The Federal Risk and Authorization Management Program has listed some actions it requires CSPs, or cloud service providers, to perform in response to an emergency directive released by the Cybersecurity and Infrastructure Security Agency to mitigate vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure products.
In a blog post published Thursday, FedRAMP stated that CSPs that maintain federal data are covered by CISA’s Emergency Directive 24-01.
CSPs that fall within the scope of the directive should assess and implement the actions outlined in the document and upload responses to the incident response folder in their respective FedRAMP secure repository.
Responses for required task 2e and task 3 in the Supplemental Direction should be uploaded by Feb. 5 and Feb. 28, respectively.
FedRAMP is also requesting that CSPs send an email to the FedRAMP Program Management Office and all agency customer authorizing officials with notification of the completed action and upload a copy of email notifications to the incident response folder in their respective secure repository.
The program released the actions in consultation with the FedRAMP Joint Authorization Board and CISA.