, crisis communication, infrastructure, and emergency plans as part of their coordination with incident response efforts.


Incident Handling (IR-4)

Organizations must demonstrate the capacity to:

Part and parcel of this requirement is the ability of organizations to incorporate all relevant practices that go into incident response. This incorporation includes having reporting and communication in place to move information about incidents up and down the hierarchy and identify critical areas where security incidents are more likely to occur (phishing emails, API attacks, etc.). 

Additionally, requirements at the Moderate Level include using automated incident handling processes to collect live response data, network packet capture, and forensic analysis.


Incident Monitoring (IR-5)

Incidents must be reported and monitored throughout their lifecycle. Organizations must track and document these incidents, communicating them to relevant response teams and stakeholders. This documentation can come from network monitoring tools, incident reports, user interactions, third-party vendors and supply chain partners, and auditing tools.


Incident Reporting (IR-6)

Simply put, this requirement states that an organization must have policies dictating that personnel report suspected incidents within a predetermined time frame, that there is a position or role responsible for receiving these reports, and that personnel know who holds this position and how to contact that person.

At StateRAMP Moderate, organizations must also include automated reporting mechanisms, such as email or messaging, that stem from the automated incident response capabilities described in IR-4.
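The IR-5 and IR-6 requirements above amount to a lifecycle record per incident plus a check that each one was reported to the designated role inside the time window. The following is an added example, not StateRAMP text or Continuum GRC code; the one-hour reporting window, the "SOC lead" recipient role and the sample incidents are constructed assumptions chosen for illustration.

```python
"""Incident lifecycle tracking with a reporting-window check (IR-5 / IR-6).

Added example, not StateRAMP or Continuum GRC code. The one-hour reporting
window, the designated recipient role and the sample incidents are
constructed assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

REPORTING_WINDOW = timedelta(hours=1)          # assumed predetermined time frame
REPORT_RECIPIENT = "SOC lead (incident-reports mailbox)"   # assumed designated role


class Stage(str, Enum):
    DETECTED = "detected"
    REPORTED = "reported"
    CONTAINED = "contained"
    ERADICATED = "eradicated"
    RECOVERED = "recovered"
    CLOSED = "closed"


# Allowed transitions. Anything else is rejected so a record cannot skip a
# stage (for example, closing an incident that was never contained).
TRANSITIONS = {
    Stage.DETECTED: {Stage.REPORTED},
    Stage.REPORTED: {Stage.CONTAINED},
    Stage.CONTAINED: {Stage.ERADICATED},
    Stage.ERADICATED: {Stage.RECOVERED},
    Stage.RECOVERED: {Stage.CLOSED},
    Stage.CLOSED: set(),
}


@dataclass
class Incident:
    ident: str
    source: str                 # who/what raised it: tool, user, vendor, audit
    detected_at: datetime
    stage: Stage = Stage.DETECTED
    history: list = field(default_factory=list)   # (when, from, to, note)

    def advance(self, new_stage: Stage, at: datetime, note: str = "") -> None:
        """Move to the next lifecycle stage, keeping an audit trail."""
        if new_stage not in TRANSITIONS[self.stage]:
            raise ValueError(
                f"{self.ident}: {self.stage.value} -> {new_stage.value} not allowed")
        self.history.append((at, self.stage, new_stage, note))
        self.stage = new_stage

    def reported_at(self):
        """Timestamp of the transition into REPORTED, or None if not yet reported."""
        for at, _old, new, _note in self.history:
            if new is Stage.REPORTED:
                return at
        return None

    def reporting_status(self, now: datetime) -> str:
        """on_time / late once reported; pending / overdue while unreported."""
        deadline = self.detected_at + REPORTING_WINDOW
        reported = self.reported_at()
        if reported is None:
            return "overdue" if now > deadline else "pending"
        return "on_time" if reported <= deadline else "late"


def escalations(incidents, now: datetime) -> dict:
    """Incidents the designated role must chase: late or overdue reports."""
    return {i.ident: i.reporting_status(now) for i in incidents
            if i.reporting_status(now) in ("late", "overdue")}


def build_sample():
    """Constructed sample incidents for the example (not real data)."""
    def t(h, m):
        return datetime(2024, 5, 6, h, m, tzinfo=timezone.utc)

    a = Incident("INC-1", "EDR alert", t(9, 0))
    a.advance(Stage.REPORTED, t(9, 30), "reported by on-call analyst")
    b = Incident("INC-2", "user phone call", t(9, 0))
    b.advance(Stage.REPORTED, t(10, 30), "reported after shift change")
    c = Incident("INC-3", "vendor notification", t(10, 0))   # not yet reported
    d = Incident("INC-4", "log review", t(8, 0))             # not yet reported
    return [a, b, c, d], t(10, 45)


if __name__ == "__main__":
    sample, now = build_sample()
    for inc in sample:
        print(inc.ident, inc.source, inc.reporting_status(now))
    print("escalate to", REPORT_RECIPIENT, ":", escalations(sample, now))
```

The transition table is the point of the design: an incident record that refuses to skip stages gives auditors the lifecycle trail IR-5 asks for, and the `reporting_status` check turns the IR-6 time frame from a policy sentence into something a dashboard can flag automatically.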


Incident Response Assistance (IR-7)

The organization must integrate or create resources to support incident response handling, specifically on behalf of users. This includes options like a response help desk, ticketing, and consumer redress systems.

At StateRAMP Low+, organizations must also establish operational relationships with external providers of system protection capabilities, specifically managed security and response services.

At StateRAMP Moderate, organizations must include everything from Low+ and include the ability for users to obtain response assistance via push/pull mechanisms, like website assistance or proactive incident information sent via email.


Incident Response Plan (IR-8)

IR-8 requires several control implementations for incident response plans. These controls include:

Furthermore, the organization must distribute copies of the plan to those responsible for the practices defined therein, update the plan in response to changes in technology or vulnerabilities, and communicate those changes to those enacting the plan.


Incident Spillage Response (IR-9)

Information spillage is the problem of protected data “spilling over” into unauthorized systems where StateRAMP policies don’t protect it. At a bare minimum, rapid corrective action must be taken to contain the issue and sanitize any system or media where the information was found. This corrective action includes identifying contaminated systems, quarantining them, completely eradicating traces of the unauthorized information, and auditing systems to ensure that none of the problematic information remains.

This requirement is only expected at StateRAMP Low+ and Moderate levels.

Additionally, StateRAMP Moderate also requires that organizations provide training for spillage response, implement procedures to ensure that personnel using contaminated systems can continue in their tasks during decontamination, and provide information about laws, orders, policies, regulations, and standards related to their exposure to contaminated systems.
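The identify, quarantine, eradicate, audit sequence from IR-9 can be run as one traceable routine. The following is an added example, not StateRAMP text or any vendor's code; the host inventory, file listings and the spilled document are constructed sample data. Files are matched by SHA-256 digest so that the triage tooling never needs its own copy of the protected content, which would otherwise widen the spill.

```python
"""Spillage triage by content fingerprint (IR-9).

Added example, not StateRAMP or any vendor's code. The host inventory, file
listings and the spilled document are constructed sample data. Matching uses
SHA-256 digests so the triage tooling never holds the protected content.
"""
import hashlib


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_inventory():
    """Constructed inventory: host -> {path: file contents}."""
    spilled = b"MARKING: PROTECTED (constructed sample)\ncase notes 0017\n"
    inventory = {
        "ws-0412": {"/home/a/report.txt": spilled,
                    "/home/a/todo.txt": b"renew badge\n"},
        "share-01": {"/exports/q3/copy-of-report.txt": spilled},   # renamed copy
        "ws-0900": {"/tmp/readme": b"nothing to see\n"},
    }
    return spilled, inventory


def identify_contaminated(inventory, spill_digests):
    """Return {host: [paths]} for every host holding a spilled file."""
    hits = {}
    for host, files in inventory.items():
        paths = sorted(p for p, data in files.items()
                       if fingerprint(data) in spill_digests)
        if paths:
            hits[host] = paths
    return hits


def eradicate(inventory, hits) -> int:
    """Remove matched files from the inventory; returns how many were removed."""
    removed = 0
    for host, paths in hits.items():
        for p in paths:
            del inventory[host][p]
            removed += 1
    return removed


def spillage_response(inventory, spill_digests) -> dict:
    """Identify -> quarantine -> eradicate -> audit, as one traceable record."""
    hits = identify_contaminated(inventory, spill_digests)
    quarantined = sorted(hits)          # hosts to isolate from the network
    removed = eradicate(inventory, hits)
    # Re-audit the whole inventory: nothing matching may remain anywhere,
    # including on hosts that were not flagged in the first pass.
    clean = not identify_contaminated(inventory, spill_digests)
    return {"contaminated": hits, "quarantined": quarantined,
            "eradicated": removed, "clean_after_audit": clean}


if __name__ == "__main__":
    spilled, inventory = build_inventory()
    print(spillage_response(inventory, {fingerprint(spilled)}))
```

Whole-file hashing catches renamed exact copies, as on `share-01`, but not excerpts or re-saved documents; production tooling supplements it with partial fingerprints or pattern matching. Likewise the in-memory deletion only stands in for media-appropriate sanitization on the real system, and the quarantine list is what an operator feeds to network isolation.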


Monitor Personnel Security Controls with Continuum GRC

To protect your critical assets, you should always take personnel security seriously, and not only for compliance. With the Continuum GRC Platform, you can identify, monitor, and maintain your PS controls in real time while managing StateRAMP compliance.

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
